Having just done this for a large project, I can say it turns out this process is more of a headache to automate fully than you might think. It's easy to get many of them with some of the tricks listed here, but NPM package licenses are not published consistently, and can appear
* In the NPM package.json file, or
* In the README file (sometimes just the name, like "MIT license", and sometimes full license text in a section), or
* In a separate LICENSE or COPYING file.
In addition, you sometimes have to read a license to tell which well-known open source license it corresponds to.
The best tool I know to do this, that (unlike some of the other answers here) covers all these cases, is the **licensecheck** package.
It looks at package.json as well as common license files, and does a signature match against known licenses, so it accurately recognizes more licenses automatically. It also "normalizes" licenses against the standard SPDX list of licenses.
Finally, Licensecheck also lets you save any remaining packages you needed to manually verify in your own license.json file (since you can't count on an external maintainer to change their package).
Taken together, this is a pretty robust solution.