Will It Vibe logoWill It Vibe?
LICENSE-008Low severity-4 points

Inconsistent license across a monorepo/workspace

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

A nested package.json (a workspace package, or another npm project vendored into a subdirectory) declares a different SPDX license than the root project. This is a best-practice heuristic: an intentionally differently-licensed sub-package is legitimate, but an unnoticed mismatch usually is not.

Why it matters

When a nested package inside a monorepo declares a different license than the root project, anyone reading only the root package.json, a registry page, or a license-compliance report generated at the repo level gets the wrong answer for that sub-package. This is sometimes intentional, such as vendoring a differently-licensed tool, but it is just as easy for it to be a stale leftover from a copy-paste scaffold nobody updated.

How to fix it

Confirm whether the different license on the nested package is deliberate. If it is, add a short note in the sub-package's own README or the monorepo's root docs explaining why it differs, so the next person does not have to rediscover this. If it was accidental, update the nested package.json's "license" field to match the root project, or to whatever its actual intended license is.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks