Your Composer Package is Broken: Update your License ID



    If you, like me:


    • are the maintainer of a library or framework;
    • release that library or framework under a free license;
    • make it available for installation through Composer, hosted on the Packagist service;

    then you may have a problem you don't even suspect.


    What happened?


    Some time ago, the requirements for the composer.json file changed.


    From now on, it is strictly recommended to put in the "license" property only identifiers that appear in the SPDX license list, or to write "proprietary" if you do not intend to follow any free license.


    Any package whose composer.json gives a license identifier that differs from the SPDX list is no longer automatically updated on Packagist.


    And what's the problem?


    Previously, most packages gave just the name of the license instead of the recommended identifier.


    As it was, for example, with me:


      "license": "LGPL v.3",

    As now required:


      "license": "LGPL-3.0-or-later",

    The problem is that such packages simply stop updating, silently. Reportedly, package authors receive an e-mail about it from Packagist. I personally never saw it; that is probably my fault - I overlooked it or accidentally sent it to spam...


    What to do?


    To get started, open your package's page on packagist.org. Log in as the package's author and click the Update button. If your package has a license that Packagist considers invalid, you will see a message like this:


    Invalid package information: 
    License "LGPL v.3" is not a valid SPDX license identifier, see https://spdx.org/licenses/ if you use an open license.
    If the software is closed-source, you may use "proprietary" as license.

    Then you have no choice but to update the "license" property in your package's composer.json file. Remember to do it in all branches, create new version tags, and update the package on Packagist.
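    Because a rejected manifest means users silently stay on stale versions, it is worth checking the "license" property locally before tagging in every branch. The following script is an added example, not part of the original post or of Composer itself: it parses a composer.json, accepts the string and array forms that Composer allows plus "proprietary", and for a free-form name such as "LGPL v.3" suggests the SPDX identifiers it could have meant. The SPDX_IDS set is a constructed subset of the real SPDX list, and the sample manifests (acme/example) are constructed.

```python
import json
import re

# Constructed subset of the SPDX license list (https://spdx.org/licenses/).
# A real check should use the full list, e.g. the one shipped in composer/spdx-licenses.
SPDX_IDS = {
    "MIT", "ISC", "Unlicense", "Apache-2.0", "MPL-2.0",
    "BSD-2-Clause", "BSD-3-Clause",
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later",
}


def _normalize(name):
    """Reduce a free-form license name to a comparable key: 'LGPL v.3' -> 'lgpl3'."""
    s = name.lower()
    s = re.sub(r"\blicen[cs]e\b", "", s)   # drop the word "license"
    s = re.sub(r"v(?=[\s.]*\d)", "", s)    # drop a "v" / "v." version prefix
    return re.sub(r"[^a-z0-9]", "", s)     # keep only letters and digits


def suggest(name):
    """SPDX ids whose normalized form starts with the normalized free-form name."""
    key = _normalize(name)
    if not key:
        return []
    return sorted(i for i in SPDX_IDS if _normalize(i).startswith(key))


def invalid_licenses(value):
    """Map each rejected entry of a composer.json "license" value to suggested ids.

    Accepts the string form and the array (disjunctive) form Composer allows;
    "proprietary" is always accepted. SPDX expressions such as
    "(MIT OR GPL-2.0-only)" are not handled by this toy check.
    An empty dict means the value is fine.
    """
    entries = value if isinstance(value, list) else [value]
    bad = {}
    for lic in entries:
        if not isinstance(lic, str):
            bad[repr(lic)] = []
        elif lic != "proprietary" and lic not in SPDX_IDS:
            bad[lic] = suggest(lic)
    return bad


def check_composer_json(text):
    """Parse composer.json text and return the problems with its license property."""
    data = json.loads(text)
    if "license" not in data:
        return {"<missing>": []}
    return invalid_licenses(data["license"])


# Constructed sample manifests: the form Packagist now rejects, and the corrected one.
BEFORE = '{"name": "acme/example", "license": "LGPL v.3"}'
AFTER = '{"name": "acme/example", "license": "LGPL-3.0-or-later"}'

if __name__ == "__main__":
    for label, manifest in (("before", BEFORE), ("after", AFTER)):
        problems = check_composer_json(manifest)
        if not problems:
            print(f"{label}: license OK")
        for lic, hints in problems.items():
            hint = f" (did you mean {' or '.join(hints)}?)" if hints else ""
            print(f'{label}: "{lic}" is not a valid SPDX license identifier{hint}')
```

    Run against the "before" manifest it reports that "LGPL v.3" is not a valid identifier and offers LGPL-3.0-only or LGPL-3.0-or-later, since a bare "v3" does not say which one was meant; the "after" manifest passes. Composer's own `composer validate` performs the same check against the full SPDX list and prints the same warning text that Packagist shows, so it belongs in the pre-tag routine for every branch.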


    Take care of the users of your packages - do it today!


    What to read?


