{"id":15382,"library":"spdx-whitelisted","title":"SPDX License Whitelist Checker","description":"spdx-whitelisted is a JavaScript library designed to evaluate whether a given SPDX license expression satisfies a provided whitelist of allowed SPDX licenses. It operates on structured SPDX expression objects, typically generated by parsers like `spdx-expression-parse`, and a list of structured license objects representing the whitelist. This package, currently at version 1.0.0, was forked from version 5.0.0 of `spdx-satisfies`. Its primary function is to return a boolean indicating satisfaction. The library is intended for legal and compliance checks within software projects, helping to ensure that declared licenses conform to organizational policies. It is a stable release with no explicit rapid release cadence mentioned, suggesting a focus on correctness for its specific utility.","status":"active","version":"1.0.0","language":"javascript","source_language":"en","source_url":"https://github.com/jslicense/spdx-whitelisted.js","tags":["javascript","SPDX","law","legal","license","metadata","package","package.json","standards"],"install":[{"cmd":"npm install spdx-whitelisted","lang":"bash","label":"npm"},{"cmd":"yarn add spdx-whitelisted","lang":"bash","label":"yarn"},{"cmd":"pnpm add spdx-whitelisted","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Needed to generate the required structured SPDX expression objects for input arguments.","package":"spdx-expression-parse","optional":false}],"imports":[{"note":"Package exports a single CommonJS function. Direct ESM import is not supported in v1.0.0.","wrong":"import whitelisted from 'spdx-whitelisted';","symbol":"whitelisted","correct":"const whitelisted = require('spdx-whitelisted');"}],"quickstart":{"code":"const assert = require('assert');\nconst whitelisted = require('spdx-whitelisted');\nconst parse = require('spdx-expression-parse'); // Required to generate valid SPDX expression objects\n\n// Define a sample license expression object (parsed from 'MIT')\nconst expressionMIT = parse('MIT');\n\n// Define a sample whitelist: each entry is a structured license object such as { license: 'MIT' }\nconst whitelist = [\n  parse('ISC'),\n  parse('MIT'),\n  parse('Apache-2.0')\n];\n\n// Example 1: Simple MIT license against a whitelist including MIT\nassert(\n  whitelisted(\n    expressionMIT,\n    whitelist\n  )\n);\nconsole.log('MIT is whitelisted (expected true)');\n\n// Example 2: GPL-3.0 is NOT in the whitelist\nconst expressionGPL = parse('GPL-3.0');\nassert(\n  !whitelisted(\n    expressionGPL,\n    whitelist\n  )\n);\nconsole.log('GPL-3.0 is not whitelisted (expected false)');\n\n// Example 3: Complex expression (MIT OR Apache-2.0) AND (ISC OR GPL-2.0) against a partial whitelist\n// Each AND operand has at least one whitelisted OR alternative, so the whole expression passes\nconst complexExpression = parse('(MIT OR Apache-2.0) AND (ISC OR GPL-2.0)');\nconst partialWhitelist = [\n  parse('Apache-2.0'),\n  parse('ISC')\n];\n\nassert(\n  whitelisted(\n    complexExpression,\n    partialWhitelist\n  )\n);\nconsole.log('Complex expression is whitelisted (expected true)');\n\n// Example 4: Demonstrating the 'plus' logic for license versions\n// spdx-expression-parse takes no options argument; a 'GPL-2.0+' whitelist entry is the\n// structured object { license: 'GPL-2.0', plus: true }, which parse('GPL-2.0+') also returns\nassert(whitelisted(\n  parse('GPL-3.0'),\n  [{ license: 'GPL-2.0', plus: true }]\n));\nconsole.log('GPL-3.0 is satisfied by GPL-2.0+ (expected true)');","lang":"javascript","description":"Demonstrates how to use `spdx-whitelisted` to check if various SPDX license expressions satisfy a defined whitelist, including complex expressions and 'plus' version logic."},"warnings":[{"fix":"Always parse raw SPDX strings into structured objects using a robust parser like `spdx-expression-parse` before passing them to `spdx-whitelisted`.","message":"The exported `whitelisted` function performs only naive type checks on its arguments. It does not provide rigorous validation of the SPDX expression or whitelist data structures. Developers must ensure valid input formats, typically by parsing with `spdx-expression-parse`.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-21T00:00:00.000Z","next_check":"2026-07-20T00:00:00.000Z","problems":[{"fix":"Ensure the first argument is an object adhering to the `spdx-expression-parse` AST schema. Always use `require('spdx-expression-parse')('YOUR-SPDX-EXPRESSION')` to generate this input.","cause":"The first argument (the SPDX expression to check) was a string or a malformed object, not a properly structured SPDX expression object.","error":"TypeError: Invalid first argument.  Expects an object."},{"fix":"Provide the second argument as an array, where each element is a structured license object (e.g., `{ license: 'MIT' }`). For robustness, use `require('spdx-expression-parse')('LICENSE-ID')` to generate each entry in the whitelist array.","cause":"The second argument (the license whitelist) was not an array of structured license objects, or contained malformed entries.","error":"TypeError: Invalid second argument.  Expects an array."}],"ecosystem":"npm"}