diff --git a/README.md b/README.md
index d0fbb7e..fff1320 100644
--- a/README.md
+++ b/README.md
@@ -4,3 +4,11 @@ Run Silverstripe CI matrix tests
 Only intended to be used within [gha-ci](https://github.com/silverstripe/gha-ci). The inputs all come from the matrix generated as a part of that workflow.
 
 GitHub job permissions required: `none`
+
+## JS license checking
+
+This action will check the licences of any installed NPM dependencies against a list of allowed SPDX identifiers of open source licences. These are contained in semi-colon delimited list in `allowed-spdx-delimited.txt`. If any insalaled non-dev dependencies are found that are not in the allowed list then the job will fail. See https://spdx.org/licenses/ for a list of SPDX identifiers.
+
+Note that the `Unlicense` is an SPDX identifier for an actual license and not a placeholder for a missing license.
+
+Composer dependences are checked seperately in `ci.yml` of `silverstripe/recipe-kitchen-sink`.
diff --git a/action.yml b/action.yml
index df37a2c..2c5270c 100644
--- a/action.yml
+++ b/action.yml
@@ -281,6 +281,14 @@ runs:
           echo "Running yarn lint"
           yarn run lint
         fi
+        # Validate licenses of all NPM dependencies are allowed
+        echo "Checking licenses of all dependencies"
+        # The following NPM package report as UNKNOWN or UNLICENSED, though have been manually checked they have permissive licenses:
+        EXCLUDE_PACKAGES='glob-to-regexp@0.3.0;jquery.are-you-sure@1.9.0;@silverstripe/react-injector@0.2.1;cwp-watea-theme@4.0.0;cwp-starter-theme@4.0.0'
+        npm install -g license-checker
+        SPDX_ALLOWED_DELIMITED=$(cat ${{ github.action_path }}/allowed-spdx-delimited.txt | tr -d '\n')
+        license-checker --production --unknown --out /dev/null --onlyAllow "$SPDX_ALLOWED_DELIMITED" --excludePackages "$EXCLUDE_PACKAGES"
+        # If we get to this point, everything was successful
         echo "Passed"
 
     - name: "Run PHP linting"
diff --git a/allowed-spdx-delimited.txt b/allowed-spdx-delimited.txt
new file mode 100644
index 0000000..7a1aedb
--- /dev/null
+++ b/allowed-spdx-delimited.txt
@@ -0,0 +1 @@
+MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense