In the previous tip, I showed you how to list your dependencies' licenses. Now let's make it more useful.
First, get a quick summary:
composer licenses --format=summary
This groups packages by license type. Nice to eyeball, but not easy to automate.
If you want to enforce an allowlist of specific licenses, use the JSON output and filter it with jq.
For example, say your project only allows MIT and Apache-2.0.
This command lists every dependency that has neither:
composer licenses -f json | \
jq -r '.dependencies | to_entries[]
       | select(any(.value.license[]; IN("MIT", "Apache-2.0")) | not)
       | .key'
Empty output means every dependency declares at least one license on your allowlist. Any package names that appear need review. Two details worth knowing: a dual-licensed package (say GPL-2.0 or Apache-2.0) passes because you can pick the allowed option, and a package with an empty license list is flagged, which is what you want, since "no declared license" is not a grant. Also, composer licenses includes require-dev packages by default; add --no-dev if you only care about what ships.
For CI, run this in a GitHub Actions step and fail the build if it prints anything.
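If you would rather have the gate as a script than a jq one-liner, here is the same check in Python as an added example (mine, not from the newsletter or from Composer itself). It assumes the JSON shape composer licenses -f json emits, a top-level "dependencies" object keyed by package name with a "license" list, and reads that report from stdin. The sample report embedded below is constructed for the demo; the package names in it are made up.

```python
"""License allowlist gate for `composer licenses -f json` output.

Usage in CI:  composer licenses -f json --no-dev | python3 license_gate.py [ALLOWED ...]
Exits 1 and lists the offenders if any dependency lacks an allowed license.
"""
import json
import sys

# Default allowlist; extra SPDX identifiers can be passed on the command line.
ALLOWED = frozenset({"MIT", "Apache-2.0"})

# Constructed sample of a `composer licenses -f json` report (assumed shape).
# Package names are invented for this example.
SAMPLE_JSON = """
{
  "name": "acme/app",
  "version": "1.0.0",
  "license": ["proprietary"],
  "dependencies": {
    "vendor/fine":       {"version": "2.1.0", "license": ["MIT"]},
    "vendor/dual":       {"version": "1.4.2", "license": ["GPL-2.0-or-later", "Apache-2.0"]},
    "vendor/copyleft":   {"version": "0.9.0", "license": ["GPL-3.0-only"]},
    "vendor/unlicensed": {"version": "3.0.0", "license": []}
  }
}
"""


def load_report(text: str) -> dict:
    """Parse the JSON report; kept separate so callers can feed any source."""
    return json.loads(text)


def find_violations(report: dict, allowed=ALLOWED) -> dict:
    """Return {package: licenses} for every dependency with no allowed license.

    Mirrors the jq filter's semantics:
    - a dual-licensed package passes if ANY of its licenses is allowed,
      because you are free to take it under that option;
    - a package with an empty or missing license list is flagged, since
      "no declared license" is not a grant of anything.
    """
    violations = {}
    for name, info in sorted(report.get("dependencies", {}).items()):
        licenses = info.get("license") or []
        if not any(lic in allowed for lic in licenses):
            violations[name] = list(licenses)
    return violations


def main(argv) -> int:
    allowed = frozenset(argv) | ALLOWED if argv else ALLOWED
    # Read the real report from a pipe; fall back to the sample when run bare.
    text = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
    violations = find_violations(load_report(text), allowed)
    for name, licenses in violations.items():
        print(f"{name}: {', '.join(licenses) or '(no license declared)'}")
    if violations:
        print(f"{len(violations)} package(s) need license review", file=sys.stderr)
        return 1
    print("all dependencies carry an allowed license")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A non-zero exit is all a GitHub Actions step needs to fail the job, so the script drops into a workflow with no extra glue. Keep the allowlist in the repo (or pass it as arguments from the workflow file) so a change to it shows up in code review like any other policy change.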
Here to help,
Aaron
P.S. Found a package with a problematic license? Whether you swap it out or roll your own, we can help you decide. Schedule a code review.