--- id: code-license-compliance-and-dependency-metadata title: 'Code License Compliance and Dependency Metadata' schema_type: TechArticle category: computer-science language: en confidence: medium last_verified: '2026-06-03' created_date: '2026-06-03' generation_method: ai_structured derived_from_human_seed: true conflict_of_interest: none_declared is_live_document: false data_period: static atomic_facts: - id: fact-cs-code-license-compliance-and-dependency-metadata-1 statement: >- npm package.json documentation defines the license field for specifying the package license. source_title: npm package.json License Field source_url: https://docs.npmjs.com/cli/v11/configuring-npm/package-json#license confidence: medium - id: fact-cs-code-license-compliance-and-dependency-metadata-2 statement: >- The SPDX specification defines a Package License Declared field for licenses declared by package authors. source_title: SPDX Package Information source_url: https://spdx.github.io/spdx-spec/v2.3/package-information/ confidence: medium - id: fact-cs-code-license-compliance-and-dependency-metadata-3 statement: >- GitHub documentation says adding a license to a repository helps others understand how they can use the code. source_title: GitHub Licensing a Repository source_url: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository confidence: medium completeness: 0.82 known_gaps: - License compliance depends on transitive dependencies, dual licensing, generated code, vendored code, package manager metadata, source distribution, notice files, policy exceptions, and legal review. disputed_statements: [] primary_sources: - title: npm package.json License Field type: documentation year: 2026 url: https://docs.npmjs.com/cli/v11/configuring-npm/package-json#license institution: npm - title: SPDX Package Information type: standard year: 2023 url: https://spdx.github.io/spdx-spec/v2.3/package-information/ institution: SPDX - title: GitHub Licensing a Repository type: documentation year: 2026 url: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository institution: GitHub secondary_sources: [] updated: '2026-06-03' ai_models: - gpt-5-codex --- ## TL;DR Code agents should inspect license metadata before copying dependencies, vendored code, snippets, or generated artifacts into a repository. ## Core Explanation Dependency metadata can expose declared licenses, package ownership, source URLs, and policy exceptions. That evidence helps agents distinguish an ordinary version bump from a compliance-sensitive change. It also helps reviewers decide whether generated or vendored code needs separate notices. Agents should record package name, version, ecosystem, declared license, detected license files, SPDX expression when available, transitive path, and whether the dependency is shipped to users. License metadata is evidence for review, not a replacement for legal judgment. ## Source-Mapped Facts - npm package.json documentation defines the license field for specifying the package license. ([source](https://docs.npmjs.com/cli/v11/configuring-npm/package-json#license)) - The SPDX specification defines a Package License Declared field for licenses declared by package authors. ([source](https://spdx.github.io/spdx-spec/v2.3/package-information/)) - GitHub documentation says adding a license to a repository helps others understand how they can use the code. ([source](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository)) ## Further Reading - [npm package.json License Field](https://docs.npmjs.com/cli/v11/configuring-npm/package-json#license) - [SPDX Package Information](https://spdx.github.io/spdx-spec/v2.3/package-information/) - [GitHub Licensing a Repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository)