LICENSE file content does not match declared license
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
The SPDX identifier in package.json and the actual boilerplate text in the root LICENSE file name different license families (for example package.json says MIT while the file reads as GPL). This is a text-signature heuristic, not a legal reading of the file, but a mismatch here means the metadata and the actual grant disagree.
Why it matters
When package.json states one license and the actual LICENSE file text reads as a different one, the two most consulted sources of truth for what this license allows disagree with each other, and different tools in a pipeline may pick up either one. This usually happens when a license is changed in package.json during a relicense but the old LICENSE file text is never replaced, or the reverse.
How to fix it
Decide which of the two is correct, usually the more recently intended license, and update the other to match: either change package.json's "license" field to the SPDX identifier for the license text actually in the file, or replace the file's text with the standard boilerplate for the license package.json declares.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo