A missing LICENSE file means the code is, by default, all rights reserved: no one can legally use, fork, distribute, or embed it in their product. Enterprise legal teams explicitly block adoption of unlicensed code, and many package registries and distribution channels will flag or reject it. A mismatch between the LICENSE file (for example, MIT) and the package.json license field (for example, ISC) also creates legal ambiguity that blocks commercial use until resolved.
Severity is low because unlicensed code blocks commercial adoption but has no runtime or security impact.
Add a LICENSE file at the project root with the full text of your chosen license (MIT, Apache-2.0, GPL-3.0, etc.), reference it in the README, and set the matching license field in package.json. Example:
```markdown
## License
MIT — see [LICENSE](./LICENSE) for details.
```

```json
{ "license": "MIT" }
```
Verify the string in package.json matches the license file exactly, including spelling and version suffix.
ID: developer-documentation.maintenance.license
Severity: low
What to look for: Check for a LICENSE file at the project root (LICENSE, LICENSE.md, LICENSE.txt, LICENCE). Verify the license type is mentioned in the README (usually near the bottom or in a badge). Check that package.json (or equivalent) has a license field that matches. Count all instances found and enumerate each.
Pass criteria: A LICENSE file exists at the project root, the license type is mentioned in the README, and the license field in package.json matches. At least 1 implementation must be confirmed.
Fail criteria: No LICENSE file exists, or LICENSE exists but the README doesn't mention the license type, or package.json has no license field or a mismatched one.
Skip (N/A) when: The project is proprietary/closed-source and intentionally has no open-source license.
Detail on fail: Example: "No LICENSE file at project root -- developers cannot legally use this code" or "LICENSE file says MIT but package.json says 'ISC' -- mismatch" or "LICENSE file exists but README doesn't mention the license anywhere"
Remediation: Add a LICENSE file and reference it:
```markdown
<!-- At the bottom of README.md -->
## License
MIT -- see [LICENSE](./LICENSE) for details.
```
And in package.json:
```json
{ "license": "MIT" }
```
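The pass and fail criteria above can be automated. The following is an added example, not code from the original page or from any auditing tool: it applies the three checks (LICENSE file present, README mention, package.json match) to a project directory. The phrase fingerprints, the `README.md` filename and the helper names `detect_license`, `check_license` and `make_project` are assumptions made for this example, and the sample project is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

LICENSE_NAMES = ("LICENSE", "LICENSE.md", "LICENSE.txt", "LICENCE")
# Assumption: one distinctive phrase per license is enough to identify it.
FINGERPRINTS = {
    "MIT": "permission is hereby granted, free of charge",
    "ISC": "permission to use, copy, modify, and/or distribute",
    "Apache-2.0": "apache license version 2.0",
}

def detect_license(text):
    """Return the SPDX id whose fingerprint occurs in the license text, else None."""
    lowered = " ".join(text.lower().split())  # collapse line wraps and case
    return next((s for s, p in FINGERPRINTS.items() if p in lowered), None)

def check_license(root):
    """Return failure messages for the check; an empty list means pass."""
    root = Path(root)
    found = [n for n in LICENSE_NAMES if (root / n).is_file()]
    if not found:
        return ["No LICENSE file at project root"]
    spdx = detect_license((root / found[0]).read_text(encoding="utf-8"))
    if spdx is None:
        return [f"{found[0]}: license type not recognised"]
    failures = []
    readme = root / "README.md"
    text = readme.read_text(encoding="utf-8") if readme.is_file() else ""
    if not re.search(rf"(?<![\w-]){re.escape(spdx)}(?![\w-])", text):
        failures.append(f"README doesn't mention the license ({spdx})")
    pkg = root / "package.json"
    meta = json.loads(pkg.read_text(encoding="utf-8")) if pkg.is_file() else {}
    if meta.get("license") != spdx:  # exact match, including version suffix
        failures.append(f"LICENSE says {spdx} but package.json says {meta.get('license')!r}")
    return failures

def make_project(license_text, readme, package):
    """Write a constructed sample project to a temp directory; return its path."""
    root = Path(tempfile.mkdtemp())
    (root / "LICENSE").write_text(license_text, encoding="utf-8")
    (root / "README.md").write_text(readme, encoding="utf-8")
    (root / "package.json").write_text(json.dumps(package), encoding="utf-8")
    return root

if __name__ == "__main__":
    mit = "MIT License\n\nPermission is hereby granted, free of charge, to any person"
    print(check_license(make_project(mit, "## License\nMIT", {"license": "ISC"})))
```

The README test looks for the exact SPDX identifier, so a README that writes "Apache 2.0" instead of "Apache-2.0" is reported as a miss and needs a manual look.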