Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks

  • Conference paper in Reuse and Software Quality (ICSR 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13297))

Abstract

Managing an open source package from a licensing perspective can be challenging. License violations can be introduced by both direct and indirect package dependencies, which evolve independently. In this paper, we propose a license compatibility matrix as the foundation for a tool that helps maintainers assess the compliance of their package with the licenses of its dependencies. Using this tool, we empirically study the evolution, popularity, and compliance with dependency licenses in the npm and RubyGems software package ecosystems. The size of the corresponding dependency networks makes verifying license compliance for indirect dependencies computationally expensive. We found that 7.3% of npm packages and 13.9% of RubyGems packages have direct or indirect dependencies with incompatible licenses, and that GPL dependencies are the major cause of incompatibilities. Our results provide a good understanding of the state of license incompatibilities in software package ecosystems, and suggest that individual ecosystems can differ significantly in this regard.
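The check the abstract describes, as an added illustration that is not the authors' tool: a license compatibility matrix (here a deliberately small, hypothetical subset of rules for four SPDX identifiers, not the matrix proposed in the paper) and a breadth-first walk that tests a package's license against every direct and indirect dependency, records the shortest path to each offending dependency, terminates on dependency cycles, and treats both a dependency that declares no license (the (_, None) case mentioned in the notes) and an identifier missing from the matrix as violations rather than silently passing them. The package names and licenses in GRAPH and LICENSES are constructed sample data.

```python
"""Transitive license-compatibility check over a package dependency graph.

Added illustration, not the authors' tool. MATRIX is a simplified,
hypothetical subset of real compatibility rules (not the paper's matrix);
a real matrix needs many more identifiers, e.g. GPL-2.0-only vs GPL-3.0.
"""
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

# MATRIX[dependent][dependency] is True when a package released under
# `dependent` may depend on a package released under `dependency`.
# The column key None models a dependency that declares no license at all:
# without a grant nobody may use it, so it is incompatible with every dependent.
MATRIX: Dict[str, Dict[Optional[str], bool]] = {
    "MIT":        {"MIT": True, "Apache-2.0": True, "LGPL-3.0": True, "GPL-3.0": False, None: False},
    "Apache-2.0": {"MIT": True, "Apache-2.0": True, "LGPL-3.0": True, "GPL-3.0": False, None: False},
    "LGPL-3.0":   {"MIT": True, "Apache-2.0": True, "LGPL-3.0": True, "GPL-3.0": False, None: False},
    "GPL-3.0":    {"MIT": True, "Apache-2.0": True, "LGPL-3.0": True, "GPL-3.0": True,  None: False},
}

# (dependency name, dependency license, path from the checked package, reason)
Violation = Tuple[str, Optional[str], List[str], str]


def is_compatible(dependent: Optional[str], dependency: Optional[str]) -> Tuple[bool, str]:
    """Look a (dependent, dependency) license pair up in the matrix.

    Pairs the matrix does not cover are reported as violations, not allowed:
    an unknown identifier is a finding for a human to review, not a pass.
    """
    if dependency is None:
        return False, "dependency declares no license"
    row = MATRIX.get(dependent) if dependent is not None else None
    if row is None:
        return False, f"dependent license {dependent!r} not in matrix"
    if dependency not in row:
        return False, f"dependency license {dependency!r} not in matrix"
    if row[dependency]:
        return True, ""
    return False, f"{dependency} dependency is incompatible with {dependent} dependent"


def check_package(root: str, graph: Dict[str, List[str]],
                  licenses: Dict[str, Optional[str]]) -> List[Violation]:
    """Check `root`'s license against every direct and indirect dependency.

    Breadth-first, so the recorded path to each violation is a shortest one
    (path length 2 means a direct dependency). Every package is checked once;
    the visited set also terminates the walk on dependency cycles.
    """
    root_license = licenses.get(root)
    violations: List[Violation] = []
    visited = {root}
    queue: Deque[Tuple[str, List[str]]] = deque(
        (dep, [root, dep]) for dep in graph.get(root, []))
    while queue:
        pkg, path = queue.popleft()
        if pkg in visited:
            continue
        visited.add(pkg)
        ok, reason = is_compatible(root_license, licenses.get(pkg))
        if not ok:
            violations.append((pkg, licenses.get(pkg), path, reason))
        for child in graph.get(pkg, []):
            if child not in visited:
                queue.append((child, path + [child]))
    return violations


def is_direct(violation: Violation) -> bool:
    """True when the violating dependency is a direct dependency of the root."""
    return len(violation[2]) == 2


# Constructed sample ecosystem: package names and licenses are made up.
GRAPH: Dict[str, List[str]] = {
    "my-app": ["web-framework", "crypto-lib"],
    "gpl-tool": ["crypto-lib"],
    "web-framework": ["logger", "template-engine"],
    "template-engine": ["web-framework"],   # dependency cycle
    "logger": ["ansi-colors"],
    "crypto-lib": [],
    "ansi-colors": [],
}
LICENSES: Dict[str, Optional[str]] = {
    "my-app": "MIT",
    "gpl-tool": "GPL-3.0",
    "web-framework": "Apache-2.0",
    "template-engine": "LGPL-3.0",
    "logger": "MIT",
    "crypto-lib": "GPL-3.0",
    "ansi-colors": None,    # published without any license
}

if __name__ == "__main__":
    for root in ("my-app", "gpl-tool"):
        for dep, lic, path, reason in check_package(root, GRAPH, LICENSES):
            kind = "direct" if len(path) == 2 else "indirect"
            print(f"{root} ({LICENSES[root]}): {kind} dependency {dep} ({lic}) "
                  f"via {' -> '.join(path)}: {reason}")
```

Run against the sample data, `my-app` (MIT) is flagged twice: directly for `crypto-lib` (GPL-3.0) and indirectly, three hops down, for `ansi-colors`, which has no license at all; `gpl-tool` (GPL-3.0) may depend on the same `crypto-lib` without a violation, which is the asymmetry of the matrix. In practice the graph would be read from a lockfile (package-lock.json or Gemfile.lock) and the matrix from a vetted source; keeping the lookup fail-closed on unknown identifiers matters because registry metadata often carries non-SPDX or missing license strings.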


Notes

  1. https://spdx.org/licenses/.
  2. https://choosealicense.com/no-permission/.
  3. https://www.gnu.org/licenses/license-list.en.html.
  4. https://github.com/librariesio/license-compatibility.
  5. https://www.gnu.org/licenses/license-list.en.html.
  6. https://ec.europa.eu/jrc/sites/default/files/20150930-second-best-practices-tto-circle-gentile_en.pdf.
  7. https://www.gnu.org/licenses/gpl-faq.en.html.
  8. https://libraries.io/data.
  9. https://www.npmjs.com/package/keypair.
  10. https://www.npmjs.com/package/webgazer.
  11. https://choosealicense.com/no-permission/.
  12. https://github.com/npm/cli/blob/latest/changelogs/CHANGELOG-1.md.
  13. https://github.com/rubygems/bundler/blob/master/CHANGELOG.md.
  14. https://choosealicense.com/community/.
  15. https://github.com/anvaka/npmgraph.an.
  16. https://doi.org/10.5281/zenodo.5913761.
  17. In (_ , None), "_" refers to a dependent with any license and None refers to a dependency without a license.


Acknowledgments

This research was partially funded by the Excellence of Science project 30446992 SECO-Assist financed by F.R.S.-FNRS and FWO-Vlaanderen.

Author information

Corresponding author

Correspondence to Ahmed Zerouali .

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Makari, I.S., Zerouali, A., De Roover, C. (2022). Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks. In: Perrouin, G., Moha, N., Seriai, AD. (eds) Reuse and Software Quality. ICSR 2022. Lecture Notes in Computer Science, vol 13297. Springer, Cham. https://doi.org/10.1007/978-3-031-08129-3_6

  • DOI: https://doi.org/10.1007/978-3-031-08129-3_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-08128-6

  • Online ISBN: 978-3-031-08129-3
