Malformed SPDX license expression
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 2 points from that category, once per scan, no matter how many places it turns up.
What it detects
The "license" field joins two or more licenses with a lowercase or mixed-case "or"/"and" (for example "MIT or Apache-2.0") instead of the SPDX-required uppercase operator (for example "(MIT OR Apache-2.0)"), so SPDX-aware tooling cannot parse the expression.
Why it matters
SPDX license expressions require the literal uppercase operators OR, AND, and WITH; a lowercase or mixed-case "or"/"and" is not valid SPDX syntax, so any tool that actually parses the expression rather than just displaying the string will fail to resolve it and may report the package as having an unrecognized or missing license.
How to fix it
Rewrite the expression using the uppercase SPDX operator and wrap it in parentheses, for example change "MIT or Apache-2.0" to "(MIT OR Apache-2.0)". If only one license actually applies and the "or" was a mistake, simplify to that single SPDX identifier instead.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo