Description
What happened:
When using syft, we are occasionally seeing multiple copies of NPM packages in the output, referencing versions that do not exist.
How to reproduce it (as minimally and precisely as possible):
Steps to Reproduce
This assumes that one has node.js and npm 6.x or 7.x installed on their machine. These steps were run on macOS 11.2.3, but I have no reason to believe that this is platform-dependent:
npm install react-native
syft packages dir:node_modules
Expected Result
array-unique 0.3.2 npm
Actual Behavior
array-unique 0.2.4 npm
array-unique 0.3.2 npm
array-unique 4.10.1 npm
Errata
This behavior is not limited to the array-unique package, but it is being used as an example.
There are no such versions of the array-unique package as 0.2.4 and 4.10.1. Those version strings DO exist in the yarn.lock file, but attached to completely different packages.
Environment:
- Output of syft version:
Application: syft
Version: 0.16.1
BuildDate: 2021-05-25T22:04:01Z
GitCommit: 8be0d98
GitTreeState: clean
Platform: darwin/amd64
GoVersion: go1.16.4
Compiler: gc
- OS (e.g. cat /etc/os-release or similar):
sw_vers
ProductName: macOS
ProductVersion: 11.2.3
BuildVersion: 20D91
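The misattribution described in the report, as an added example that is not syft's code: a minimal yarn.lock v1 parser that binds each `version` line only to the package header it is indented under, and an audit that flags SBOM rows whose version the lockfile never resolves for that package. The lockfile contents and the package names other than array-unique are constructed.

```python
import re
from collections import defaultdict

# Constructed yarn.lock v1 fragment (not from the issue): one real array-unique
# entry plus unrelated entries carrying the phantom "0.2.4" and "4.10.1".
YARN_LOCK = """\
# yarn lockfile v1

array-unique@^0.3.2:
  version "0.3.2"

some-other-lib@^0.2.0:
  version "0.2.4"

"@scope/tool@^4.10.0", "@scope/tool@^4.10.1":
  version "4.10.1"
"""

HEADER_RE = re.compile(r'^(\S.*):$')             # unindented "spec, spec:" line
VERSION_RE = re.compile(r'^\s+version "([^"]+)"$')

def spec_to_name(spec):
    # "@scope/tool@^4.10.0" -> "@scope/tool": split on the LAST '@' so scoped names survive
    return spec.strip().strip('"').rsplit('@', 1)[0]

def parse_yarn_lock(text):
    """Map package name -> set of resolved versions, attributing each 'version'
    line only to the header block it is indented under."""
    versions = defaultdict(set)
    current = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if m:                      # new block: remember every name it declares
            current = [spec_to_name(s) for s in m.group(1).split(',')]
            continue
        m = VERSION_RE.match(line)
        if m:
            for name in current:
                versions[name].add(m.group(1))
    return dict(versions)

def audit_sbom(sbom_rows, lock):
    """Return SBOM (name, version) rows the lockfile never resolves for that
    package: candidates for a misattributed version."""
    return [(n, v) for n, v in sbom_rows if v not in lock.get(n, set())]

# Constructed stand-in for the three rows syft printed in the report.
SBOM_ROWS = [("array-unique", v) for v in ("0.2.4", "0.3.2", "4.10.1")]
```

Running `audit_sbom(SBOM_ROWS, parse_yarn_lock(YARN_LOCK))` returns only the two phantom rows, which is the check a consumer of the SBOM can apply before trusting version-based vulnerability matches.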