7

I am trying to understand if an NPM package can be open-source on GitHub with an MIT license if it depends on NPM packages that are open-source on GitHub with a BSD-2, BSD-3, Apache 1 or Apache 2 License (I've been told GPL and LGPL does prevent an MIT license in this case)?

My project doesn't build binaries, it just gets uploaded to NPM.

Improve this question

3 Answers 3

Reset to default
8

Open Source license obligations are usually triggered on distribution of the software. That is, if you are only distributing your MIT-licensed NPM package via GitHub but none of its (transitive) dependencies, then it's not you who's creating a potentially conflicting license mix (due to maybe contradicting license obligations).

So you're fine as your NPM package only refers to the other packages via its package.json, but these are not included in your distribution. Instead, you require your users to run npm install.

Things would be different if you were distributing e.g. a ZIP archive which for some reason includes your package plus all dependencies. Then it would be you (re-)distributing all the packages, and you would be liable for any license compliance issues.

BTW, this is also why it usually makes a big difference whether you link a dependency dynamically or statically, but that concept does not really apply to JavaScript, and I'm mentioning it only for completeness.

Improve this answer
3
  • 2
    Be careful. E.g. the FSF contends that just writing code to use an API is creating a derivative work, and (depending on how intimate the use of said API is) they might even win the point in court. Commented Aug 22, 2020 at 15:02
  • Interesting, would you have any reference for that? Commented Aug 22, 2020 at 15:51
  • @vonbrand That is only for the purpose of the wording of the GPL though. Apache 2 explicitly says that what you describe is NOT a derivative work for the purpose of the license. The other license use completely different wording to describe attribution requirements: BSD's attribution conditions trigger on distributing a copy of the original software with or without modification, and MIT's attribution conditions trigger on distributing a substantial portion of the original software. Commented Sep 18, 2020 at 3:00
4

The BSD, MIT and Apache license are all permissive licenses. They have little to no restrictions on how code licensed under then can be used and they have no restrictions on how other projects can be licensed.

Improve this answer
5
  • This is pretty accurate. Apache v2 does have a compatibility issue with GPLv2, but that isn't happening here, so... Worry about that if you come to it. Commented Aug 24, 2020 at 21:24
  • @Daniel, and that compatibility issue between Apache and GPLv2 stems from the requirements that the GPLv2 puts on the licenses of the rest of the application. Commented Aug 25, 2020 at 5:30
  • 1
    The Apache-2.0 and GPL-2.0 patent clauses clash. Therefore, Apache-2.0 code cannot be coerced to GPL-2.0. Commented Aug 27, 2020 at 3:49
  • @BartvanIngenSchenau -- I'm not talking about the GPL's general derivative work rules, I'm talking about use of Apache code in GPL v2 code. The issue relates to indemnification and the patent license in the Apache license version 2.0. Commented Sep 7, 2020 at 14:22
  • @Daniel, what I am saying is that Apache doesn't have a compatibility issue with GPLv2, but that GPLv2 has a compatibility issue with Apache. It is the clauses in the GPLv2 that extend its sphere of influence to the entire codebase including third-party libraries and the disallowing of additional clauses around patent licensing that cause the incompatibility. The incompatibility is because the GPL requires that the entire codebase is distributed effectively under the GPL rules and the Apache license has some additional rules that the GPLv2 doesn't allow. Commented Sep 7, 2020 at 15:53
2

Yes. If you are uploading to NPM you also do not need to include the license of downstream BSD or Apache licensed code assuming you are not distributing the dependencies.

It would be a good idea to mention in your README file's licensing section if you used Apache code because of GPL2 compatibility issues, or if you used BSD+Patents code.

Improve this answer
4
  • BSD-2-Clause-Patent is incompatible with GPL-2.0? Commented Aug 27, 2020 at 3:51
  • Actually PATENTS.txt and GPL compatibility is under debate, but I'm mainly mentioning it since users would probably want to know the existence of the patens file, regardless of GPL issues. Commented Aug 28, 2020 at 4:04
  • BSD-2-Clause-Patent is compatible with GPL-2.0. It was especially designed for that purpose. See spdx.org/licenses/BSD-2-Clause-Patent.html and opensource.stackexchange.com/questions/217/… Commented May 6, 2023 at 7:30
  • I am not referring to that license but with specific situations where the licensor chose a restrictive patents license (eg. with the old license of React) that may not be GPL compatible Commented May 7, 2023 at 5:08

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.