License metadata mismatch warnings

[hyandell]

Doing internal reviews on packages, I find myself often going upstream to report that their metadata (package.json, setup.py etc) lacks license metadata and the package lacks a license file; but I usually find that the github repo itself has a license file.

It feels like GitHub being opinionated on LICENSE files has been good, can that be extended to the metadata?

Additionally - on the npm side it would be good to be flagging when there's no LICENSE file in the packages being released [I'm assuming that's not done]

[lumaxis]

It feels like GitHub being opinionated on LICENSE files has been good, can that be extended to the metadata?

Trying to understand how you imagine this working. What would an extension here look like from a GitHub perspective, assuming the packages are hosted on an external package registry especially 🤔

[hyandell]

I was thinking that it was a mix of Dependabot and Licensee.

It's looking at the package.json, setup.py, etc, identifying the license metadata language, and then flagging to the repository owner if the two are out of sync. Definitely issues out there - so many ways in PyPI to define licensing and Maven's parent feature makes things tricky for Dependabot.

Having GitHub know where software is then published would be also be valuable and would allow for an easier way to check the metadata.