Missing metadata for bundled third-party libraries

[frenzymadness]

Some of the bundled libraries don't have metadata files with them, which makes it impossible to get a license or version info from them. I redistribute this package in Fedora Linux, and it's important for me to declare all the licenses used (for the main package and all the bundled ones) as well as the versions of the bundled libs (for the vulnerability scanners).

For example create-react-class is a single minified .js file without any info about it, while I see that the upstream repo contains package.json file. react directory contains more files, but package.json is not there for some reason.

Jupyterlab, for example, provides a single JSON file with metadata for all bundled libraries in static/third-party-licenses.json and I guess it's generated during the build.

See: https://github.com/jupyterlab/jupyterlab/blob/73cca87d4ece9a167b08aad6fd32c8fa28177c93/builder/src/webpack-plugins.ts#L220-L234

Would it make sense to have something like it here as well?

[danyeaw]

Hi @frenzymadness, thanks for the issue report. This would be great to support so that you have a list of licenses. We may need to upgrade our dependencies so that we remove the @bower_components first.

[frenzymadness]

I'm concerned that this requires a deep understanding of the codebase, but is there anything I can assist you with?

[danyeaw]

Hi @frenzymadness, I think moving the dependencies just requires us to do it incrementally one at a time. I could start with one as an example, and I would be glad to have help.

[frenzymadness]

I don't understand why any moving or upgrading is necessary. Cannot we just enhance the build system that bundles the libraries to dump licenses and versions of them somewhere during the build?

[danyeaw]

I don't want to invest effort in to a non-standardized build system. Having @bower_components is mid way through moving from Bower to standard npm dependencies.