Mark Alan Richards

NPM is lying to you and Facebook misses copyright attribution

computer-science

Update: Originally titled "NPM is lying to you and Facebook is stealing copyright", I've amended it out of respect for those who weren't happy with this, but this error should reflect on Facebook's audit processes (due diligence) for copyright attribution, which would hopefully have caught this. Regarding concerns about attribution to Mozilla in the issue (https://github.com/facebook/react/issues/8789), I think there is a misrepresentation of CC0/dedication to the public domain in the comments: it is not the same as copyright expiry, and it's important that the rights holder (which I believe is still Mozilla) is tracked by Facebook even if not attributed in published bundles. If nobody tracked that Object.is came from Mozilla, then when the page goes, the first to copy the page can sue everyone.

Firstly, copyright is complicated and getting this right is difficult, and I don't believe that the npm website is trying to lie to you, but that some of the projects on there are (hopefully accidentally) doing so.

No billion dollar company has the right to get this wrong, and they should all be running regular audits. But even they might slip up, and if they do, SCO vs open source and Google's 9 lines were painful moments, so if they could lead by example it would be great. I do hope everyone believes individual developers should be given a little room on accuracy in this domain, as we're unlikely to be lawyers. But if you do spot this kind of thing, please, please, please let the affected parties know in a respectful fashion that allows them to resolve it sooner rather than later. It is one thing to slip up for a short period of time and another as it gets longer: the longer it is left without resolution, the more dependent projects might be affected too.

When you look at the licence of a library on npm, you think: great, it is Apache, BSD, MIT, etc., and I can probably use it pretty freely.

When it's LGPL, GPL, AGPL or EPL it gets more complicated, but it may not be impossible... it might even be okay if you wish to adopt these licences.

Well, for many libraries the licence shown on npm isn't complete: the licence field in package.json describes the package's own code, not the third party code bundled into its published files. That is partly because of wonderful technologies like webpack that bundle your code with your dependencies' code, but don't, by default, produce a combined licence file in the process.

npm isn't the only party getting this wrong: too many open source tools encourage you to label a project as one licence, when in truth your project's own code is probably one licence but, once packaged with its dependencies, it is a multi-licence project.

To make matters more complicated, some source code repositories include third party code directly in the repository (perhaps because it isn't available from the registry chosen for the project, like npm), and this results in the source code repository itself being mixed licence... how do I fit that in the GitHub licence option?

If you publish code that is a mix of others work, including in a bundle or even as just accompanying assets, please ensure that the licences are published too. At least we don't have to make printable booklets to ship with physical products.

react

Facebook is a big multinational software company. Their legal teams obviously know about copyright law.

Well, they've missed something... the current version of the React website uses this wonderful JavaScript file, which is full of copyright statements about Facebook, but none for third party libraries.

Hmm... strange, their library depends on object-assign (amongst others).

Let's npm install it and see what's in the dist folder. There's a basic react.min.js file, and there's an add-ons one that's also available online at the version I'm seeing locally: 15.4.2.

Strange again: it only has the Facebook copyright in it, but no third parties.

Their add-ons page doesn't exactly tell you about the embedded object-assign code, whose licence is MIT. MIT requires that if you include object-assign in your own works you include its licence and copyright notice with it, so that users know that parts of the React software include object-assign.

Bad Facebook: not only breaching copyright, but as developers often use them as a reference for how to build web pages, they risk setting a bad example for how to manage copyright. Their legal team should be on top of this, ensuring a regular audit happens and helping to oversee it.

They have a similar issue with Draft.js.

jsrsasign

I spotted that jsrsasign did this, but I've seen it before. Sorry to out jsrsasign, it looks like a great project... JavaScript encryption enables client-side private keys and object-level security, instead of passwords protected only by network-level HTTPS (mutual auth is great for your enterprise's servers, but isn't catching on for the open web).

Make sure you understand encryption export law if you wish to use it. I won't pretend I know enough to offer advice, and ThoughtWorks have been good enough to offer some, but you should check with a legal expert.

It has a hidden ext folder of third party code that you won't discover when trying to determine, from npm, which open source licences you would need to publish with your end product, because it isn't referenced in the npm metadata. I think it can be, but unluckily jsrsasign haven't yet... hopefully they will soon.