How do I install composer/spdx-licenses in a Laravel project?

Run `composer require composer/spdx-licenses` in your project root. The package has no external dependencies (post-v1.1.0) and integrates seamlessly with Laravel’s Composer-based dependency system.

Can I use this package to validate licenses in composer.json during CI/CD?

Yes. The library’s `validate()` method checks SPDX license expressions, and you can integrate it into GitHub Actions or GitLab CI to fail builds on invalid licenses. Example: `php vendor/bin/spdx-audit --fail-on-non-osi`.

Does this package support Laravel’s dependency injection (DI) container?

Absolutely. Register `SpdxLicenses` as a singleton in a `ServiceProvider` (e.g., `AppServiceProvider`) and inject it into controllers, commands, or middleware via Laravel’s DI system.

What Laravel versions does composer/spdx-licenses support?

The package works with any Laravel version requiring PHP ≥7.2 (recommended). Older PHP versions (5.3.2+) are supported but deprecated. Ensure your Laravel app’s PHP version aligns with the package’s requirements.

How do I check if a license is OSI-approved in Laravel?

Use `SpdxLicenses::isOsiApprovedByIdentifier('MIT')` in a controller, middleware, or Artisan command. For bulk checks, cache results with Laravel’s `cache()` helper to avoid repeated SPDX data lookups.

Can I integrate this with Laravel’s FormRequest or Policy classes?

Yes. Add custom validation rules like `validateLicense()` in `FormRequest` or `Policy` classes. Example: `$request->validate(['license' => ['required', function ($attribute, $value, $fail) { $licenses->validate($value) || $fail('Invalid SPDX license.'); }]])`.

What happens if I use a deprecated SPDX license identifier?

The package flags deprecated identifiers via `isDeprecatedByIdentifier()`. You can extend this to trigger alerts (e.g., Slack notifications) or fail CI builds by hooking into Laravel’s event system or middleware.

Are there alternatives to composer/spdx-licenses for Laravel?

Other options include `spdx-tools/php-spdx` (for RDF generation) or custom solutions using SPDX’s raw data. However, this package is lightweight, Composer-native, and directly tied to the official SPDX License List, making it ideal for Laravel’s dependency validation needs.

How do I extend this library for custom license handling?

Use the decorator pattern to wrap `SpdxLicenses`. For example, create a `CustomSpdxLicenses` class extending `SpdxLicenses` and override methods like `getLicenseByIdentifier()` to add custom logic before/after parent calls.

Should I pin the package version or allow auto-updates in Laravel?

Pin to a minor version (e.g., `^1.5`) to avoid breaking changes from SPDX updates. Major versions may introduce compatibility shifts, so test thoroughly before upgrading. Use `composer update composer/spdx-licenses` cautiously in production.

Weave Code

Code Weaver

Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.

Spdx Licenses Laravel Package

composer/spdx-licenses

SPDX licenses list and validation library extracted from Composer. Look up licenses and exceptions by identifier or name, check OSI approval and deprecation, and validate SPDX license expressions using official SPDX License List data.

View on GitHub

Deep Wiki

Context7

SPDX licenses list and validation library.

