Repository files navigation

This package parsesSPDX license expression strings describing license terms, likepackage.json license strings, into consistently structured ECMAScript objects. The npm command-line interface depends on this package, as do many automatic license-audit tools.

In a nutshell:

varparse=require('spdx-expression-parse')varassert=require('assert')assert.deepEqual(// Licensed under the terms of the Two-Clause BSD License.parse('BSD-2-Clause'),{license:'BSD-2-Clause'})assert.throws(function(){// An invalid SPDX license expression.// Should be `Apache-2.0`.parse('Apache 2')})assert.deepEqual(// Dual licensed under either:// - LGPL 2.1// - a combination of Three-Clause BSD and MITparse('(LGPL-2.1 OR BSD-3-Clause AND MIT)'),{left:{license:'LGPL-2.1'},conjunction:'or',right:{left:{license:'BSD-3-Clause'},conjunction:'and',right:{license:'MIT'}}})

The syntax comes from theSoftware Package Data eXchange (SPDX), a standard from theLinux Foundation for shareable data about software package license terms. SPDX aims to make sharing and auditing license data easy, especially for users of open-source software.

The bulk of the SPDX standard describes syntax and semantics of XML metadata files. This package implements two lightweight, plain-text components of that larger standard:

1. Thelicense list, a mapping from specific string identifiers, likeApache-2.0, to standard form license texts and bolt-on license exceptions. Thespdx-license-ids andspdx-exceptions packages implement the license list.spdx-expression-parse depends on andrequire()s them.

   Any license identifier from the license list is a valid license expression:

   require('spdx-license-ids').forEach(function(id){assert.deepEqual(parse(id),{license:id})})

   So is any license identifierWITH a standardized license exception:

   require('spdx-license-ids').forEach(function(id){require('spdx-exceptions').forEach(function(e){assert.deepEqual(parse(id+' WITH '+e),{license:id,exception:e})})})

2. The license expression language, for describing simple and complex license terms, likeMIT for MIT-licensed and(GPL-2.0 OR Apache-2.0) for dual-licensing under GPL 2.0 and Apache 2.0.spdx-expression-parse itself implements license expression language, exporting a parser.

   assert.deepEqual(// Licensed under a combination of:// - the MIT License AND// - a combination of://   - LGPL 2.1 (or a later version) AND//   - Three-Clause BSDparse('(MIT AND (LGPL-2.1+ AND BSD-3-Clause))'),{left:{license:'MIT'},conjunction:'and',right:{left:{license:'LGPL-2.1',plus:true},conjunction:'and',right:{license:'BSD-3-Clause'}}})

The SPDX standard document provides a loose grammar, along with interpretive notes. This package implements the parser grammar specified by the following ABNF:

license-ref= [DOCUMENTREF":"]LICENSEREFlicense-plus=LICENSE["+"]postfixed-license= (license-ref/license-plus) ["WITH"EXCEPTION]parenthesized-expression="("expression")"atom=parenthesized-expression/postfixed-licenseand-expression=atom ["AND"and-expression]or-expression=and-expression ["OR"or-expression]expression=or-expressiontag-value-format-license-expression=parenthesized-expression/license-id/license-ref

The Linux Foundation and its contributors license the SPDX standard under the terms ofthe Creative Commons Attribution License 3.0 Unported (SPDX: "CC-BY-3.0"). "SPDX" is a United States federally registered trademark of the Linux Foundation. The authors of this package license their work under the terms of the MIT License.