bundle dependency license info

[ashleygwilliams]

https://github.com/sstadick/cargo-bundle-licenses

tl;dr generate a file that lists all the licenses of deps.

there are so many third party tools that do this that ideally we can leverage the best in class of them to get full coverage for all project types, but it's possible it's also "easy enough" to reimplement given that we are already excellent at finding and reading project manifest files and that using that graph as input to third party tools might be harder than just reimplementing.

[Gankra]

wrt doing this package-manager-independently, in an ideal world this can be broken down into several separable concerns:

• compute dependency graph (language specific, although we potentially stitch results together into agnostic structure)
• lookup license of a package in insert-packagemanager-here (necessarily language-specific, but produces agnostic output)
• merge per-dep information into whatever format is needed (this part can be totally language agnostic)