
Feluda – A CLI tool to detect restrictive licenses in dependencies

anistark

Hey folks,

I built Feluda, a Rust-based CLI tool that scans your project's dependencies and flags restrictive licenses before they become a problem.

It currently supports Rust, Node.js, and Go projects. It checks for GPL, AGPL, SSPL, and other restrictive licenses that may limit how you use your project commercially.

Try it out:

```
cargo install feluda
feluda
```

I’d love feedback! Are there specific license edge cases you'd like covered? Features you'd want in a CI/CD setup? Happy to discuss and iterate!
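As an added illustration of the kind of policy check a CI gate would run on the dependency list such a scanner produces (this is not Feluda's own code), the block below classifies SPDX licence strings as restrictive, permissive or needing review, and goes a little beyond the post by handling the edge cases raised in the thread: OR/AND expressions, WITH exceptions, and riders such as Commons Clause. The policy sets, sample dependency names and licence strings are constructed for this example.

```python
"""Licence policy check of the kind a CI gate would run. Added illustration, not
Feluda's code; SPDX identifiers, policy sets and SAMPLE_DEPS are constructed."""
import re
# Families the thread calls "restrictive": strong copyleft, source-available, non-commercial.
RESTRICTIVE_PREFIXES = ("GPL-", "AGPL-", "SSPL-", "BUSL-", "CC-BY-NC")
PERMISSIVE = {"MIT", "APACHE-2.0", "BSD-2-CLAUSE", "BSD-3-CLAUSE", "ISC", "0BSD", "UNLICENSE"}
RESTRICTIVE_RIDERS = ("commons clause",)  # riders that make a permissive licence restrictive

def classify_single(lic: str) -> str:
    """'restrictive', 'permissive' or 'review' for one identifier without operators."""
    lic = lic.strip().upper()
    if lic.startswith(RESTRICTIVE_PREFIXES):
        return "restrictive"
    if lic in PERMISSIVE:
        return "permissive"
    return "review"  # MPL-2.0, LGPL, unknown strings: a human decides

def classify_expression(expr: str) -> str:
    """Classify a flat SPDX expression. AND binds tighter than OR, so split on OR first: an
    OR alternative is fine if a permissive branch exists; an AND is restrictive if any part is."""
    if any(rider in expr.lower() for rider in RESTRICTIVE_RIDERS):
        return "restrictive"
    if "(" in expr:
        return "review"  # parenthesised sub-expressions are out of scope here
    verdicts = []
    for alt in re.split(r"\s+OR\s+", expr.strip()):
        # A WITH exception changes the terms, so that conjunct goes to review.
        parts = ["review" if re.search(r"\s+WITH\s+", p) else classify_single(p)
                 for p in re.split(r"\s+AND\s+", alt)]
        if "restrictive" in parts:
            verdicts.append("restrictive")
        else:
            verdicts.append("permissive" if all(p == "permissive" for p in parts) else "review")
    if "permissive" in verdicts:
        return "permissive"
    return "restrictive" if all(v == "restrictive" for v in verdicts) else "review"

def check_dependencies(deps: dict) -> dict:
    """Map each dependency to its verdict; a CI job should fail on any 'restrictive'."""
    return {name: classify_expression(lic) for name, lic in deps.items()}

SAMPLE_DEPS = {  # constructed sample, not taken from any real lockfile
    "json-lib": "MIT OR Apache-2.0",
    "commons-lib": "MIT with Commons Clause",
    "docs-pkg": "CC-BY-NC-ND-4.0",
    "dual-licensed": "GPL-2.0-only OR MIT",
    "mixed": "MIT AND GPL-3.0-only",
    "with-exception": "GPL-2.0-only WITH Classpath-exception-2.0",
    "weak-copyleft": "MPL-2.0",
}
```

Run `check_dependencies(SAMPLE_DEPS)` to see which entries a build gate would block; anything marked `review` is deliberately left for a person to decide rather than auto-flagged.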

eadmund

The GPL and AGPL are not restrictive: they ensure that you do not restrict your users.

Freedom looks like tyranny, to a tyrant.

mubou

"Restrictive" in the context of licenses has a specific meaning: it's the opposite of "permissive" e.g. MIT and Apache. You can't ensure your licensees don't restrict their users without placing restrictions on what they can do with their work. The users aren't the ones agreeing to the license, after all; it's the people using GPL code to whom it's restrictive.

sunshowers

GPL and AGPL libraries are impossible to use in vast chunks of the free software ecosystem.

I think you're looking for MPL 2.0, which is copyleft while also permitting use by the entire free software ecosystem.

eadmund

It’s completely possible to combine GPL and AGPL software with, e.g., BSD- or MIT-licensed software. The resulting software is GPL- or AGPL-licensed, and the users are not restricted from doing anything.

I honestly thought that this was a license scanner for actually restrictive — i.e. non-free-software — licenses until I visited the repo. It would be good to know if I accidentally use some piece of software with some source-available license.

pabs3

GPL/AGPL don't limit commercial use.

korkybuchek

Shout out to my dawg Satyajit Ray

G1N

Would you be open to a PR adding support for installing from npm? Not sure if you guys are willing/comfortable to publish there as well, but did notice you already have Node support for scanning.

cglong

Any reason the repo license is MIT but the crate is CC-BY-NC-ND-4.0? The latter is ironic, given this project's scope :)

pabs3

The MIT with Commons Clause license is pretty restrictive, does this crate flag itself?

arunabha

Additional context: The name (probably) comes from https://en.wikipedia.org/wiki/Feluda

alain_gilbert

I think you have some bugs. I ran it on my project which has 60 direct dependencies in my "go.mod" file, and feluda's output says `Total dependencies scanned: 2`

EDIT: there was a package.json in the same folder, that's what caused the "bug"

JackYoustra

Amazing project! Any reason why the path is -p and not just the first argument after like most cli tools?

wanderingmind

Amazing work. Does something similar exist for Python? Would love to have something similar integrated for Python dependencies from pypi as well.

G1N

Seems like Python support is up next for this project: https://github.com/anistark/feluda/pull/18