
Improve license compliance handling #4990

@stefan6419846

Product

axe-core

Description

Currently, checking the licenses and copyrights for axe-core distributions is a bit of a pain. According to the given license files, there are 21 external dependencies included in the distribution, apart from the primary license of the package.

When looking at the package-lock.json for version 4.11.1, there are 1107 packages which might be related, all of them marked as dev: true. There is no easy way for me as an outside user or as someone involved with license compliance checking to identify which of the declared dependencies is actually included in the generated axe.js.

#4305 aims to keep the bundled dependency headers, but this might only be sufficient if all of the external packages are indeed using appropriate headers and build processes. #4305 (comment) refers to auto-generating the plain-text file, including the bundled versions, but this is not covered in the original goal/request of the linked issue, and it would not be in an accepted machine-readable format either.

For now, it seems like manually matching the package names from the LICENSE-3RD-PARTY.txt file with their counterparts in package-lock.json could be a viable approach, but this relies on this file being up-to-date as well.

At least for version 4.11.1, I could observe some discrepancies/outdated data inside this file, while only looking at the license files themselves (and not possibly individual source files with different metadata):

  • core-js-pure 3.44.0 is Copyright (c) 2014-2025 Denis Pushkarev instead of Copyright (c) 2014-2023 Denis Pushkarev
  • d 1.0.2 is Copyright (c) 2013-2024, Mariusz Nowak, @medikoo, medikoo.com instead of Copyright (c) 2013-2019, Mariusz Nowak, @medikoo, medikoo.com
  • es5-ext 0.10.64 is Copyright (c) 2011-2024, Mariusz Nowak, @medikoo, medikoo.com instead of Copyright (c) 2011-2022, Mariusz Nowak, @medikoo, medikoo.com
  • memoizee 0.4.17 is Copyright (c) 2012-2024, Mariusz Nowak, @medikoo, medikoo.com instead of Copyright (c) 2012-2018, Mariusz Nowak, @medikoo, medikoo.com
  • type 2.7.3 is Copyright (c) 2019-2024, Mariusz Nowak, @medikoo, medikoo.com instead of Copyright (c) 2019, Mariusz Nowak, @medikoo, medikoo.com

For these reasons, I would like to see some (preferably machine-readable) list of dependencies as bundled within the axe.js distribution, which allows proper analysis/verification of the supplied data. (Please note that my knowledge of the JavaScript ecosystem is rather limited and my main approach to this topic is from the licensing/license compliance perspective.)
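The matching approach described in the issue (pairing the package names from LICENSE-3RD-PARTY.txt with their entries in package-lock.json and comparing the recorded copyright lines with the upstream license texts) can be automated. The script below is an added example and is not code from the issue author or from the axe-core project. It assumes a constructed license-file layout in which each package section starts with a `--- <name> ---` line (axe-core's real file may be laid out differently), reads versions from the npm lockfile v2/v3 `packages` map, and emits one JSON record per bundled package with a status of `ok`, `copyright-outdated` or `not-in-lockfile`. The sample inputs are constructed; the names, versions and copyright lines reuse the discrepancies listed above, plus one hypothetical package that appears only in the license file.

```javascript
// Added example, not part of axe-core: reconcile a plain-text third-party
// license file with package-lock.json and produce a machine-readable list.
// Assumption (not axe-core's format): sections are delimited by "--- name ---".

// Parse "--- name ---" delimited sections into { name: licenseText }.
function parseThirdPartyLicenses(text) {
  const sections = {};
  let current = null;
  for (const line of text.split('\n')) {
    const header = line.match(/^--- (\S+) ---$/);
    if (header) {
      current = header[1];
      sections[current] = '';
    } else if (current !== null) {
      sections[current] += line + '\n';
    }
  }
  return sections;
}

// Collect name -> { version, dev } from an npm lockfile v2/v3 "packages" map.
// Keys look like "node_modules/a" or "node_modules/a/node_modules/b"; the text
// after the last "node_modules/" is the package name (scoped names keep "@org/").
// The first (shallowest) occurrence of a name wins.
function lockedVersions(lock) {
  const out = {};
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project itself
    const idx = key.lastIndexOf('node_modules/');
    const name = key.slice(idx + 'node_modules/'.length);
    if (!(name in out)) out[name] = { version: meta.version, dev: meta.dev === true };
  }
  return out;
}

// First "Copyright (c) ..." line of a license text (trimmed), or null.
function extractCopyright(text) {
  const m = text.match(/^\s*(Copyright \(c\) .+?)\s*$/mi);
  return m ? m[1] : null;
}

// One record per package named in the license file. upstreamLicenses maps
// name -> license text as shipped by the package itself (e.g. node_modules/<name>/LICENSE).
function reconcile(licenseFileText, lock, upstreamLicenses) {
  const bundled = parseThirdPartyLicenses(licenseFileText);
  const locked = lockedVersions(lock);
  return Object.entries(bundled).map(([name, text]) => {
    const copyright = extractCopyright(text);
    const upstreamCopyright = upstreamLicenses[name] ? extractCopyright(upstreamLicenses[name]) : null;
    let status = 'ok';
    if (!locked[name]) status = 'not-in-lockfile';
    else if (upstreamCopyright !== null && upstreamCopyright !== copyright) status = 'copyright-outdated';
    return {
      name,
      version: locked[name] ? locked[name].version : null,
      dev: locked[name] ? locked[name].dev : null,
      copyright,
      upstreamCopyright,
      status,
    };
  });
}

// Constructed sample inputs. "only-in-license-file" is a hypothetical package.
const SAMPLE_LICENSE_FILE = [
  '--- core-js-pure ---',
  'Copyright (c) 2014-2023 Denis Pushkarev',
  'Permission is hereby granted, free of charge, to any person obtaining a copy',
  '--- d ---',
  'Copyright (c) 2013-2019, Mariusz Nowak, @medikoo, medikoo.com',
  '--- only-in-license-file ---',
  'Copyright (c) 2020 Example Author',
].join('\n');

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'axe-core', version: '4.11.1' },
    'node_modules/core-js-pure': { version: '3.44.0', dev: true },
    'node_modules/d': { version: '1.0.2', dev: true },
  },
};

const SAMPLE_UPSTREAM = {
  'core-js-pure': 'Copyright (c) 2014-2025 Denis Pushkarev\n',
  d: 'ISC License\n\nCopyright (c) 2013-2024, Mariusz Nowak, @medikoo, medikoo.com\n',
};

// Convenience wrapper so the sample run can be inspected or asserted on.
function report() {
  return reconcile(SAMPLE_LICENSE_FILE, SAMPLE_LOCK, SAMPLE_UPSTREAM);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(report(), null, 2));
}
```

In practice the `SAMPLE_*` constants would be replaced by the real LICENSE-3RD-PARTY.txt, package-lock.json and the LICENSE files found under node_modules; the JSON output is what a reviewer can diff between releases, and any `copyright-outdated` or `not-in-lockfile` record is a concrete item to raise. Note that the lockfile's `dev` flag is reported but not used for the status, because (as the issue points out) it does not reveal which packages actually end up in the generated axe.js.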

Metadata

Assignees

No one assigned

    Labels

    docs: Documentation changes
    ungroomed: Ticket needs a maintainer to prioritize and label

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
