package.json license field is empty
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
The "license" key exists in package.json but its value is an empty string, which is worse than omitting the field: it looks intentional but conveys nothing.
Why it matters
An empty "license" string looks deliberate to a human skimming the file but conveys nothing to tooling, so it behaves exactly like a missing field for license scanners while giving the false impression that the question was already answered. It is usually a leftover placeholder from a scaffolding template that was cleared but never filled in.
How to fix it
Replace the empty string with a real SPDX identifier that matches the project's actual license (or "UNLICENSED" for closed-source work), and confirm a matching LICENSE file exists at the repo root.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo