README.md
1 This package parses [SPDX license expression](https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60) strings describing license terms, like [package.json license strings](https://docs.npmjs.com/files/package.json#license), into consistently structured ECMAScript objects. The npm command-line interface depends on this package, as do many automatic license-audit tools. 2 3 In a nutshell: 4 5 ```javascript 6 var parse = require('spdx-expression-parse') 7 var assert = require('assert') 8 9 assert.deepEqual( 10 // Licensed under the terms of the Two-Clause BSD License. 11 parse('BSD-2-Clause'), 12 {license: 'BSD-2-Clause'} 13 ) 14 15 assert.throws(function () { 16 // An invalid SPDX license expression. 17 // Should be `Apache-2.0`. 18 parse('Apache 2') 19 }) 20 21 assert.deepEqual( 22 // Dual licensed under either: 23 // - LGPL 2.1 24 // - a combination of Three-Clause BSD and MIT 25 parse('(LGPL-2.1 OR BSD-3-Clause AND MIT)'), 26 { 27 left: {license: 'LGPL-2.1'}, 28 conjunction: 'or', 29 right: { 30 left: {license: 'BSD-3-Clause'}, 31 conjunction: 'and', 32 right: {license: 'MIT'} 33 } 34 } 35 ) 36 ``` 37 38 The syntax comes from the [Software Package Data eXchange (SPDX)](https://spdx.org/), a standard from the [Linux Foundation](https://www.linuxfoundation.org) for shareable data about software package license terms. SPDX aims to make sharing and auditing license data easy, especially for users of open-source software. 39 40 The bulk of the SPDX standard describes syntax and semantics of XML metadata files. This package implements two lightweight, plain-text components of that larger standard: 41 42 1. The [license list](https://spdx.org/licenses), a mapping from specific string identifiers, like `Apache-2.0`, to standard form license texts and bolt-on license exceptions. The [spdx-license-ids](https://www.npmjs.com/package/spdx-license-ids) and [spdx-exceptions](https://www.npmjs.com/package/spdx-exceptions) packages implement the license list. `spdx-expression-parse` depends on and `require()`s them. 43 44 Any license identifier from the license list is a valid license expression: 45 46 ```javascript 47 var identifiers = [] 48 .concat(require('spdx-license-ids')) 49 .concat(require('spdx-license-ids/deprecated')) 50 51 identifiers.forEach(function (id) { 52 assert.deepEqual(parse(id), {license: id}) 53 }) 54 ``` 55 56 So is any license identifier `WITH` a standardized license exception: 57 58 ```javascript 59 identifiers.forEach(function (id) { 60 require('spdx-exceptions').forEach(function (e) { 61 assert.deepEqual( 62 parse(id + ' WITH ' + e), 63 {license: id, exception: e} 64 ) 65 }) 66 }) 67 ``` 68 69 2. The license expression language, for describing simple and complex license terms, like `MIT` for MIT-licensed and `(GPL-2.0 OR Apache-2.0)` for dual-licensing under GPL 2.0 and Apache 2.0. `spdx-expression-parse` itself implements license expression language, exporting a parser. 70 71 ```javascript 72 assert.deepEqual( 73 // Licensed under a combination of: 74 // - the MIT License AND 75 // - a combination of: 76 // - LGPL 2.1 (or a later version) AND 77 // - Three-Clause BSD 78 parse('(MIT AND (LGPL-2.1+ AND BSD-3-Clause))'), 79 { 80 left: {license: 'MIT'}, 81 conjunction: 'and', 82 right: { 83 left: {license: 'LGPL-2.1', plus: true}, 84 conjunction: 'and', 85 right: {license: 'BSD-3-Clause'} 86 } 87 } 88 ) 89 ``` 90 91 The Linux Foundation and its contributors license the SPDX standard under the terms of [the Creative Commons Attribution License 3.0 Unported (SPDX: "CC-BY-3.0")](http://spdx.org/licenses/CC-BY-3.0). "SPDX" is a United States federally registered trademark of the Linux Foundation. The authors of this package license their work under the terms of the MIT License.