211

I have a small node.js project that is company-internal and will not be released publicly or shared with third parties. It certainly will not be contributed to any public package repositories.

But when I run npm install I always get the following error:

npm WARN package.json <<myproject>>@0.1.0 license should be a valid SPDX license expression

The desired license is: "copyright by us and all rights reserved". I could not find anything that looked applicable in the SPDX license list. The suggestion in this answer does not work either. If I simply remove the license field from package.json the error changes to no license field.

How do I get npm install to show no errors or warnings without putting a license reference in there that we do not want to use?

Jonas Stein
wberry

4 Answers

343

According to the new npm specification you can use { "license": "UNLICENSED"} if you do not wish to grant others the right to use a private or unpublished package under any terms.

Please refer to the full details here

So you might not get the error you mentioned.

kds
  • This certainly is great for no license, but doesn't help if you want to reference an external license. – brandonscript Dec 16 '15 at 23:01
  • 28
    From the same npmjs page, "Consider also setting "private": true to prevent accidental publication." – bgth Dec 21 '15 at 06:32
  • 1
    the SPDX list contains `Unlicense` without the final D and in mixed case. is that what you're referring to? though in looking at it, doesn't seem like that would be the right thing. there is no `UNLICENSED` in the list – ekkis Mar 19 '17 at 03:22
  • @ekkis, the documentation of `package.json` does describe `UNLICENSED` as a valid value (cf. https://docs.npmjs.com/files/package.json#license). – Frederik Krautwald Sep 08 '17 at 07:46
  • 27
    @ekkis The Unlicense is the complete opposite of `{ "license": "UNLICENSED" }` https://spdx.org/licenses/Unlicense. (I realize you had a look at the license and saw it wasn't right, I just thought this needs to be spelled out here just in case) – JollyJoker Nov 06 '17 at 11:16
  • 2
    Better to use "SEE LICENSE IN ", even though "UNLICENSED" is a valid value it does not specify your conditions, see the answer provided by brandonscript below. – Pablo Dec 26 '19 at 17:31
  • Wouldn't unlicensed mean you are not specifying what the license is, which means people can do whatever they want with it, including distributing it under a new and permissive license? Isn't that exactly the opposite of what the question is wanting? – still_dreaming_1 Aug 15 '20 at 14:29
  • 1
    @still_dreaming_1 the legal assumption is that you don't have rights to use anything, unless the owner grants you some rights. Something that is "unlicensed" means you have no license, so you can't use it in any way - unless it falls under "fair use" legislation in your jurisdiction. This is why there are so many open source licenses - copyright owners (in this case, software developers) disagree on how things should be shared, and lawyers disagree on how owners' preferences should be worded to ensure they are enforceable. Put simply, no license = no rights. – Matt Jul 09 '21 at 05:37
  • Does "Unlicensed" allow developers within the company to use, modify, etc. the package? –  Nov 16 '22 at 17:23
  • The unlicense listing states anyone can do anything with the code. I recommend using the license file in other answer here. – DanielD Mar 15 '23 at 18:05
66

According to the latest docs for package.json:

If you are using a license that hasn't been assigned an SPDX identifier, or if you are using a custom license, use the following valid SPDX expression:

{ "license" : "SEE LICENSE IN <filename>" }

Then include a file named <filename> at the top level of the package.

Community
brandonscript
  • 1
    Brandonscript, how do you include a file named at the top level of the package? Sorry, I'm sure this is a basic question, but thank you for your help in advance. – Lazor Jan 01 '21 at 22:54
  • 1
    @Lazor please use the “ask” button to ask a new question – brandonscript Jan 01 '21 at 23:23
  • Is there a way to link a new question to your comment, since it would be an attempt to clarify what you said? Also, I found the answer here: https://docs.npmjs.com/cli/v6/configuring-npm/package-json#files and https://stackoverflow.com/questions/40795836/how-do-you-use-the-files-and-directories-properties-in-package-json – Lazor Jan 02 '21 at 00:02
37

UNLICENSED means that it is not licensed, while "unlicense", with no "d" at the end, refers to a license named The Unlicense, which is something very different. To prevent confusion, and if you want to assert a copyright, you should point someone to your own internal license file.

Definitely DO NOT use:

{ "license": "unlicense" }

as suggested by the top voted answer if you wish to clearly communicate that you wish to have a copyright claim style license.

A clip from the first two paragraphs of the UNLICENSE license makes clear this has no relation at all to the OP's request to have a copyright claim:

This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or distribute this software, either in source code form or as a compiled binary, for any purpose, commercial or non-commercial, and by any means.

To the top voted answer's credit, the Node documentation page makes a claim that the use of the UNLICENSED option is to make it so you are not granting any rights to others:

if you do not wish to grant others the right to use a private or unpublished package under any terms:

This does not appear to be a safe choice for retaining your rights. You could infer that the lack of the extra "D" means these are two entirely different terms, but you cannot assume that others will know that, and when they search for what the UNLICENSED license is, they may get the link to The Unlicense.

So, the following:

{ "license": "SEE LICENSE IN <filename>" }

is the safer answer at this time.

ggriffin
Carl Kidwell
  • 6
    I don't think this is correct. The SPDX list of licenses does include an entry for "The Unlicense" that you found, and it is different than the "UNLICENSED" which grants no rights. https://spdx.org/licenses/Unlicense.html So while a spelling error would be highly consequential ("Unlicense" being an unrestricted license and "UNLICENSED" reserving all rights), there is no ambiguity. The package.json spec clearly states that "UNLICENSED" does not grant any rights "under any terms". – wberry May 18 '20 at 22:02
  • 1
    Even so, I think your answer serves a good purpose of pointing out how close these two choices are to each other. It is something to watch out for. Welcome to Stack Overflow! – wberry May 18 '20 at 22:04
  • 1
    Thanks wberry I did not see the SPDX definition for "The Unlicense", that's a good call out. – Carl Kidwell May 20 '20 at 05:39
  • The Unlicense is the opposite of what the OP wants. It puts the code completely in the public domain. UNLICENSED is the exact opposite, in that the owner maintains copyright protections – Gambai Apr 25 '21 at 21:24
31

Also consider adding "private": true which will cause npm to prevent any publishing of your package. So in package.json :

  "license": "UNLICENSED",
  "private": true,

Ref: https://docs.npmjs.com/cli/v7/configuring-npm/package-json

GraSim
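An added example, not taken from any answer above: a small Node.js check that applies the advice in these answers to an internal package, accepting only `UNLICENSED` or `SEE LICENSE IN <filename>`, requiring `"private": true`, and flagging the `Unlicense` mix-up. The policy itself and the names `auditInternalPackage`, `auditDir` and `fileExists` are assumptions made for illustration.

```javascript
// Added example: policy check for a company-internal package.json.
// The policy and every name below are assumptions, not npm's own API.
function auditInternalPackage(pkg, fileExists) {
  const findings = [];

  // "private": true makes npm refuse to publish the package.
  if (pkg.private !== true) {
    findings.push('missing "private": true, accidental publication is possible');
  }

  const license = pkg.license;
  if (typeof license !== "string" || license.trim() === "") {
    findings.push("no license field");
    return findings;
  }

  const seeFile = /^SEE LICENSE IN (.+)$/.exec(license);
  if (license === "UNLICENSED") {
    // Valid per the package.json docs: grants no rights to others.
  } else if (seeFile) {
    // The referenced file must exist at the top level of the package.
    const name = seeFile[1].trim();
    if (name.startsWith("<") || name.includes("/") || name.includes("\\")) {
      findings.push(`license file "${name}" must be a real top-level file name`);
    } else if (!fileExists(name)) {
      findings.push(`license file "${name}" not found at package root`);
    }
  } else if (/^unlicensed?$/i.test(license)) {
    // "Unlicense" is the SPDX id of The Unlicense (public-domain dedication);
    // a miscased "unlicensed" is not the value the docs describe either.
    findings.push(`"${license}" is not "UNLICENSED"; Unlicense means The Unlicense (public domain)`);
  } else {
    findings.push(`"${license}" is not allowed by this internal-only policy`);
  }
  return findings;
}

// Run the check against a package directory on disk.
function auditDir(dir) {
  // Loaded here so auditInternalPackage stays a pure, testable function.
  const fs = require("fs");
  const path = require("path");
  const pkg = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8"));
  return auditInternalPackage(pkg, (f) => fs.existsSync(path.join(dir, f)));
}
```

Calling `auditDir(".")` in CI and failing the build on a non-empty result catches both the one-letter license mix-up and a missing `private` flag before the package can leave the company.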