License Policy

Enforce allowed and denied SPDX licenses on proxied packages using deps.dev metadata.

Configuration

toml

[settings]
license_policy_enabled = true
license_policy_unknown_action = "warn"  # allow, deny, or warn
license_cache_ttl = 86400               # 24 hours

[[license_policy.allowed]]
spdx = "MIT"

[[license_policy.allowed]]
spdx = "Apache-2.0"

[[license_policy.denied]]
spdx = "GPL-3.0-only"

Environment Variables

bash

export MISE_SERVER_LICENSE_POLICY_ENABLED=true
export MISE_SERVER_LICENSE_POLICY_UNKNOWN_ACTION=warn
export MISE_SERVER_LICENSE_CACHE_TTL=86400

Unknown License Action

Controls what happens when a package's license cannot be determined:

Action	Behavior
`allow`	Allow the package (default)
`deny`	Block the package
`warn`	Allow but log a warning

How It Works

When a package is requested, mise-server checks its license via deps.dev
License lookups are cached for license_cache_ttl seconds (default: 24 hours)
The license is checked against the allowed/denied lists
If denied, the request is rejected with an error

License Policy ​

Configuration ​

Environment Variables ​

Unknown License Action ​

How It Works ​

License Policy

Configuration

Environment Variables

Unknown License Action

How It Works