HTML License Generator for NPM/Yarn based projects

Generate a HTML page with list of dependency licenses based on npm/yarn installed packages. Example output

This project is based on npm-license-generator

Usage

Install:

``bash
npm install --global html-license-gen
`

Options:

`bash
$ html-license-gen --help

Usage:
html-license-gen [folder]

Positionals:
folder Folder of NPM project. Defaults to current working directory [string]

Paths and files:
--folder Folder of NPM project. Defaults to current working
directory [string]
--monorepo-root Root folder of monorepo - if project is in monorepo[string]
--out-path HTML output path [string] [default: "./licenses.html"]
--tmp-folder-name Name of temporary folder
[string] [default: ".license-gen-tmp"]

Output HTML appearance:
--group Group licenses [boolean] [default: true]
--external-links Link package names to their repos [boolean] [default: true]
--add-index Creates index with link to licenses below
[boolean] [default: false]
--title Use given value as document title [string] [default: false]
--template Path to custom mustache template [string]

Package related:
--registry URL of package registry to use
[string] [default: "https://registry.npmjs.org"]
--ignored Semicolon-separated list of packages to ignore
[string] [default: "html-license-gen"]
--only-prod Ignore optional and dev dependencies[boolean] [default: false]
--package-lock Run on all packages listed in package-lock.json
[boolean] [default: false]

Cache and optimization:
--keep-cache Do not clean cache after run [boolean] [default: false]
--checksum-path Checksum file path, to detect if update of HTML is needed
[string] [default: false]
--checksum-embed Embed checksum into HTML to detect need for update
[boolean] [default: false]
--avoid-registry Try local package.json instead asking online registry
[boolean] [default: true]
--no-spdx Do not download license file based on SPDX string
[boolean] [default: false]
--only-spdx Do not use tarballs, only use SPDX string
[boolean] [default: false]
--only-local-tar Do not download tarballs, use only local tarballs
[boolean] [default: true]

Options:
--version Show version number [boolean]
--help Show help [boolean]
--log-level Configures how verbose logs are, one of the following values:
error, warn, info, verbose, debug [string] [default: "warn"]
--error-missing Exit 1 if no license is present for a package
[boolean] [default: false]
`

Options

All boolean options can be prepended with no- that negates flag,
for example; --group groups packages but --no-group disables grouping.

* --error-missing, --no-error-missing
If enabled, stops and exits generator (without generating/updating HTML file) when any expected license is missing
Disabled by default.



* --log-level
Decides how detailed log are. Allowed levels: error, warn, info, verbose, debug
warn by default




$3

* --folder
Specify root directory of project to parse, by default current directory



* --monorepo-root
Specify root directory of monorepo in case it is workspace based project, used to search for package, lock and license files.




* --out-path
Specify output path where generated file will be written.
File is always overwritten unless --checksum-path or --checksum-embed is used and no change is needed.



* --tmp-folder-name
Specify folder where to download tarballs. Folder need to be writable.
Folder and its contents gets deleted after generating file unless --keep-cache options is given.

$3

* --group, --no-group
Groups packages which use exact same license texts, reducing duplicates and file size.
Enabled by default.



* --external-links, --no-external-links
Links package names (in license header) to their homepages (if and as configured in package.json homepage)
Enabled by default.



* --add-index, --no-add-index
Creates index at begin of file - list of anchors allowing quickly jumping to respective package library.
Disabled by default.



* --title
Overrides default document title / main header (which is root app package name) with given string.



* --template
Overrides default template path, allowing passing custom template.



$3

* --registry
Allows specifying URL of custom NPM repository, otherwise default global NPM repo is used



* --ignored
Semicolon-separated list of packages to ignore and NOT include in generated HTML.
For example: typescript;eslint;tar



* --only-prod, --no-only-prod
If enabled, ignores optional and development packages, using only "production" facing packages
Disabled by default.



* --package-lock, --no-package-lock
Instead of relying solely on package.json - also scan lock files to include all dependencies and sub-dependencies.
Generates bigger file but include also dependencies of dependencies, not only direct deps.
Recommended to use with --only-prod (which would otherwise be huge) and without --no-avoid-registry which generates a lot of network requests to registry
Disabled by default.

$3

* --keep-cache, --no-keep-cache
If enabled, does not delete tmp folder, allowing cache to persist between runs
Disabled by default.



* --checksum-path
Allows skipping generation of HTM when packages have not changed.
If path is specified, special file indicated by path is used to store checksum.
If file exist and contains checksum matching checksum resolved for current package/version list - HTML generation will be skipped
After generating HTML file, checksum is written/updated int this file.
NOTICE - it does NOT checks for changes in license files, only if package list (and their version) are same.



* --checksum-embed, --no-checksum-embed
Allows skipping generation of HTM when packages have not changed.
If specified, embed checksum inside generated HTML (as an comment)
If existing HTML checksum matching checksum resolved for current package/version list - HTML generation will be skipped
NOTICE - it does NOT checks for changes in license files, only if package list (and their version) are same.
Disabled by default.



* --avoid-registry, --no-avoid-registry
By default, instead asking online NPM repo, uses package.json files found in node_modules.
It is way faster but may be inaccurate.
Enabled by default.



* --no-spdx
If enabled, does not use SPDX license repository as fallback for missing licenses
Disabled by default.



* --no-spdx
If enabled, use only SPDX license repository and do not use license files found in packages/tarballs
Disabled by default.



* --only-local-tar, --no-only-local-tar
By default, use only local filesystem and tarballs for license discovery.
--no-only-local-tar will enable downloading tarballs from resolved online URLs - but this may generate lot of internet traffic, especially when used together with --package-lock or without --only-prod
Enabled by default.

Use your own template

Supply your own template using the --template option. Templates are written in Mustache. Your template does not have to be HTML, change the output file name using --out-path.

Use template.html` file as and starting point

How licenses are found

1. Get package version and tarball location from package.lock / yarn.lock
2. Look for licenses in node_modules if avalible
3. Otherwise download tarball, extract, look for licenses, and use that
4. Otherwise, evaluate SPDX string and use a file from https://github.com/spdx/license-list-data/tree/master/text