node-module-license-output

v1.0.0

Generate third-party-license markdown by scanning licenses in node_modules.

Readme

Third-Party License Output for node_modules

Package name: node-module-license-output

https://www.npmjs.com/package/node-module-license-output

What is this?

A tool to scan node_modules and output third-party licenses in Markdown.
It generates two files: THIRD-PARTY-LICENSE.md (main content) and THIRD-PARTY-LICENSE-REVIEW.md (review checklist).

Highlights

  • ESM / Node.js 18+, zero dependencies
  • Outputs full license texts from LICENSE/NOTICE/COPYRIGHT/THIRD-PARTY-NOTICES/THIRD-PARTY-LICENSES/ThirdPartyNoticeText/ThirdPartyText/COPYING files
  • Review file flags missing Source / license / license files
  • --fail-on-missing supports CI enforcement
  • Requires a package.json next to the target node_modules when using --dependencies-only
  • Intended for npm/pnpm usage (node_modules layout)

CLI command: third-party-license

Usage

Run without installing (recommended)

npx --package=node-module-license-output -- third-party-license

Run via npm exec

npm exec --package=node-module-license-output -- third-party-license

Install globally

npm i -g node-module-license-output
third-party-license

Options

| Option | Description | Default |
| --- | --- | --- |
| --node-modules <dir> | Path to node_modules | node_modules |
| --review [file] | Write review file only; optional filename | THIRD-PARTY-LICENSE-REVIEW.md |
| --license [file] | Write main file only; optional filename | THIRD-PARTY-LICENSE.md |
| --recreate | Regenerate files from current node_modules only (drops removed packages) | true (default) |
| --update | Merge with existing outputs, keep removed packages, and mark their presence | false |
| --fail-on-missing | Exit with code 1 if LICENSE/NOTICE/COPYRIGHT/THIRD-PARTY-NOTICES/THIRD-PARTY-LICENSES/ThirdPartyNoticeText/ThirdPartyText/COPYING are missing | false |
| --dependencies-only | Limit output to dependency tree rooted at dependencies (and optionalDependencies) in the project package.json | true (default) |
| --dependencies-all | Scan all packages under node_modules | false |
| -h, --help | Show help | - |

If neither --review nor --license is specified, both files are generated. Packages in both files are sorted by name@version; --update keeps entries for packages no longer in node_modules and annotates their usage status. --dependencies-only reads the package.json next to the target node_modules and limits output to the dependency tree rooted at dependencies and optionalDependencies (not devDependencies or peerDependencies); it throws if that package.json is not found. Operationally, the default (--dependencies-only) is intended for day-to-day use, while --dependencies-all is intended for SBOM-like, exhaustive reporting. When duplicates are disambiguated by path, --update may treat path-changed entries as new.

Examples

# Default (both files)
third-party-license

# Update existing files without dropping removed packages
third-party-license --update

# Custom node_modules path
third-party-license --node-modules ./path/to/node_modules

# Review-only output (optional filename)
third-party-license --review
third-party-license --review ./out/THIRD-PARTY-LICENSE-REVIEW.md

# Main-only output (optional filename)
third-party-license --license
third-party-license --license ./out/THIRD-PARTY-LICENSE.md

# Exit with code 1 when something is missing (with --fail-on-missing)
third-party-license --fail-on-missing

# Day-to-day (dependencies only)
third-party-license --dependencies-only

# Audit / SBOM-like (scan all packages under node_modules)
third-party-license --dependencies-all
third-party-license --dependencies-all --license ./out/THIRD-PARTY-LICENSE.md --review ./out/THIRD-PARTY-LICENSE-REVIEW.md

Programmatic API

import { collectThirdPartyLicenses } from "node-module-license-output";

const result = await collectThirdPartyLicenses({
  nodeModules: "./node_modules",
  outFile: "./THIRD-PARTY-LICENSE.md",
  reviewFile: "./THIRD-PARTY-LICENSE-REVIEW.md",
  failOnMissing: false,
  dependenciesOnly: true,
  // mode: "update", // keep packages missing from node_modules when updating files
});

console.log(result.mainContent);
console.log(result.reviewContent);

Outputs are sorted by package key. Use mode: "update" to merge with existing files and keep packages that are no longer in node_modules, with their usage shown in both outputs.

Output overview

  • THIRD-PARTY-LICENSE.md
    • List of packages (default: only those reachable from dependencies/optionalDependencies)
    • Source / License info
    • Full LICENSE/NOTICE/COPYRIGHT/THIRD-PARTY-NOTICES/THIRD-PARTY-LICENSES/ThirdPartyNoticeText/ThirdPartyText/COPYING texts
    • Usage line shows whether the package is present in the current node_modules (or kept from previous output with --update)
  • THIRD-PARTY-LICENSE-REVIEW.md
    • Review-oriented checklist
    • Usage-aware status (present / not found) for each package
    • Missing summary section

How it differs from typical npm license tools (general view)

Examples: license-checker, license-report, license-finder

  • Focused on bundling full license texts into a single Markdown file
    • Many existing tools emphasize JSON/CSV reports; this tool emphasizes ready-to-share license documents.
  • Separate review file to track missing metadata
    • Easier to integrate into audit workflows.
  • ESM / Node.js 18+ with no dependencies
    • Simple runtime requirements.

Notes

  • Default output is restricted to the dependency tree from dependencies and optionalDependencies.
  • Use --dependencies-all to scan all packages under node_modules (including nested dependencies).
  • License files are searched only in each package root directory.
  • If multiple copies of the same name@version exist, dependency-only output disambiguates them by path.
  • pnpm installs may be resolved via .pnpm directories under node_modules; this tool follows resolved package paths rather than only direct node_modules/<pkg> locations.
  • Recognizes LICENSE, NOTICE, COPYRIGHT, THIRD-PARTY-NOTICES, THIRD-PARTY-LICENSES, ThirdPartyNoticeText/ThirdPartyText, and COPYING files (e.g., TypeScript's ThirdPartyNoticeText.txt).
  • Exit code 0: success.
  • Exit code 1: missing license files when --fail-on-missing is set, or node_modules not found.
  • Throws an error if node_modules does not exist.
  • Missing license or repository fields are flagged in the review file.
  • Paths printed in outputs/logs are shown relative to the current working directory.
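
The gap between the default dependency-only scope and --dependencies-all, combined with the root-directory-only license file search described in the Notes, sketched as an added example (not the tool's own code). It models node_modules as an in-memory map; the function names, the sample packages, and the file-name matching rule (case-insensitive, optional extension) are assumptions.

```javascript
// Added example (not the tool's source). node_modules is modelled in memory:
// package directory -> { pkg: parsed package.json, files: entries in the package root }.
// Assumption: file names match case-insensitively, with an optional extension.
const LICENSE_RE = /^(LICENSE|NOTICE|COPYRIGHT|COPYING|THIRD-PARTY-NOTICES|THIRD-PARTY-LICENSES|ThirdPartyNoticeText|ThirdPartyText)(\..+)?$/i;

const hasLicenseFile = (entry) => entry.files.some((f) => LICENSE_RE.test(f));
const key = (entry) => `${entry.pkg.name}@${entry.pkg.version}`;

// Node-style lookup: nearest node_modules first, then each enclosing package's.
function resolveDep(tree, fromDir, name) {
  for (let dir = fromDir; ; ) {
    const candidate = `${dir ? dir + "/" : ""}node_modules/${name}`;
    if (tree[candidate]) return candidate;
    if (!dir) return null;
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// Walk only dependencies + optionalDependencies, starting at the project package.json.
function auditDependenciesOnly(tree, rootPkg) {
  const seen = new Set();
  const queue = [["", rootPkg]];
  while (queue.length) {
    const [dir, pkg] = queue.shift();
    for (const name of Object.keys({ ...pkg.dependencies, ...pkg.optionalDependencies })) {
      const hit = resolveDep(tree, dir, name);
      if (!hit || seen.has(hit)) continue; // not installed, or already visited
      seen.add(hit);
      queue.push([hit, tree[hit].pkg]);
    }
  }
  return [...seen].filter((d) => !hasLicenseFile(tree[d])).map((d) => key(tree[d])).sort();
}

// Exhaustive view: every package directory present under node_modules.
const auditAll = (tree) => Object.values(tree).filter((e) => !hasLicenseFile(e)).map(key).sort();

// Constructed sample project.
const ROOT = { name: "app", version: "1.0.0", dependencies: { a: "^1.0.0" }, devDependencies: { linter: "^9.0.0" } };
const TREE = {
  "node_modules/a": { pkg: { name: "a", version: "1.2.0", dependencies: { b: "^2.0.0" } }, files: ["package.json", "LICENSE.md"] },
  "node_modules/a/node_modules/b": { pkg: { name: "b", version: "2.0.1" }, files: ["package.json", "docs"] }, // license text only under docs/
  "node_modules/b": { pkg: { name: "b", version: "1.0.0" }, files: ["package.json", "COPYING"] },
  "node_modules/linter": { pkg: { name: "linter", version: "9.1.0" }, files: ["package.json", "README.md"] },
};

console.log("dependencies-only:", auditDependenciesOnly(TREE, ROOT));
console.log("all packages:     ", auditAll(TREE));
```

In this sample the dev-only package with no license file is reported only by the exhaustive scan, and the nested b@2.0.1 is flagged because its license text is not in the package root.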