This package parses [SPDX license expression](https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60) strings describing license terms, like [package.json license strings](https://docs.npmjs.com/files/package.json#license), into consistently structured ECMAScript objects. The npm command-line interface depends on this package, as do many automatic license-audit tools.

In a nutshell:

```javascript
var parse = require('spdx-expression-parse')
var assert = require('assert')

assert.deepEqual(
  // Licensed under the terms of the Two-Clause BSD License.
  parse('BSD-2-Clause'),
  {license: 'BSD-2-Clause'}
)

assert.throws(function () {
  // An invalid SPDX license expression.
  // Should be `Apache-2.0`.
  parse('Apache 2')
})

assert.deepEqual(
  // Dual licensed under either:
  // - LGPL 2.1
  // - a combination of Three-Clause BSD and MIT
  parse('(LGPL-2.1 OR BSD-3-Clause AND MIT)'),
  {
    left: {license: 'LGPL-2.1'},
    conjunction: 'or',
    right: {
      left: {license: 'BSD-3-Clause'},
      conjunction: 'and',
      right: {license: 'MIT'}
    }
  }
)
```

The syntax comes from the [Software Package Data eXchange (SPDX)](https://spdx.org/), a standard from the [Linux Foundation](https://www.linuxfoundation.org) for shareable data about software package license terms. SPDX aims to make sharing and auditing license data easy, especially for users of open-source software.

The bulk of the SPDX standard describes syntax and semantics of XML metadata files. This package implements two lightweight, plain-text components of that larger standard:

1. The [license list](https://spdx.org/licenses), a mapping from specific string identifiers, like `Apache-2.0`, to standard form license texts and bolt-on license exceptions. The [spdx-license-ids](https://www.npmjs.com/package/spdx-license-ids) and [spdx-exceptions](https://www.npmjs.com/package/spdx-exceptions) packages implement the license list. `spdx-expression-parse` depends on and `require()`s them.

Any license identifier from the license list is a valid license expression:

```javascript
var identifiers = []
  .concat(require('spdx-license-ids'))
  .concat(require('spdx-license-ids/deprecated'))
  .filter(function (id) { return id[id.length - 1] !== '+' })

identifiers.forEach(function (id) {
  assert.deepEqual(parse(id), {license: id})
})
```

So is any license identifier `WITH` a standardized license exception:

```javascript
identifiers.forEach(function (id) {
  require('spdx-exceptions').forEach(function (e) {
    assert.deepEqual(
      parse(id + ' WITH ' + e),
      {license: id, exception: e}
    )
  })
})
```

2. The license expression language, for describing simple and complex license terms, like `MIT` for MIT-licensed and `(GPL-2.0 OR Apache-2.0)` for dual-licensing under GPL 2.0 and Apache 2.0. `spdx-expression-parse` itself implements the license expression language, exporting a parser.

```javascript
assert.deepEqual(
  // Licensed under a combination of:
  // - the MIT License AND
  // - a combination of:
  //   - LGPL 2.1 (or a later version) AND
  //   - Three-Clause BSD
  parse('(MIT AND (LGPL-2.1+ AND BSD-3-Clause))'),
  {
    left: {license: 'MIT'},
    conjunction: 'and',
    right: {
      left: {license: 'LGPL-2.1', plus: true},
      conjunction: 'and',
      right: {license: 'BSD-3-Clause'}
    }
  }
)
```

This package differs slightly from the SPDX standard in allowing lower- and mixed-case `AND`, `OR`, and `WITH` operators:

```javascript
assert.deepEqual(
  parse('MIT or BSD-2-Clause'),
  { left: { license: 'MIT' }, conjunction: 'or', right: { license: 'BSD-2-Clause' } }
)
assert.deepEqual(
  parse('GPL-2.0 with GCC-exception-2.0'),
  { license: 'GPL-2.0', exception: 'GCC-exception-2.0' }
)
```

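One way a license-audit tool might consume the parser's output, as an added example that is not part of this package or its README: a recursive policy check over the `left` / `conjunction` / `right` and `license` / `plus` / `exception` shapes shown above. The `POLICY` allowlist, the `evaluate` function, and the rule that `plus` and unlisted exceptions fail closed are assumptions made for this example.

```javascript
// Added example: policy check over the AST shape documented on this page.
// In a real audit, build the AST with parse(expr) inside try/catch and
// treat a thrown error (invalid expression) as a failed check.

// Hypothetical allowlist, constructed for this example.
var POLICY = {
  licenses: ['MIT', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0'],
  exceptions: [] // assumption: exceptions need explicit review too
}

// Returns {ok, blocking}; blocking lists the terms that caused rejection.
function evaluate (node, policy) {
  if (node.conjunction === 'or' || node.conjunction === 'and') {
    var l = evaluate(node.left, policy)
    var r = evaluate(node.right, policy)
    // 'or': the licensee picks a branch, so one acceptable branch suffices.
    // 'and': both branches bind at once, so both must be acceptable.
    var ok = node.conjunction === 'or' ? (l.ok || r.ok) : (l.ok && r.ok)
    return {ok: ok, blocking: ok ? [] : l.blocking.concat(r.blocking)}
  }
  // Leaf node. Anything without a listed license string fails closed.
  var blocking = []
  if (policy.licenses.indexOf(node.license) === -1) {
    // Conservative: `plus` ("or later") never widens what the policy accepts.
    blocking.push(String(node.license) + (node.plus ? '+' : ''))
  }
  if (node.exception !== undefined &&
      policy.exceptions.indexOf(node.exception) === -1) {
    blocking.push('WITH ' + node.exception)
  }
  return {ok: blocking.length === 0, blocking: blocking}
}

// ASTs copied from the parse() results shown above.
var DUAL = { // (LGPL-2.1 OR BSD-3-Clause AND MIT)
  left: {license: 'LGPL-2.1'},
  conjunction: 'or',
  right: {left: {license: 'BSD-3-Clause'}, conjunction: 'and', right: {license: 'MIT'}}
}
var COMBINED = { // (MIT AND (LGPL-2.1+ AND BSD-3-Clause))
  left: {license: 'MIT'},
  conjunction: 'and',
  right: {left: {license: 'LGPL-2.1', plus: true}, conjunction: 'and', right: {license: 'BSD-3-Clause'}}
}
var WITH_EXCEPTION = {license: 'GPL-2.0', exception: 'GCC-exception-2.0'}

console.log(evaluate(DUAL, POLICY))
console.log(evaluate(COMBINED, POLICY))
console.log(evaluate(WITH_EXCEPTION, POLICY))
```

The dual-licensed expression passes because its `BSD-3-Clause AND MIT` branch is fully allowed, while the other two report exactly which terms blocked them.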
The Linux Foundation and its contributors license the SPDX standard under the terms of [the Creative Commons Attribution License 3.0 Unported (SPDX: "CC-BY-3.0")](http://spdx.org/licenses/CC-BY-3.0). "SPDX" is a United States federally registered trademark of the Linux Foundation. The authors of this package license their work under the terms of the MIT License.