Frequently asked questions about Spdx Licenses

How do I install composer/spdx-licenses in a Laravel project?: Run `composer require composer/spdx-licenses` in your project root. The package has no external dependencies (post-v1.1.0) and integrates seamlessly with Laravel’s Composer-based dependency system.
Can I use this package to validate licenses in composer.json during CI/CD?: Yes. The library’s `validate()` method checks SPDX license expressions, and you can integrate it into GitHub Actions or GitLab CI to fail builds on invalid licenses. Example: `php vendor/bin/spdx-audit --fail-on-non-osi`.
Does this package support Laravel’s dependency injection (DI) container?: Absolutely. Register `SpdxLicenses` as a singleton in a `ServiceProvider` (e.g., `AppServiceProvider`) and inject it into controllers, commands, or middleware via Laravel’s DI system.
What Laravel versions does composer/spdx-licenses support?: The package works with any Laravel version requiring PHP ≥7.2 (recommended). Older PHP versions (5.3.2+) are supported but deprecated. Ensure your Laravel app’s PHP version aligns with the package’s requirements.
How do I check if a license is OSI-approved in Laravel?: Use `SpdxLicenses::isOsiApprovedByIdentifier('MIT')` in a controller, middleware, or Artisan command. For bulk checks, cache results with Laravel’s `cache()` helper to avoid repeated SPDX data lookups.
Can I integrate this with Laravel’s FormRequest or Policy classes?: Yes. Add custom validation rules like `validateLicense()` in `FormRequest` or `Policy` classes. Example: `$request->validate(['license' => ['required', function ($attribute, $value, $fail) { $licenses->validate($value) || $fail('Invalid SPDX license.'); }]])`.
What happens if I use a deprecated SPDX license identifier?: The package flags deprecated identifiers via `isDeprecatedByIdentifier()`. You can extend this to trigger alerts (e.g., Slack notifications) or fail CI builds by hooking into Laravel’s event system or middleware.
Are there alternatives to composer/spdx-licenses for Laravel?: Other options include `spdx-tools/php-spdx` (for RDF generation) or custom solutions using SPDX’s raw data. However, this package is lightweight, Composer-native, and directly tied to the official SPDX License List, making it ideal for Laravel’s dependency validation needs.
How do I extend this library for custom license handling?: Use the decorator pattern to wrap `SpdxLicenses`. For example, create a `CustomSpdxLicenses` class extending `SpdxLicenses` and override methods like `getLicenseByIdentifier()` to add custom logic before/after parent calls.
Should I pin the package version or allow auto-updates in Laravel?: Pin to a minor version (e.g., `^1.5`) to avoid breaking changes from SPDX updates. Major versions may introduce compatibility shifts, so test thoroughly before upgrading. Use `composer update composer/spdx-licenses` cautiously in production.

Popularity trends

Recorded values over time (once-a-day snapshots). May 8, 2026 – Jun 6, 2026

GitHub · stars

GitHub · forks

GitHub · watchers

Packagist · monthly downloads

View on GitHub

Stars

1,389

Favorites

1,391

Forks

Score

32.0

Score breakdown

Sum of components, capped 0–100. Halved if archived.

Stars

input: 1389

+6.9
Forks

input: 22

+0.7
Open issues + PRs

input: 2

+0.2
Releases

input: 23

+6.9
Recency

input: 58

+16.8
Issue opportunity

input: 1

+0.0
Laravel News mentions

input: 0

+0.0
Dependents

input: 0

+0.0

Total 31.5

Opportunity

52.8

Opportunity score breakdown

Hidden gem signal × 0.65 + contribution need × 0.35, scaled by health factor.

Hidden gem

log(monthly_downloads / (stars + 1)) × 25

83.0
Contribution need

open_issues + open_prs: 2

0.0
Health factor

archived + recency + open issues

×0.98

Total 52.6

License

MIT

Last release

Apr 8, 2026

Watchers

Downloads

3M/mo

Dependents

Open issues

Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.

Add packages to context

No packages found.

hexters/coinpayment

rjcodes/rjcms

act-training/laravel-permissions-manager

alimarchal/laravel-chart-of-accounts

babenkoivan/elastic-scout-driver

mkwebdesign/filament-watchdog-v5

renatomarinho/laravel-page-speed

zedmagdy/filament-business-hours

renatovdemoura/blade-elements-ui

devgeek/beacon-admin

benjamin-rqt/data-watcher-bundle

atriumphp/atrium

sandermuller/package-boost-laravel

sandermuller/boost-skills

redaxo/core

yusufgenc/filament-api-forge

l3aro/rating-star-for-filament

leek/filament-subtenant-scope

anil/file-picker

broqit/fields-ai