Building a commercial SaaS that uses a bunch of open source libraries. My package.json has like 200 dependencies. How do I even know if I'm compliant? Some say MIT, some say Apache 2.0, saw one GPL thing in there. Help?
Quick guide to common licenses:
MIT/BSD: Do whatever you want, just include the license text somewhere (usually in your about page or docs). Super permissive.
Apache 2.0: Same as MIT but includes patent grant. Also requires noting any modifications. Still very commercial-friendly.
GPL: The "viral" one. If you distribute GPL code, you must make YOUR source code available under GPL too. For SaaS this usually doesn't apply since you're not distributing binaries.
AGPL: Like GPL but applies to SaaS specifically. This is the dangerous one for commercial products.
Wait, so if I have ONE GPL dependency buried in node_modules, I have to open source my entire product??
For SaaS (code runs on your servers, not distributed): Regular GPL doesn't apply. You only need to worry about AGPL.
For desktop/mobile apps (code distributed to users): Then yes, GPL matters. But it's about "distribution" — if GPL code is linked into your distributed binary, your code may need to be GPL too.
There are nuances (dynamic vs static linking, etc.) but that's the basic framework.
Practical advice: run `npx license-checker` on your project. It'll list all licenses in your dependency tree. Scan for GPL/AGPL/SSPL. If you find any, investigate whether you can swap for a permissive alternative (usually you can).
Just ran license-checker. Found one LGPL and one GPL-2.0. The GPL one is a dev dependency (testing framework) — does that matter if it's not in production?
Dev dependencies that don't ship with your product: not a problem. The license terms kick in when you distribute the code.
LGPL is usually fine even for distributed software — it only requires you to make the LGPL component's source available, not your whole codebase. But double-check how it's linked.
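The two replies above (run `license-checker`, scan for GPL/AGPL/SSPL, and treat LGPL and dev-only dependencies differently depending on whether the code is shipped) can be turned into a small triage script. The following is an added example, not code from the thread or from the license-checker project. It assumes the object shape that `npx license-checker --json` writes (keys of the form `name@version`, each with a `licenses` string such as `MIT`, `(MIT OR GPL-3.0)`, or `UNKNOWN`), and the package names in `SAMPLE_REPORT` are constructed for illustration. The `saas` mode flags only network copyleft (AGPL), SSPL and unknown licenses; the `distributed` mode also flags GPL and LGPL so the linking question can be checked by a human.

```javascript
// Added example: triage a license-checker JSON report by copyleft strength.
// Assumed input shape (from `npx license-checker --json`):
//   { "pkg@1.0.0": { licenses: "MIT", repository: "...", ... }, ... }
// Constructed sample report (package names are made up for this example):
const SAMPLE_REPORT = {
  'web-framework@4.19.2': { licenses: 'MIT' },
  'http-client@1.0.0':    { licenses: 'Apache-2.0' },
  'dual-lib@2.1.0':       { licenses: '(MIT OR GPL-3.0)' }, // dual-licensed: pick MIT
  'shared-lib@0.9.0':     { licenses: 'LGPL-2.1' },
  'copyleft-lib@3.0.0':   { licenses: 'GPL-2.0' },
  'network-lib@1.2.0':    { licenses: 'AGPL-3.0' },
  'mystery-lib@0.1.0':    { licenses: 'UNKNOWN' },
};

// Classification by SPDX identifier prefix. First match wins, so AGPL is
// tested before the generic GPL pattern and LGPL before GPL.
const LICENSE_CLASSES = [
  { cls: 'network-copyleft', re: /^AGPL/i },
  { cls: 'source-available', re: /^SSPL/i },
  { cls: 'weak-copyleft',    re: /^(LGPL|MPL|EPL|CDDL)/i },
  { cls: 'strong-copyleft',  re: /^GPL/i },
  { cls: 'permissive',       re: /^(MIT|BSD|Apache|ISC|0BSD|Unlicense|CC0|Zlib|WTFPL|BlueOak|Python)/i },
];

// Higher rank = more restrictive; 'unknown' ranks highest so it is always reviewed.
const RANK = {
  'permissive': 0, 'weak-copyleft': 1, 'strong-copyleft': 2,
  'network-copyleft': 3, 'source-available': 4, 'unknown': 5,
};

// Which classes need a human look, per deployment model (mirrors the thread:
// a SaaS is not distributing, so plain GPL/LGPL are not triggered).
const REVIEW_FOR = {
  saas: new Set(['network-copyleft', 'source-available', 'unknown']),
  distributed: new Set(['weak-copyleft', 'strong-copyleft', 'network-copyleft',
                        'source-available', 'unknown']),
};

// Split an SPDX-style expression into license tokens. license-checker appends
// '*' when it guessed the license from a README; strip it. 'WITH <exception>'
// does not change the base license class here.
function tokenize(expr) {
  const cleaned = String(expr).replace(/[()]/g, '').replace(/\*$/, '').trim();
  const op = /\bOR\b/i.test(cleaned) && !/\bAND\b/i.test(cleaned) ? 'OR' : 'AND';
  const tokens = cleaned
    .split(/\s+(?:OR|AND)\s+/i)
    .map((t) => t.replace(/\s+WITH\s+.*$/i, '').trim())
    .filter(Boolean);
  return { op, tokens };
}

function classifyToken(token) {
  const hit = LICENSE_CLASSES.find(({ re }) => re.test(token));
  return hit ? hit.cls : 'unknown';
}

// For 'A OR B' the integrator may choose either, so take the least restrictive;
// for 'A AND B' (or a single license) the most restrictive term governs.
function classifyExpression(expr) {
  const { op, tokens } = tokenize(expr);
  if (tokens.length === 0) return 'unknown';
  const ranks = tokens.map((t) => RANK[classifyToken(t)]);
  const chosen = op === 'OR' ? Math.min(...ranks) : Math.max(...ranks);
  return Object.keys(RANK).find((cls) => RANK[cls] === chosen);
}

// Produce one finding per package with an 'ok' or 'review' action.
function auditReport(report, mode = 'saas') {
  const review = REVIEW_FOR[mode];
  if (!review) throw new Error(`unknown mode: ${mode}`);
  return Object.entries(report).map(([pkg, info]) => {
    const raw = Array.isArray(info.licenses) ? info.licenses.join(' AND ') : info.licenses;
    const licenses = String(raw ?? 'UNKNOWN');
    const cls = classifyExpression(licenses);
    return { pkg, licenses, cls, action: review.has(cls) ? 'review' : 'ok' };
  });
}

// Just the package identifiers that need a human decision.
function packagesToReview(report, mode = 'saas') {
  return auditReport(report, mode).filter((f) => f.action === 'review').map((f) => f.pkg);
}

console.log('SaaS review list:', packagesToReview(SAMPLE_REPORT, 'saas'));
console.log('Distributed review list:', packagesToReview(SAMPLE_REPORT, 'distributed'));
```

To run it against a real tree, write the report with `npx license-checker --json --production > licenses.json` (the `--production` flag limits the scan to dependencies that ship, which is how the dev-dependency question above is handled) and pass `JSON.parse(fs.readFileSync('licenses.json', 'utf8'))` to `packagesToReview`. The classification is a first pass for triage: a `review` result means read the license and check how the component is linked, not that the dependency is automatically unusable.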
FYI: this matters a lot if you ever get acquired. We went through M&A due diligence and they scanned our entire codebase for license issues. Had to swap out two AGPL dependencies before closing. Easier to deal with now than during a transaction.