Description
When using NPM components, it is possible to have a lockfile that looks like the following (excerpted):
```json
"license": "MIT",
"dependencies": {
  "@pnpm/constants": "1001.3.1",
  "@pnpm/dependency-path": "1001.1.9",
  "@pnpm/object.key-sorting": "1000.0.1",
  "@pnpm/types": "1001.3.0",
  "@zkochan/rimraf": "^3.0.2",
  "comver-to-semver": "^1.0.0",
  "js-yaml": "npm:@zkochan/js-yaml@0.0.9",
  "ramda": "npm:@pnpm/ramda@0.28.1",
```
In this file, Component detection will not use the namespace portion of the js-yaml or ramda packages, and will instead assume the dependencies are the base js-yaml and ramda packages.
It does detect namespaces correctly if they are indicated in the name portion of the property, as they are in the @pnpm packages, or in other sections of the file where the direct name of the package contains the namespace, but when used as above, with the npm:@namespace/packagename format, it will only use the packagename.
The fix would seem to be looking for a @packagename prefix when examining these references, and, if found, using it with the package name to determine the actual dependency.
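An added example, not code from the original issue or from the project, of the lookup the suggested fix describes: when a dependency value starts with `npm:`, the scoped name inside the value, not the property key, identifies the installed package that an inventory or advisory match should use. The function names `parseAliasSpec` and `resolveDependencies` are hypothetical, and an alias that carries no range is reported with `range: null`.

```javascript
// Added example: resolving npm alias specifiers ("npm:<name>@<range>") in a
// dependencies map. Function names are hypothetical, not from any project.

// Parse an alias specifier; returns null when the value is not an alias.
function parseAliasSpec(spec) {
  if (typeof spec !== "string" || !spec.startsWith("npm:")) return null;
  const target = spec.slice("npm:".length);
  if (target === "") return null;
  // A leading "@" opens the scope, so only an "@" past index 0 can
  // separate the package name from the version range.
  const at = target.lastIndexOf("@");
  if (at > 0) return { name: target.slice(0, at), range: target.slice(at + 1) };
  return { name: target, range: null }; // alias with no explicit range
}

// Map each entry to the package that is really installed.
function resolveDependencies(dependencies) {
  return Object.entries(dependencies).map(([declaredAs, spec]) => {
    const alias = parseAliasSpec(spec);
    return alias
      ? { declaredAs, name: alias.name, range: alias.range, aliased: true }
      : { declaredAs, name: declaredAs, range: spec, aliased: false };
  });
}

// Constructed sample: entries taken from the excerpt in the issue.
const sampleDependencies = {
  "@pnpm/types": "1001.3.0",
  "@zkochan/rimraf": "^3.0.2",
  "js-yaml": "npm:@zkochan/js-yaml@0.0.9",
  "ramda": "npm:@pnpm/ramda@0.28.1",
};

for (const dep of resolveDependencies(sampleDependencies)) {
  const note = dep.aliased ? ` (declared as ${dep.declaredAs})` : "";
  console.log(`${dep.name} ${dep.range}${note}`);
}
```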