Release v2.6.0

Overview

This release makes two changes:

• more control over how licenses are validated
• performance improvements

Control over license validation

A new function was added, ValidateLicensesWithOptions, that uses options to allow the caller to specify what to consider invalid.
All of these are valid by default which is consistent the with current behavior of ValidateLicenses.

• FailComplexExpressions - rejects license that includes a conjunctive (e.g. "MIT AND Apache-2.0")
• FailDeprecatedLicenses - rejects deprecated SPDX license identifiers (e.g. "eCos-2.0")
• FailAllLicenseRefs - rejects all SPDX license references (e.g. "LicenseRef-MyLicense")
• FailAllDocumentRefs - rejects all SPDX document references (e.g. "DocumentRef-MyDocument")

Usage

// equivalent to calling `ValidateLicenses`
valid, invalidLicenses := ValidateLicenses(licenses, ValidateLicensesOptions{})

// reject only expressions that have a conjunctive
valid, invalidLicenses := ValidateLicenses(licenses, ValidateLicensesOptions{FailComplexExpressions: true})

// reject expressions that have a conjunctive and deprecated licenses
valid, invalidLicenses := ValidateLicenses(licenses, ValidateLicensesOptions{FailComplexExpressions: true, FailDeprecatedLicenses: true})

What's Changed

• add options for validating licenses that limits what is considered valid (#144) @elrayle

Full Changelog: v2.5.0...v2.6.0

v2.5.0

What's Changed

• Add simple cli to validate expressions by @ahpook in #137
• Make ExtractLicenses handle large expressions by @dangoor in #139
• Update SPDX license files (2026-04-10 05:06 UTC) by @github-actions[bot] in #135

Full Changelog: v2.4.0...v2.5.0

Release v2.4.0

What's Changed

• performance improvements for Satisfies and ValidateLicenses (#132) @elrayle
• fix panic in parseWith (#129) @phameratl
• add licenses and exceptions (#130) actions

Full Changelog: v2.3.6...v2.4.0

Release v2.3.6

What's Changed

• Bug fix for redundant + operator being added in licenses ending in -or-later
• Updated dependencies

Full Changelog: v2.3.5...v2.3.6

Release v2.3.5

What's Changed

• add licenses and exceptions
• bump dependencies

Full Changelog: v2.3.4...v2.3.5

Release v2.3.4

What's Changed

• update licenses
• bump dependencies

Full Changelog: v2.3.3...v2.3.4

Release v2.3.3

What's Changed

• update licenses
• bump dependencies
• update maintainer list

Full Changelog: v2.3.2...v2.3.3

Update SPDX identifiers as of 2024-09-18

The only shipped change in this release is an update to the known SPDX identifiers, current as of 2024-09-18.

Release v2.3.1

Overview

This retracts release v2.3.0 due to compatibility issues upgrading to Go 1.22. This release returns to Go 1.21.

See release notes for v2.3.0 for all other changes in the go-spdx v2.3 update.

Release v2.3.0

Overview

The process for updating SPDX licenses is now an automated process that runs nightly (ET). The script writes directly to the functions used to get the list of licenses, exceptions, and deprecations.

Updates licenses to latest SPDX license list which is v3.24.0 released on 2024-05-22 at the time of this PR.

Required Action for Upgrading

Run the following to update to this release.

go get github.com/github/go-spdx@v2.3.0

What's Changed

Minor changes

• Update SPDX license files (#75) (@github-actions, @elrayle)
• add workflow to fetch spdx licenses (#62) (@elrayle)
• Write updated licenses from SPDX directly to spdxlicenses package (#70) (@elrayle)
• Move license functions returning SPDX licenses to spdxlicenses package (#68) (@elrayle)

Patch changes

• add logging after writing license function files (#73) (@elrayle)
• gitignore local copy of official spdx repo (#72) (@elrayle)
• gitignore the path used to connect to the SPDX repo when fetching updated licenses (#67) (@elrayle)
• Set up test workflow to be used for PR check (#63) (@elrayle)
• plus dependency updates (see Full Changelog below)

Full Changelog: v2.2.0...v2.3.0