When a package-lock.json has a license with a list, the package-lock is skipped

[jtorres-sia-es]

Description

The error message:
Walk error file_path="package-lock.json" err="parse error: failed to parse package-lock.json: decode error: json: cannot unmarshal JSON array into Go string within "/packages/node_modules~1pause-stream/license""
When the package-lock.json has this dependency with a list of licenses:
"node_modules/pause-stream": {
"version": "0.0.11",
"resolved": "https://registry.npmjs.org/pause-stream/-/pause-stream-0.0.11.tgz",
"integrity": "sha512-e3FBlXLmN/D1S+zHzanP4E/4Z60oFAa3O051qt1pxa7DEJWKAyil6upYVXCWadEnuoqa4Pkc9oUx9zsxYeRv8A==",
"license": [
"MIT",
"Apache2"
],
"dependencies": {
"through": "~2.3"
}
},

Desired Behavior

The package-lock.json is processed.

Actual Behavior

The package-lock.json is not processed, and therefore no dependencies with known vulnerabilities are reported.

Reproduction Steps

1.
2.
3.
...

Target

None

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

....
2026-02-12T12:48:55+01:00       INFO    [npm] To collect the license information of packages, "npm install" needs to be performed beforehand    dir="node_modules"
2026-02-12T12:48:55+01:00       DEBUG   Walk error      file_path="package-lock.json" err="parse error: failed to parse package-lock.json: decode error: json: cannot unmarshal JSON array into Go string within \"/packages/node_modules~1pause-stream/license\""
....

Operating System

Linux

Version

0.69.0-SNAPSHOT-0f0d6dbff

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Duplicate of #10119