LICENSE file pointed at in package.json is not included in released packages #959

@codepunkt

The package.json files of the packages in this project have a "license" field that says "SEE LICENSE IN LICENSE".

License automation, which is necessary and important in certain contexts, reads this "license" field to do its magic and usually expects a valid SPDX license identifier string. "SEE LICENSE IN LICENSE" is a special case, which results in reading the LICENSE file for license information. This file does not exist as part of the files released to npm - which means that effectively, your packages released to npm do not carry any licensing information.

Which is bad and might lead to companies not being able to use them due to licensing policy.

Please either

  • include the LICENSE file from the repository in every release of every package (not great, but still better than the status quo)
  • change the "license" field to the appropriate SPDX license identifier (better)
  • change the "license" field to the appropriate SPDX license identifier and include the LICENSE file with license text and copyright information (this is what I would suggest)

For more information, see the readme of webpack-license-plugin. Should anything be unclear, please ask!
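
The check a license scanner effectively performs on this field, as an added example (not code from the issue author, this project, or webpack-license-plugin). The function name `checkLicenseMetadata` is hypothetical, the published file list is assumed to be the `path` values reported by `npm pack --dry-run --json`, and `MIT` is a placeholder identifier, not this project's license.

```javascript
// Added example: classify a package's "license" field against the files
// that are actually published. All sample inputs below are constructed.

const SEE_LICENSE = /^SEE LICENSE IN (.+)$/;
// Shape check only: this does not validate against the SPDX license list.
const SPDX_SHAPE = /^[A-Za-z0-9.+\-]+(\s+(AND|OR|WITH)\s+[A-Za-z0-9.+\-]+)*$/;

// Tarball entries may be prefixed with "package/" or "./".
function normalize(p) {
  return p.replace(/\\/g, "/").replace(/^(\.\/|package\/)/, "");
}

function checkLicenseMetadata(pkg, publishedPaths) {
  const field = typeof pkg.license === "string" ? pkg.license.trim() : "";
  const published = new Set(publishedPaths.map(normalize));
  if (!field) return { status: "missing", detail: "no license field" };

  // "SEE LICENSE IN <file>" is only useful if <file> ships in the tarball.
  const m = SEE_LICENSE.exec(field);
  if (m) {
    const target = normalize(m[1].trim());
    return published.has(target)
      ? { status: "file-ok", detail: target }
      : { status: "file-not-published", detail: target };
  }

  // Otherwise expect something shaped like an SPDX identifier or expression.
  const expr = field.replace(/[()]/g, " ").trim();
  if (SPDX_SHAPE.test(expr)) {
    const hasText = [...published].some((p) => /^licen[cs]e(\.|$)/i.test(p));
    return { status: hasText ? "spdx-with-text" : "spdx-only", detail: field };
  }
  return { status: "unrecognized", detail: field };
}

// Constructed inputs: the reported state, then the three proposed fixes.
const shipped = ["package/package.json", "package/dist/index.js"];
const withLicense = [...shipped, "package/LICENSE"];
console.log(checkLicenseMetadata({ license: "SEE LICENSE IN LICENSE" }, shipped));
console.log(checkLicenseMetadata({ license: "SEE LICENSE IN LICENSE" }, withLicense));
console.log(checkLicenseMetadata({ license: "MIT" }, shipped));
console.log(checkLicenseMetadata({ license: "MIT" }, withLicense));
```
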
