I work with several different JavaScript projects and they all use different package managers. Some projects use npm, others use Yarn, and we also have some pnpm workspaces.
I need to do two main things:
Check for problematic licenses - I want to find any GPL or other restrictive licenses that we cannot use
Generate complete dependency reports - I need a full list of every package and its license for compliance tracking
The tricky part is that I need to scan all nested dependencies as well. For example, if my app uses library X and that library depends on Y, I need to see the license for Y too, not just the direct dependencies.
Tools I have tested:
license-checker package works okay for npm and Yarn but seems to have issues with pnpm nested dependencies
Each package manager has built-in commands like npm ls, yarn licenses, and pnpm licenses list but I would need different scripts for each project type
What I am looking for:
Is there a tool that works the same way across all three package managers? Something that can reliably find nested dependencies in pnpm workspaces and Yarn PnP setups?
How do you handle license auditing when you have mixed package manager environments?
Been fighting this same issue for two years across multiple enterprise projects. Best solution I’ve found is licensee - it analyzes the actual node_modules structure instead of relying on package manager commands. What’s great about licensee is it reads package.json files directly from installed dependencies, so it handles pnpm’s symlinks and Yarn PnP without any setup. I run it in our CI pipeline and it catches nested dependencies other tools miss. For compliance reports, I pair it with a simple script that exports CSV - our legal team wants spreadsheets anyway. It also supports custom license classification, which is crucial when you need to flag specific licenses beyond GPL variants. One heads up - run it after a clean install since it needs the complete dependency tree installed locally.
Honestly, just use nlf (node license finder). Way simpler than other options and you don’t need to sign up for anything. It works with all package managers since it scans node_modules after install. I’ve used it for years without issues, even with nested deps in pnpm workspaces. You can export JSON/CSV for compliance stuff too.
Check out fossa-cli. It’s built for enterprise license compliance and works with all three package managers out of the box. While license-checker just reads lockfiles, fossa actually gets how each package manager resolves dependencies - so it catches transitive deps that other tools miss in pnpm workspaces. The big win is it builds the full dependency graph first, then analyzes licenses. This means it sees exactly what your app will use at runtime. I’ve used it for 18 months across different setups and it consistently catches stuff other scanners miss. You get detailed reports with license obligations, plus you can set it to fail builds on certain license types. Only catch is you need to register for the full reports, but the free tier does basic license detection which might work for you.
I’ve dealt with this nightmare across tons of projects and traditional tools always break somewhere. You’re trying to solve this manually when it should be automated.
I set up an automated workflow that handles all three package managers without remembering different commands or worrying about edge cases. Created a flow in Latenode that:
Detects which package manager each project uses
Runs the right dependency analysis
Combines results into one report format
Flags GPL or restrictive licenses automatically
Sends alerts when problematic licenses pop up
It works consistently across npm, Yarn, and pnpm without maintaining separate scripts. Even handles those tricky pnpm workspace setups and Yarn PnP cases that break other tools.
I run it on every PR and generate compliance reports monthly. Takes 10 minutes to set up, then it just works. No more hunting through different tools or dealing with inconsistent outputs.
Been using this for over a year and it catches everything manual tools miss.
FOSSA CLI’s solid, but I’ve found something that works better - lockfile parsing plus SPDX tools. I manage about 15 codebases with different package managers, and parsing lockfiles directly beats scanning node_modules every time. Here’s why: pnpm’s store structure trips up most tools, and Yarn PnP doesn’t even make traditional node_modules folders. I parse package-lock.json, yarn.lock, and pnpm-lock.yaml files straight up using license-report plus some custom scripts. This catches every transitive dependency since lockfiles have the complete resolved graph. For compliance reports, I output unified JSON with license obligations and export paths. More setup work upfront than one-tool solutions, but it handles edge cases way better - especially scoped packages or private registries that other scanners miss.