No packages with unknown or missing licenses
Why it matters
In most jurisdictions, software without a license is implicitly 'all rights reserved' — you have no legal permission to use it, even if it is freely distributed on npm. A production dependency with an absent, UNLICENSED, or unrecognizable license field exposes you to IP claims from the original author at any time. CWE-1357 applies because you are relying on a component whose terms of use cannot be verified. Unlike the copyleft check, unknown licenses represent legal uncertainty in all directions: you do not know whether commercial use is permitted, whether redistribution triggers obligations, or whether the author intends to change the terms. This risk is amplified when AI tools generate npm install commands for packages they may have hallucinated.
Severity rationale
High because using software without a valid license means you have no legal permission to do so, exposing the business to IP claims from the original author with no clear defense.
Remediation
Audit all production dependencies for license fields:
npx license-checker --production --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC;0BSD'
For any package flagged as UNLICENSED or UNKNOWN:
- Check the GitHub repository for a LICENSE file not included in the npm publish.
- Contact the maintainer to request license clarification.
- If no response, replace the package with a licensed alternative.
Do not ship to production with UNLICENSED code in your dependency graph.
Detection
- ID: no-unknown-licenses
- Severity: high
- What to look for: Check direct production dependencies in package.json for packages where the license cannot be determined. Look at node_modules/package-name/package.json for a license field. A package is "unknown" if: the license field is absent, set to UNLICENSED, set to SEE LICENSE IN FILE but no LICENSE file exists, or set to a non-standard string that doesn't map to a known SPDX identifier. Well-known packages with known licenses should be treated as passing even without inspection. Count every dependency and enumerate those with missing, "UNKNOWN", or "UNLICENSED" license fields. Report: X of Y packages have identifiable licenses.
- Pass criteria: All direct production dependencies have a recognizable license identifier (MIT, Apache-2.0, BSD-2-Clause, ISC, etc.) in their package metadata. Report the count of total packages and confirmed license identifications even on pass. At least 1 implementation must be confirmed.
- Fail criteria: One or more direct production dependencies have an absent, UNLICENSED, or unrecognizable license field.
- Skip (N/A) when: No package.json detected or no production dependencies listed.
- Detail on fail: "Package 'mystery-lib@1.0.0' has no license field — using unlicensed code is legally ambiguous. Contact the author or find an alternative." or "2 production dependencies have unknown licenses: mystery-lib, another-lib"
- Remediation: Without a license, software is legally "all rights reserved" by default — you don't have permission to use it. This is a legal risk even if the package is freely available on npm.
  For each unlicensed package:
  - Check the GitHub repository for a LICENSE file that wasn't included in the npm publish.
  - Contact the maintainer and request a license clarification.
  - If no license is forthcoming, find a licensed alternative.
  Use license-checker to audit all dependencies at once: npx license-checker --production --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC;0BSD'
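The classification the detection logic above describes, as an added Node.js example that is not part of this rule or of license-checker: it applies the four "unknown" conditions to each direct production dependency and produces the "X of Y" report. The package names, versions and manifests are constructed inline rather than read from node_modules, and the allow-list mirrors the one in the command above.

```javascript
// Added example (not part of the rule page): classify the license field of
// each direct production dependency the way the check above describes.
// Sample manifests are constructed inline instead of being read from
// node_modules/<name>/package.json so the script runs offline.
const KNOWN_SPDX = new Set(['MIT', 'Apache-2.0', 'BSD-2-Clause',
  'BSD-3-Clause', 'ISC', '0BSD']); // extend with the identifiers you allow

// Returns { status: 'ok' | 'unknown', reason } for one package manifest.
function classifyLicense(manifest, licenseFileExists) {
  let license = manifest.license;
  if (Array.isArray(license)) license = license[0];          // legacy array form
  if (license && typeof license === 'object') license = license.type; // { type, url }
  const value = license == null ? '' : String(license).trim();
  if (value === '') return { status: 'unknown', reason: 'license field absent' };
  if (value.toUpperCase() === 'UNLICENSED') return { status: 'unknown', reason: 'UNLICENSED' };
  if (/^SEE LICENSE IN\s+\S+/i.test(value)) {
    return licenseFileExists ? { status: 'ok', reason: value }
      : { status: 'unknown', reason: `${value}, but no license file shipped` };
  }
  if (KNOWN_SPDX.has(value)) return { status: 'ok', reason: value };
  return { status: 'unknown', reason: `unrecognised license string "${value}"` };
}

// rootManifest: the project's package.json; installed: name -> { manifest, hasLicenseFile }
function auditProductionDeps(rootManifest, installed) {
  const names = Object.keys(rootManifest.dependencies || {});
  const unknown = [];
  for (const name of names) {
    const entry = installed[name];
    if (!entry) { unknown.push({ name, reason: 'not installed' }); continue; }
    const { status, reason } = classifyLicense(entry.manifest, entry.hasLicenseFile);
    if (status !== 'ok') unknown.push({ name: `${name}@${entry.manifest.version}`, reason });
  }
  return { total: names.length, identified: names.length - unknown.length, unknown };
}

// Constructed sample: two passing packages and the four failure modes the rule lists.
const ROOT = { dependencies: { 'good-lib': '^1.4.0', 'mystery-lib': '1.0.0',
  'unlicensed-lib': '0.9.0', 'legacy-lib': '2.0.0', 'file-lib': '0.1.0', 'weird-lib': '3.2.1' } };
const INSTALLED = {
  'good-lib':       { manifest: { version: '1.4.0', license: 'MIT' }, hasLicenseFile: true },
  'mystery-lib':    { manifest: { version: '1.0.0' }, hasLicenseFile: false },
  'unlicensed-lib': { manifest: { version: '0.9.0', license: 'UNLICENSED' }, hasLicenseFile: false },
  'legacy-lib':     { manifest: { version: '2.0.0', license: { type: 'ISC' } }, hasLicenseFile: true },
  'file-lib':       { manifest: { version: '0.1.0', license: 'SEE LICENSE IN LICENSE.txt' }, hasLicenseFile: false },
  'weird-lib':      { manifest: { version: '3.2.1', license: 'free for anyone' }, hasLicenseFile: false },
};

const result = auditProductionDeps(ROOT, INSTALLED);
console.log(`${result.identified} of ${result.total} packages have identifiable licenses`);
for (const u of result.unknown) console.log(`FAIL ${u.name}: ${u.reason}`);
```

To run it against a real project, build `INSTALLED` by reading each `node_modules/<name>/package.json` and checking for a LICENSE file alongside it.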
External references
- cwe · CWE-1357 — Reliance on Insufficiently Trustworthy Component
- spdx · UNLICENSED — No license declared
Taxons
History
- 2026-04-18·v1.0.0·Initial import from dependency-supply-chain·automated