The most popular licenses for each language in 2023

The 2023 report of the licenses in use by the biggest package managers highlights the need to educate developers on the importance of licensing information. While many developers know that Open Source software forms the backbone of modern development, the data shows that much of their software is shared (and most likely also used) without a license.

Using data from OSI’s community project ClearlyDefined, Aleksandrs Volodjkins explored the ClearlyDefined dataset from September 21, 2023. ClearlyDefined is a collaborative project providing comprehensive and standardized metadata about software components’ origins and licenses, its data shed light on the prevailing trends that shape the Open Source ecosystem.

Overall, MIT and Apache 2.0 are by far the most popular licenses, although popularity of licenses vary greatly depending on the package manager. The simplicity of these licenses, allowing users to modify and distribute code with minimal restrictions without imposing additional requirements, has undoubtedly contributed to their widespread adoption.

The license terrain is not uniform across all package managers. Each programming language has its own set of license preferences within their ecosystems. For instance, the JavaScript community often leans towards the MIT license, while Python developers show a similar affinity for Apache 2.0. The ISC license, with its simplicity and permissiveness, finds its niche in the JavaScript community. BSD licenses, both 3-Clause and 2-Clause, maintain a steady but comparatively lower adoption rate. The GNU General Public License (GPL), embodying the ethos of free software, enjoys a presence but falls behind MIT and Apache 2.0.

The Challenge of Unlicensed Components

Despite the prevalence of well-established licenses, a concerning revelation emerges from the ClearlyDefined dataset – a substantial percentage of Open Source components lack a designated license or carry the SPDX identifier “NOASSERTION.” This ambiguity introduces uncertainty about the permissible use of such components, potentially hindering collaboration, creating legal complexities, and security concerns for developers.

The Need for Clarity and Standardization

Addressing the issue of unlicensed components is crucial for the continued health of the Open Source community. Developers, organizations, and the community at large benefit from clear and standardized licensing. It not only facilitates collaboration but also ensures legal compliance and protects the intellectual property of contributors. Additionally, it helps developers to keep track of components that might have vulnerabilities.

Towards a collaborative solution

The issue of unlicensed components is a community-wide challenge that needs a community-wide approach. The ClearlyDefined project aims to address this challenge by inviting developers across different organizations to crowdsource a global database of licensing metadata for every software component ever published. It allows developers to fetch a cached copy of licensing metadata for each component through a simple API and contribute back with any missing or wrongly identified licensing metadata, helping to create a database that is accurate for the benefit of all. Check it out!

Javascript (npm)

The npm package manager for JavaScript contains components that mostly use the MIT license (53%), followed by Apache 2.0 (14,76%) and ISC (10,48%). The ISC license was published by the Internet Systems Consortium and, while popular among JavaScript projects, it’s not used much by other programming languages. A small percentage of projects don’t have a license (8%) or a SPDX-identified license / NOASSERTION (5.49%).

.NET (Nuget)

One of the most alarming data for Nuget, the package manager for . NET is that a great percentage of its components either don’t have a license (26.76%) or are found to be NOASSERTION (31.95%). Licenses under MIT or Apache 2.0 are at 21.55% and 13.37% respectively.

Java (Maven)

The great majority of components in Maven, the package manager for Java, use the Apache 2.0 license (69.18%). Components with the second most popular license, the MIT, represent only 7.4%. Components with NOASSERTION are at 14.75%.

Python (Pypi)

For Pypi, the package manager for Python, components under the MIT and Apache 2.0 licenses dominate, at 29.14% and 23.98% respectively. Components under BSD 2-Clause and GPL 3.0 are at 6.25% and 6.11%. A substantial percentage of components don’t have a license (23.69%).

Ruby (Gem)

The great majority of components at Gem, the package manager for Ruby, use the MIT license (63.11%). They are followed by the Apache 2.0 and BSD 3-Clause licenses at 8.22% and 6.66% respectively.

PHP (Composer)

The MIT license is a very popular choice among PHP components of the Composer package manager, at 64.37%. Projects under BSD 3-Clause and Apache 2.0 sit at 5.72% and 3.92% respectively.