License Compliance

Open source licenses are legal contracts

Every dependency you install comes with license terms. Shipping a GPL library inside a proprietary product without honoring the GPL's terms is a license violation. Most teams don't check until it's too late.


Five risk levels

Not all open source licenses are the same. The risk depends on what the license requires when you distribute your software.

Copyleft

Viral obligation

Derivative works must be released under the same license. If you distribute a binary containing copyleft code, your entire project may need to be open-sourced.

GPL-2.0, GPL-3.0, AGPL-3.0, SSPL-1.0

Weak copyleft

Library-level obligation

Copyleft applies to the library itself, not to your code that uses it. Modifications to the library must be shared, but your project remains yours.

LGPL-2.1, LGPL-3.0, MPL-2.0, EPL-2.0

Permissive

Minimal restrictions

Use in proprietary and open-source projects. Typically requires attribution (keep the copyright notice). No obligation to share your source code.

MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC

Public domain

No restrictions

No conditions at all. Use for any purpose. No attribution required. The author has waived all rights.

Unlicense, CC0-1.0, WTFPL

Proprietary / Restrictive

Custom terms

Source-available but not open source. May restrict commercial use, modification, or redistribution. Always read the full license text.

BUSL-1.1, Elastic-2.0, SSPL-1.0

The AGPL trap for SaaS

AGPL-3.0 extends copyleft to network use. If your web service uses an AGPL library, you must release your entire source code to anyone who uses the service — even over the network. This catches many SaaS companies off guard. A single AGPL dependency in your stack can create a legal obligation to open-source your product.

Common licenses at a glance

| License | What it means | Risk |
|---|---|---|
| MIT | Do anything. Keep the copyright notice. | Permissive |
| Apache-2.0 | Like MIT plus patent grant. State changes made. | Permissive |
| BSD-3-Clause | Do anything. Keep notice. Don't use author's name. | Permissive |
| ISC | Simplified MIT. Do anything, keep notice. | Permissive |
| MPL-2.0 | File-level copyleft. Modified files must be shared. | Weak copyleft |
| LGPL-3.0 | Library copyleft. Link freely, share modifications. | Weak copyleft |
| GPL-3.0 | Strong copyleft. Distributed binaries must be GPL. | Copyleft |
| AGPL-3.0 | Network copyleft. SaaS must release source code. | Copyleft |
| BUSL-1.1 | Source-available. No production use without license. | Proprietary |
| Elastic-2.0 | No competing SaaS. Not OSI-approved open source. | Proprietary |

License compliance checklist

01 Declare your project license. Every project needs a LICENSE file and a license field in package.json / pyproject.toml. Without it, your code is "all rights reserved" by default.
02 Scan dependencies for copyleft. A single GPL or AGPL dependency in your tree can create viral obligations. Automated scanning catches what manual review misses.
03 Check transitive dependencies. Your direct dependencies have dependencies too. A permissive library might depend on a GPL library — the obligation flows through.
04 Flag unknown licenses. "UNKNOWN" or missing license fields are a risk. You can't comply with terms you haven't read. Investigate or replace.
05 Watch for license changes. Libraries can change licenses between versions. Redis, Elasticsearch, and MongoDB all switched from permissive to restrictive. Pin versions and re-scan on updates.
06 Maintain attribution. Most permissive licenses require keeping the copyright notice. Bundle a THIRD-PARTY-NOTICES file with your distribution.
07 Review before acquisition or IPO. License compliance is a due diligence item. Undisclosed copyleft obligations can derail deals. Scan early.
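The five risk levels, the AGPL network-copyleft point and the checklist above can be exercised end to end with a small classifier. The following is an added example written for this page, not the gridwork-license scanner's own code: it classifies license strings into the page's five risk levels, walks direct and transitive dependencies, flags copyleft and unknown licenses (escalating AGPL when the product is a SaaS), reports license changes between two scans, and emits attribution lines for a THIRD-PARTY-NOTICES file. The dependency tree, package names, `scan`, `classify`, `licenseChanges` and `thirdPartyNotices` functions are all constructed for the example; stripping the SPDX "-only" / "-or-later" suffix during normalization is an assumption about how package metadata is written.

```javascript
'use strict';

// Added example, not the gridwork-license scanner's code. The risk levels and
// SPDX identifiers come from the page; the tree at the bottom is constructed
// sample data with fictional package names.

// Risk level per SPDX identifier, using the page's five categories.
const RISK_BY_LICENSE = {
  'GPL-2.0': 'copyleft', 'GPL-3.0': 'copyleft', 'AGPL-3.0': 'copyleft', 'SSPL-1.0': 'copyleft',
  'LGPL-2.1': 'weak-copyleft', 'LGPL-3.0': 'weak-copyleft', 'MPL-2.0': 'weak-copyleft', 'EPL-2.0': 'weak-copyleft',
  'MIT': 'permissive', 'Apache-2.0': 'permissive', 'BSD-2-Clause': 'permissive',
  'BSD-3-Clause': 'permissive', 'ISC': 'permissive',
  'Unlicense': 'public-domain', 'CC0-1.0': 'public-domain', 'WTFPL': 'public-domain',
  'BUSL-1.1': 'proprietary', 'Elastic-2.0': 'proprietary',
};

// Map a license string from package metadata to a known identifier, or 'UNKNOWN'
// when the field is missing, empty, or not in the table. Stripping the SPDX
// "-only" / "-or-later" suffix is an assumption about how metadata is written.
function normalizeLicense(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') return 'UNKNOWN';
  const id = raw.trim().replace(/-(only|or-later)$/i, '').toLowerCase();
  const known = Object.keys(RISK_BY_LICENSE).find((k) => k.toLowerCase() === id);
  return known || 'UNKNOWN';
}

// Risk level for one license string ('unknown' when it cannot be classified).
function classify(raw) {
  return RISK_BY_LICENSE[normalizeLicense(raw)] || 'unknown';
}

// Depth-first walk over direct and transitive dependencies (checklist item 03).
// `tree` maps a package name to { license, dependencies: [names] }; the result
// maps each reachable package to the path through which it was pulled in.
function walkDependencies(tree, roots) {
  const reached = new Map();
  const visit = (name, path) => {
    if (reached.has(name)) return; // shared and cyclic dependencies are visited once
    const node = tree[name];
    reached.set(name, { path, license: node ? node.license : undefined });
    for (const dep of (node && node.dependencies) || []) visit(dep, [...path, dep]);
  };
  for (const root of roots) visit(root, [root]);
  return reached;
}

// Findings for copyleft, proprietary and unknown licenses (items 02 and 04).
// `distribution` is 'saas' or 'binary'; AGPL is escalated for 'saas' because its
// copyleft is triggered by network use, not only by distributing a binary.
function scan(tree, roots, distribution) {
  const findings = [];
  for (const [name, info] of walkDependencies(tree, roots)) {
    const id = normalizeLicense(info.license);
    const risk = classify(info.license);
    const chain = info.path.join(' > ');
    if (risk === 'copyleft') {
      const saasTrap = id === 'AGPL-3.0' && distribution === 'saas';
      findings.push({
        name, id, severity: saasTrap ? 'critical' : 'high',
        reason: `${saasTrap ? 'AGPL network copyleft' : 'copyleft'} (${id}) via ${chain}`,
      });
    } else if (risk === 'unknown') {
      findings.push({ name, id, severity: 'high', reason: `unknown license via ${chain}` });
    } else if (risk === 'proprietary') {
      findings.push({ name, id, severity: 'medium', reason: `restrictive terms (${id}) via ${chain}` });
    }
  }
  return findings;
}

// Packages whose license changed between two scans of the tree (item 05).
function licenseChanges(before, after) {
  return Object.keys(after)
    .filter((n) => before[n] && normalizeLicense(before[n].license) !== normalizeLicense(after[n].license))
    .map((n) => ({ name: n, from: normalizeLicense(before[n].license), to: normalizeLicense(after[n].license) }));
}

// Attribution lines for a THIRD-PARTY-NOTICES file (item 06): every reachable
// package with a known license, except public domain, which requires none.
function thirdPartyNotices(tree, roots) {
  const lines = [];
  for (const [name, info] of walkDependencies(tree, roots)) {
    const id = normalizeLicense(info.license);
    if (id !== 'UNKNOWN' && RISK_BY_LICENSE[id] !== 'public-domain') lines.push(`${name}: ${id}`);
  }
  return lines;
}

// Constructed sample tree: a permissive root that pulls GPL code in transitively,
// a dependency with no license field, and a direct AGPL dependency.
const SAMPLE_TREE = {
  'web-framework': { license: 'MIT', dependencies: ['template-lib', 'crypto-helper'] },
  'template-lib': { license: 'Apache-2.0', dependencies: ['markdown-core'] },
  'markdown-core': { license: 'GPL-3.0-only', dependencies: [] },
  'crypto-helper': { license: undefined, dependencies: [] },
  'search-client': { license: 'AGPL-3.0', dependencies: [] },
};
const ROOTS = ['web-framework', 'search-client'];

// Human-readable report: findings first, then the attribution block.
function report(tree, roots, distribution) {
  const lines = scan(tree, roots, distribution).map((f) => `[${f.severity}] ${f.name}: ${f.reason}`);
  return lines.concat(['--- THIRD-PARTY-NOTICES ---'], thirdPartyNotices(tree, roots)).join('\n');
}

console.log(report(SAMPLE_TREE, ROOTS, 'saas'));
```

Run with `node` and the report lists the GPL library reached through two permissive packages, the dependency with no license field, and the AGPL dependency escalated to critical because the product is a SaaS; switching the third argument to `'binary'` drops the AGPL finding back to the ordinary copyleft severity. Running `scan` against a lockfile parsed into the same `{ license, dependencies }` shape, and `licenseChanges` against the previous lockfile, is the re-scan-on-update step from item 05.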

Scan your dependencies now

Gridwork License Scanner classifies 60+ licenses, detects copyleft conflicts, flags AGPL SaaS risk, and identifies unknown licenses. One command.

npx gridwork-license
