They are explicitly allowed by https://docs.npmjs.com/cli/v6/configuring-npm/package-json/#license
"(Xxx OR Yyy)" seems to be somewhat common, so we should parse it; ignoring the rest should be fine. eg. https://github.com/otahou/jszip-utils/blob/a01c0fa02c3b32ec44d6743e3b3d4e563c439271/package.json#L41
Code from the NuGet could be reused, but we'd need to add at least basic support for parentheses to be useful with NPM.