# Code License Compliance and Dependency Metadata

Status: public
Confidence: medium (0.865) (verified)
Last verified: 2026-06-03
Generation: ai_structured

## TL;DR

Code agents should inspect license metadata before copying dependencies, vendored code, snippets, or generated artifacts into a repository.

## Core Explanation

Dependency metadata can expose declared licenses, package ownership, source URLs, and policy exceptions. That evidence helps agents distinguish an ordinary version bump from a compliance-sensitive change. It also helps reviewers decide whether generated or vendored code needs separate notices.

Agents should record package name, version, ecosystem, declared license, detected license files, SPDX expression when available, transitive path, and whether the dependency is shipped to users.

License metadata is evidence for review, not a replacement for legal judgment.

## Source-Mapped Facts

- npm package.json documentation defines the license field for specifying the package license. ([source](https://docs.npmjs.com/cli/v11/configuring-npm/package-json#license))
- The SPDX specification defines a Package License Declared field for licenses declared by package authors. ([source](https://spdx.github.io/spdx-spec/v2.3/package-information/))
- GitHub documentation says adding a license to a repository helps others understand how they can use the code. ([source](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository))

## Further Reading

- [npm package.json License Field](https://docs.npmjs.com/cli/v11/configuring-npm/package-json#license)
- [SPDX Package Information](https://spdx.github.io/spdx-spec/v2.3/package-information/)
- [GitHub Licensing a Repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository)
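As an added example (not code from the original page), the following Python builds the per-dependency evidence record listed in the Core Explanation for an npm package and decides whether a version bump is compliance-sensitive because the declared license changed or the metadata is incomplete. The package names, file lists, and the shape-only SPDX check (which does not validate identifiers against the SPDX license list) are constructed assumptions.

```python
import re
from typing import Optional

# Shape check only: identifiers joined by AND / OR / WITH, optional parentheses.
# Assumption: this does NOT validate identifiers against the SPDX license list.
_SPDX_ID = re.compile(r"^[A-Za-z0-9.+-]+$")


def looks_like_spdx(expr: Optional[str]) -> bool:
    """Return True if expr has the syntactic shape of an SPDX expression."""
    if not expr:
        return False
    tokens = expr.replace("(", " ").replace(")", " ").split()
    if len(tokens) % 2 == 0:  # must alternate: id, operator, id, ...
        return False
    return all(
        tok in ("AND", "OR", "WITH") if i % 2 else _SPDX_ID.match(tok)
        for i, tok in enumerate(tokens)
    )


def license_record(name, version, manifest, files, path, shipped):
    """Build the evidence record the page recommends for one npm dependency."""
    declared = manifest.get("license")
    if isinstance(declared, dict):  # legacy {"type": ..., "url": ...} form
        declared = declared.get("type")
    license_files = [f for f in files
                     if f.upper().startswith(("LICENSE", "LICENCE", "COPYING"))]
    flags = []
    if not declared:
        flags.append("no-declared-license")
    elif not looks_like_spdx(declared):
        flags.append("declared-license-not-spdx")
    if not license_files:
        flags.append("no-license-file-found")
    return {
        "package": name, "version": version, "ecosystem": "npm",
        "declared_license": declared,
        "spdx_expression": declared if looks_like_spdx(declared) else None,
        "license_files": license_files,
        "transitive_path": path, "shipped_to_users": shipped, "flags": flags,
    }


def needs_compliance_review(old, new) -> bool:
    """A bump is compliance-sensitive if the license changed or metadata is flagged."""
    changed = old is not None and old["declared_license"] != new["declared_license"]
    return bool(new["flags"]) or changed


# Constructed sample inputs (fictional package, not a real registry entry).
SAMPLE_OLD = license_record("example-widget", "1.0.0", {"license": "MIT"},
                            ["LICENSE", "index.js"], ["app", "example-widget"], True)
SAMPLE_NEW = license_record("example-widget", "1.1.0", {"license": "SEE LICENSE IN LICENSE.txt"},
                            ["LICENSE.txt", "index.js"], ["app", "example-widget"], True)
```

Running `needs_compliance_review(SAMPLE_OLD, SAMPLE_NEW)` returns True because the declared license is no longer an SPDX expression and differs from the previous version.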