Automatically exclude dev-tool transitive dependencies from license checks #74429

@manzoorwanijk

See #74310 (comment)

What problem does this address?

The bin/check-licenses.mjs script currently requires manually maintaining an ignore list for packages like @ampproject/remapping, webpack, bser, fb-watchman, and walker (Jest internals with Apache-2.0 license). Some of these packages appear in the license check because:

  1. @wordpress/scripts has jest as a production dependency (because it's a tooling package that provides Jest to consumers)
  2. The npm query .workspace:attr([wpScript],[wpScriptModuleExports]) :is(.prod) includes all transitive dependencies
  3. Jest's internal packages have Apache-2.0 license which isn't GPL2-compatible

These packages are only used for testing and are not distributed with WordPress, so they shouldn't require GPL2 compatibility checks. Currently, we manually add them to the ignored array, but this approach doesn't scale well as new dev-tool dependencies are added.

What is your proposed solution?

Automatically filter out transitive dependencies that come exclusively from dev-only packages (like @wordpress/scripts).

Implementation approach:

  1. Add a devOnlyPackages configuration listing packages whose transitive deps should be excluded:

    const devOnlyPackages = [ '@wordpress/scripts' ];

  2. Run two npm queries:

    • Get all prod deps of packages with wpScript/wpScriptModuleExports
    • Get all deps of dev-only packages

  3. Filter out packages that are only reachable through dev-only packages:

    // Drops every dependency whose name appears in devOnlyDeps (matching is by name only).
    function filterDevOnlyDeps( allDeps, devOnlyDeps ) {
        const devOnlyNames = new Set( devOnlyDeps.map( ( dep ) => dep.name ) );
        return allDeps.filter( ( dep ) => ! devOnlyNames.has( dep.name ) );
    }

  4. Add unit tests for the filtering function

Benefits:

  • No need to manually add Jest packages (or other dev-tool deps) to the ignore list
  • Future dev-tool dependencies are automatically handled
  • More maintainable and less error-prone
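
Added example, not part of the issue or of bin/check-licenses.mjs: one way to decide "only reachable through dev-only packages" by walking a dependency graph, so a package that a shipped workspace also depends on directly stays in the license check. The graph is constructed for illustration; '@wordpress/example-block' and 'shared-lib' are hypothetical names, and treating the dev-only package itself as skipped is an assumption.

```javascript
// Constructed dependency graph (package -> production dependencies).
// '@wordpress/example-block' and 'shared-lib' are hypothetical names.
const graph = {
	'@wordpress/example-block': [ '@wordpress/scripts', 'shared-lib' ],
	'@wordpress/scripts': [ 'jest', 'shared-lib' ],
	jest: [ 'fb-watchman', 'walker' ],
	'fb-watchman': [ 'bser' ],
	walker: [],
	bser: [],
	'shared-lib': [],
};

// Breadth-first walk from the roots that never enters a dev-only package.
function reachableWithoutDevOnly( depGraph, roots, devOnlyPackages ) {
	const blocked = new Set( devOnlyPackages );
	const seen = new Set();
	const queue = roots.filter( ( name ) => ! blocked.has( name ) );
	while ( queue.length > 0 ) {
		const name = queue.shift();
		if ( seen.has( name ) ) continue;
		seen.add( name );
		for ( const dep of depGraph[ name ] ?? [] ) {
			if ( ! blocked.has( dep ) && ! seen.has( dep ) ) queue.push( dep );
		}
	}
	return seen;
}

// Split dependencies into those still license-checked and those skipped.
function partitionDeps( depGraph, roots, devOnlyPackages ) {
	const keep = reachableWithoutDevOnly( depGraph, roots, devOnlyPackages );
	const all = reachableWithoutDevOnly( depGraph, roots, [] );
	const rootSet = new Set( roots );
	const checked = [];
	const excluded = [];
	for ( const name of [ ...all ].sort() ) {
		if ( rootSet.has( name ) ) continue; // the workspace itself is not a dependency
		( keep.has( name ) ? checked : excluded ).push( name );
	}
	return { checked, excluded };
}

const result = partitionDeps( graph, [ '@wordpress/example-block' ], [ '@wordpress/scripts' ] );
console.log( result );
```

In this graph shared-lib is also a dependency of @wordpress/scripts, so a filter that matches on name alone would skip it; the reachability walk keeps it in the checked list because the shipped workspace depends on it directly.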
