I have a project with includes a build tool compromising about 88 MB of bundled JavaScript in 187 different modules and thousands of files. Almost all of them are under some variant of MIT or BSD license, but the issue is how to spin this with REUSE. I can't really modify the contents of node_modules since updating any of those packages in the future, which will certainly happen not infrequently, will clobber the modifications. That seems to leave two options:

• Some TBD script of hideous complexity which will attempt to turn the LICENSE files in each module into patterns in .reuse/dep5
• Creating a pseudo-license (LicenseRef-JSModules?) which is applied to everything under node_modules and whose "license text" acknowledges that there are a large variety of OSS licenses in use which are not properly captured by REUSE.

Has anyone done this and can discuss / link to their solution, or have another plausible solution to the problem?

(Someone is going to say, just require your users to download everything via npm themselves, and there are reasons we're not going to do that.)

Well, each module has at least one license and one copyright holder you'd have to mention to become REUSE compliant. You'd simply provide wrong information if you put everything under a pseudo license and pseudo copyright holder.

Actually, thanks to the nature of BSD/MIT, you have the additional issue that these may differ from each other as they may contain individual copyright information. So a MIT with "Jane Doe" mentioned as copyright holder actually has to be treated as a separate license from the one with "John Doe" as copyright. See https://reuse.software/faq/#license-templates

A technical way would be to provide the external modules as submodules. REUSE detects them as external and therefore you don't have to make them REUSE compliant.

If that doesn't work, I wouldn't know a better way than to manage them correctly in the DEP5 file.