Hire me
Pooyan Razian

The license risk hiding in your dependency tree

The license risk hiding in your dependency tree
Published: July 18, 2026

Most teams never check the license of every package they depend on, including the indirect ones pulled in underneath. That is a real risk. Some licenses, like GPL or AGPL, can legally require you to open-source your own product if you use them a certain way.

I built Open License Auditor to catch this automatically. It is a GitHub Action that maps every dependency in your repo, direct and indirect, and flags any open source license that could be a problem.

Get it on GitHub Marketplace · Source on GitHub

What it does

It scans npm, Yarn, pnpm, pip, Poetry, uv, Cargo, Go modules, Maven, Gradle, RubyGems, Composer, and NuGet automatically, no configuration required to get started. On every pull request, it posts one comment: a direct list of anything risky, plus a full dependency map you can expand if you want to see everything. If nothing is wrong, it just says so.

Example PR comment listing dependencies with warning-level licenses
What the PR comment looks like when it finds something

What ok, warning, and critical mean

BucketMeaning
oka permissive license. Safe to use without extra review in almost all cases.
warninga weak copyleft license, or one it could not confidently identify. Worth a second look.
criticala strong copyleft license. Using it can require you to open source your own code.

Unknown or unidentified licenses default to warning, not ok, on purpose. The "unknown" should never be treated as safe. A few examples from the default table: MIT, Apache-2.0, and BSD are ok; LGPL and MPL are warning; GPL, AGPL, and SSPL are critical. The full table is configurable.

Example workflow

Save this as .github/workflows/license-audit.yml:

name: License Audit

on: pull_request

permissions:
  pull-requests: write
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: yanovian/open-license-auditor@v1
        with:
          config-path: .github/license-audit.yml
          severity-filter: both
          fail-on: critical
          comment-on-pr: true
          github-token: ${{ secrets.GITHUB_TOKEN }}

That's it. Open a pull request and it runs automatically.

Main inputs

InputDefaultDescription
config-path.github/license-audit.ymlwhere to find your config file; missing is fine
severity-filterbothwhat the PR comment shows: critical, warning, both, or none
fail-oncriticalwhat makes the Action exit non-zero: critical, warning, or none
comment-on-prtruewhether to post a PR comment at all
comment-only-on-problemsfalseif true, skip commenting entirely when nothing is wrong
update-existing-commenttrueedit the previous comment instead of posting a new one each run
github-token${{ github.token }}token used to read the PR and post the comment
cachetruecache license lookups across runs, so repeat runs are faster

You can change which licenses count as ok, warning, or critical by copying the example config into .github/license-audit.yml and editing it.

Permissions and tokens

You do not need to create a token yourself. The default GITHUB_TOKEN is enough, as long as your workflow grants pull-requests: write, as in the example above. Without it, the Action still audits your dependencies and can fail the check, it just cannot post the comment.

One limitation: if a pull request comes from a fork, GitHub gives the default token read-only access no matter what your workflow requests, so the comment will not post. That is a GitHub security restriction, not something this Action can work around. Switching the trigger to pull_request_target fixes it, but that trigger runs with your base repository's permissions even for untrusted forks, so only do it if your workflow does not check out or run code from the fork.

This is an automated check, not a legal opinion. License detection can be wrong, and a license can change between versions of a package. Use it as a starting point.

PS: OlAudit is now deprecated in favor of this new one.

If you liked the article, feel free to share it with your friends, family, or colleagues. You can also follow me on Medium or LinkedIn.

Copyright & Disclaimer

  • All content provided on this article is for informational and educational purposes only. The author makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site.
  • All the content is copyrighted, except the assets and content I have referenced to other people's work, and may not be reproduced on other websites, blogs, or social media. You are not allowed to reproduce, summarize to create derivative work, or use any content from this website under your name. This includes creating a similar article or summary based on AI/GenAI. For educational purposes, you may refer to parts of the content, and only refer, but you must provide a link back to the original article on this website. This is allowed only if your content is less than 10% similar to the original article.
  • While every care has been taken to ensure the accuracy of the content of this website, I make no representation as to the accuracy, correctness, or fitness for any purpose of the site content, nor do I accept any liability for loss or damage (including consequential loss or damage), however, caused, which may be incurred by any person or organization from reliance on or use of information on this site.
  • The contents of this article should not be construed as legal advice.
  • Opinions are my own and not the views of my employer.
  • English is not my mother-tongue language, so even though I try my best to express myself correctly, there might be a chance of miscommunication.
  • Links or references to other websites, including the use of information from 3rd-parties, are provided for the benefit of people who use this website. I am not responsible for the accuracy of the content on the websites that I have put a link to and I do not endorse any of those organizations or their contents.
  • If you have any queries or if you believe any information on this article is inaccurate, or if you think any of the assets used in this article are in violation of copyright, please contact me and let me know.

