
Spdx Licenses Laravel Package

composer/spdx-licenses

SPDX licenses list and validation library extracted from Composer. Look up licenses and exceptions by identifier or name, check OSI approval and deprecation, and validate SPDX license expressions using official SPDX License List data.


Product Decisions This Supports

  • Compliance Automation for Open-Source Projects:

    • Enforce SPDX license validation in CI/CD pipelines (e.g., fail builds if dependencies use deprecated or non-OSI-approved licenses).
    • Integrate with GitHub/GitLab PR checks to block merges with non-compliant licenses (e.g., MIT vs. GPL-3.0).
    • Automate license reporting for open-source contributions (e.g., generate SPDX-RDF for supply chain transparency).
  • Dependency Governance in Laravel/Ecosystem:

    • Standardize license checks across all PHP projects (e.g., reject AGPL-3.0 in proprietary modules).
    • Laravel Package Store Validation: Use this to validate licenses submitted to the Laravel Package Repository or a custom package registry.
    • SaaS Multi-Tenancy: Ensure third-party Laravel packages (e.g., payment gateways, auth services) comply with licensing terms before integration.
  • Regulatory and Legal Risk Reduction:

    • EU Digital Operational Resilience Act (DORA) Compliance: Automate license audits for financial services using Laravel.
    • Government/Defense Contracts: Validate SPDX compliance for classified or restricted software distributions.
    • Open-Source Contribution Policies: Enforce OSI-approved licenses in internal repositories (e.g., reject Unlicense in corporate projects).
  • Tooling and Developer Experience:

    • Composer Plugin: Extend composer validate with a --check-licenses flag to enforce SPDX compliance during composer install.
    • Laravel Artisan Command: Build php artisan spdx:audit to scan vendor/ for deprecated/non-compliant licenses.
    • IDE Integration: Power autocomplete for license fields in composer.json (e.g., VS Code/Laravel IDE Helper plugins).
  • Build vs. Buy Decision:

    • Replace custom regex-based license parsers with a maintained, SPDX-aligned library (used by Composer).
    • Avoid reinventing the wheel: Leverage SPDX’s curated license list (updated via package releases) instead of manual maintenance.
    • Reduce technical debt: No need to sync with SPDX’s license-list-data repository.
  • Roadmap for License Governance Platforms:

    • License Compliance Dashboard: Use this as the backend for a web UI showing project-wide license risks (e.g., "10% of dependencies use deprecated licenses").
    • API for License Validation: Expose endpoints (e.g., /api/licenses/validate) to validate licenses in real-time for SaaS platforms.
    • Audit Logs: Track license changes over time (e.g., "GPL-2.0 was deprecated in SPDX 3.20").

When to Consider This Package

Adopt if:

  • Your PHP/Laravel project uses Composer for dependency management (core use case).
  • You need to validate SPDX license identifiers in:
    • composer.json files (e.g., license field).
    • CI/CD pipelines (e.g., GitHub Actions, GitLab CI).
    • Package metadata (e.g., Packagist submissions).
  • Your team requires OSI approval checks or deprecation warnings (e.g., for open-source distributions or proprietary software).
  • You’re building compliance tools, audit scripts, or license governance features (e.g., a "License Compliance Dashboard").
  • You want to avoid maintaining a custom SPDX license list (this package auto-updates with SPDX releases).
  • Your project must comply with SPDX standards (e.g., for government contracts, open-source contributions, or supply chain transparency).
  • You need lightweight, zero-maintenance license validation with battle-tested code (used by Composer).
  • Your PHP version is 7.2+ (package dropped PHP 5.3–7.1 support in v1.6.0).

Look elsewhere if:

  • You’re not using PHP/Composer (e.g., Node.js, Python, or non-PHP ecosystems).
  • Your license needs include non-SPDX licenses (e.g., custom proprietary licenses requiring full text parsing).
  • You require interactive license selection (e.g., a UI component for users to pick licenses).
  • Your PHP version is <7.2 (use v1.5.x for legacy support).
  • You need full license text extraction (e.g., parsing LICENSE files for clauses) rather than identifier validation.
  • You’re not concerned with SPDX/OSI compliance (e.g., internal tools with no open-source dependencies).
  • You require license negotiation or dynamic approval workflows (e.g., "Approve this GPL dependency for this project only").

How to Pitch It (Stakeholders)

For Executives: *"This package lets us automate SPDX license compliance—reducing legal risk, audit costs, and dependency issues. By integrating it into our CI/CD pipeline, we can:

  • Block non-compliant licenses before they enter production (e.g., reject GPL in proprietary modules).
  • Meet regulatory requirements (e.g., EU DORA, government contracts) with minimal effort.
  • Save developer time by replacing manual license checks with automated validation.

Used by Composer (the PHP package manager), it’s battle-tested and maintained, so we avoid reinventing the wheel. For a one-time composer require, we gain enterprise-grade license governance."*

For Engineering/DevOps: *"This is a drop-in solution for SPDX license validation. Key benefits:

  • Zero maintenance: SPDX license list is auto-updated via package releases.
  • CI/CD ready: Validate licenses in GitHub Actions/GitLab CI with a few lines of PHP.
  • Laravel-friendly: Can power Artisan commands, middleware, or Composer plugins.
  • Lightweight: Pure PHP, no external dependencies (just Composer).

Example use case: Fail a PR if a new dependency uses a deprecated license (e.g., MITMIT-0). Let’s prototype this in our next audit tool."*

For Legal/Compliance: *"This package eliminates manual license audits by automating SPDX validation. It helps us:

  • Enforce OSI-approved licenses across all PHP projects.
  • Track deprecated licenses (e.g., flag Apache-1.1 as obsolete).
  • Generate compliance reports for open-source distributions or government contracts.

It’s used by Composer, so it’s trusted and up-to-date with SPDX standards. We can integrate it into our existing tooling with minimal effort."*
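The vendor/ audit sketched under Tooling and the fail-the-PR use case in the engineering pitch, as an added example that is not code from this page or from the composer/spdx-licenses project. It runs the library's validate(), deprecation and OSI checks over a constructed package list shaped like vendor/composer/installed.json entries; the auditLicenses() helper, the sample packages and the vendor/autoload.php path are assumptions.

```php
<?php
// Added example (not code from composer/spdx-licenses): a CI-style license audit.
// Assumes vendor/autoload.php from `composer require composer/spdx-licenses`.
require __DIR__ . '/vendor/autoload.php';
use Composer\Spdx\SpdxLicenses;

// Entries mirror vendor/composer/installed.json, where "license" is a list meaning
// "any one of these". Returns one finding string per problem; empty means clean.
function auditLicenses(SpdxLicenses $spdx, array $packages, bool $requireOsi = true): array
{
    $findings = [];
    foreach ($packages as $package) {
        $name = $package['name'];
        if (empty($package['license'])) {
            $findings[] = "$name: no license declared";
            continue;
        }
        foreach ($package['license'] as $id) {
            // validate() takes identifiers or expressions like "(MIT OR GPL-2.0-only)".
            if (!$spdx->validate($id)) {
                $findings[] = "$name: '$id' is not a valid SPDX license";
                continue;
            }
            // Per-identifier checks need a single identifier; skip composite expressions.
            if ($spdx->getLicenseByIdentifier($id) === null) {
                continue;
            }
            if ($spdx->isDeprecatedByIdentifier($id)) {
                $findings[] = "$name: '$id' is deprecated in the SPDX list";
            }
            if ($requireOsi && !$spdx->isOsiApprovedByIdentifier($id)) {
                $findings[] = "$name: '$id' is not OSI-approved";
            }
        }
    }
    return $findings;
}
// Constructed sample input, not real dependency data.
$packages = [
    ['name' => 'acme/http',   'license' => ['MIT']],
    ['name' => 'acme/legacy', 'license' => ['GPL-2.0']],  // deprecated; GPL-2.0-only is current
    ['name' => 'acme/typo',   'license' => ['MITMIT-0']], // not an SPDX identifier
    ['name' => 'acme/dual',   'license' => ['MIT', 'Apache-2.0']],
];
$findings = auditLicenses(new SpdxLicenses(), $packages);
foreach ($findings as $finding) {
    fwrite(STDERR, $finding . PHP_EOL);
}
exit($findings === [] ? 0 : 1); // a non-zero exit fails the CI job
```

For a real pipeline, replace the constructed list with the "packages" array decoded from vendor/composer/installed.json and run the script as a CI step so the non-zero exit blocks the merge.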