Version bumps in software licenses rarely get much attention, but the jump from GPLv2 to GPLv3 in 2007 changed real legal terms that still show up in dependency audits today. In short, the GPLv3 license added an explicit patent grant, an anti-tivoization clause preventing hardware locks on modified software, and broader compatibility with other open-source licenses — changes the Free Software Foundation made specifically in response to legal and hardware disputes that emerged after GPLv2 was written in 1991. For teams doing license compliance on their dependency tree, knowing which version of the GPL a package uses is not a formality — the obligations differ meaningfully between them.
What is the general public license, in plain terms?
The general public license (GPL) is a copyleft open-source license that requires anyone who distributes a modified version of the software to also make their modified source code available under the same license. This is the defining trait of copyleft: unlike permissive licenses such as MIT or Apache 2.0, the GPL's obligations follow the code forward — if you build on GPL-licensed software and distribute the result, your changes generally need to be released under the GPL too. That "share-alike" mechanism is what the Free Software Foundation designed it to enforce, and it's why GPL-licensed dependencies get extra scrutiny in commercial codebases where companies don't want to open-source their own proprietary code.
What specific changes did GPLv3 make over GPLv2?
GPLv3 introduced an explicit patent grant, meaning contributors license their patents covering the software to anyone who uses it, closing a gap where GPLv2 relied on more implicit patent protection. It also added the anti-tivoization clause — named after the DVR maker Tivo, which used GPL-licensed Linux code but locked its hardware so modified firmware wouldn't run — requiring that if you distribute GPLv3 code in a device, you must also provide the means for the user to install their own modified version on that hardware. GPLv3 additionally improved compatibility with other free software licenses, allowing GPLv3 code to be combined with a wider set of otherwise-incompatible licenses than GPLv2 permitted, and it clarified terms around license termination, giving violators a defined cure period rather than immediate and permanent termination of their rights.
How does the GNU Affero General Public License differ from GPLv3?
The GNU Affero General Public License (AGPL) is a variant of GPLv3 that closes what's sometimes called the "SaaS loophole" — under ordinary GPLv3, running modified software as a network service without distributing the binary doesn't trigger the source-disclosure obligation, since no "distribution" of the software itself has technically occurred. The AGPL adds a requirement that anyone who runs a modified version of the software to provide a service over a network must also make the modified source available to users of that service. This matters a lot for SaaS companies evaluating dependencies, since an AGPL-licensed library embedded in a hosted product can trigger obligations that an equivalent GPLv3 library wouldn't.
Why does GPL version matter for dependency compliance scans?
GPL version matters because the obligations genuinely differ — a codebase mixing GPLv2-only components with GPLv3 components can actually be legally incompatible to combine, since GPLv2 doesn't include the compatibility provisions GPLv3 added. License scanning tools need to identify not just "this is GPL" but which specific version and whether the license text includes the "or later" clause that lets a package's license effectively upgrade over time. This level of detail is exactly the kind of thing that gets missed in a manual dependency review but is straightforward for automated SCA tooling to flag consistently across a large dependency tree.
FAQ
Can GPLv2 and GPLv3 code be combined in one project?
Not always — it depends on whether the GPLv2 components are licensed as "GPLv2 or later," which permits an effective upgrade path. Pure GPLv2-only code without that clause is not compatible with GPLv3 code in a single combined work.
Does using a GPLv3 library always force you to open-source your entire application?
It depends on how the library is used and distributed. Static or dynamic linking and the definition of a "derivative work" affect scope, and it's worth getting counsel involved for commercial products rather than assuming the strictest interpretation always applies.
Is AGPL more restrictive than GPLv3 for SaaS companies?
Yes, specifically for network-service use cases. AGPL closes the gap where running modified software as an online service, without distributing the binary, would otherwise not trigger source-disclosure obligations under plain GPLv3.
How do I check which GPL version a dependency actually uses?
Check the license header or LICENSE file in the package itself rather than trusting a package manager's license field alone, since that metadata is sometimes incomplete or outdated; automated SCA scanning that parses actual license text reduces this risk at scale.