License Compliance
Track dependency licenses and enforce compliance policies to avoid legal risks from incompatible licenses.
How License Detection Works
During dependency analysis, DepVault:
- Checks package registry metadata for declared license fields.
- Falls back to `LICENSE` or `COPYING` files in the package source.
- Maps the result to a standardized SPDX identifier (e.g., `MIT`, `Apache-2.0`, `GPL-3.0-only`).
- Marks undetectable licenses as Unknown (defaults to WARN policy).
Compliance Summary
After analysis, the Licenses tab shows each dependency’s compliance status:
| Status | Indicator | Meaning |
|---|---|---|
| Pass | Green | License is explicitly allowed. |
| Warn | Yellow | Review recommended but not blocking. |
| Fail | Red | License is blocked — replace the dependency or obtain an exception. |
A summary bar shows aggregate counts: passing, warnings, failing, and unknown.
Configuring License Policies
Navigate to Settings > License Policies to define rules per SPDX identifier:
| Action | Effect |
|---|---|
| ALLOW | Passes compliance checks silently. |
| WARN | Flagged in the report but not blocking. |
| BLOCK | Fails compliance checks, highlighted in red. |
Licenses without an explicit rule default to WARN.
GPL/AGPL Flagging
Enable the Flag copyleft licenses toggle to automatically BLOCK all GPL-family and AGPL-family licenses — useful for commercial projects.
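The policy evaluation described in this section and the summary counts above, as an added illustrative example rather than DepVault's own code. The dependency list and policy table are constructed sample data; treating only identifiers beginning with `GPL-` or `AGPL-` as the copyleft families (so LGPL is not caught by the toggle) is an assumption.

```python
import csv
import io
from collections import Counter

# Constructed sample input: (name, version, detected SPDX id or None, detection source)
DEPENDENCIES = [
    ("left-pad", "1.3.0", "MIT", "registry"),
    ("fancy-db", "2.0.1", "AGPL-3.0-only", "LICENSE"),
    ("legacy-lib", "0.9.0", None, "none"),
    ("mpl-thing", "4.2.0", "MPL-2.0", "registry"),
]

# Hypothetical per-SPDX policy table, as configured under Settings > License Policies.
POLICY = {"MIT": "ALLOW", "Apache-2.0": "ALLOW", "GPL-3.0-only": "BLOCK"}

# Policy action -> compliance status shown in the Licenses tab.
STATUS = {"ALLOW": "Pass", "WARN": "Warn", "BLOCK": "Fail"}

def is_copyleft_family(spdx):
    # Assumption: the toggle covers GPL-* and AGPL-* only.
    return spdx.startswith("GPL-") or spdx.startswith("AGPL-")

def resolve_action(spdx, policy, flag_copyleft=False):
    """Return (spdx identifier, policy action) for one dependency."""
    if spdx is None:                      # undetectable -> Unknown, defaults to WARN
        return "Unknown", "WARN"
    if flag_copyleft and is_copyleft_family(spdx):
        return spdx, "BLOCK"              # toggle overrides the per-license rule
    return spdx, policy.get(spdx, "WARN")  # no explicit rule -> WARN

def evaluate(deps, policy, flag_copyleft=False):
    rows = []
    for name, version, spdx, source in deps:
        ident, action = resolve_action(spdx, policy, flag_copyleft)
        rows.append({"dependency": name, "version": version, "spdx": ident,
                     "action": action, "status": STATUS[action], "source": source})
    return rows

def summarize(rows):
    counts = Counter(r["status"] for r in rows)
    return {"passing": counts["Pass"], "warnings": counts["Warn"], "failing": counts["Fail"],
            "unknown": sum(r["spdx"] == "Unknown" for r in rows)}

def to_csv(rows):
    """Render the report with the same columns as the CSV export."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["dependency", "version", "spdx", "action", "status", "source"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()
```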
Compliance Report
Export a CSV report from the Licenses tab. The report includes each dependency's name and version, SPDX identifier, policy action, compliance status, and detection source.
Common License Categories
Permissive (typically ALLOW)
MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC
Weak Copyleft (typically WARN)
LGPL-2.1-only, LGPL-3.0-only, MPL-2.0
Strong Copyleft (typically BLOCK for commercial)
GPL-2.0-only, GPL-3.0-only, AGPL-3.0-only — these require derivative works to be distributed under the same license. AGPL extends this requirement to network/server-side use.