Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks

Ilyas Saïd Makari, Ahmed Zerouali, Coen De Roover

Research output: Chapter in Book/Report/Conference proceedingConference paperResearch

67 Downloads (Pure)


It can be challenging to manage an open source package from a licensing perspective. License violations can be introduced by both direct and indirect package dependencies, which evolve independently. In this paper, we propose a license compatibility matrix as the foundation for a tool that can help maintainers assess the compliance of their package with the licenses of its dependencies. Using this tool, we empirically study the evolution, popularity, and compliance with dependency licenses in the npm and RubyGems software package ecosystems. The size of the corresponding dependency networks renders verifying license compliance for indirect dependencies computationally expensive. We found that 7.3% of npm packages and 13.9% of RubyGems have direct or indirect dependencies with incompatible licenses. We also found that GPL dependencies are the major cause for incompatibilities. Our results provide a good understanding of the state of license incompatibilities in software package ecosystems, and suggest that individual ecosystems can differ significantly in this regard.
Original languageEnglish
Title of host publicationProceedings of the 20th International Conference on Software and Systems Reuse (ICSR 2022)
EditorsGilles Perrouin, Naouel Moha, Abdelhak-Djamel Seriai
Number of pages16
ISBN (Electronic)978-3-031-08129-3
ISBN (Print)978-3-031-08128-6
Publication statusPublished - 10 Jun 2022
Event20th International Conference on Software and System Reuse (ICSR 2022) - Montpellier, France
Duration: 15 Jun 202217 Jun 2022
Conference number: 20

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume13297 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference20th International Conference on Software and System Reuse (ICSR 2022)
Abbreviated titleICSR
Internet address

Bibliographical note

Funding Information:
Acknowledgments. This research was partially funded by the Excellence of Science project 30446992 SECO-Assist financed by F.R.S.-FNRS and FWO-Vlaanderen.

Publisher Copyright:
© 2022, Springer Nature Switzerland AG.

Copyright 2022 Elsevier B.V., All rights reserved.


  • Open Source Software
  • Software Packages
  • Software Licenses


Dive into the research topics of 'Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks'. Together they form a unique fingerprint.

Cite this