定制 madewithlove/license-checker 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

madewithlove/license-checker

Composer 安装命令:

composer require madewithlove/license-checker

包简介

CLI tool to verify allowed licenses for composer dependencies

README 文档

README

This library offers a simple CLI tool to show the licenses used by composer dependencies in your project. These licenses can be verified against a list of allowed (or denied) licenses to offer a way for your continuous integration pipeline to block merging when a non-verified license is being introduced to the codebase.

Upgrading from 2.x

Version 3.x introduces a new structured configuration format. Run the migration command to upgrade:

vendor/bin/license-checker migrate-config --remove-old

This converts your .allowed-licenses file to the new .license-checker.yml format. See full migration details below.

Installation

Installing should be a breeze thanks to composer: Note that you need PHP 8.4 to install the latest version (3.x).

composer require madewithlove/license-checker

Configuration

Create a .license-checker.yml file in the root of your project (where composer.json is located).

Allowlist mode

Only the listed licenses are permitted. Any dependency using a license not on this list will be flagged:

# .license-checker.yml
allowed:
  - MIT
  - BSD-3-Clause
  - Apache-2.0

Denylist mode

All licenses are permitted except the ones listed. Use this when you want to block specific licenses:

# .license-checker.yml
denied:
  - GPL-3.0
  - AGPL-3.0

Note: allowed and denied are mutually exclusive — you must use one or the other, not both.

It's possible to use a custom configuration file by passing the --filename (or -f) option to the CLI commands.

Usage

These are the different CLI commands:

Check licenses

vendor/bin/license-checker check

List used licenses

vendor/bin/license-checker used

List configured licenses

Shows the configured allowed or denied licenses:

vendor/bin/license-checker list-config

Count used licenses

vendor/bin/license-checker count

Automatically generate configuration

This command will automatically generate a .license-checker.yml configuration in allowlist mode based on the currently used licenses:

vendor/bin/license-checker generate-config

Excluding development dependencies

Passing the --no-dev option to the CLI commands will scope all checks to production dependencies only. Checking production and development dependencies against separate configuration files is possible by passing options:

vendor/bin/license-checker check --no-dev --filename .license-checker-production.yml
vendor/bin/license-checker check --filename .license-checker-including-dev.yml

Output Formats (--format option)

You can choose how license information is displayed — as a human-readable table (text), machine-readable JSON (json), or SARIF for GitHub Actions code scanning (sarif).

vendor/bin/license-checker check --format=json
{
    "laravel/framework": {
        "license": "MIT",
        "is_allowed": true
    },
    "phpunit/phpunit": {
        "license": "BSD-3-Clause",
        "is_allowed": false
    }
}
vendor/bin/license-checker check --format=text
✓  phpunit/phpunit [BSD-3-Clause]
✓  symfony/console [MIT]

By default, results are printed as human-readable text. Use --format=json for structured machine-readable output. Use --format=sarif to generate a SARIF report for GitHub Actions integration (see below).

GitHub Actions integration

The --format=sarif option outputs results in SARIF 2.1.0 format, which GitHub can display as code scanning alerts directly on pull requests.

Each root dependency that requires a disallowed license — either directly or through a transitive dependency — appears as a separate annotation pointing to your composer.json.

Example workflow

# .github/workflows/license-check.yml
name: License check

on: [push, pull_request]

jobs:
  license-check:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # required to upload SARIF results
    steps:
      - uses: actions/checkout@v4

      - name: Install dependencies
        run: composer install --no-interaction --prefer-dist

      - name: Check licenses
        id: license-check
        run: vendor/bin/license-checker check --format=sarif > license-results.sarif
        continue-on-error: true

      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: license-results.sarif
          category: license-checker

      - name: Fail if license violations found
        if: steps.license-check.outcome == 'failure'
        run: exit 1

Note: continue-on-error: true ensures the SARIF upload always runs even when violations are found. The final step then checks the original outcome and fails the build, so violations still block the pipeline.

SARIF output example

{
    "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
    "version": "2.1.0",
    "runs": [
        {
            "tool": {
                "driver": {
                    "name": "license-checker",
                    "rules": [{ "id": "license-not-allowed" }]
                }
            },
            "results": [
                {
                    "ruleId": "license-not-allowed",
                    "level": "error",
                    "message": {
                        "text": "\"my/package\" requires \"bad/subdep\" which uses the disallowed license \"GPL-3.0\""
                    },
                    "locations": [
                        {
                            "physicalLocation": {
                                "artifactLocation": { "uri": "composer.json" }
                            },
                            "logicalLocations": [
                                { "name": "my/package", "kind": "package" }
                            ]
                        }
                    ]
                }
            ]
        }
    ]
}

Migrating from 2.x

Version 3.x introduces a new structured configuration format. Here's what changed:

Configuration file format

The old format was a plain YAML list in .allowed-licenses:

# OLD format (.allowed-licenses) — no longer supported
- MIT
- BSD-3-Clause

The new format uses a structured YAML file (.license-checker.yml) with an explicit allowed or denied key:

# NEW format (.license-checker.yml)
allowed:
  - MIT
  - BSD-3-Clause

Automatic migration

Use the migrate-config command to convert your old configuration:

vendor/bin/license-checker migrate-config

This reads .allowed-licenses and writes .license-checker.yml with the allowed: key.

To also remove the old file:

vendor/bin/license-checker migrate-config --remove-old

Renamed commands

2.x 3.x
allowed list-config

Other breaking changes

  • Minimum PHP version is now 8.4 (was 8.3)
  • Minimum Symfony version is now 7.4 (was 4.0)

madewithlove/license-checker 适用场景与选型建议

madewithlove/license-checker 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 494.93k 次下载、GitHub Stars 达 54, 最近一次更新时间为 2020 年 03 月 10 日, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 madewithlove/license-checker 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 madewithlove/license-checker 我们能提供哪些服务?
定制开发 / 二次开发

基于 madewithlove/license-checker 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 494.93k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 55
  • 点击次数: 25
  • 依赖项目数: 22
  • 推荐数: 2

GitHub 信息

  • Stars: 54
  • Watchers: 6
  • Forks: 5
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2020-03-10