Add uv license or similar to audit dependency licenses

[autinerd]

It would be cool to have a possibility to audit licenses of dependencies like pip-license does. (And including the new License-Expression in Metadata 2.4)

[yayami3]

I'm on board!

[ryanleary]

@charliermarsh would an appropriate approach here to include license information in the uv.lock file? I am new to the uv codebase, but exploring the feasibility of adding this capability.

It seems that ideally given a set of dependencies pulled in from a Lockfile that we would then introspect the license and report back. I spent an ~hour exploring the Package and PackageMetadata data models. It seems like most of what is discovered by the resolver is ultimately serialized into uv.lock and I'm not sure that would be appropriate here.

I'm exploring the codepath of uv tree as that seems most conceptually similar. Given a list of Packages, what would the most sensible way be to access either (a) classifiers, and/or (b) pyproject toml license data?