Check licenses 👨‍⚖️

Very Good CLI offers a simple and straightforward license checker for dependencies hosted by Dart's package manager, allowing developers to easily keep track of the rights and restrictions external dependencies might impose on their projects.

Quick Start 🚀

To get started, install Very Good CLI and run the following command within your Dart or Flutter project:

very_good packages check licenses

Info: We do not collect any information about your project or dependencies. The license checker doesn't require an internet connection; it detects licenses locally using Dart's package analyzer license detector.

Arguments ⚙️

allowed

Only allows the use of certain licenses. The command will exit with an error and log the list of all the dependencies that have an unlisted license.

Example usage:

very_good packages check licenses --allowed=MIT,BSD-3-Clause

# ✓ Retrieved 6 licenses from 6 packages of type: BSD-3-Clause (3), MIT (1), unknown (1) and Apache-2.0 (1).
# 2 dependencies have banned licenses: html (unknown) and universal_io (Apache-2.0).

Info: A comprehensive list of all the licenses allowed as options is available within the Supported licenses section of this document.

forbidden

Deny the use of certain licenses. The command will exit with an error and log the list of all the dependencies that have a blocked license.

Example usage:

very_good packages check licenses --forbidden=unknown,Apache-2.0

# ✓ Retrieved 6 licenses from 6 packages of type: BSD-3-Clause (3), MIT (1), unknown (1) and Apache-2.0 (1).
# 2 dependencies have banned licenses: html (unknown) and universal_io (Apache-2.0).

Warning: The allowed and forbidden options can't be used at the same time. Organizations typically dictate either which licenses are allowed or which are forbidden, so the command is optimized for that use case.

dependency-type

The type of dependencies to check licenses for. There are three available types:

  • direct-dev: Another package that your package needs during development.
  • direct-main: Another package that your package needs to work.
  • direct-overridden: A dependency that your package overrides that is not already a direct-main or direct-dev dependency.
  • transitive: A dependency that your package indirectly uses because one of its dependencies requires it.

When unspecified, it defaults to direct-main.

Example usage:

very_good packages check licenses --dependency-type=direct-main,transitive

# ✓ Retrieved 83 licenses from 82 packages of type: BSD-3-Clause (65), MIT (15), unknown (1), BSD-2-Clause (1) and Apache-2.0 (1).

Info: The license checker only requires a lockfile to gather dependencies. The lockfile is generated automatically for you by pub when you run pub get, pub upgrade, or pub downgrade.
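
Because the checker reads only the lockfile and defaults to direct-main, dev and transitive packages go unchecked unless --dependency-type names them. The script below is an added example, not part of Very Good CLI or its documentation; it assumes the pubspec.lock layout written by pub (a packages map whose entries carry a dependency field), and the function names and sample lockfile are constructed for illustration.

```shell
# Print "<cli-type> <package>" for every entry under packages: in a pubspec.lock.
lock_deps() {
  awk '
    /^packages:/ { in_pkgs = 1; next }
    /^[^ #]/     { in_pkgs = 0 }   # another top-level key such as sdks:
    in_pkgs && /^  [^ ]+:[ ]*$/ { name = $1; sub(/:$/, "", name); next }
    in_pkgs && /^    dependency:/ {
      type = $0
      sub(/^    dependency:[ ]*/, "", type); sub(/[ \t\r]+$/, "", type)
      gsub(/"/, "", type)   # direct types are quoted, transitive is not
      gsub(/ /, "-", type)  # "direct main" -> direct-main, as the CLI spells it
      print type, name
    }
  ' "$1"
}

# Packages a run without --dependency-type does not check (default is direct-main).
skipped_by_default() { lock_deps "$1" | awk '$1 != "direct-main" { print $2 }' | sort; }

# Flag value naming every dependency type present in the lockfile.
full_scope_flag() {
  printf '%s%s\n' '--dependency-type=' "$(lock_deps "$1" | cut -d' ' -f1 | sort -u | paste -sd, -)"
}

# Constructed sample lockfile: names and versions are illustrative, not real data.
write_sample_lock() {
  cat > "$1" <<'EOF'
packages:
  html:
    dependency: "direct main"
    version: "0.0.0"
  dev_lints_pkg:
    dependency: "direct dev"
    version: "0.0.0"
  universal_io:
    dependency: transitive
    version: "0.0.0"
sdks:
  dart: ">=3.0.0 <4.0.0"
EOF
}

lock="$(mktemp)"; write_sample_lock "$lock"
skipped_by_default "$lock"   # packages outside the default scope
full_scope_flag "$lock"      # flag to pass so every locked package is checked
rm -f "$lock"
```

Run it against a project's own pubspec.lock before choosing a policy: any package listed by skipped_by_default has no license verdict under the default invocation.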

skip-packages

Excludes the listed packages from the license check. Skipped packages will not be checked against allowed or forbidden licenses.

Example usage:

very_good packages check licenses --skip-packages=html,universal_io

# ✓ Retrieved 4 licenses from 4 packages of type: BSD-3-Clause (3) and MIT (1).

ignore-retrieval-failures

Avoids terminating if the license of a dependency could not be retrieved; this may happen if something went wrong when retrieving the license for a package. When enabled, those packages' licenses will fall back to unknown.

Example usage:

very_good packages check licenses --ignore-retrieval-failures

# ✓ Retrieved 6 licenses from 6 packages of type: BSD-3-Clause (3), MIT (1), unknown (1) and Apache-2.0 (1).

Supported licenses 💳

License detection is performed by Dart's package analyzer, which reports commonly found licenses (SPDX licenses). The list of accepted licenses can be seen in the SPDX GitHub repository or in the SPDX License enumeration. Therefore, a license specified in an argument must exactly match the SPDX license name.

If a license file is incorrectly formatted or is not a commonly found license, then it might be reported as unknown. If the former is true, we suggest notifying the package maintainer about the issue.