License question - commercial use

Hello,
I would like to use Node-RED commercially. According to the license of Node-RED this is possible without any problems. But Node-RED is only one part. Each module used by Node-RED and its modules are under their own license. Most modules specify the MIT license in package.json. That would be ok so far.
But which license / licenses have to be considered when using Node-RED commercially?

But there are also modules which do not specify a license in the used version. So in my opinion it can't be concluded automatically that exactly this version is also under a free license. If you take a close look at the modules, the developers of these modules meanwhile refer to the MIT license. So one can make the assumption that the old version could also be under this license. But this is not sure. Licenses can change from version to version.

Furthermore a module (argparse) is used, which refers to the Python-2.0 license.
I am not sure, but this license binds to the PYTHON SOFTWARE FOUNDATION (PSF). However, the project does not seem to have any ties with the PSF. Here I have the question if this module is allowed to be under this license at all and therefore can be used freely?

+----------------------------+-------------------+
|        License type        | Number of modules |
+----------------------------+-------------------+
| MIT                        |               206 |
| ISC                        |                40 |
| BSD-2-Clause               |                12 |
| Apache-2.0                 |                10 |
| BSD-3-Clause               |                 4 |
| unspecified (possibly MIT) |                 2 |
| Python-2.0                 |                 1 |
| 0BSD                       |                 1 |
+----------------------------+-------------------+

What about all the individual module licenses? Do I as a user have to consider each module license, or is it only the license of Node-RED and the used modules that counts for me?

Can someone please explain to me the facts with the licenses around Node-RED and its nodes?
Thanks a lot!

Good question, tricky answer. 🙂

You need to certainly consider each of the things that you install. So Node-RED and each of the custom nodes.

In general, you would normally be fairly safe assuming that node authors have only used compatible licensed sub-packages and if not, they are really at fault. Of course, that might not wash with your legal department.

A number of open source licenses are generally considered too restrictive to allow commercial use and generally, government and enterprises prefer to avoid them. I wrote some notes on this for my day-job, you can find them here: Dependency Management (nhsengland.github.io).

The core node-red code is all released under Apache 2.0 which is a permissive license that allows commercial reuse. For myself, I try to release my contributed nodes under the same license for simplicity. For the NHS and UK Government, we usually dual license under OGL and MIT. OGL being more data focused and MIT code focused. Both are permissive.

I don't think an author could re-license code under a more restrictive license. At least if that were done the tighter restriction, I assume, would only apply to new code. Or am I being naive?

I have seen it before on other projects where between two major releases it has been switched from a free license to a non-free license. This was done to market the project. So I think that for every published version the license must be 100% clear if it is to be used commercially. Otherwise the developer could claim license fees and compensation afterwards.
But I'm not a lawyer and I don't know much about this field.

Thanks for the comments and the link. I will have a look at your paper.

I don't believe that every developer who releases a package also checks the licenses of the dependencies. Good developers do that. But in the case of Node-RED, because of the large dependency tree, it just takes a lot of work to always examine all the license and dependency changes in each dependent package and check for compatibility.

It would be safer if the number of dependencies were kept as low as possible and came only from certain trusted developers. However, this is difficult to implement.

The libraries.io site can help you explore repositories and their dependencies: Dependency Tree for node-red 3.0.0 on npm - Libraries.io

I used this tool to evaluate the dependencies and their licenses:

The tool you are using does not list the dependencies correctly. Probably because fields are missing in the package.json of the respective modules.

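Added example, not part of any post in this thread and not Node-RED project code: since online tools depend on registry metadata, a license inventory can instead be read straight from the `package.json` files of the versions actually installed, with packages that declare no license flagged for manual review. The function names and the allow-list passed to `report` are assumptions for illustration; symlinked layouts (for example pnpm) are not followed.

```javascript
const fs = require('node:fs');
const path = require('node:path');

// Normalise one manifest's license declaration: SPDX string, the deprecated
// {type, url} object, or the deprecated "licenses" array.
function declaredLicense(pkg) {
  const pick = (l) => (typeof l === 'string' ? l : l && l.type);
  const single = pick(pkg.license);
  if (single) return single;
  if (Array.isArray(pkg.licenses)) {
    const types = pkg.licenses.map(pick).filter(Boolean);
    if (types.length) return types.length > 1 ? `(${types.join(' OR ')})` : types[0];
  }
  return 'UNSPECIFIED'; // no usable license field in this installed version
}

// Map "name@version" -> license for every installed package, including
// scoped packages (@scope/name) and nested node_modules directories.
function collect(nodeModulesDir, found = new Map()) {
  if (!fs.existsSync(nodeModulesDir)) return found;
  for (const entry of fs.readdirSync(nodeModulesDir, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const dir = path.join(nodeModulesDir, entry.name);
    if (entry.name.startsWith('@')) { collect(dir, found); continue; }
    const manifest = path.join(dir, 'package.json');
    if (fs.existsSync(manifest)) {
      try {
        const pkg = JSON.parse(fs.readFileSync(manifest, 'utf8'));
        const id = `${pkg.name || entry.name}@${pkg.version || 'unknown'}`;
        found.set(id, declaredLicense(pkg));
      } catch {
        found.set(`${entry.name}@unknown`, 'UNREADABLE'); // malformed manifest
      }
    }
    collect(path.join(dir, 'node_modules'), found);
  }
  return found;
}

// Tally packages per license and list everything outside the allow-list.
function report(found, allowed) {
  const counts = {};
  const review = [];
  for (const [id, lic] of found) {
    counts[lic] = (counts[lic] || 0) + 1;
    if (!allowed.has(lic)) review.push(`${id}: ${lic}`);
  }
  return { counts, review: review.sort() };
}
// Usage (allow-list is a sample, set it from your own policy):
// console.log(report(collect('node_modules'), new Set(['MIT', 'ISC', 'Apache-2.0'])));
```

The `counts` object corresponds to a per-license tally like the table in the first post, and `review` holds the entries such as unspecified or unexpected licenses that still need a human decision.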

Strange, it thinks that uibuilder has no dependencies.

Wow, that's pretty amazing.
