- I'm surprised how this issue doesn't have any comments. This should definitely be changed. It's easier to add a licence to an unlicensed project than the other way around since you can't retroactively do that. Additionally, by default, unlicensed projects mean regular copyright law applies. npm's default should mimic the real world's setting.
- This just happened to me. I intentionally didn't want a license on a project and didn't realize that ISC was the default in my package.json, which is why I found it strange that people forked my project, changed my code and added an ISC license to it without talking with me. The default should be UNLICENSED, and if people really want to add a permissive license they should be the ones to change it rather than defaulting to ISC. Now I have a complete project with an ISC license on GitHub when I didn't want it to be licensed, due to my own pixel art sprites being generated by code - which is now unprotected.
- I am not sure if it is still in the plans, but at one point the npm team had decided a community owned package init would be good. That work is in the pkgjs org as part of the Node.js project's Package Maintenance Working Group. When I saw this this morning I figured I would get some of the work over there kicked back off, so if you are interested please contribute over here: https://github.com/pkgjs/create-package-json
- I just googled "why is npms default license ISC" and wound up here because I 100% agree with the title's description of this as "extremely dangerous". I have not ever made the mistake of accidentally distributing code under the ISC license, so I feel that my judgement on this is unbiased. Also surprised about how few people have commented on this.
- People in this discussion seemingly fail to realize that permissive licenses are the foundation of the open source culture that made projects like npm and GitHub flourish in the first place. Of course they are the default, how could it be otherwise? I feel sorry for you if you released something under a permissive license by accident, but the notions of "extremely dangerous" and "mimicking the real world's setting" are clearly misguided and overlooking that simple fact.
- To clarify: the danger here has nothing to do with choosing the wrong license. If you've actively chosen a license, then that's your choice. The danger is in publishing something as ISC, and then realizing that you didn't choose a license, and then changing it to something incompatible with ISC, like GPL. A court might interpret that as "your intention was GPL, therefore it was GPL the whole time, and anybody using ISC can now be sued". They might interpret that as "your intention is irrelevant, it was published under ISC and not GPL, and so that version is forever ISC and can be used without the constraints GPL enforces". Those are just two possible court interpretations that "screw over" different cohorts of people. The point of having a license is to avoid potential court interpretations that deviate from the author's intentions. Thus, the solution would be to default to "unlicensed" or similar, to avoid the risk of any court at any time in the future deciding something about your intentions and the license of the ISC code. (Additionally, it casts doubt on ANY package that's ISC, because, was that intentional? Or was it just the default?)
- I'm surprised there's no way to change the default license for new packages. Extremely annoying in a monorepo, where new packages are created frequently. Why not make it public domain instead?
- When running npm init, it defaults to ISC for a license (even though most other fields are left blank).
  If someone isn't paying attention to it, or doesn't know what it means, then they could apply this license unintentionally. Then if they publish the repo, it's published with that license, which could be very bad if they didn't intend to license it publicly.
  For the safety of your users, there should be no default license.
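As an added example (not code from the thread or from npm), a Python audit for the situation the original post and the monorepo comment describe: it walks a tree of package.json files, flags those that carry ISC without being marked private, and writes a project-level `.npmrc` that changes what `npm init` fills in. The sample monorepo is constructed, and `init-license` is assumed to be npm's config key for the default license.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample monorepo (not from the thread): "sprites" kept npm init's
# ISC default, "cli" chose MIT deliberately, "internal" is private, and
# node_modules holds a third-party package that is not ours to relicense.
SAMPLE_PACKAGES = {
    "packages/sprites/package.json": {"name": "sprites", "license": "ISC"},
    "packages/cli/package.json": {"name": "cli", "license": "MIT"},
    "packages/internal/package.json": {"name": "internal", "license": "ISC", "private": True},
    "node_modules/dep/package.json": {"name": "dep", "license": "ISC"},
}

def write_sample_tree(root):
    """Materialise SAMPLE_PACKAGES under root so the audit has files to scan."""
    for rel, manifest in SAMPLE_PACKAGES.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(manifest, indent=2))

def find_unreviewed_isc(root):
    """Relative paths of package.json files licensed ISC and not private.
    Private packages cannot be published, so their license field is inert;
    node_modules is skipped because those manifests belong to dependencies."""
    hits = []
    for path in sorted(Path(root).rglob("package.json")):
        if "node_modules" in path.parts:
            continue
        try:
            manifest = json.loads(path.read_text())
        except (json.JSONDecodeError, OSError):
            continue  # unreadable manifest: not a publishable package anyway
        if manifest.get("license") == "ISC" and not manifest.get("private"):
            hits.append(path.relative_to(root).as_posix())
    return hits

def write_npmrc(root, license_id="UNLICENSED"):
    """Project-level .npmrc so `npm init` run inside this tree no longer defaults
    to ISC. init-license is assumed to be npm's config key for that default."""
    npmrc = Path(root) / ".npmrc"
    npmrc.write_text(f"init-license={license_id}\n")
    return npmrc.read_text()

def run_demo():
    """Build the sample tree in a temp dir, audit it, then apply the mitigation."""
    root = tempfile.mkdtemp()
    write_sample_tree(root)
    return find_unreviewed_isc(root), write_npmrc(root)
```

Running `run_demo()` reports only `packages/sprites/package.json`: the MIT package was a deliberate choice, the private one cannot be published, and the dependency is not ours to audit.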