When using dependencies such as NPM packages or Composer packages, whether you use a CDN or host the packages on the web server, don’t many packages out there require you to display the licenses of the package being used and show attributions?
How would one place this on their website? I even went to several websites to see how they do this and could not find a section, and I am sure these websites use packages that require the license to be listed and list the attributions.
I can find the licenses and attributions of packages used in many applications on desktop and mobile, usually in the app’s “about” page.
Yeah, I imagine at least some NPM packages will be licensed under Apache-2.0, for example, which states:
- Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
a. You must give any other recipients of the Work or Derivative Works a copy of this License;
At $DAYJOB, we’re building a web-UI with WebAssembly+Rust, so I can’t provide details on how to do that with NPM, but basically, what we do is:
- When building a release artifact, collect license information for all libraries. Presumably, NPM should provide this. Maybe there’s some extension/script/whatever for NPM that can collect this information for you. We then place the collected license information in a JSON file into a directory of the release artifact, where it will get served.
- Create a UI page with a table that displays all packages with their respective licenses.
- Link this page somewhere as “About” or “Licenses”.
You can just have a Credits/Licenses page in your legal section that lists these packages. If you’re using npm packages, you could use an npm package like nlf or license-checker to compile a list of all licenses in your dependencies.
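The build step described in the answers above (collect license information, write it to a JSON file that a "Licenses" page can render), sketched for an npm project as an added example; it is not code from any poster and not how nlf or license-checker work internally. It assumes a flat, top-level `node_modules` directory, and the package names in the sample tree are constructed.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Normalise package.json license forms: an SPDX string, the legacy
// {type, url} object, or the legacy "licenses" array (joined as a choice).
function licenseOf(pkg) {
  const raw = pkg.license ?? pkg.licenses;
  const list = (Array.isArray(raw) ? raw : [raw])
    .map((l) => (typeof l === 'string' ? l : l && l.type))
    .filter(Boolean);
  return list.length ? list.join(' OR ') : 'UNKNOWN';
}

// Walk one node_modules level, descending into @scope directories.
function collectLicenses(modulesDir) {
  const out = [];
  for (const entry of fs.readdirSync(modulesDir, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const dir = path.join(modulesDir, entry.name);
    if (entry.name.startsWith('@')) { out.push(...collectLicenses(dir)); continue; }
    const manifest = path.join(dir, 'package.json');
    if (!fs.existsSync(manifest)) continue;
    const pkg = JSON.parse(fs.readFileSync(manifest, 'utf8'));
    out.push({ name: pkg.name, version: pkg.version, license: licenseOf(pkg) });
  }
  return out.sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed sample tree (hypothetical package names) so this runs offline.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'licenses-'));
  const pkgs = {
    'left-widget': { name: 'left-widget', version: '1.2.0', license: 'Apache-2.0' },
    '@acme/ui': { name: '@acme/ui', version: '0.3.1', licenses: [{ type: 'MIT' }, { type: 'ISC' }] },
    'no-meta': { name: 'no-meta', version: '2.0.0' },
  };
  for (const [dir, pkg] of Object.entries(pkgs)) {
    const target = path.join(root, 'node_modules', dir);
    fs.mkdirSync(target, { recursive: true });
    fs.writeFileSync(path.join(target, 'package.json'), JSON.stringify(pkg));
  }
  return path.join(root, 'node_modules');
}

// Write the JSON file that the "Licenses" page would load and render.
function writeLicenseFile(modulesDir, outFile) {
  fs.writeFileSync(outFile, JSON.stringify(collectLicenses(modulesDir), null, 2));
}
```

Packages that come back as `UNKNOWN` are the ones to check by hand before a release.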