Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks

Ilyas Saïd Makari, Ahmed Zerouali, Coen De Roover

Research output: Chapter in Book/Report/Conference proceedingConference paper

7 Downloads (Pure)

Abstract

It can be challenging to manage an open source package from a licensing perspective. License violations can be introduced by both direct and indirect package dependencies, which evolve independently. In this paper, we propose a license compatibility matrix as the foundation for a tool that can help maintainers assess the compliance of their package with the licenses of its dependencies. Using this tool, we empirically study the evolution, popularity, and compliance with dependency licenses in the npm and RubyGems software package ecosystems. The size of the corresponding dependency networks renders verifying license compliance for indirect dependencies computationally expensive. We found that 7.3% of npm packages and 13.9% of RubyGems have direct or indirect dependencies with incompatible licenses. We also found that GPL dependencies are the major cause for incompatibilities. Our results provide a good understanding of the state of license incompatibilities in software package ecosystems, and suggest that individual ecosystems can differ significantly in this regard.
Original languageEnglish
Title of host publicationThe 20th International Conference on Software and Systems Reuse (ICSR-2022)
Number of pages16
Publication statusAccepted/In press - 20 Mar 2022

Keywords

  • Open Source Software
  • Software Packages
  • Software Licenses

Fingerprint

Dive into the research topics of 'Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks'. Together they form a unique fingerprint.

Cite this