Will It Vibe logoWill It Vibe?
LICENSE-009Low severity-4 points

LICENSE file content does not match declared license

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

The SPDX identifier in package.json and the actual boilerplate text in the root LICENSE file name different license families (for example package.json says MIT while the file reads as GPL). This is a text-signature heuristic, not a legal reading of the file, but a mismatch here means the metadata and the actual grant disagree.

Why it matters

When package.json states one license and the actual LICENSE file text reads as a different one, the two most consulted sources of truth for what this license allows disagree with each other, and different tools in a pipeline may pick up either one. This usually happens when a license is changed in package.json during a relicense but the old LICENSE file text is never replaced, or the reverse.

How to fix it

Decide which of the two is correct, usually the more recently intended license, and update the other to match: either change package.json's "license" field to the SPDX identifier for the license text actually in the file, or replace the file's text with the standard boilerplate for the license package.json declares.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks