Spdx Licenses Laravel Package
composer/spdx-licenses
PHP library providing the official SPDX license and exception lists plus validation of SPDX license expressions. Look up licenses by identifier or name, check OSI approval and deprecation status, and validate complex license strings.
Getting Started
-
Install the package via Composer:
composer require composer/spdx-licenses -
Start validating licenses in your own code or tools:
use Composer\Spdx\SpdxLicenses; $license = 'MIT'; if (SpdxLicenses::isValid($license)) { echo "Valid SPDX ID: $license\n"; } // Get full license data $data = SpdxLicenses::getLicenseById($license); echo "Name: " . $data['name'] . "\n"; echo "OSI Approved: " . ($data['osiApproved'] ? 'Yes' : 'No') . "\n"; -
Explore available identifiers (e.g., for autocomplete in tooling):
$ids = SpdxLicenses::getAllLicenseIds(); // Returns array like ['0BSD', 'AAL', 'Abstyles', ...]
First use case: Add a license validation step to your CI pipeline using this package to prevent invalid or deprecated license IDs from creeping into your project.
Implementation Patterns
-
CI/CD Validation Hook:
Integrate into Composer scripts or GitHub Actions to run license checks oncomposer.jsonor installed dependencies:# In composer.json "scripts": { "check-licenses": "php ./scripts/validate-licenses.php" } -
Composer Plugin Integration:
Build or extend a Composer plugin (e.g., for license auditing) using the package’s API to:- Validate
licensefield incomposer.json - Normalize user-supplied license IDs (e.g.,
mit→MIT) - Warn about non-OSI-approved or deprecated IDs
- Validate
-
CLI Tooling / Audit Scripts:
Scan vendor directories or JSON export (composer show -i --format=json) and cross-check against SPDX:$packages = json_decode(file_get_contents('composer.json'), true)['require'] ?? []; foreach ($packages as $pkg => $version) { $info = SpdxLicenses::getLicenseById($pkgLicense); if (!$info) { /* handle unknown license */ } } -
Metadata-Driven UI/Reports:
Leverage nested data for richer reporting:- Highlight deprecated licenses (
'deprecated' => true) - Flag see-also links or special exceptions (
'exceptions' => [...]) - Filter only OSI-approved licenses for compliance dashboards
- Highlight deprecated licenses (
Gotchas and Tips
-
⚠️ Case Sensitivity: SPDX IDs are case-sensitive (
MIT, notmit). UseSpdxLicenses::validate($license, true)to normalize (enforce uppercase) before validation. -
⚠️
UNKNOWNvsNOASSERTIONvsNONE:
These special identifiers (e.g., used incomposer.json) are not real SPDX IDs and will returnfalsefromisValid(). Handle them explicitly if needed:$id = $json['license']; if (in_array($id, ['UNLICENSED', 'NOASSERTION', 'NONE'], true)) { // Handle special cases manually } else { SpdxLicenses::isValid($id); } -
🔍 Missing License Data?
getLicenseById()returnsnullfor unknown IDs — alwaysnullcheck before accessing keys (e.g.,$data['osiApproved'] ?? false). -
📦 Data Source:
License metadata is bundled viadata/spdx-licenses.json. Update frequency depends on package releases — check SPDX’s official site for latest IDs. For bleeding-edge accuracy, contribute PRs or pin to latest commit. -
🔄 Extending Metadata:
You can safely override or augment license data in your app by copyingSpdxLicenses::getAllLicenses()and adding custom keys — but avoid modifying the package’s source. -
🐞 Debugging Tip:
IfisValid()fails unexpectedly, compare against the raw list:$id = 'GPL-3.0-only'; var_dump(in_array($id, SpdxLicenses::getAllLicenseIds(), true));
How can I help you explore Laravel packages today?