# lpm licenses

Inventory installed dependency licenses and fail CI on compliance policy.

```sh
lpm licenses
lpm licenses --json
lpm licenses --fail-on copyleft
lpm licenses --deny GPL-3.0 --deny AGPL-3.0
```

`lpm licenses` lists the licenses declared by installed packages in the current `lpm.lock` graph. It reads the same installed package manifest metadata that `lpm sbom` uses: `node_modules/` first, then the LPM store when present.
Use `lpm query :copyleft` when you want selector-style security queries. Use `lpm licenses` when you need the exact license inventory and a CI compliance gate.
## Examples

```sh
lpm licenses                                  # table output
lpm licenses --json                           # structured inventory
lpm licenses --fail-on copyleft               # fail if any copyleft (GPL-family or other reciprocal) license is present
lpm licenses --fail-on copyleft,missing       # fail on copyleft or absent license metadata
lpm licenses --deny GPL-3.0 --deny AGPL-3.0   # fail on exact denied expressions
```

## Inventory source
`lpm licenses` is local-first and does not fetch registry metadata. Run `lpm install` first so `lpm.lock`, `node_modules/`, and the store have the package manifests to inspect.
The JSON output includes:

- `root` — the current project's own license metadata
- `packages` — installed dependency packages with `name`, `version`, `scope`, `licenses`, `license_expression`, `missing`, `copyleft`, and denied-license fields
- `summary` — counts for `copyleft`, `missing`, and `denied`
- `policy` — the active `--fail-on`/`--deny` gate and whether it failed
`scope` is derived from root reachability in `lpm.lock`, including root aliases for npm alias declarations. Required paths win over optional paths, and optional paths win over excluded/dev-only paths, so a dev-only transitive package is marked excluded unless a production or optional root also reaches it.

Policy applies to dependency packages. The root project license is included for context.
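The precedence rule above is easiest to see as a graph walk. The following is an added example, not lpm's own code: it models root reachability over a small constructed lock graph, with one production dependency declared through an npm alias. The graph layout, the root edge kinds (`dependencies`, `optionalDependencies`, `devDependencies`), the alias representation and the function names are assumptions; only the precedence required > optional > excluded comes from the page.

```python
# Added example (not lpm's own code): a model of the scope rule described above.
# The lock-graph shape, root edge kinds, alias representation and function names
# are assumptions; only the precedence (required > optional > excluded) comes
# from the page.
from collections import deque

# Higher rank wins when several roots reach the same package.
SCOPE_RANK = {"excluded": 0, "optional": 1, "required": 2}

# Which root edge kind seeds which scope (assumed mapping of manifest sections).
ROOT_KIND_SCOPE = {
    "dependencies": "required",
    "optionalDependencies": "optional",
    "devDependencies": "excluded",
}

# Constructed dependency graph standing in for the lpm.lock graph: name -> deps.
SAMPLE_GRAPH = {
    "express": ["debug"],
    "debug": ["ms"],
    "ms": [],
    "jest": ["chalk", "ms"],
    "chalk": [],
    "fsevents": ["node-addon-api"],
    "node-addon-api": [],
}

# Constructed root declarations. "web-framework" is an npm alias of "express"
# (as in `"web-framework": "npm:express@^4"`), declared as a production dep.
SAMPLE_ROOTS = {
    "dependencies": ["web-framework"],
    "optionalDependencies": ["fsevents"],
    "devDependencies": ["jest"],
}
SAMPLE_ALIASES = {"web-framework": "express"}


def reachable(graph, start):
    """Every package reachable from `start`, including `start` itself (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def derive_scopes(graph, roots, aliases=None):
    """Assign required/optional/excluded to every package by root reachability.

    Each root edge kind seeds a walk over the graph. A package keeps the
    highest-ranked scope any walk reaches it with, so a dev-only transitive
    dependency stays "excluded" unless a production or optional root also
    reaches it. Alias names are resolved to their targets before walking.
    """
    aliases = aliases or {}
    scopes = {name: "excluded" for name in graph}
    for kind, direct in roots.items():
        scope = ROOT_KIND_SCOPE[kind]
        for name in direct:
            for pkg in reachable(graph, aliases.get(name, name)):
                if SCOPE_RANK[scope] > SCOPE_RANK[scopes.get(pkg, "excluded")]:
                    scopes[pkg] = scope
    return scopes


if __name__ == "__main__":
    result = derive_scopes(SAMPLE_GRAPH, SAMPLE_ROOTS, SAMPLE_ALIASES)
    for name, scope in sorted(result.items()):
        print(f"{name:15} {scope}")
```

In the sample, `ms` is reached by both the production chain (`express` → `debug` → `ms`) and the dev-only `jest`, so it ends up `required`; `chalk`, reached only from `jest`, stays `excluded`.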
## Policy gates

```sh
lpm licenses --fail-on copyleft
```

`--fail-on copyleft` uses the same copyleft classifier as `lpm audit` and `lpm query :copyleft`. It catches GPL-family and other known reciprocal license identifiers inside SPDX-style expressions.

```sh
lpm licenses --fail-on missing
```

`--fail-on missing` fails when a package has no license declaration or only no-license markers such as `UNLICENSED`, `NONE`, `PROPRIETARY`, `NOASSERTION`, or `SEE LICENSE IN ...`.

```sh
lpm licenses --deny GPL-3.0
```

`--deny <LICENSE>` fails on exact declared license-expression matches, case-insensitive. Repeat it or pass comma-separated values:

```sh
lpm licenses --deny GPL-3.0,AGPL-3.0
lpm licenses --deny GPL-3.0 --deny AGPL-3.0
```

Because the match is exact, `--deny GPL-3.0` does not catch variants such as `GPL-3.0-only` or `GPL-3.0-or-later`, nor a compound expression that merely contains `GPL-3.0`; use `--fail-on copyleft` when you want the whole family blocked and reserve `--deny` for pinning down specific expressions.

When a policy fails, the command exits 1. Under `--json`, stdout is still a single JSON object with `"success": false`, summary counts, and per-package denial details.
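To make the three gates concrete, here is an added example that models the `--fail-on` / `--deny` evaluation over a constructed inventory in the documented JSON layout. It is not lpm's classifier or output code: the copyleft identifier list, the `denied_by` field name, the flag parsing and the report layout are assumptions; the no-license markers, the exact case-insensitive `--deny` match, the repeatable/comma-separated flag form and the `"success"`/`summary` shape follow this page.

```python
# Added example (not lpm's classifier or output code): a model of the
# --fail-on / --deny gate as this page documents it. The copyleft identifier
# list, the `denied_by` field name, the flag parsing and the report layout are
# assumptions; the missing markers and the exact-match deny rule come from the page.
import json
import re

# Reciprocal licence identifiers treated as copyleft (assumed list). A token
# matches if it equals an entry or extends it with a suffix such as
# "-only", "-or-later" or "-with-classpath-exception"; a trailing "+" is ignored.
COPYLEFT_IDS = ("GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-2.1", "LGPL-3.0",
                "MPL-2.0", "EPL-2.0", "CDDL-1.0", "EUPL-1.2", "OSL-3.0", "SSPL-1.0")

# Declarations that count as "no licence" (markers listed on this page).
MISSING_MARKERS = ("UNLICENSED", "NONE", "PROPRIETARY", "NOASSERTION")

SPDX_TOKEN = re.compile(r"[A-Za-z0-9.+-]+")
SPDX_OPERATORS = {"AND", "OR", "WITH"}

# Constructed inventory using the documented field names (not real packages).
SAMPLE_INVENTORY = {
    "root": {"name": "demo-app", "license_expression": "MIT"},
    "packages": [
        {"name": "left-pad", "version": "1.3.0", "scope": "required", "license_expression": "MIT"},
        {"name": "readline-gpl", "version": "8.2.0", "scope": "required", "license_expression": "GPL-3.0-only"},
        {"name": "ghostscript-bind", "version": "0.1.0", "scope": "optional", "license_expression": "AGPL-3.0"},
        {"name": "dual-licensed", "version": "2.0.0", "scope": "required", "license_expression": "(MIT OR Apache-2.0)"},
        {"name": "internal-tool", "version": "0.0.1", "scope": "excluded", "license_expression": "UNLICENSED"},
        {"name": "vendor-blob", "version": "4.4.0", "scope": "required", "license_expression": "SEE LICENSE IN LICENSE.md"},
    ],
}


def parse_multi(values):
    """Expand repeatable, comma-separated flag values: ["a,b", "c"] -> ["a", "b", "c"]."""
    out = []
    for value in values or ():
        out.extend(part.strip() for part in value.split(",") if part.strip())
    return out


def is_missing(expr):
    """No declaration at all, or only a no-licence marker."""
    if not expr or not expr.strip():
        return True
    upper = expr.strip().upper()
    return upper in MISSING_MARKERS or upper.startswith("SEE LICENSE IN")


def is_copyleft(expr):
    """True if any identifier in the SPDX-style expression is a known reciprocal licence."""
    if is_missing(expr):
        return False
    for token in SPDX_TOKEN.findall(expr):
        up = token.upper().rstrip("+")
        if up in SPDX_OPERATORS:
            continue
        if any(up == c.upper() or up.startswith(c.upper() + "-") for c in COPYLEFT_IDS):
            return True
    return False


def evaluate(inventory, fail_on=(), deny=()):
    """Apply the gate to dependency packages only; the root is reported, never gated."""
    gates = set(parse_multi(fail_on))
    unknown = gates - {"copyleft", "missing"}
    if unknown:
        raise ValueError(f"unknown --fail-on value(s): {sorted(unknown)}")
    # --deny is an exact, case-insensitive match on the whole declared expression:
    # "GPL-3.0" does not match "GPL-3.0-only"; use --fail-on copyleft for the family.
    denied = {d.upper(): d for d in parse_multi(deny)}

    packages, summary = [], {"copyleft": 0, "missing": 0, "denied": 0}
    for pkg in inventory["packages"]:
        expr = pkg.get("license_expression")
        entry = dict(pkg)
        entry["missing"] = is_missing(expr)
        entry["copyleft"] = is_copyleft(expr)
        entry["denied_by"] = denied.get(expr.strip().upper()) if expr else None
        summary["copyleft"] += int(entry["copyleft"])
        summary["missing"] += int(entry["missing"])
        summary["denied"] += int(entry["denied_by"] is not None)
        packages.append(entry)

    failed = (("copyleft" in gates and summary["copyleft"] > 0)
              or ("missing" in gates and summary["missing"] > 0)
              or summary["denied"] > 0)
    return {
        "success": not failed,
        "root": inventory.get("root"),
        "packages": packages,
        "summary": summary,
        "policy": {"fail_on": sorted(gates), "deny": list(denied.values()), "failed": failed},
    }


def exit_code(report):
    """Non-zero when the gate failed, matching the documented exit status."""
    return 0 if report["success"] else 1


if __name__ == "__main__":
    report = evaluate(SAMPLE_INVENTORY, fail_on=["copyleft,missing"], deny=["agpl-3.0"])
    print(json.dumps(report, indent=2))
    raise SystemExit(exit_code(report))
```

Against the sample, `--deny gpl-3.0,agpl-3.0` denies only `ghostscript-bind` (`AGPL-3.0` is an exact match) and lets `readline-gpl` (`GPL-3.0-only`) through, while `--fail-on copyleft` flags both; that gap is the reason to prefer the family gate over a deny list for anything but pinned expressions.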
## Flags

| Flag | Effect |
|---|---|
| `--fail-on <copyleft\|missing>` | Fail when matching packages are present. Repeatable and comma-separated. |
| `--deny <LICENSE>` | Fail on an exact declared license expression. Repeatable and comma-separated. |
Plus the global flags.
## See also

- `lpm sbom` — CycloneDX/SPDX export with license metadata
- `lpm query` — selector queries such as `:copyleft` and `:no-license`
- `lpm audit` — vulnerability and behavioral audit
- Security & audit — how the audit/query/license surfaces fit together