package.json has no license field
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 2 points from that category, once per scan, no matter how many places it turns up.
What it detects
package.json declares no "license" field at all (and no legacy "licenses" array either), so npm, registries, and dependency scanners have no machine-readable answer to "what license is this published under."
Why it matters
Without a license field, npm and other registries list the package as unlicensed, which defaults to all rights reserved under most jurisdictions copyright law regardless of the project being visible on GitHub. Companies with open-source approval processes often reject a dependency outright rather than guess at its terms, and automated SBOM or license-compliance tooling has nothing to resolve.
How to fix it
Add a "license" field with a valid SPDX identifier (for example "MIT" or "Apache-2.0") that matches the license you actually intend, and make sure a matching LICENSE file exists at the repo root with the corresponding text. If the project is genuinely closed-source and not for redistribution, use "UNLICENSED" instead of leaving the field out.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo