Dependency Radar

Licence audit

npm licence audits are harder than they look

If you need to produce a licence report for legal, procurement, investors, clients, or an acquisition, package.json metadata alone is not enough.

npx dependency-radar

What it helps with

Review the dependency evidence, not just the lockfile

Dependency Radar runs against your installed JavaScript or TypeScript project and produces a self-contained report. Registry-backed checks (audit, outdated, signature, and enrichment) need access to the npm registry unless you run with --offline.

SPDX validation

Check each package's declared licence field for valid, deprecated, ambiguous, or missing SPDX data.

Declared vs inferred

Compare package metadata with evidence found in local LICENCE, LICENSE, COPYING, and NOTICE-style files.

Workspace context

See whether a licence concern is direct, transitive, dev-only, runtime-relevant, or tied to a workspace.

Shareable report

Produce a self-contained HTML report for legal, procurement, investors, clients, or acquisition review.

SBOM outputs

Generate SPDX and CycloneDX outputs for licence and compliance workflows.

PNPM and workspaces

Review installed dependency evidence in modern npm-compatible package manager projects.

Origin

Built from a real licence audit need

In January 2026, my company needed a licence audit as part of an acquisition process. Existing tools were awkward on modern JavaScript repos and did not give the reviewable, explainable output I wanted. Dependency Radar started as the tool I wished I had then.

  • Designed around installed JavaScript and TypeScript projects
  • Built to produce evidence that can be reviewed outside the CLI
  • Useful before legal, procurement, clients, investors, or acquisition teams ask for the report

Evidence

package.json metadata is not the whole story

Most npm packages declare licence metadata in package.json, but that field can be missing, malformed, deprecated, ambiguous, or inconsistent with the licence file actually shipped in the package.

  • Validate declared SPDX expressions
  • Read local LICENCE, LICENSE, COPYING, and NOTICE-style files
  • Infer licence evidence from installed package files
  • Flag declared-vs-inferred mismatches for review
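Both the SPDX validation and the declared-vs-inferred comparison described on this page come down to a few mechanical steps. The following is an added JavaScript example, not Dependency Radar's own code: it classifies a package.json licence field (missing, legacy object/array form, UNLICENSED, SEE LICENSE IN, syntactically invalid, unknown or deprecated identifier, or valid), fingerprints the shipped licence text, and flags a mismatch between the two. The identifier tables, the fingerprint phrases and the package fixtures are constructed assumptions, cut down to a handful of entries to stay readable.

```javascript
// Added example, not Dependency Radar's own code: classify an npm package's declared licence
// field and compare it with the licence file it ships. The identifier tables and text
// fingerprints are small constructed subsets, not the full SPDX licence list.
const KNOWN_IDS = new Set(['MIT', 'ISC', '0BSD', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0',
  'MPL-2.0', 'GPL-2.0-only', 'GPL-2.0-or-later', 'GPL-3.0-only', 'GPL-3.0-or-later', 'LGPL-2.1-only',
  'LGPL-2.1-or-later', 'LGPL-3.0-only', 'LGPL-3.0-or-later', 'AGPL-3.0-only', 'AGPL-3.0-or-later', 'Unlicense', 'CC0-1.0']);
// Identifiers the SPDX list has deprecated, mapped to the replacement a reviewer expects.
const DEPRECATED_IDS = { 'GPL-2.0': 'GPL-2.0-only', 'GPL-2.0+': 'GPL-2.0-or-later', 'GPL-3.0': 'GPL-3.0-only',
  'GPL-3.0+': 'GPL-3.0-or-later', 'LGPL-2.1': 'LGPL-2.1-only', 'LGPL-3.0': 'LGPL-3.0-only', 'AGPL-3.0': 'AGPL-3.0-only' };
// Phrases that identify a licence family in LICENSE/LICENCE/COPYING text. Order matters:
// the BSD-3-Clause text also contains the BSD-2-Clause wording.
const FINGERPRINTS = [
  ['Apache-2.0', /apache license,?\s+version 2\.0/i],
  ['MIT', /permission is hereby granted, free of charge/i],
  ['GPL-3.0', /gnu general public license\s+version 3/i],
  ['GPL-2.0', /gnu general public license\s+version 2/i],
  ['BSD-3-Clause', /neither the name[\s\S]*?may be used to endorse/i],
  ['BSD-2-Clause', /redistributions of source code must retain the above copyright/i],
];
// Parse an SPDX expression (ids joined by AND/OR, optional WITH exception, parentheses) and
// return the licence identifiers it names; throws on anything that is not an expression.
function spdxIds(expr) {
  const tokens = expr.match(/\(|\)|[A-Za-z0-9.+-]+/g) || [];
  if (tokens.join('') !== expr.replace(/\s+/g, '')) throw new Error(`unexpected characters in "${expr}"`);
  let pos = 0;
  const ids = [];
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  function term() {
    if (peek() === '(') { next(); expression(); if (next() !== ')') throw new Error('missing )'); return; }
    const id = next();
    if (!id || /^(AND|OR|WITH|\))$/.test(id)) throw new Error(`expected licence id, got "${id}"`);
    ids.push(id);
    if (peek() === 'WITH') { next(); if (!next()) throw new Error('missing exception after WITH'); }
  }
  function expression() {
    term();
    while (peek() === 'AND' || peek() === 'OR') { next(); term(); }
  }
  expression();
  if (pos !== tokens.length) throw new Error(`trailing tokens in "${expr}"`);
  return ids;
}
// Classify the declared metadata of one parsed package.json object.
function classifyDeclared(pkg) {
  if (pkg.license == null && pkg.licenses == null) return { status: 'missing', ids: [] };
  if (Array.isArray(pkg.licenses) || (pkg.license && typeof pkg.license === 'object')) {
    // Pre-SPDX object/array forms still found in old packages: not an expression, flag for review.
    const raw = Array.isArray(pkg.licenses) ? pkg.licenses : [pkg.license];
    return { status: 'legacy', ids: raw.map((l) => (l && l.type) || String(l)) };
  }
  const expr = String(pkg.license).trim();
  if (expr === 'UNLICENSED') return { status: 'unlicensed', ids: [] };
  if (/^SEE LICENSE IN /i.test(expr)) return { status: 'custom', ids: [] }; // npm's escape hatch
  let ids;
  try { ids = spdxIds(expr); } catch (e) { return { status: 'invalid', ids: [], reason: e.message }; }
  const unknown = ids.filter((id) => !KNOWN_IDS.has(id) && !(id in DEPRECATED_IDS));
  if (unknown.length) return { status: 'unknown-id', ids, unknown };
  const deprecated = ids.filter((id) => id in DEPRECATED_IDS);
  if (deprecated.length) return { status: 'deprecated', ids, replace: Object.fromEntries(deprecated.map((d) => [d, DEPRECATED_IDS[d]])) };
  // An OR expression is valid SPDX but leaves a choice the reviewer has to record.
  return { status: 'valid', ids, choice: ids.length > 1 && /\bOR\b/.test(expr) };
}
// Infer the licence family from licence file text; null when there was no file to read.
function inferFromText(text) {
  if (!text) return null;
  const hit = FINGERPRINTS.find(([, re]) => re.test(text));
  return hit ? hit[0] : 'unrecognised';
}
// Reduce an id to its family so GPL-3.0, GPL-3.0-only and GPL-3.0-or-later compare equal: the
// licence text alone cannot distinguish "only" from "or later", that lives in source headers.
const familyOf = (id) => id.replace(/-(only|or-later)$/, '').replace(/\+$/, '');
// Combine declared and inferred evidence for one installed package.
function auditPackage(pkg, licenseText) {
  const declared = classifyDeclared(pkg);
  const inferred = inferFromText(licenseText);
  const families = declared.ids.map(familyOf);
  // Only assert a mismatch when both sides produced a concrete identifier.
  const mismatch = inferred !== null && inferred !== 'unrecognised' && families.length > 0 && !families.includes(inferred);
  return { name: pkg.name, declared, inferred, mismatch };
}
// Constructed fixtures standing in for node_modules/<name>/package.json plus licence file text.
const MIT_TEXT = 'MIT License\n\nPermission is hereby granted, free of charge, to any person obtaining a copy ...';
const APACHE_TEXT = 'Apache License\nVersion 2.0, January 2004\nhttp://www.apache.org/licenses/ ...';
const GPL3_TEXT = 'GNU GENERAL PUBLIC LICENSE\nVersion 3, 29 June 2007 ...';
const FIXTURES = [
  [{ name: 'tidy-pkg', license: 'MIT' }, MIT_TEXT],
  [{ name: 'old-style-gpl', license: 'GPL-3.0' }, GPL3_TEXT],
  [{ name: 'mislabelled', license: 'MIT' }, APACHE_TEXT],
  [{ name: 'legacy-field', licenses: [{ type: 'MIT', url: 'https://opensource.org/licenses/MIT' }] }, MIT_TEXT],
  [{ name: 'dual', license: '(MIT OR Apache-2.0)' }, APACHE_TEXT],
  [{ name: 'slash-expr', license: 'MIT/Apache-2.0' }, null],
  [{ name: 'no-metadata', version: '0.0.1' }, ''],
];
function auditAll(fixtures = FIXTURES) { return fixtures.map(([pkg, text]) => auditPackage(pkg, text)); }
for (const r of auditAll()) {
  console.log(r.name.padEnd(14), r.declared.status.padEnd(11), String(r.inferred).padEnd(13), r.mismatch ? 'MISMATCH' : '');
}
```

Run it with node. In a real audit you would feed it every node_modules/**/package.json together with the text of the LICENSE, LICENCE, COPYING or NOTICE file beside it, and swap the toy tables for the full SPDX licence list. Two design points carry over to any implementation: a legacy `licenses` array or a `MIT/Apache-2.0` string is never silently coerced into an identifier, it is surfaced for review; and the comparison is done per licence family, because the text of a GPL licence file cannot tell you whether the package is `-only` or `-or-later`.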

Context

See where a licence issue comes from

A concerning licence is easier to handle when you know whether it is direct, deeply transitive, dev-only, or pulled in by one workspace.

  • Show dependency depth and paths
  • Keep workspace context attached to dependency evidence
  • Separate direct and transitive dependency review
  • Use the HTML report as a review artefact
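The depth, path and dev-only bookkeeping this section describes can be derived from the lockfile alone. The following is an added JavaScript example, not Dependency Radar's own code: it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3), resolves each dependency the way Node does (nearest node_modules first, then upwards), and records for every installed copy its shortest path from the root, its depth, and whether it is reachable through production dependencies at all. The lockfile is a constructed fixture; optional and peer dependencies are deliberately not followed, and workspace handling is out of scope here.

```javascript
// Added example, not Dependency Radar's own code: derive depth, dependency path and dev-only
// status for every package in the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
// The lockfile below is a constructed fixture; the field names follow npm's lockfile format.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { express: '^4.0.0', 'left-pad': '^1.0.0' }, devDependencies: { jest: '^29.0.0' } },
    'node_modules/express': { version: '4.0.0', dependencies: { debug: '^2.0.0' } },
    'node_modules/debug': { version: '2.0.0', dependencies: { ms: '^2.0.0' } },
    'node_modules/ms': { version: '2.0.0' },
    'node_modules/left-pad': { version: '1.0.0' },
    'node_modules/jest': { version: '29.0.0', dev: true, dependencies: { chalk: '^4.0.0', ms: '^3.0.0' } },
    // Nested copy: jest wants a different major of ms than express does.
    'node_modules/jest/node_modules/ms': { version: '3.0.0', dev: true },
    'node_modules/chalk': { version: '4.0.0', dev: true },
  },
};

// Resolve a dependency name from a package location the way Node does: try the nearest
// node_modules directory, then walk up towards the project root. Returns null if absent.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Breadth-first walk from a set of root dependencies; records the shortest path to each
// package not already in `visited`. Only "dependencies" are followed here; a real audit
// must also follow optionalDependencies and installed peerDependencies.
function walk(packages, startDeps, visited, paths) {
  const queue = Object.keys(startDeps || {}).map((name) => ({ from: '', name, path: [] }));
  while (queue.length) {
    const { from, name, path } = queue.shift();
    const loc = resolveDep(packages, from, name);
    if (!loc || visited.has(loc)) continue;
    visited.add(loc);
    paths[loc] = [...path, name];
    for (const dep of Object.keys(packages[loc].dependencies || {})) {
      queue.push({ from: loc, name: dep, path: paths[loc] });
    }
  }
}

// Two passes: production dependencies first, then everything. Anything first reached in the
// second pass is dev-only, because any path through a runtime package would already have
// been found in the first pass.
function contextualise(lock) {
  const packages = lock.packages;
  const root = packages[''];
  const prod = new Set();
  const paths = {};
  walk(packages, root.dependencies, prod, paths);
  const all = new Set(prod);
  walk(packages, { ...root.dependencies, ...root.devDependencies }, all, paths);
  const rows = {};
  for (const loc of all) {
    const path = paths[loc];
    rows[loc] = {
      name: path[path.length - 1],
      version: packages[loc].version,
      depth: path.length,                       // 1 = direct dependency of the root
      path: path.join(' > '),
      direct: path.length === 1,
      devOnly: !prod.has(loc),
      lockSaysDev: Boolean(packages[loc].dev),  // cross-check against npm's own flag
    };
  }
  return rows;
}

for (const [loc, r] of Object.entries(contextualise(LOCK))) {
  console.log(`${r.name}@${r.version}`.padEnd(16), r.devOnly ? 'dev-only' : 'runtime ', `depth ${r.depth}`, r.path.padEnd(22), `(${loc})`);
}
```

The fixture is chosen so that the same package name appears twice with different verdicts: `ms@2.0.0` is runtime-relevant at depth 3 via `express > debug > ms`, while `ms@3.0.0` is a dev-only nested copy under jest. A licence finding on "ms" means nothing until it is attached to the specific installed copy and its path, which is exactly the context a reviewer needs before deciding whether a concern blocks a release or only touches the test toolchain. The `lockSaysDev` field is kept so the derived verdict can be cross-checked against the `dev` flag npm writes into the lockfile.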

Exports

Generate outputs for compliance workflows

The HTML report is useful for review, but Dependency Radar can also emit structured data for downstream compliance and SBOM tooling.

  • Generate SPDX output
  • Generate CycloneDX output
  • Export JSON for custom checks
  • Share the report without asking reviewers to run a CLI


Try it

Generate a report locally

Run Dependency Radar in the root of your project to generate a reviewable HTML report plus machine-readable licence and SBOM outputs.