Possible accidentally-public internal project
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 2 points from that category, once per scan, no matter how many places it turns up.
What it detects
Three weak hints compound into one worth a look: no "private": true, no license field, and no LICENSE file. Any one alone is common and often fine; all three together is the shape of an internal project that was never meant to be published or made public.
Why it matters
Each of these three findings alone is unremarkable: plenty of packages skip "private": true, plenty skip a license field temporarily, and plenty of internal tools never get a LICENSE file. All three together is the exact shape of an internal-only project that was scaffolded like any other npm package and never had its publish settings locked down, so an npm publish or an accidental public push could ship it before anyone intended.
How to fix it
If this project is genuinely internal and should never be published to a registry, add "private": true to package.json, which makes npm refuse to publish it even by accident. If it is meant to be public, add a real "license" field and a matching LICENSE file so its terms are actually defined.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo