package.json uses the deprecated licenses array
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 2 points from that category, once per scan, no matter how many places it turns up.
What it detects
npm deprecated the multi-license "licenses": [{...}] array in favor of a single SPDX "license" string years ago; many tools that read package.json metadata no longer look for the old array shape at all.
Why it matters
The "licenses": [...] array form was deprecated by npm years ago in favor of a single SPDX "license" string, and modern tooling, including npm itself and most SCA scanners, only reads the newer field. A package that only has the old array effectively looks unlicensed to anything built after the deprecation.
How to fix it
Replace the "licenses" array with a single "license" field holding an SPDX identifier. If the array listed exactly one license, that is a direct one-line replacement; if it genuinely listed multiple licenses, use a parenthesized SPDX expression such as "(MIT OR Apache-2.0)" instead.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo