Labels: bug (Something isn't working), good first issue (Good for newcomers)
Description
In NPM, you can install packages under a different name e.g. from @isaacs/cliui:
```json
"dependencies": {
  "string-width": "^5.1.2",
  "string-width-cjs": "npm:string-width@^4.2.0",
  "strip-ansi": "^7.0.1",
  "strip-ansi-cjs": "npm:strip-ansi@^6.0.1",
  "wrap-ansi": "^8.1.0",
  "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0"
},
```
Which seems to show up in the package-lock.json as
```json
"node_modules/string-width-cjs": {
  "name": "string-width",
  "version": "4.2.3",
  "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
  ...
},
```
(not sure what it looks like in the v1 format)

Edit: seems like it shows up in the old format as

```json
"string-width-cjs": {
  "version": "npm:string-width@4.2.3",
  "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
  ...
},
```
(but I don't think versions of npm that only use this format actually allow aliases...)
I believe osv-scanner will use the aliased name when looking for vulnerabilities, which can potentially cause false negatives (or false positives maybe, if the alias is a vulnerable package?)
We should also look into if other ecosystems have a similar issue.
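To make the false-negative risk concrete, here is an added example (not osv-scanner's own code, and not part of the issue above) that extracts `(package name, version)` pairs from both lockfile layouts described in the report. The naive extractor keys off the install name, so an aliased package is looked up under a name that has no advisories; the resolving extractor uses the `name` field (v2/v3) or the `npm:<name>@<version>` specifier (v1) so that the query hits the real package. The two sample lockfiles, the regex and the function names are constructed for this example.

```python
import json
import re

# Constructed sample lockfile in the lockfileVersion 2/3 layout: the alias
# "string-width-cjs" carries an explicit "name" pointing at the real package.
LOCK_V3 = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/string-width": {
      "version": "5.1.2",
      "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz"
    },
    "node_modules/string-width-cjs": {
      "name": "string-width",
      "version": "4.2.3",
      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz"
    }
  }
}
""")

# Constructed sample lockfile in the lockfileVersion 1 layout: the alias is
# only visible through the "npm:<name>@<version>" version specifier.
LOCK_V1 = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 1,
  "dependencies": {
    "string-width": {
      "version": "5.1.2",
      "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz"
    },
    "string-width-cjs": {
      "version": "npm:string-width@4.2.3",
      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz"
    }
  }
}
""")

# Matches "npm:string-width@4.2.3" and scoped "npm:@scope/pkg@1.0.0".
ALIAS_RE = re.compile(r"^npm:(?P<name>@?[^@]+)@(?P<version>.+)$")


def _install_name(path: str) -> str:
    """Last path segment after the final 'node_modules/' (keeps scoped names)."""
    return path.rsplit("node_modules/", 1)[-1]


def naive_packages(lock: dict) -> list[tuple[str, str]]:
    """Key off the install name only; this is the behaviour the issue worries about."""
    found = set()
    if "packages" in lock:  # lockfileVersion 2/3
        for path, entry in lock["packages"].items():
            if path == "" or "version" not in entry:
                continue
            found.add((_install_name(path), entry["version"]))
    else:  # lockfileVersion 1
        for name, entry in lock.get("dependencies", {}).items():
            found.add((name, entry["version"]))
    return sorted(found)


def resolved_packages(lock: dict) -> list[tuple[str, str]]:
    """Resolve npm aliases so the query uses the real package name."""
    found = set()
    if "packages" in lock:  # lockfileVersion 2/3: trust the "name" field when present
        for path, entry in lock["packages"].items():
            if path == "" or entry.get("link") or "version" not in entry:
                continue
            found.add((entry.get("name", _install_name(path)), entry["version"]))
    else:  # lockfileVersion 1: aliases live inside the version specifier, deps nest
        def walk(deps: dict) -> None:
            for install_name, entry in deps.items():
                real_name, version = install_name, entry["version"]
                m = ALIAS_RE.match(version)
                if m:
                    real_name, version = m.group("name"), m.group("version")
                found.add((real_name, version))
                walk(entry.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return sorted(found)


if __name__ == "__main__":
    for label, lock in (("v3", LOCK_V3), ("v1", LOCK_V1)):
        print(label, "naive:   ", naive_packages(lock))
        print(label, "resolved:", resolved_packages(lock))
```

With the v1 lockfile the naive extractor even emits `("string-width-cjs", "npm:string-width@4.2.3")`, a version string no advisory database will match; with v2/v3 it emits `("string-width-cjs", "4.2.3")`, a package name that does not exist upstream. Either way the 4.2.3 install of `string-width` is never checked, which is exactly the false negative described above.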