spdx-expression-validate
★
★
★
★
★
3
reviews
validate SPDX license expressions
100
Security
35
Quality
0
Maintenance
49
Overall
v2.0.0
npm
JavaScript
Feb 15, 2019
by Kyle E. Mitchell
No Known Issues
This package has a good security score with no known vulnerabilities.
4.0/5
Avg Rating
Community Reviews
RECOMMENDED
Simple, focused validator that does one thing well with minimal fuss
This package is refreshingly straightforward. The API is dead simple: pass a string to the validate function and get back an array of validation problems (empty array means valid). No configuration, no ceremony. I've used it in several projects for validating package.json license fields and it just works.
The error messages are clear and specific, pointing out exactly what's wrong with malformed expressions like 'MIT + Apache' (should be 'OR' not '+'). It correctly handles complex expressions with parentheses and compound operators. The one gotcha I hit was that it only validates syntax, not whether license identifiers actually exist in the SPDX list - you'll need spdx-correct or spdx-expression-parse for that.
Documentation is minimal but sufficient since the API surface is tiny. The README gives you everything you need in about 30 seconds of reading. No Stack Overflow presence to speak of, but honestly, you won't need it. The package hasn't been updated since 2019, but SPDX expression syntax is stable, so this isn't concerning for this particular use case.
The error messages are clear and specific, pointing out exactly what's wrong with malformed expressions like 'MIT + Apache' (should be 'OR' not '+'). It correctly handles complex expressions with parentheses and compound operators. The one gotcha I hit was that it only validates syntax, not whether license identifiers actually exist in the SPDX list - you'll need spdx-correct or spdx-expression-parse for that.
Documentation is minimal but sufficient since the API surface is tiny. The README gives you everything you need in about 30 seconds of reading. No Stack Overflow presence to speak of, but honestly, you won't need it. The package hasn't been updated since 2019, but SPDX expression syntax is stable, so this isn't concerning for this particular use case.
Extremely simple API - one function, returns array of validation errors
Clear, specific error messages that tell you exactly what's wrong with the expression
Correctly handles complex nested expressions with AND/OR/WITH operators
Zero dependencies and tiny footprint
Only validates expression syntax, doesn't check if license IDs actually exist in SPDX list
No TypeScript definitions included (though @types/spdx-expression-validate exists)
Best for: Projects needing to validate SPDX license expression syntax in package managers, build tools, or license compliance checkers.
Avoid if: You need to validate that license identifiers themselves are real SPDX IDs (use spdx-correct or spdx-expression-parse instead).
RECOMMENDED
Simple, focused validator that does one thing well with minimal fuss
This package is extremely straightforward to use - you literally call one function with a string and get back an array of validation problems (or an empty array if valid). The learning curve is essentially zero. I integrated it into a license compliance tool in about 5 minutes, including reading the (admittedly sparse) README. The function returns structured error objects with `message` and `offset` properties, making it trivial to display helpful feedback to users.
The error messages are clear and actionable, like "EMPTY PARENTHESES" or "UNKNOWN LICENSE". When debugging license expression parsing issues, the offset property tells you exactly where things went wrong. It correctly handles all the SPDX 2.0 operators (AND, OR, WITH) and catches malformed expressions like unbalanced parentheses or double operators.
The main limitation is lack of examples beyond the basic usage in the README. There's no guidance on integrating with build systems or handling edge cases. The package hasn't been updated since 2019, but SPDX expression syntax is stable, so this isn't really a concern for day-to-day use.
The error messages are clear and actionable, like "EMPTY PARENTHESES" or "UNKNOWN LICENSE". When debugging license expression parsing issues, the offset property tells you exactly where things went wrong. It correctly handles all the SPDX 2.0 operators (AND, OR, WITH) and catches malformed expressions like unbalanced parentheses or double operators.
The main limitation is lack of examples beyond the basic usage in the README. There's no guidance on integrating with build systems or handling edge cases. The package hasn't been updated since 2019, but SPDX expression syntax is stable, so this isn't really a concern for day-to-day use.
Dead simple API - single function that returns an array of structured errors
Error messages include both description and character offset for precise debugging
Zero dependencies means no supply chain concerns or bloat
Handles all SPDX 2.0 expression syntax correctly including nested parentheses
README only shows one basic example with no real-world integration patterns
No TypeScript definitions included (though community @types package exists)
Best for: Projects needing straightforward SPDX license expression validation with minimal overhead and clear error reporting.
Avoid if: You need to parse or manipulate license expressions beyond validation, or require extensive documentation and examples.
RECOMMENDED
Simple, focused validator that does one thing well with minimal friction
This package is refreshingly straightforward - you pass a string, it returns an array of error objects or an empty array if valid. The API is literally one function that validates SPDX license expressions like 'MIT', 'Apache-2.0 OR GPL-3.0', and complex expressions with parentheses. There's essentially no learning curve; I had it working in under a minute without reading docs.
Error messages are practical and specific, pointing to exact positions in the string where validation fails. When you mess up parentheses or use invalid operators, you get messages like 'Expected AND, OR, or WITH' with offset information. This makes debugging user input straightforward. The package handles all the nuances of SPDX expression syntax including the WITH operator for license exceptions.
The main limitation is that it only validates syntax, not whether license IDs are actually valid SPDX identifiers. You'd need spdx-expression-parse or spdx-correct for that. Documentation is minimal but honestly sufficient given the simplicity. The package hasn't been updated since 2019, but SPDX expression syntax is stable, so this isn't concerning for this specific use case.
Error messages are practical and specific, pointing to exact positions in the string where validation fails. When you mess up parentheses or use invalid operators, you get messages like 'Expected AND, OR, or WITH' with offset information. This makes debugging user input straightforward. The package handles all the nuances of SPDX expression syntax including the WITH operator for license exceptions.
The main limitation is that it only validates syntax, not whether license IDs are actually valid SPDX identifiers. You'd need spdx-expression-parse or spdx-correct for that. Documentation is minimal but honestly sufficient given the simplicity. The package hasn't been updated since 2019, but SPDX expression syntax is stable, so this isn't concerning for this specific use case.
Zero learning curve - single function API that's immediately obvious
Error messages include precise offset positions for easy debugging
Handles complex nested expressions with AND, OR, WITH operators correctly
No dependencies, tiny footprint, does exactly what the name suggests
Only validates expression syntax, doesn't verify if license IDs exist in SPDX list
Minimal documentation and examples, though API simplicity makes this less critical
Best for: Projects that need to validate user-supplied SPDX license expression syntax before parsing or storage.
Avoid if: You need to validate that license identifiers are legitimate SPDX IDs, not just syntactically correct expressions.
Write a Review
Sign in to write a review
Sign In
Dependencies