npmx-dev · thealxlabs · Mar 22, 2026 · Mar 22, 2026 · Mar 22, 2026 · Mar 22, 2026
diff --git a/app/components/Package/Dependencies.vue b/app/components/Package/Dependencies.vue
@@ -94,6 +94,18 @@ const numberFormatter = useNumberFormatter()
 
 <template>
   <div class="space-y-8">
+    <!-- Empty state when no dependencies at all -->
+    <p
+      v-if="
+        sortedDependencies.length === 0 &&
+        sortedPeerDependencies.length === 0 &&
+        sortedOptionalDependencies.length === 0
+      "
+      class="text-sm text-fg-subtle"
+    >
+      {{ $t('package.dependencies.none') }}
+    </p>
+
     <!-- Dependencies -->
     <CollapsibleSection
       v-if="sortedDependencies.length > 0"

diff --git a/app/pages/package/[[org]]/[name].vue b/app/pages/package/[[org]]/[name].vue
@@ -108,11 +108,27 @@
 }
 
 async function copyReadmeHandler() {
-  await fetchReadmeMarkdown()
+  // Safari requires navigator.clipboard.write() to be called synchronously within
+  // the user gesture, but accepts a Promise inside ClipboardItem.
+  // This pattern works in Safari 13.1+, Chrome, and Firefox.
+  if (typeof ClipboardItem !== 'undefined' && navigator.clipboard?.write) {
+    const blobPromise = (async () => {
+      await fetchReadmeMarkdown()
+      const markdown = readmeMarkdownData.value?.markdown ?? ''
+      return new Blob([markdown], { type: 'text/plain' })
+    })()
+    try {
+      await navigator.clipboard.write([new ClipboardItem({ 'text/plain': blobPromise })])
+      return
+    } catch {
+      // Fall through to legacy approach
+    }
+  }
 
+  // Legacy fallback (non-Safari, or older browsers)
+  await fetchReadmeMarkdown()
   const markdown = readmeMarkdownData.value?.markdown
   if (!markdown) return
-
   await copyReadme(markdown)
 }
 
@@ -305,6 +321,16 @@
   return pkg.value.versions[latestTag] ?? null
 })
 
+// SlimVersion does not carry license, so we compare against the package-level license
+const licenseChanged = computed(() => {
+  const currentLicense = displayVersion.value?.license
+  const latestLicense = pkg.value?.license
+  if (!currentLicense || !latestLicense) return false
+  const normalize = (l: unknown): string =>
+    typeof l === 'string' ? l : ((l as { type?: string })?.type ?? '')
+  return normalize(currentLicense) !== normalize(latestLicense)
+})
+
 const deprecationNotice = computed(() => {
   if (!displayVersion.value?.deprecated) return null
 
@@ -367,18 +393,6 @@
   return chunks.filter(Boolean).join('\n')
 })
 
-const hasDependencies = computed(() => {
-  if (!displayVersion.value) return false
-  const deps = displayVersion.value.dependencies
-  const peerDeps = displayVersion.value.peerDependencies
-  const optionalDeps = displayVersion.value.optionalDependencies
-  return (
-    (deps && Object.keys(deps).length > 0) ||
-    (peerDeps && Object.keys(peerDeps).length > 0) ||
-    (optionalDeps && Object.keys(optionalDeps).length > 0)
-  )
-})
-
 // Vulnerability count for the stats banner
 const vulnCount = computed(() => vulnTree.value?.totalCounts.total ?? 0)
 const hasVulnerabilities = computed(() => vulnCount.value > 0)
@@ -582,9 +596,24 @@
               <dt class="text-xs text-fg-subtle uppercase tracking-wider">
                 {{ $t('package.stats.license') }}
               </dt>
-              <dd class="font-mono text-sm text-fg">
-                <LicenseDisplay v-if="pkg.license" :license="pkg.license" />
+              <dd class="font-mono text-sm text-fg flex items-center gap-2 flex-wrap">
+                <LicenseDisplay
+                  v-if="displayVersion?.license ?? pkg.license"
+                  :license="(displayVersion?.license ?? pkg.license) as string"
+                />
                 <span v-else>{{ $t('package.license.none') }}</span>
+                <TooltipApp
+                  v-if="licenseChanged"
+                  :text="$t('package.license.changed', { latest: pkg.license })"
+                  position="bottom"
+                >
+                  <span
+                    class="inline-flex items-center gap-1 px-1.5 py-0.5 text-2xs font-sans rounded bg-amber-500/15 text-amber-700 dark:text-amber-400 border border-amber-500/30 cursor-help"
+                  >
+                    <span class="i-lucide:triangle-alert w-3 h-3" aria-hidden="true" />
+                    {{ $t('package.license.changed_badge') }}
+                  </span>
+                </TooltipApp>
               </dd>
             </div>
 
