Your Composer Package is Broken: Update your License ID
If you, like me:
- maintain a library or framework;
- release it under a free license;
- make it installable through Composer and host it on the Packagist service;
then you may have a problem you don't even suspect.
What happened?
Some time ago the composer.json schema changed. The license property is now strongly recommended to contain only license identifiers from the SPDX License List, or the literal proprietary if you do not release the package under a free license.
Packages whose composer.json carries a license value that is not on the SPDX list are no longer automatically updated on Packagist.
And what's the problem?
Previously, many packages put the plain name of the license in this field instead of the recommended identifier.
This is how it was in my own package, for example:
"license": "LGPL v.3",
As now required:
"license": "LGPL-3.0-or-later",
The problem is that packages simply stop updating, silently. Package authors supposedly receive an e-mail from Packagist about it. I personally haven't seen it; it's probably my fault, I overlooked it or accidentally threw it into spam...
What to do?
To start, open your package's page on packagist.org, log in as the package's maintainer and click the Update button. If Packagist considers your license invalid, you will see a message like this:
Invalid package information:
License "LGPL v.3" is not a valid SPDX license identifier, see https://spdx.org/licenses/ if you use an open license.
If the software is closed-source, you may use "proprietary" as license.
Then you have no choice but to update the license property in your package's composer.json. Remember to do it in every branch that Packagist tracks, run composer validate locally to confirm the warning is gone, then create new version tags and update the package on Packagist.
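The authoritative check is composer validate, but the rules it applies to the license field are small enough to show in full. The script below is an added example, not code from the original post or from Composer/Packagist: it parses a composer.json document and reports a license value that is not an SPDX identifier, is a deprecated bare GPL/LGPL identifier, or is miscased, while accepting proprietary, a list of identifiers and the parenthesised "(A or B)" form. The SPDX list here is a constructed subset of the real registry, and the sample documents are constructed, not real packages.

```python
"""Pre-tag check for the "license" property of a composer.json.

Added example; a stand-in for `composer validate`, not Composer's own code.
"""
import json
import re

# Constructed subset of the SPDX License List. The real registry at
# https://spdx.org/licenses/ is far longer; this is only illustrative.
SPDX_SUBSET = {
    "MIT", "ISC", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "MPL-2.0",
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later",
    "Unlicense", "CC0-1.0",
}

# Bare GPL-family identifiers are deprecated by SPDX in favour of the
# "-only" / "-or-later" forms; report them separately so the fix is obvious.
SPDX_DEPRECATED = {"GPL-2.0", "GPL-3.0", "LGPL-2.1", "LGPL-3.0"}

# The literal Composer accepts for closed-source packages.
PROPRIETARY = "proprietary"

_LOWER_SPDX = {ident.lower(): ident for ident in SPDX_SUBSET}


def split_license_value(value):
    """Return the individual identifiers in a composer.json "license" value.

    Composer allows a plain string, a list of strings (disjunctive), or a
    parenthesised expression such as "(MIT or GPL-2.0-or-later)". The
    expression handling here is deliberately minimal ("or"/"and" only).
    """
    if isinstance(value, str):
        values = [value]
    elif isinstance(value, list) and all(isinstance(v, str) for v in value):
        values = value
    else:
        raise ValueError('"license" must be a string or a list of strings')

    idents = []
    for raw in values:
        raw = raw.strip()
        if raw.startswith("(") and raw.endswith(")"):
            parts = re.split(r"\s+(?:or|and)\s+", raw[1:-1], flags=re.IGNORECASE)
            idents.extend(p.strip() for p in parts)
        else:
            idents.append(raw)
    return idents


def check_license(value):
    """Return a list of problem strings; an empty list means the value passes."""
    problems = []
    for ident in split_license_value(value):
        if ident == PROPRIETARY:
            continue
        canonical = _LOWER_SPDX.get(ident.lower())
        if canonical is not None:
            if canonical != ident:
                problems.append(f'"{ident}" should be spelled "{canonical}"')
            continue
        if ident in SPDX_DEPRECATED:
            problems.append(
                f'"{ident}" is a deprecated SPDX identifier; use '
                f'"{ident}-only" or "{ident}-or-later"'
            )
            continue
        problems.append(
            f'"{ident}" is not a valid SPDX license identifier, see '
            'https://spdx.org/licenses/ if you use an open license; '
            f'if the software is closed-source, use "{PROPRIETARY}"'
        )
    return problems


def check_composer_json(text):
    """Parse a composer.json document and check its "license" property."""
    data = json.loads(text)
    if "license" not in data:
        return ['no "license" property; add an SPDX identifier or "proprietary"']
    try:
        return check_license(data["license"])
    except ValueError as exc:
        return [str(exc)]


# Constructed sample documents, not real packages.
BROKEN = json.dumps({"name": "example/lib", "license": "LGPL v.3"})
FIXED = json.dumps({"name": "example/lib", "license": "LGPL-3.0-or-later"})
DUAL = json.dumps({"name": "example/lib", "license": ["MIT", "GPL-2.0-or-later"]})
CLOSED = json.dumps({"name": "example/lib", "license": "proprietary"})

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED),
                       ("dual", DUAL), ("closed", CLOSED)):
        print(label, check_composer_json(doc) or "ok")
```

The "broken" document reproduces the post's own case: "LGPL v.3" is rejected with the same wording Packagist shows, while the corrected "LGPL-3.0-or-later" passes. To run it against a real file, read composer.json from disk and pass its text to check_composer_json; a non-empty result is the signal to fix the field before tagging a release.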
Take care of the users of your packages - do it today!