Read npm’s companion announcement here.

Introducing FOSSA’s npm Enterprise add-on

Today we’re introducing the FOSSA Licenses add-on, a plugin for npm Enterprise (npmE) that adds automated open source license compliance to the fast and powerful JavaScript workflow. This is part of a broader partnership with npm to reduce barriers to JavaScript adoption in the enterprise.

FOSSA’s Licenses add-on proactively assesses both public and proprietary packages in a company’s npmE registry to identify licensing issues and obligations. npmE users will be able to view an at-a-glance summary of a package’s licensing impact online before deciding to download it and integrate it into their products.


For proprietary code on npm Enterprise, FOSSA will maintain ongoing scans that span every line of code across a package’s deepest dependencies and notify its team of licensing issues in real-time. For any discoveries, FOSSA provides:

  • Rich workflows to guide users step-by-step in fixing problems
  • Context-aware suggestions on how to fix issues
  • Email reporting and summaries per-commit or publish
  • Syncing and assigning companion tickets in JIRA and GitHub

When code is shipped, FOSSA generates a Bill of Materials, attribution files and other materials to help you comply with license obligations. Companies can configure FOSSA’s analysis to ensure that developers use only code governed by certain terms or policies, or code that passes a battery of licensing integrity tests.

To learn more about FOSSA’s features, visit our homepage.

Installing this add-on is easy — simply ssh into your npm Enterprise node and run:

npm addon http://{fossa_host}/api/services/npm

And this is just a start: we look forward to expanding upon npm Enterprise with more features and tighter integrations over time to make JavaScript ever more enterprise-ready.

The need for compliance tooling in JavaScript

JavaScript development moves uniquely fast because a huge part of the developer workflow relies on high-quality code sharing. At the center of this is npm, the largest software registry in the world with over 300,000 community-built modules and almost 5B downloads each month. In npm, modules are often small, self-contained, and single-purposed, allowing developers to maximize code sharing and reuse. JavaScript development takes advantage of this third-party code to solve common problems and assemble high-quality features at great speed. This happens to such an extent that many JavaScript apps consist mostly of open source and third-party code.

Reusing third-party code on such a large scale means that developers’ projects are constantly inheriting intellectual property and licensing obligations from hundreds of different sources, even by including only a few modules. Many of these components don’t properly document, track, or assess the licensing implications of the code they reuse, which surfaces problems for companies as they fundraise, close deals, sell, or go through litigation. Managing this complexity is an immense, ongoing challenge. Large organizations dedicate attorney time to manual, retroactive audits which slow development, incur high costs, are prone to error and scale poorly. Smaller companies simply can’t afford to do this and end up discovering problems during critical moments of growth.

The rate and scale at which developers include third-party code in JavaScript is too great for manual labor to handle effectively. Balancing rapid development with a business’s strict legal needs requires proactive and integrated tooling that scales with the demands of large projects yet is smart and approachable enough to engage developers.

That’s why we built FOSSA — a tool to condense compliance work into just a few clicks in the web browser. FOSSA sits on top of your code to proactively analyze your open source dependencies and maintain a plain-English checklist of license obligations. Our goal is to enable simple, scalable compliance behind the developer workflow with smart features to help you find and fix licensing issues.

More on FOSSA

FOSSA is currently in private beta, with the npm Enterprise add-on available today to our current customers. We’ll go into wider availability and share more about our company in the months ahead.

If you’d like to try FOSSA in the cloud today or learn more about our on-prem solution, contact support@fossa.com with a bit of detail about your company’s goals. To stay in the loop with e-mail updates, sign up below.

FOSSA was built by the team behind TLDRLegal and is working with some great lawyers like Heather Meeker (author of MPL and Mozilla ToS).