The license risk hiding in your dependency tree

The license risk hiding in your dependency tree
Published: July 18, 2026

Most teams never check the license of every package they depend on, including the indirect ones pulled in underneath. That is a real risk. Some licenses, like GPL or AGPL, can legally require you to open-source your own product if you use them a certain way.

I built Open License Auditor to catch this automatically. It is a GitHub Action that maps every dependency in your repo, direct and indirect, and flags any open source license that could be a problem.

Get it on GitHub Marketplace · Source on GitHub

What it does

It scans npm, Yarn, pnpm, pip, Poetry, uv, Cargo, Go modules, Maven, Gradle, RubyGems, Composer, and NuGet automatically, no configuration required to get started. On every pull request, it posts one comment: a direct list of anything risky, plus a full dependency map you can expand if you want to see everything. If nothing is wrong, it just says so.

Example PR comment listing dependencies with warning-level licenses
What the PR comment looks like when it finds something

What ok, warning, and critical mean

BucketMeaning
oka permissive license. Safe to use without extra review in almost all cases.
warninga weak copyleft license, or one it could not confidently identify. Worth a second look.
criticala strong copyleft license. Using it can require you to open source your own code.

Unknown or unidentified licenses default to warning, not ok, on purpose. The "unknown" should never be treated as safe. A few examples from the default table: MIT, Apache-2.0, and BSD are ok; LGPL and MPL are warning; GPL, AGPL, and SSPL are critical. The full table is configurable.

Example workflow

Save this as .github/workflows/license-audit.yml:

name: License Audit

on: pull_request

permissions:
  pull-requests: write
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: yanovian/open-license-auditor@v1
        with:
          config-path: .github/license-audit.yml
          severity-filter: both
          fail-on: critical
          comment-on-pr: true
          github-token: ${{ secrets.GITHUB_TOKEN }}

That's it. Open a pull request and it runs automatically.

Main inputs

InputDefaultDescription
config-path.github/license-audit.ymlwhere to find your config file; missing is fine
severity-filterbothwhat the PR comment shows: critical, warning, both, or none
fail-oncriticalwhat makes the Action exit non-zero: critical, warning, or none
comment-on-prtruewhether to post a PR comment at all
comment-only-on-problemsfalseif true, skip commenting entirely when nothing is wrong
update-existing-commenttrueedit the previous comment instead of posting a new one each run
github-token${{ github.token }}token used to read the PR and post the comment
cachetruecache license lookups across runs, so repeat runs are faster

You can change which licenses count as ok, warning, or critical by copying the example config into .github/license-audit.yml and editing it.

Permissions and tokens

You do not need to create a token yourself. The default GITHUB_TOKEN is enough, as long as your workflow grants pull-requests: write, as in the example above. Without it, the Action still audits your dependencies and can fail the check, it just cannot post the comment.

One limitation: if a pull request comes from a fork, GitHub gives the default token read-only access no matter what your workflow requests, so the comment will not post. That is a GitHub security restriction, not something this Action can work around. Switching the trigger to pull_request_target fixes it, but that trigger runs with your base repository's permissions even for untrusted forks, so only do it if your workflow does not check out or run code from the fork.

This is an automated check, not a legal opinion. License detection can be wrong, and a license can change between versions of a package. Use it as a starting point.

PS: OlAudit is now deprecated in favor of this new one.

If you liked the article, feel free to share it with your friends, family, or colleagues. You can also follow me on Medium or LinkedIn.

Copyright & Disclaimer

  • All content provided on this article is for informational and educational purposes only. The author makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site.
  • All the content is copyrighted, except the assets and content I have referenced to other people's work, and may not be reproduced on other websites, blogs, or social media. You are not allowed to reproduce, summarize to create derivative work, or use any content from this website under your name. This includes creating a similar article or summary based on AI/GenAI. For educational purposes, you may refer to parts of the content, and only refer, but you must provide a link back to the original article on this website. This is allowed only if your content is less than 10% similar to the original article.
  • While every care has been taken to ensure the accuracy of the content of this website, I make no representation as to the accuracy, correctness, or fitness for any purpose of the site content, nor do I accept any liability for loss or damage (including consequential loss or damage), however, caused, which may be incurred by any person or organization from reliance on or use of information on this site.
  • The contents of this article should not be construed as legal advice.
  • Opinions are my own and not the views of my employer.
  • English is not my mother-tongue language, so even though I try my best to express myself correctly, there might be a chance of miscommunication.
  • Links or references to other websites, including the use of information from 3rd-parties, are provided for the benefit of people who use this website. I am not responsible for the accuracy of the content on the websites that I have put a link to and I do not endorse any of those organizations or their contents.
  • If you have any queries or if you believe any information on this article is inaccurate, or if you think any of the assets used in this article are in violation of copyright, please contact me and let me know.
Copyright © 2026 - pooyan.info