a) What do I actually need to write in reviewer notes if I got the libraries via npm, assuming no minified versions were used and no bundlers, so library files are included as is? And do I need to include package.json / package-lock.json in the addon?
b) What about the licenses? Do I need to collect a license file from each library and include it in the addon? Do all used libraries need to be mentioned in addon description? Do their licences need to be linked there?
A) If you’re using a standard npm-based workflow where you install dependencies via npm install or npm ci, you don’t need to do anything special to call out the source of those dependencies. You may still need instructions on how to build the extension in order to move those dependencies from your node_modules directory to the final location inside your extension.
B) That depends on the individual license requirements of each of your dependencies. You will need to read through licenses and possibly consult the relevant project’s documentation for guidance. Depending on your needs, you may also want to consult with a lawyer.