Failure to parse package-lock.json file including legacy license array format

[WhatIsACore]

Description

If Trivy attempts to scan a package-lock.json where any dependency uses an array for its license field (instead of a string), Trivy will fail to scan any part of the file, fail to output a WARNing or other indication of failure (unless running in --debug), and return an empty results array.

Though this format is deprecated, per https://docs.npmjs.com/cli/v10/configuring-npm/package-json:

Some old packages used license objects or a "licenses" property containing an array of license objects:

// Not valid metadata
{
  "license" : {
    "type" : "ISC",
    "url" : "https://opensource.org/licenses/ISC"
  }
}

// Not valid metadata
{
  "licenses" : [
    {
      "type": "MIT",
      "url": "https://www.opensource.org/licenses/mit-license.php"
    },
    {
      "type": "Apache-2.0",
      "url": "https://opensource.org/licenses/apache2.0.php"
    }
  ]
}

Those styles are now deprecated.

Old dependencies that have not been updated in a while can have this format in their package.json, and the modern npm will still transfer this into a downstream v3 package-lock.json, albeit with a warning. Though deprecated, the resulting lockfile is still considered legal. If a single dependency anywhere in the tree uses this format, the scan fails, making this issue more common than expected.

Desired Behavior

Trivy either successfully parses the package-lock.json, or ignores that particular license field, or logs an WARN when it fails to scan something that looks scannable.

Actual Behavior

Trivy ignores the entire package-lock.json file.

Reproduction Steps

1. minimal failing `package-lock.json` example:

{
    "name": "repro",
    "version": "1.0.0",
    "lockfileVersion": 3,
    "packages": {
      "": {
        "name": "repro",
        "version": "1.0.0",
        "dependencies": {
          "tv4": "1.3.0"
        }
      },
      "node_modules/tv4": {
        "version": "1.3.0",
        "license": [
          {"type": "Public Domain", "url": "http://example.com/LICENSE.txt"},
          {"type": "MIT", "url": "http://example.com/MIT.txt"}
        ]
      }
    }
  }


2. trivy fs --scanners vuln --format json .
...

Target

Filesystem

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

➜  trivy-bug trivy fs --scanners vuln --debug .
2026-03-11T02:10:43-07:00	DEBUG	No plugins loaded
2026-03-11T02:10:43-07:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2026-03-11T02:10:43-07:00	DEBUG	Cache dir	dir="/Users/zekixu/Library/Caches/trivy"
2026-03-11T02:10:43-07:00	DEBUG	Cache dir	dir="/Users/zekixu/Library/Caches/trivy"
2026-03-11T02:10:43-07:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2026-03-11T02:10:43-07:00	DEBUG	Ignore statuses	statuses=[]
2026-03-11T02:10:43-07:00	DEBUG	DB update was skipped because the local DB is the latest
2026-03-11T02:10:43-07:00	DEBUG	DB info	schema=2 updated_at=2026-03-11T06:44:42.547245918Z next_update=2026-03-12T06:44:42.547245628Z downloaded_at=2026-03-11T08:08:28.766526Z
2026-03-11T02:10:43-07:00	DEBUG	[pkg] Package types	types=[os library]
2026-03-11T02:10:43-07:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2026-03-11T02:10:43-07:00	INFO	[vuln] Vulnerability scanning is enabled
2026-03-11T02:10:43-07:00	DEBUG	[notification] Running version check
2026-03-11T02:10:43-07:00	DEBUG	Initializing scan cache...	type="memory"
2026-03-11T02:10:43-07:00	DEBUG	[fs] Analyzing...	root="."
2026-03-11T02:10:43-07:00	DEBUG	Created process-specific temp directory	path="/var/folders/1x/pc8ldbh12p3_g_7fthwgm9m80000gn/T/trivy-79845"
2026-03-11T02:10:43-07:00	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="node_modules"
2026-03-11T02:10:43-07:00	DEBUG	Walk error	file_path="package-lock.json" err="parse error: failed to parse package-lock.json: decode error: jsontext: invalid character '\\\\' after object value (expecting ',' or '}') within \"/packages/node_modules~1tv4/license/0\" after offset 380"
2026-03-11T02:10:43-07:00	DEBUG	OS is not detected.
2026-03-11T02:10:43-07:00	DEBUG	Detected OS: unknown
2026-03-11T02:10:43-07:00	INFO	Number of language-specific files	num=0
2026-03-11T02:10:43-07:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2026-03-11T02:10:43-07:00	DEBUG	[vex] VEX filtering is disabled
2026-03-11T02:10:43-07:00	WARN	[report] Supported files for scanner(s) not found.	scanners=[vuln]

Report Summary

┌────────┬──────┬─────────────────┐
│ Target │ Type │ Vulnerabilities │
├────────┼──────┼─────────────────┤
│   -    │  -   │        -        │
└────────┴──────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2026-03-11T02:10:43-07:00	DEBUG	Cleaning up temp directory	path="/var/folders/1x/pc8ldbh12p3_g_7fthwgm9m80000gn/T/trivy-79845"

Operating System

macOs Tahoe 26.3

Version

Version: 0.69.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2026-03-11 06:44:42.547245918 +0000 UTC
  NextUpdate: 2026-03-12 06:44:42.547245628 +0000 UTC
  DownloadedAt: 2026-03-11 08:08:28.766526 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

duplicate of #10119