Spdx Licenses Laravel Package
composer/spdx-licenses
PHP library providing the official SPDX license and exception lists plus helpers to look up licenses by identifier/name, check OSI approval/deprecation, and validate SPDX license expressions. Extracted from Composer and kept in sync with SPDX data.
Getting Started
-
Install the package via Composer:
composer require composer/spdx-licenses -
Start validating licenses in your own code or tools:
use Composer\Spdx\SpdxLicenses; $license = 'MIT'; if (SpdxLicenses::isValid($license)) { echo "Valid SPDX ID: $license\n"; } // Get full license data $data = SpdxLicenses::getLicenseById($license); echo "Name: " . $data['name'] . "\n"; echo "OSI Approved: " . ($data['osiApproved'] ? 'Yes' : 'No') . "\n"; -
Explore available identifiers (e.g., for autocomplete in tooling):
$ids = SpdxLicenses::getAllLicenseIds(); // Returns array like ['0BSD', 'AAL', 'Abstyles', ...]
First use case: Add a license validation step to your CI pipeline using this package to prevent invalid or deprecated license IDs from creeping into your project.
Implementation Patterns
-
CI/CD Validation Hook:
Integrate into Composer scripts or GitHub Actions to run license checks oncomposer.jsonor installed dependencies:# In composer.json "scripts": { "check-licenses": "php ./scripts/validate-licenses.php" } -
Composer Plugin Integration:
Build or extend a Composer plugin (e.g., for license auditing) using the package’s API to:- Validate
licensefield incomposer.json - Normalize user-supplied license IDs (e.g.,
mit→MIT) - Warn about non-OSI-approved or deprecated IDs
- Validate
-
CLI Tooling / Audit Scripts:
Scan vendor directories or JSON export (composer show -i --format=json) and cross-check against SPDX:$packages = json_decode(file_get_contents('composer.json'), true)['require'] ?? []; foreach ($packages as $pkg => $version) { $info = SpdxLicenses::getLicenseById($pkgLicense); if (!$info) { /* handle unknown license */ } } -
Metadata-Driven UI/Reports:
Leverage nested data for richer reporting:- Highlight deprecated licenses (
'deprecated' => true) - Flag see-also links or special exceptions (
'exceptions' => [...]) - Filter only OSI-approved licenses for compliance dashboards
- Highlight deprecated licenses (
Gotchas and Tips
-
⚠️ Case Sensitivity: SPDX IDs are case-sensitive (
MIT, notmit). UseSpdxLicenses::validate($license, true)to normalize (enforce uppercase) before validation. -
⚠️
UNKNOWNvsNOASSERTIONvsNONE:
These special identifiers (e.g., used incomposer.json) are not real SPDX IDs and will returnfalsefromisValid(). Handle them explicitly if needed:$id = $json['license']; if (in_array($id, ['UNLICENSED', 'NOASSERTION', 'NONE'], true)) { // Handle special cases manually } else { SpdxLicenses::isValid($id); } -
🔍 Missing License Data?
getLicenseById()returnsnullfor unknown IDs — alwaysnullcheck before accessing keys (e.g.,$data['osiApproved'] ?? false). -
📦 Data Source:
License metadata is bundled viadata/spdx-licenses.json. Update frequency depends on package releases — check SPDX’s official site for latest IDs. For bleeding-edge accuracy, contribute PRs or pin to latest commit. -
🔄 Extending Metadata:
You can safely override or augment license data in your app by copyingSpdxLicenses::getAllLicenses()and adding custom keys — but avoid modifying the package’s source. -
🐞 Debugging Tip:
IfisValid()fails unexpectedly, compare against the raw list:$id = 'GPL-3.0-only'; var_dump(in_array($id, SpdxLicenses::getAllLicenseIds(), true));
How can I help you explore Laravel packages today?