"All Rights Reserved" license in package.json

Asked 13/8, 2015 at 20:51 Answered 2/5, 2021 at 16:7

222

I have a small node.js project that is company-internal and will not be released publicly or shared with third parties. It certainly will not be contributed to any public package repositories.

But when I run npm install I always get the following error:

npm WARN package.json <<myproject>>@0.1.0 license should be a valid SPDX license expression

The desired license is: "copyright by us and all rights reserved". I could not find anything that looked applicable in the SPDX license list. The suggestion in this answer does not work either. If I simply remove the license field from package.json the error changes to no license field.

How do I get npm install to show no errors or warnings without putting a license reference in there that we do not want to use?

Prism answered 13/8, 2015 at 20:51 Comment(0)

365

According to the new npm specification you can use { "license": "UNLICENSED"} if you do not wish to grant others the right to use a private or unpublished package under any terms.

Please refer the full details here

So you might not get the error you mentioned.

Biome answered 17/11, 2015 at 11:11 Comment(10)

This certainly is great for no license, but doesn't help if you want to reference an external license. – Warplane 16/12, 2015 at 23:1

From the same npmjs page, "Consider also setting "private": true to prevent accidental publication." – Archy 21/12, 2015 at 6:32

the SPDX list contains Unlicense without the final D and in mixed case. is that what you're referring to? though in looking at it, doesn't seem like that would be the right thing. there is no UNLICENSED in the list – Cairngorm 19/3, 2017 at 3:22

@ekkis, the documentation of package.json does describe UNLICENSED as a valid value (cf. docs.npmjs.com/files/package.json#license). – Gestapo 8/9, 2017 at 7:46

@Cairngorm The Unlicense is the complete opposite of { "license": "UNLICENSED" } spdx.org/licenses/Unlicense. (I realize you had a look at the license and saw it wasn't right, I just thought this needs to be spelled out here just in case) – Orchardman 6/11, 2017 at 11:16

Better to use "SEE LICENSE IN <filename>", even though "UNLICENSED" is a valid value it does not specify your conditions, see the answer provided by brandomscript bellow. – Mertz 26/12, 2019 at 17:31

Wouldn't unlicensed mean you are not specifying what the license is, which means people can do whatever they want with it, including distributing it under a new and permissive license? Isn't that exactly the opposite of what the question is wanting? – Propound 15/8, 2020 at 14:29

@Propound the legal assumption is that you don't have rights to use anything, unless the owner grants you some rights. Something that is "unlicensed" means you have no license, so you can't use it in any way - unless it falls under "fair use" legislation in your jurisdiction. This is why there are so many open source licenses - copyright owners (in this case, software developers) disagree on how things should be shared, and lawyers disagree on how owners' preferences should be worded to ensure they are enforceable. Put simply, no license = no rights. – Eastsoutheast 9/7, 2021 at 5:37

Does "Unlicensed" allow developers within the company to use, modify, etc. the package? – Argive 16/11, 2022 at 17:23

The unlicense listing states anyone can do anything with the code. I recomend using the license file in other answer here. – Shifflett 15/3, 2023 at 18:5

According to the latest docs for package.json:

If you are using a license that hasn't been assigned an SPDX identifier, or if you are using a custom license, use the following valid SPDX expression:

{ "license" : "SEE LICENSE IN <filename>" }

Then include a file named <filename> at the top level of the package.

Warplane answered 13/8, 2015 at 20:58 Comment(3)

Bradonscript, how do you include a file named <filename> at the top level of the package? Sorry, I'm sure this is a basic question, but thank you for your help in advance. – Cr 1/1, 2021 at 22:54

@Cr please use the “ask” button to ask a new question – Warplane 1/1, 2021 at 23:23

Is there a way to link a new question to your comment, since it would be an attempt to clarify what you said? Also, I found the answer here: docs.npmjs.com/cli/v6/configuring-npm/package-json#files and #40796336 – Cr 2/1, 2021 at 0:2

UNLICENSED means that it is not licensed, while "unlicense", with no "d" at the end, refers to a license named The Unlicense, which is something very different. To prevent confusion, and if you want to assert a copyright, you should point someone to your own internal license file.

Definitely DO NOT use:

{ "license": "unlicense" }

as suggested by the top voted answer if you wish to clearly communicate that you wish to have a copyright claim style license.

A clip from the first two paragraphs of the UNLICENSE license makes clear this has no relation at all to the OP's request to have a copyright claim:

This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or distribute this software, either in source code form or as a compiled binary, for any purpose, commercial or non-commercial, and by any means.

To the top voted answer's credit, the Node documentation page makes a claim that the use of the UNLICENSED option is to make it so you are not granting any rights to others:

if you do not wish to grant others the right to use a private or unpublished package under any terms:

This does not appear to be a safe choice for retaining your rights. You could infer that the lack of the extra "D" means these are two entirely different terms, but you can not assume that others will know that, and when they search for what the UNLICENSED license is, they may get the link to The Unlicense.

So, the following:

{ "license": "SEE LICENSE IN <filename>" }

is the safer answer at this time.

Sydel answered 12/5, 2020 at 4:32 Comment(4)

I don't think this is correct. The SPDX list of licenses does include an entry for "The Unlicense" that you found, and it is different than the "UNLICENSED" which grants no rights. spdx.org/licenses/Unlicense.html So while a spelling error would be highly consequential ("Unlicense" being an unrestricted license and "UNLICENSED" reserving all rights), there is no ambiguity. The package.json spec clearly states that "UNLICENSED" does not grant any rights "under any terms". – Prism 18/5, 2020 at 22:2

Even so, I think your answer serves a good purpose of pointing out how close these two choices are to each other. It is something to watch out for. Welcome to Stack Overflow! – Prism 18/5, 2020 at 22:4

Thanks wberry I did not see the SPDX definition for "The Unlicense" thats a good call out. – Sydel 20/5, 2020 at 5:39

The Unlicense is the opposite of what the OP wants. It puts the code completely in the public domain. UNLICENSED is the exact opposite, in that the owner maintains copy right protections – Wesleywesleyan 25/4, 2021 at 21:24

Also consider adding "private": true which will cause npm to prevent any publishing of your package. So in package.json :

  "license": "UNLICENSED",
  "private": true,

Ref: https://docs.npmjs.com/cli/v7/configuring-npm/package-json

Sipple answered 2/5, 2021 at 16:7 Comment(0)

Recommended topics

Hot tags