Skip to content
Latchkey

license-checker "Found license defects" fails the build in CI

license-checker walked node_modules, found at least one package whose detected license is not in your allowed set (or matches your --failOn list), printed "Found license defects" and exited 1 to stop the pipeline.

What this error means

license-checker prints "Error: Found license defects" and lists the offending package@version and its license (often GPL or LGPL). The step exits 1 even though tests passed.

Terminal
error: Found license defects. Discovered the following packages with an incompatible license:
some-lib@1.4.0 (GPL-3.0-only)
Error: Found license defects.

Common causes

A dependency introduced a disallowed license

A new or upgraded transitive package ships under a license (for example GPL-3.0-only) that is not in your --onlyAllow list, so license-checker treats it as a defect.

A --failOn pattern matched

You ran with --failOn "GPL" (or a semicolon list). Any package whose license string matches that pattern fails the run regardless of the rest of the tree.

How to fix it

Identify the package and decide allow vs replace

  1. Re-run license-checker --summary to list every license present.
  2. Confirm the exact package and license from the "Discovered the following packages" line.
  3. Either replace the dependency, or add the license to --onlyAllow if legal sign-off permits it.
Terminal
# list what is actually in the tree
npx license-checker --summary
# gate on an explicit allow list (semicolon separated)
npx license-checker --onlyAllow "MIT;ISC;Apache-2.0;BSD-2-Clause;BSD-3-Clause"

Exclude a vetted package by name

If legal has cleared a specific package, use --excludePackages so it no longer trips the gate while the rest of the policy stays strict.

Terminal
npx license-checker --onlyAllow "MIT;ISC;Apache-2.0" \
  --excludePackages "some-lib@1.4.0"

How to prevent it

  • Pin the allow list in a script or npm run target so local and CI use the same policy.
  • Run license-checker on every PR so a new license is caught before merge, not at release.
  • Keep a documented exception list rather than loosening the whole allow set.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →