I've got a package.json that's expecting a SPDX-approved license acronym, but I can't find one that means 'proprietary commercial license, all rights reserved'.
Is there one for non-FOSS, where I want to specify that I want to allow no reuse?
As of npm 3.10 you have to use UNLICENSED:
{ "license": "UNLICENSED" }
or
{ "license": "SEE LICENSE IN <filename>" }
The value of license must be either one of the options above or the identifier for the license from this list of SPDX licenses. Any other value is not valid.
The following is no longer valid for current versions of npm
For npm versions before 3.10 you may use:
{ "license" : "LicenseRef-LICENSE" }
Then include a LICENSE file at the top level of the package. It could be as short as:
(c) Copyright 2015 person or company, all rights reserved.
But you might want to be more explicit about what is not allowed.
Not so sure about npm specifically, but SPDX standard version 1.2 (2013) and later has provision for specifying arbitrary custom licensing terms, in their machine-readable license expressions format. See the section "Other Licensing Information Detected":
5.1.4 Data Format: "LicenseRef-"[idString] where [idString] is a unique string containing letters, numbers, “.”, “-” or “+”.
This is also present in the latest (today) spec version 2.3 (2022).
So basically, we should be able to say:
{ "license": "LicenseRef-Proprietary" }
{ "license": "LicenseRef-Custom-Commercial-Agreement" }
{ "license": "LicenseRef-PrivateUndisclosed" }
and so on, along those lines.
Relatedly, there's also the special keyword NOASSERTION — but it isn't considered a "valid SPDX License Expression", and I'm not positive if it's intended for package developers. See PackageLicenseDeclared: that keyword is apparently for license-scanning software to express "I failed to determine the SPDX ID of the package's license, or didn't even try".
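As an added example (not code from the question or either answer, and not npm's own validator), the following JavaScript applies the rules the two answers describe to a set of package manifests, the kind of check you would run in CI over node_modules to catch dependencies with a missing, unrecognised or non-FOSS license value. It accepts UNLICENSED, SEE LICENSE IN <filename>, a LicenseRef- identifier in the SPDX 5.1.4 format, and simple SPDX expressions; it rejects NOASSERTION and free-form strings such as "Proprietary". The SPDX identifier list is a hand-picked subset and the sample manifests are constructed, both assumptions for offline use; npm's real check lives in the validate-npm-package-license package and uses the full SPDX list.

```javascript
// Added example, not npm's own code: a simplified re-implementation of the
// package.json "license" rules as stated in the answers above.

// Assumption: a hand-picked subset of SPDX identifiers so this runs offline.
// A real check would load the full list (e.g. the spdx-license-ids package).
// Note that "Unlicense" (a public-domain dedication) is a different thing
// from npm's "UNLICENSED" keyword.
const SPDX_IDS = new Set([
  'MIT', 'ISC', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause',
  'GPL-2.0-only', 'GPL-3.0-only', 'LGPL-2.1-only', 'MPL-2.0', 'Unlicense',
]);

// SPDX "Other Licensing Information" data format (spec 1.2 section 5.1.4,
// still present in 2.3): "LicenseRef-" followed by letters, digits, ".", "-" or "+".
const LICENSE_REF_RE = /^LicenseRef-[A-Za-z0-9.+-]+$/;
// npm's alternative to an SPDX expression: point at a file inside the package.
const SEE_LICENSE_RE = /^SEE LICENSE IN (\S+)$/;

// Classify one "license" value. ok === false means the value is one npm
// (per the first answer) would not accept; proprietary === true means a human
// should read the terms before the package is used or redistributed.
function classifyLicense(value) {
  if (typeof value !== 'string' || value.trim() === '') {
    return { kind: 'missing', ok: false };
  }
  if (value === 'UNLICENSED') {
    return { kind: 'unlicensed', ok: true, proprietary: true };
  }
  const see = SEE_LICENSE_RE.exec(value);
  if (see) {
    return { kind: 'see-license', ok: true, proprietary: true, file: see[1] };
  }
  if (LICENSE_REF_RE.test(value)) {
    // Custom terms per SPDX; treat as proprietary until someone reads them.
    return { kind: 'license-ref', ok: true, proprietary: true, ref: value };
  }
  if (value === 'NOASSERTION') {
    // Scanner keyword meaning "not determined"; not a valid license expression.
    return { kind: 'noassertion', ok: false };
  }
  // Minimal SPDX expression support: identifiers (optionally with a trailing
  // "+") joined by AND / OR, with parentheses. "WITH" exception clauses are
  // not parsed here and therefore come out as invalid.
  const stripped = value.replace(/[()]/g, ' ').trim();
  const terms = stripped.split(/\s+(?:AND|OR)\s+/);
  const unknown = terms.filter((t) => !SPDX_IDS.has(t.replace(/\+$/, '')));
  if (unknown.length > 0) {
    return { kind: 'invalid', ok: false, unknown };
  }
  return { kind: 'spdx', ok: true, proprietary: false, ids: terms };
}

// Run the check over {name, version, license} manifests and return the ones
// that need attention: invalid or missing values, and non-FOSS terms.
function auditPackages(manifests) {
  const findings = [];
  for (const pkg of manifests) {
    const result = classifyLicense(pkg.license);
    if (!result.ok) {
      findings.push({ name: pkg.name, version: pkg.version, severity: 'error',
        reason: `unrecognised license value: ${String(pkg.license)}` });
    } else if (result.proprietary) {
      findings.push({ name: pkg.name, version: pkg.version, severity: 'review',
        reason: `non-FOSS terms (${result.kind}): ${pkg.license}` });
    }
  }
  return findings;
}

// Constructed sample manifests for the demonstration; these are not real packages.
const SAMPLE_MANIFESTS = [
  { name: 'internal-billing', version: '2.3.1', license: 'UNLICENSED' },
  { name: 'vendor-sdk', version: '1.0.0', license: 'SEE LICENSE IN LICENSE.txt' },
  { name: 'partner-lib', version: '0.9.0', license: 'LicenseRef-Custom-Commercial-Agreement' },
  { name: 'tiny-util', version: '1.3.0', license: 'MIT' },
  { name: 'dual-lib', version: '4.0.0', license: '(MIT OR Apache-2.0)' },
  { name: 'old-style', version: '0.1.0', license: 'Proprietary' },
  { name: 'scanner-output', version: '0.0.1', license: 'NOASSERTION' },
  { name: 'no-license', version: '0.0.2' },
];

for (const f of auditPackages(SAMPLE_MANIFESTS)) {
  console.log(`${f.severity}\t${f.name}@${f.version}\t${f.reason}`);
}
```

On the constructed sample this reports three errors (the free-form "Proprietary" string, NOASSERTION, and the missing field) and three entries for review (UNLICENSED, SEE LICENSE IN, and the LicenseRef- value). Whether npm itself accepts LicenseRef- values is the open point in the second answer; the checker follows that answer and treats them as valid but proprietary.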