Note that it's not required to include license notices (not to be
confused with the license itself) in the header (or as metadata) of each
source file. It's a recommendation, such that if someone gets only that
specific file, then that person can easily know and have proof that such
file is under that license.
For this specific/current paragraph, I also want to point out that these
are own ways of checking the license notices of works, and I'm not a
lawyer. If there is no license notice in a given file, then the sibling
or parent README files (or similar in non-English languages) dictate
where to find the license notices, or provide the license notices
there. Failing this, then one must check for the source file with the
same name of the project or some name similar to "main" (assumed to be
in English, but this name can also change according to the language).
Files similar to COPYING, LICENSE, or [License name, or abbreviation
indicating exceptions and if "or later"/"+" applies] files (or similar
ones for each of those in non-English languages) are not that useful if
there is no match for what was described in the last paragraph.
Annoying fact: I just read the package.json npm specification syntax
documentation and it says to follow the "SPDX" specification when
specifying the licenses. However, the current "SPDX" specification no
longer seems to accept licenses with "+" ("or later"), there is no way
to tell that there is a proxy involved (such as what can be specified
when one adapts a CC BY-SA 4.0 work into another one under GNU GPL 3+,
according to [[https://www.gnu.org/licenses/license-list.html#ccbysa]]),
there is no exception for website management systems and associated
templates (such as what can be found in
[[https://www.gnu.org/licenses/gpl-faq.html#WMS]]), and there is
exception for source files written in JavaScript
([[https://www.gnu.org/software/librejs/free-your-javascript.html]], in
section 3.2.1 of this reference).
