There has been a bout of “commercialization” of nuget packages in the dotnet world lately. There are now so many going that way I struggle to remember what’s useable and what isn’t.
I used to be able to grab the nearest nuget lib and with a quick glance at the license get coding, but now one has to tread carefully not to fall foul of license changes.
The .NET ecosystem has seen a notable shift with several NuGet libraries transitioning from open source to commercial models. This has impacted developers who now need to be more vigilant about the libraries they choose to incorporate into their projects. Below is a list of major NuGet libraries that have gone commercial, along with some alternatives.
This is definitely something to watch when using AIs/LLMs for [Vibe] coding as they will happily add libraries for which you would be in violation of their license.
Note: being commercially licensed is not necessarily a reason not to use a library. For example, you probably don’t want to write an entire OpenID identity server from scratch just to avoid your company paying for Duende. This post is more about not walking unawares into something that at some point was FOSS, but has now shifted to something that might be difficult or impossible to use in the particular project you are working on. Some of these are more surprising than others depending on how long you have been around and how much you’ve been keeping up with the dramas of dotnet recently. The scope of this list is specifically dotnet projects that gained some traction while they were fully FOSS and later changed their license (or behaviour in the case of Moq) in ways that make them less universally usable.
The NuGet Hall of Former Glory
Moq
Introduced the SponsorLink spyware dependency, causing uproar and mass exodus.
- Reddit discussion
- GitHub issue
- Alternatives:
GitInfo
GitInfo followed a similar path to Moq, and users should be cautious of libraries from the same author (devlooped, aka @kzu) who has lost much trust after the SponsorLink debacle.
“This project uses SponsorLink to attribute sponsor status”
MassTransit as of v9
MassTransit’s commercialization was announced with version 9, prompting users to seek alternatives.
- Reddit discussion
- Official announcement
- Alternatives:
- Brighter/Darker
- Rebus - MIT license, though the original author joined the NServiceBus owners in 2013 apparently
- Raw Service Bus SDK
No better: NServiceBus (see below)
NServiceBus
- Strange non-FOSS dual licensing with restricted functionality. Avoid. Apparently it was once Apache licensed but changed circa 2011.
MediatR & AutoMapper
Both libraries have moved towards a commercial model, as announced by their creator Jimmy Bogard.
FluentAssertions
FluentAssertions also changed their licensing model, but a community fork remains available under Apache 2.
- Community fork
- Alternatives:
Duende OpenID server
- “This new product will remain open source but will be offered with a dual license (RPL and commercial)”
- Alternatives:
- Keycloak - a Java-based self-hostable open source identity server.
This one doesn’t really deserve the “avoid” label these days, as it’s been pretty clear for many years that this is a commercial offering, however it’s included here because I think it is interesting that a move from Apache to dual licensing is part of its history.
ImageSharp
A word on licenses
Several of these re-licensed projects were under the MIT license. While you can still get and use the code as it was at the point the license was changed, there is nothing in the MIT license to stop a library author accepting thousands of hours of effort in contributions and then flipping the license to something profiteering.
This should be a warning to all who care about the future benefit and use of their work to think carefully about what license to choose for their work, and the license of projects they contribute to. Notably, this kind of relicense would be impossible with a GPL license without gaining consent from every single contributor, as to do so would be removing rights, which is explicitly disallowed by the GPL.
This site has good explanations of choosing licenses: https://choosealicense.com/, plus a handy tool to pull-request a license to your GitHub repo.
RPL (Reciprocal Public License)
The RPL license (RPL on Wikipedia) is a lesser-known license that you have to watch out for. It seems to be common in dual licensing because it effectively forbids commercial use due to the derivative works clauses. If you add an RPL library to a commercial project you’ll potentially be in big trouble.
It’s interesting to note that GNU considers RPL non-free due to restrictions it imposes.
Contributions welcome
If you know of any that have gone south that I’ve missed here, or of good alternatives, by all means open a PR for this post. I’m hoping there won’t be too many more that do this in the coming years.