License & Copyright
Updated: 2025-08-19
Handling Third-Party Code and License Notices
When incorporating external code (directly or indirectly) into a multi-licensed or open-source project, the following rules could apply:
File-Level License Headers
- Do not remove or alter existing SPDX headers or copyright notices in third-party source files.
- If you modify such a file, add your own attribution line beneath the original one:
// SPDX-FileCopyrightText: © 2023 Original Author <author@example.com>
// SPDX-FileCopyrightText: © 2025 Your Name <you@example.com>
// SPDX-License-Identifier: [original license]
- The original license identifier (e.g. MIT, Apache-2.0, AGPL-3.0-only) must remain unchanged unless the upstream license explicitly permits re-licensing.
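The file-level rules above can be checked mechanically when reviewing edits to vendored files. The following is an added example, not part of the original page or of any tool it names; the function names and sample headers are constructed for illustration.

```javascript
// Added example: check that an edited third-party file keeps its upstream SPDX header.
// Function names and the sample headers below are constructed for illustration.

// Collect SPDX tag values from the leading comment block of a source file.
function parseSpdxHeader(source) {
  const header = { copyrights: [], licenses: [] };
  const tag = /^\s*(?:\/\/|#|\/?\*+)\s*SPDX-(FileCopyrightText|License-Identifier):\s*(.+?)\s*(?:\*\/)?\s*$/;
  for (const line of source.split(/\r?\n/)) {
    const m = line.match(tag);
    if (m) {
      (m[1] === 'FileCopyrightText' ? header.copyrights : header.licenses).push(m[2]);
    } else if (line.trim() !== '' && !/^\s*(\/\/|#|\/?\*)/.test(line)) {
      break; // first non-comment line ends the header
    }
  }
  return header;
}

// Return a list of violations of the file-level header rules (empty list = OK).
function checkHeaderPreserved(upstreamSource, modifiedSource) {
  const up = parseSpdxHeader(upstreamSource);
  const mod = parseSpdxHeader(modifiedSource);
  const problems = up.copyrights
    .filter((c) => !mod.copyrights.includes(c))
    .map((c) => `original copyright notice removed or altered: ${c}`);
  // New attribution lines belong beneath the original ones, not above them.
  if (problems.length === 0 && !up.copyrights.every((c, i) => mod.copyrights[i] === c)) {
    problems.push('attribution line added above the original notice');
  }
  if (up.licenses.join('|') !== mod.licenses.join('|')) {
    problems.push(`license identifier changed: ${up.licenses.join(', ')} -> ${mod.licenses.join(', ')}`);
  }
  return problems;
}

// Constructed sample files: one upstream original and three edited variants.
const ORIGINAL = '// SPDX-FileCopyrightText: © 2023 Original Author <author@example.com>';
const YOURS = '// SPDX-FileCopyrightText: © 2025 Your Name <you@example.com>';
const CODE = 'export const answer = 42;';
const UPSTREAM = [ORIGINAL, '// SPDX-License-Identifier: MIT', CODE].join('\n');
const GOOD_EDIT = [ORIGINAL, YOURS, '// SPDX-License-Identifier: MIT', CODE].join('\n');
const BAD_EDIT = [YOURS, '// SPDX-License-Identifier: Apache-2.0', CODE].join('\n');
const REORDERED = [YOURS, ORIGINAL, '// SPDX-License-Identifier: MIT', CODE].join('\n');

console.log(checkHeaderPreserved(UPSTREAM, GOOD_EDIT));
console.log(checkHeaderPreserved(UPSTREAM, BAD_EDIT));
console.log(checkHeaderPreserved(UPSTREAM, REORDERED));
```

A reported license-identifier change is a prompt for review, since the page allows it where the upstream license explicitly permits re-licensing.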
Project-Level Notices
- In addition to per-file headers, the project must include a LICENSE and/or ThirdPartyNotices.txt file that:
  - Lists all third-party components bundled or redistributed.
  - Preserves their license texts (MIT, Apache, BSD, GPL, AGPL, etc.).
  - Includes copyright statements where required.
Transitive Dependencies
- License obligations extend to both:
  - Direct dependencies you intentionally import.
  - Transitive dependencies bundled within them.
- Use tools such as license-checker or oss-attribution-generator to generate a complete ThirdPartyNotices.txt.
Special Considerations
- Permissive licenses (MIT, BSD, Apache-2.0): generally require only attribution and preservation of notices.
- Copyleft licenses (GPL, AGPL): may obligate distribution of full source code if your package is deployed or accessed over a network.
- SPFx (SharePoint Framework):
  - Solutions must ship with a ThirdPartyNotices.txt inside the .sppkg package.
  - Avoid strong-copyleft libraries (GPL/AGPL) unless you are prepared to release the entire SPFx solution’s source code.