Copyleft dependency in a permissively-licensed project
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A dependency known to ship a pure GPL/AGPL-family license (no permissive dual-license option) appears in a project that declares its own license as MIT/Apache/BSD/ISC. This is a coarse, honest heuristic against a small hardcoded package list, not full SPDX license-compatibility resolution: use a dedicated SCA/license tool for exhaustive coverage.
Why it matters
A dependency that ships a pure GPL or AGPL license carries real obligations: linking it into an application can require the combined work to also be distributed under GPL terms, and AGPL specifically extends that requirement to software offered only over a network, with no local distribution at all. Shipping that alongside a project declared MIT or Apache creates a genuine, unresolved conflict between what is promised to downstream users and what the dependency actually requires.
How to fix it
Get a real answer, not a guess: consult counsel or a dedicated license-compatibility tool such as FOSSA, Snyk License Compliance, or the REUSE tool before making any change, since the right fix depends on exactly how the dependency is used (statically linked, dynamically invoked, or run as a separate process). If it turns out to be a genuine conflict, either replace the dependency with a permissively-licensed alternative or relicense the parts of the project that combine with it.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo