MPL2 would be a good choice for me, right?
I think so, yes, given the description of your requirements.
And, related to that, in browser-side JavaScript, in most cases, people use “bundling” to convert their code and all their dependencies into one or multiple output JavaScript files. This means that all the code of the dependencies is “vendored”, right?
Sort of?
Vendoring is a term that applies to a practice used for distribution of source code, not executables, and the line is blurry: how does machine code materially differ from source code? How does minified JavaScript materially differ from the original? Vendoring is a practice that affects source code, linking affects executables (particularly machine code objects which use the linker), bundling is a common verb that is applied to a process which produces minified JavaScript combining many dependencies into one. What does it mean to “link” JavaScript? What does it mean to “bundle” C libraries? All of these are industry jargon with blurry applicability in various situations, and therefore inadequate for describing specific legal scenarios, which is why the word “vendoring” does not actually appear in the MPL even though it’s a useful approximation of a scenario that the MPL is designed to accomodate.
Let’s just read the source text instead. The applicable parts of the MPL text starts with a few definitions:
“Source Code Form” means the form of the work preferred for making modifications.
“Executable Form” means any form of the work other than Source Code Form.
“Covered Software” means Source Code Form to which the initial Contributor has attached the notice in Exhibit A [Exhibit A is a comment added to the source code indicating that it is covered by MPL 2.0], the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.
“Larger Work” means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.
So in this sense we can say, for the purposes of reading the MPL’s legal text, that unminified original JavaScript would be covered under “source code form”, the minified form is covered by the “executable form”, and the bundle is a “larger work”.
If You distribute Covered Software in Executable Form then:
a. such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and
b. You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients’ rights in the Source Code Form under this License.
You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).
So, reading this, the assumption holds that you can bundle MPL 2.0-covered JavaScript libraries with webpack provided that you provide the MPL 2.0-covered source code and any modifications to it upon request – just as you might have suspected.