Description
ScanCode reports an incorrect dependency name when a package.json dependency is declared with an authenticated Git URL (for example a git+ssh:// URL).
The dependency name, which is the key of the entry in package.json, is dropped and replaced with "git".
Steps to reproduce
- Create a package.json with one dependency whose requirement is an authenticated Git URL:

```json
{
  "name": "example",
  "version": "1.0.0",
  "dependencies": {
    "private-lib": "git+ssh://git@github.com:org/repo.git#v1.0.0"
  }
}
```

- Run ScanCode on that directory:

```sh
./scancode -clip --json result.json .
```

- Inspect the dependencies reported for package.json in result.json.
Observed result
The dependency is reported with the purl pkg:npm/git.
The declared dependency name "private-lib" is not preserved anywhere in the output.
Expected result
The dependency name should remain "private-lib" (purl pkg:npm/private-lib),
and the Git URL, including its #v1.0.0 commit-ish, should be recorded as the requirement for that dependency rather than being parsed as the name.
Why this matters
Authenticated Git URLs are the usual way to depend on private repositories from package.json.
When the declared name is lost, the dependency can no longer be matched to the project it refers to, and any SBOM generated from the scan lists a nonexistent package "git" in place of the real dependency.