@@ -959,7 +988,7 @@
 
             <!-- Dependencies -->
             <PackageDependencies
-              v-if="hasDependencies && resolvedVersion && displayVersion"
+              v-if="resolvedVersion && displayVersion"
               :package-name="pkg.name"
               :version="resolvedVersion"
               :dependencies="displayVersion.dependencies"
@@ -1107,7 +1136,7 @@
       'install sidebar'
       'vulns   sidebar'
       'readme  sidebar';
-    grid-template-rows: auto auto auto auto 1fr;
+    grid-template-rows: auto auto auto auto;
   }
 }
 
@@ -1159,6 +1188,7 @@
 
 .areaSidebar {
   grid-area: sidebar;
+  align-self: start;
 }
 
 @media (max-width: 639.9px) {

diff --git a/i18n/locales/en.json b/i18n/locales/en.json
@@ -454,7 +454,8 @@
       "outdated_minor": "{count} minor version behind (latest: {latest}) | {count} minor versions behind (latest: {latest})",
       "outdated_patch": "Patch update available (latest: {latest})",
       "has_replacement": "This dependency has suggested replacements",
-      "vulnerabilities_count": "{count} vulnerability | {count} vulnerabilities"
+      "vulnerabilities_count": "{count} vulnerability | {count} vulnerabilities",
+      "none": "No dependencies"
     },
     "peer_dependencies": {
       "title": "Peer Dependency ({count}) | Peer Dependencies ({count})",
@@ -564,7 +565,9 @@
     },
     "license": {
       "view_spdx": "View license text on SPDX",
-      "none": "None"
+      "none": "None",
+      "changed_badge": "changed",
+      "changed": "License changed from {latest} in the latest version"
     },
     "vulnerabilities": {
       "tree_found": "{vulns} vulnerability in {packages}/{total} packages | {vulns} vulnerabilities in {packages}/{total} packages",

diff --git a/i18n/schema.json b/i18n/schema.json
@@ -1368,6 +1368,9 @@
             },
             "vulnerabilities_count": {
               "type": "string"
+            },
+            "none": {
+              "type": "string"
             }
           },
           "additionalProperties": false
@@ -1698,6 +1701,12 @@
             },
             "none": {
               "type": "string"
+            },
+            "changed_badge": {
+              "type": "string"
+            },
+            "changed": {
+              "type": "string"
             }
           },
           "additionalProperties": false

diff --git a/test/unit/app/utils/license-change.spec.ts b/test/unit/app/utils/license-change.spec.ts
@@ -0,0 +1,61 @@
+import { describe, expect, it } from 'vitest'
+
+/**
+ * Tests for the license change detection logic used in app/pages/package/[[org]]/[name].vue.
+ *
+ * The `licenseChanged` computed detects when the license of the currently
+ * viewed version differs from the package-level (latest) license, so an
+ * amber "changed" badge can be shown to alert users.
+ */
+
+type LicenseValue = string | { type?: string } | undefined | null
+
+function normalize(l: LicenseValue): string {
+  if (!l) return ''
+  return typeof l === 'string' ? l : ((l as { type?: string })?.type ?? '')
+}
+
+function licenseChanged(currentLicense: LicenseValue, packageLicense: LicenseValue): boolean {
+  if (!currentLicense || !packageLicense) return false
+  return normalize(currentLicense) !== normalize(packageLicense)
+}
+
+describe('licenseChanged detection', () => {
+  it('returns false when both licenses are the same string', () => {
+    expect(licenseChanged('MIT', 'MIT')).toBe(false)
+  })
+
+  it('returns true when a non-latest version has a different license', () => {
+    // e.g. old version had GPL, latest has MIT
+    expect(licenseChanged('GPL-2.0-only', 'MIT')).toBe(true)
+  })
+
+  it('returns false when current license is missing', () => {
+    expect(licenseChanged(null, 'MIT')).toBe(false)
+    expect(licenseChanged(undefined, 'MIT')).toBe(false)
+  })
+
+  it('returns false when package license is missing', () => {
+    expect(licenseChanged('MIT', null)).toBe(false)
+    expect(licenseChanged('MIT', undefined)).toBe(false)
+  })
+
+  it('returns false when both licenses are missing', () => {
+    expect(licenseChanged(null, null)).toBe(false)
+  })
+
+  it('normalizes object-shaped licenses for comparison', () => {
+    // Some old package.json use { type: "MIT" } instead of "MIT"
+    expect(licenseChanged({ type: 'MIT' }, 'MIT')).toBe(false)
+    expect(licenseChanged('MIT', { type: 'MIT' })).toBe(false)
+    expect(licenseChanged({ type: 'GPL-2.0' }, { type: 'MIT' })).toBe(true)
+  })
+
+  it('returns true for Apache-2.0 changed to MIT (real-world case)', () => {
+    expect(licenseChanged('Apache-2.0', 'MIT')).toBe(true)
+  })
+
+  it('returns false for complex SPDX expression that matches', () => {
+    expect(licenseChanged('MIT OR Apache-2.0', 'MIT OR Apache-2.0')).toBe(false)
+  })
+})