NPM Workspace Dev Dependencies Incorrectly Scoped as Dependencies #11282

@voidpetal

Describe the bug

ORT incorrectly treats dev dependencies of NPM workspace packages as regular dependencies.

To Reproduce

Steps to reproduce the behavior:

  1. First clone this repo
  2. Then scan it and create a web report
  3. Open the tree tab
  4. See the tree includes dev dependency typescript-json-schema

Expected behavior

Dev dependencies of workspace packages should be correctly identified and scoped as dev dependencies.

Console / log output

No console output is relevant for this issue.

Environment

  • ORT version: 74.1.0
  • Java version: 21
  • OS: Linux

Additional context

I created a minimal example here for your convenience. There are two packages there:

  1. @myorg/theme/package.json - Workspace package with dev dependencies
    • Has csscolorparser as a regular dependency
    • Has typescript-json-schema as a dev dependency
  2. package.json - Defines workspace configuration
    • Uses workspaces: ["@myorg/*"]
    • Has geojson-vt as a regular dependency

All packages in the devDependencies section of @myorg/theme are treated as regular dependencies. This contrasts with geojson-vt@3.2.1, whose dev dependencies (rollup, eslint, etc.) are correctly excluded.

Thanks!
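
A manifest-level cross-check for the scoping described in this issue, added here as an example; it is not part of the original report and not ORT's code. It expands the root `workspaces` pattern, reads each member's `dependencies` and `devDependencies`, and flags dev-only packages that an analyzer result lists as regular dependencies. Assumptions: the manifests and the `reported` object are constructed, the `reported` shape is hypothetical and simplified (not ORT's result format), versions marked as placeholders are not from the issue, and `*` is matched as a single path segment.

```javascript
// Constructed manifests mirroring the layout in the issue ("." is the repo root).
const manifests = {
  ".": {
    workspaces: ["@myorg/*"],
    dependencies: { "geojson-vt": "3.2.1" },
  },
  "@myorg/theme": {
    dependencies: { csscolorparser: "*" },              // version is a placeholder
    devDependencies: { "typescript-json-schema": "*" }, // version is a placeholder
  },
};

// Constructed analyzer output in a simplified, hypothetical shape (not ORT's format),
// reproducing the behaviour the issue describes.
const reported = {
  ".": { dependencies: ["geojson-vt"] },
  "@myorg/theme": { dependencies: ["csscolorparser", "typescript-json-schema"] },
};

const escapeRe = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");

// Simplified workspace matching: "*" stands for exactly one path segment.
function workspaceDirs(patterns, dirs) {
  const regexes = patterns.map(
    (p) => new RegExp("^" + p.split("*").map(escapeRe).join("[^/]+") + "$"));
  return dirs.filter((d) => regexes.some((re) => re.test(d)));
}

// Flag packages declared only under devDependencies but reported as regular dependencies.
function misScoped(manifests, reported) {
  const root = manifests["."];
  const others = Object.keys(manifests).filter((d) => d !== ".");
  const findings = [];
  for (const dir of [".", ...workspaceDirs(root.workspaces || [], others)]) {
    const prod = Object.keys(manifests[dir].dependencies || {});
    const dev = Object.keys(manifests[dir].devDependencies || {});
    const reportedProd = (reported[dir] || {}).dependencies || [];
    for (const name of dev) {
      if (!prod.includes(name) && reportedProd.includes(name)) {
        findings.push({ project: dir, package: name, expected: "devDependencies" });
      }
    }
  }
  return findings;
}

console.log(misScoped(manifests, reported));
```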

Labels: analyzer (About the analyzer tool)