How it works¶
The pipeline runs in six steps:
- Read: enumerate the installed packages in the target environment's site-packages and walk each package's
Requires-Distto build the dependency tree. - Detect: read each package's installed
*.dist-info/METADATA. Licenses come from user overrides (taken as-is), or from PEP 639License-Expression, the legacyLicensefield, and trove classifiers, where the first source with a recognized license wins. Strings are normalized against the full SPDX license list, so any valid SPDX expression is kept intact; a declared license that can't be normalized is preserved verbatim (rather than discarded) so the report shows the actual string. - Classify: categorize each license as permissive, weak-copyleft, strong-copyleft, or network-copyleft using OSADL copyleft data. A valid SPDX license that data doesn't cover reports as unknown until you classify it.
- Analyze: check pairwise compatibility using the OSADL matrix and flag conflicts.
- Recommend: determine the most permissive outbound license that satisfies every dependency constraint. For OR expressions (e.g.
MIT OR GPL-2.0), the most permissive alternative is selected before constraint solving. - Report: render findings as terminal output, Markdown, JSON, or third-party notices.
Because license-audit reads an already-installed environment, you provision it however you like first (uv sync, poetry install, pip install -e .). Whatever is installed is what gets audited, so choosing dependency groups is just a matter of how you provision.