Without a license field in package.json and a LICENSE file, your package is under exclusive copyright by default: consumers who install it receive no grant to copy, modify or redistribute it, which is a problem even for purely internal use. Enterprise legal teams routinely reject dependencies with no license declaration. SPDX license expressions enable automated license scanning in CI pipelines (SSDF PO.1.2). A package without a clear SPDX identifier won't pass compliance checks at many organizations, so it gets blocked regardless of its technical quality.
Medium: missing license data triggers automated blocking by enterprise compliance scanners and exposes consumers to legal risk, but the package still functions technically.
Add an SPDX license field to package.json and create a LICENSE file in the project root.
{ "license": "MIT" }
Create LICENSE at the repo root with the full license text. For MIT:
MIT License
Copyright (c) 2026 Your Name
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction...
The license field must be a valid SPDX license expression (for example "MIT" or "MIT OR Apache-2.0"). npm also accepts "UNLICENSED" (no rights granted) and "SEE LICENSE IN <filename>" (custom license text), but neither is an SPDX identifier and neither satisfies this check. Use https://choosealicense.com to select the right license. Ensure the license field in package.json matches the LICENSE file exactly; a mismatch (say, "MIT" in package.json beside an Apache-2.0 LICENSE file) creates legal ambiguity about which terms apply.
ID: sdk-package-quality.package-config.license-field
Severity: medium
What to look for: List all package.json files and LICENSE files. For each package, check for:
- a license field in package.json with a valid SPDX identifier (e.g., MIT, Apache-2.0, ISC, BSD-3-Clause)
- a LICENSE or LICENSE.md file in the project root
- for Python: the license field under [project] in pyproject.toml
- for Rust: the license field in Cargo.toml
Pass criteria: Valid SPDX license field in package metadata AND a LICENSE/LICENSE.md file exists in the project root. 100% of packages must have both a license field in package.json and a LICENSE file. Report: "X packages found, all Y have license field and LICENSE file."
Fail criteria: Missing license field, OR invalid/non-SPDX license identifier, OR no LICENSE file in the project root.
Skip (N/A) when: Never. Every published package should have a license; without one, default copyright applies and consumers have no grant to use, modify or redistribute the code.
Detail on fail: "license field in package.json is 'UNLICENSED' and no LICENSE file exists. Without an explicit license, other developers cannot legally use this package."
Remediation: Choose a license appropriate for your project. For most open-source packages, MIT is the simplest choice:
In package.json:
{ "license": "MIT" }
Then create a LICENSE file in the project root:
MIT License
Copyright (c) 2026 Your Name
Permission is hereby granted, free of charge, to any person obtaining a copy
...
Use https://choosealicense.com if you need help deciding.