This document tracks all updates, improvements, and bug fixes made to LicensePulse.
Monitor LICENSE file content changes directly in GitHub repositories, catching modifications before package publication.
Command:

```bash
licensepulse monitor-file <repo>
```

Features:
- Uses GitHub's official license API for reliable detection
- Falls back to direct file access with 12+ filename variations
- Supports: LICENSE, LICENSE.md, LICENCE, COPYING, and more
- Shows commit history for LICENSE changes
- Detects changes between commit and package publish
Detection Methods:
- GitHub License API (most reliable)
- Direct file access with common variations
- Supports British spelling (LICENCE) and GNU conventions (COPYING)
Analyze complete dependency trees and discover transitive dependencies.
Command:

```bash
licensepulse deps <package>
licensepulse deps <package> --ecosystem pypi
licensepulse deps <package> --depth 3
```

Features:
- Shows visual dependency tree
- Lists all unique dependencies
- Configurable depth (default: 2 levels)
- Supports npm and PyPI ecosystems
- Identifies packages with zero dependencies
- Primary method: GitHub's official license API
- Fallback methods: 12+ filename variations including:
  - LICENSE, LICENSE.md, LICENSE.txt
  - LICENSE-MIT, LICENSE-APACHE
  - LICENCE, LICENCE.md (British spelling)
  - COPYING, COPYING.md (GNU convention)
  - LICENSE-Community.txt
- Clear indication when packages have no dependencies
- Detailed explanations when LICENSE files aren't found
- Shows detection method used (github-license-api or direct-file-access)
- Helpful tips for troubleshooting
- Proper indentation for nested dependencies
- Visual connectors (├── and └──)
- Truncation for large trees (shows first 5 children)
- Count indicators for each node
- New module: `src/license-monitor.js`
- New module: `src/dependency-graph.js`
- SHA256 hashing for LICENSE file content
- Recursive dependency tree building
- 141 tests passing (+9 from v1.1)
Identifies which version is safe to use and which version introduced the license change (based on release tags and version history).
Display:

```
hashicorp/terraform MPL-2.0 → BSL-1.1
Safe up to: v1.5.7 │ Changed in: v1.6.0
```
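One way to derive the "Safe up to / Changed in" line from release tags, added here as an example and not LicensePulse's own `src/version-tracker.js`: tags are ordered by version, the highest one cut before the LICENSE-changing commit is the safe version and the lowest one cut on or after it is the changed version. The small `parseVersion`/`compareVersions` helpers are a stand-in for the `semver` package, and the tags and dates are constructed, not Terraform's real release history.

```javascript
// Stand-in for the semver package the tool depends on: parses "v1.5.7" style
// tags (prerelease tags such as v1.6.0-rc1 are skipped) and orders them numerically.
function parseVersion(tag) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(tag);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// tags: [{ name, date }] where date is the ISO timestamp of the tagged commit;
// licenseChangeDate: timestamp of the commit that rewrote the LICENSE file.
// Returns the highest release cut before the change and the lowest release
// cut on or after it. This is a heuristic: a point release on an older
// maintenance branch that is tagged after the change date is reported as
// changed even though it may still carry the old license.
function findVersionCutoff(tags, licenseChangeDate) {
  const changedAt = Date.parse(licenseChangeDate);
  const releases = tags.filter((t) => parseVersion(t.name) !== null)
    .sort((a, b) => compareVersions(a.name, b.name));
  let safeUpTo = null, changedIn = null;
  for (const t of releases) {
    if (Date.parse(t.date) < changedAt) safeUpTo = t.name;
    else if (changedIn === null) changedIn = t.name;
  }
  return { safeUpTo, changedIn };
}

// Renders the one-line summary in the same shape as the display above.
function formatCutoff({ safeUpTo, changedIn }) {
  return `Safe up to: ${safeUpTo || 'none'} │ Changed in: ${changedIn || 'unreleased'}`;
}

// Constructed sample data (dates are made up, not real Terraform release dates).
const SAMPLE_TAGS = [
  { name: 'v1.5.6', date: '2023-07-01T00:00:00Z' },
  { name: 'v1.5.7', date: '2023-07-20T00:00:00Z' },
  { name: 'v1.6.0-rc1', date: '2023-08-25T00:00:00Z' },
  { name: 'v1.6.0', date: '2023-09-01T00:00:00Z' },
  { name: 'v1.6.1', date: '2023-09-15T00:00:00Z' },
];
const SAMPLE_CHANGE = '2023-08-10T00:00:00Z';
```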
Integration:
- Shown in `check` command alerts
- Shown in `diff` command details
- Works with npm, PyPI, and GitHub tags
Automatically discover and import dependencies from your project.
Command:

```bash
licensepulse import
licensepulse import --dry-run
licensepulse import --directory ./path
```

Features:
- Detects package.json (npm)
- Detects requirements.txt (Python)
- Resolves GitHub repos from package registries
- Dry-run mode for preview
- Skips already-monitored repos
Calculate risk scores based on license history and patterns.
Command:

```bash
licensepulse risk <repo>
```

Scoring Factors:
- Previous license change: +40 points
- Restrictive license: +30 points
- More restrictive change: +20 points
- Commercial/VC-backed: +10 points
Risk Levels:
- 0-39: LOW (safe)
- 40-69: MEDIUM (monitor)
- 70-100: HIGH (consider alternatives)
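The scoring factors and risk levels above, worked through as an added example (not LicensePulse's own `src/risk-scorer.js`): the first three factors are derived from a repository's chronological license history instead of being passed in as flags, using an assumed restrictiveness ranking of SPDX ids that the page does not define; the `commerciallyBacked` flag is an assumed input.

```javascript
// Assumed restrictiveness ranking (not from the page): higher is more
// restrictive. Unknown SPDX ids get the neutral rank 1.
const RESTRICTIVENESS = {
  'MIT': 0, 'ISC': 0, 'BSD-2-Clause': 0, 'BSD-3-Clause': 0, 'Apache-2.0': 0,
  'MPL-2.0': 1, 'LGPL-2.1-only': 1, 'LGPL-3.0-only': 1,
  'GPL-2.0-only': 2, 'GPL-3.0-only': 2, 'AGPL-3.0-only': 3,
  'BSL-1.1': 4, 'SSPL-1.0': 4, 'Elastic-2.0': 4,
};
const rankOf = (id) => (id in RESTRICTIVENESS ? RESTRICTIVENESS[id] : 1);

function riskLevel(score) {
  if (score >= 70) return 'HIGH';    // consider alternatives
  if (score >= 40) return 'MEDIUM';  // monitor
  return 'LOW';                      // safe
}

// history: SPDX ids in chronological order, oldest first; the last entry is
// the current license. Returns the score, its level and the factors applied.
function scoreRisk(history, { commerciallyBacked = false } = {}) {
  const factors = [];
  const current = history[history.length - 1];
  const changed = history.some((id, i) => i > 0 && id !== history[i - 1]);
  if (changed) factors.push(['Previous license change', 40]);
  // Assumption: "restrictive" means strong copyleft or source-available.
  if (rankOf(current) >= 2) factors.push(['Restrictive license', 30]);
  const tightened = history.some((id, i) => i > 0 && rankOf(id) > rankOf(history[i - 1]));
  if (tightened) factors.push(['More restrictive change', 20]);
  if (commerciallyBacked) factors.push(['Commercial/VC-backed', 10]);
  const score = Math.min(100, factors.reduce((sum, [, points]) => sum + points, 0));
  return { score, level: riskLevel(score), factors };
}
```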
Automatic suggestions for open source alternatives with detailed information.
Alternatives Database:
- Terraform → OpenTofu (MPL-2.0)
- Redis → Valkey (BSD-3-Clause)
- Elasticsearch → OpenSearch (Apache-2.0)
- MongoDB → FerretDB (Apache-2.0)
- New module: `src/version-tracker.js`
- New module: `src/risk-scorer.js`
- New module: `src/package-importer.js`
- Added dependency: `semver@^7.5.4`
- 132 tests passing (+3 from v1.0)
- Monitor GitHub repositories for license changes
- SPDX license database with 42+ licenses
- Snapshot-based change detection
- Permission-level diff (commercialUse, distribution, etc.)
- Severity classification (CRITICAL, WARNING, INFO)
- Real-world impact explanations
- `check` - Check all repositories once
- `watch` - Continuous monitoring
- `add` - Add repository to watchlist
- `remove` - Remove from watchlist
- `list` - List monitored repositories
- `diff` - Show license change details
- `report` - Generate JSON report
- Slack webhook integration
- Email via SMTP
- Generic webhook support
- GitHub Actions examples
- Environment variable configuration
- Automated scheduling
- Fixed dependency tree indentation
- Improved LICENSE file detection reliability
- Added support for 12+ LICENSE filename variations
- Better error messages for missing LICENSE files
- Added detection method tracking
- Fixed version cutoff integration in check command
- Improved alternative suggestion system
- Enhanced risk scoring accuracy
- Better handling of unknown licenses
- Initial stable release
- Comprehensive test coverage
- Production-ready codebase
No breaking changes. All v1.1 commands work identically.
New commands available:
- `monitor-file <repo>` - Monitor LICENSE file directly
- `deps <package>` - Analyze dependency tree
No breaking changes. All v1.0 commands work identically.
New commands available:
- `import` - Auto-import dependencies
- `risk <repo>` - Risk analysis
Enhanced commands:
- `check` - Now shows version cutoff in alerts
- `diff` - Now shows version information
- v1.2.0: 141 tests, 12 test suites
- v1.1.0: 132 tests, 10 test suites
- v1.0.0: 129 tests, 9 test suites
- Average test suite: ~11 seconds
- Single `check` command: <2 seconds per repo
- Import command: ~5 seconds for 20 dependencies
- GitHub API calls per check: 1 per repo
- Rate limit: 5000/hour with token
- Retry logic: 3 attempts with exponential backoff
- PyPI dependencies: Limited metadata in API
- Private repos: Requires appropriate token permissions
- Subdirectory licenses: May not detect in all cases
- Version cutoff: Heuristic-based, may not be 100% accurate
See the Roadmap section in README.md for future enhancements.
- Documentation: README.md
- Contributing: CONTRIBUTING.md
- GitHub Issues: https://github.com/diegosantdev/licensepulse/issues
- Feature Requests: Use GitHub Discussions
- See CONTRIBUTING.md
- All contributions welcome
- Community-driven development
Last Updated: March 31, 2026
Current Version: 1.2.0
License: MIT