Check license field

[fvsch]

I had a package:

• with a LICENSE file
• without a "license" field in its package.json`

As a result, that package was listed as "License: none" on npmjs.com.

It looks like publint doesn't currently warn about a missing license field in package.json. Maybe it should?

• Without license field: https://publint.dev/servitsy@0.2.0
• With license field: https://publint.dev/servitsy@0.2.1

Relevant npm documentation: https://docs.npmjs.com/cli/v10/configuring-npm/package-json#license

[fvsch]

Ideally a check could be something like:

1. Let license be the value of the package.json "license" field
2. If license is empty, and the package.json doesn't include "private": true, emit a warning.
3. If license is not empty, check that it is:
   • the string UNLICENSED
   • or a valid SPDX license expression

But I suspect checking the SPDX license expression syntax, and loading a list of SPDX licenses, might be prohibitive. Maybe it's enough to just have a generic warning when the license field is missing or empty, and link to the npm docs.

[bluwy]

publint should always run on packages to be published, so I don't think "private": true needs to be checked. Maybe a heuristic instead is that if there's a LICENSE/license/... is detected, we could make sure the "license" field is also set too. The idea sounds great though.

[fvsch]

publint should always run on packages to be published, so I don't think "private": true needs to be checked

That makes sense. I thought the VS Code extension would run on all package.json files, but it looks like it ignores those with "private": true already (vscode-publint.ignore-private-packages is true by default).