Simple NPM project fails with "The following references do not actually refer to packages" #11378

@malmor

Description

Describe the bug

When running ORT on a simple example repo with only two dependencies, the analyze phase throws an exception:

Exception in thread "main" java.lang.IllegalArgumentException: The following references do not actually refer to packages: 'NPM:@sap:cds-fiori:2.1.1'.
	at org.ossreviewtoolkit.model.utils.DependencyGraphBuilder.checkReferences(DependencyGraphBuilder.kt:207)
	at org.ossreviewtoolkit.model.utils.DependencyGraphBuilder.build(DependencyGraphBuilder.kt:177)
	at org.ossreviewtoolkit.model.utils.DependencyGraphBuilder.build$default(DependencyGraphBuilder.kt:176)
	at org.ossreviewtoolkit.plugins.packagemanagers.node.NodePackageManager.createPackageManagerResult(NodePackageManager.kt:111)
	at org.ossreviewtoolkit.analyzer.PackageManager.resolveDependencies(PackageManager.kt:351)
	at org.ossreviewtoolkit.analyzer.PackageManagerRunner$run$3.invokeSuspend(Analyzer.kt:354)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:34)
	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:100)
	at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(LimitedDispatcher.kt:124)
	at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:89)
	at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:586)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:820)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:717)
	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:704)

We have enabled DEBUG logging, but this does not really give any hints on why this would fail.

We already did some testing, and here it gets really strange:

  • Our example project with both dependencies @sap/cds and @sap/cds-dk fails with the exception
  • If you analyze them separately (only one at a time, or put them into their own package.json files), there is no issue
  • If you downgrade both packages to version 9.6.0, the analysis works again - but as far as I can tell, there have been no changes in the metadata etc. between these latest patch versions

Running an npm install shows no issues, and all of the commands ORT executes (e.g. npm list and npm info) report no issues.

To Reproduce

Steps to reproduce the behavior:

  1. Run analyze phase on the following package.json
{
	"name": "my-example-project",
	"version": "1.0.0",
	"engines": {
		"node": "22"
	},
	"scripts": {
		"start": "cds run"
	},
	"dependencies": {
		"@sap/cds": "9.6.4",
		"@sap/cds-dk": "9.6.1"
	}
}

Expected behavior

ORT should be able to analyze the example project. If there are any issues with one of the packages (e.g. missing metadata), which prevents a clean analysis, some information about this would be useful, so that one can contact the package owner.

Console / log output

[...]
2026-01-28T08:36:45.684652Z 01O  ______________________________                                                
2026-01-28T08:36:45.684665Z 01O /        \_______   \__    ___/     The OSS Review Toolkit, version 72.1.0,    
2026-01-28T08:36:45.684671Z 01O |    |   | |       _/ |    |        built with JDK 21.0.9+10-LTS, running under
2026-01-28T08:36:45.684679Z 01O |    |   | |    |   \ |    |        Executing 'analyze' as 'ort' on Linux      
2026-01-28T08:36:45.684686Z 01O \________/ |____|___/ |____|        with 16 CPUs and a maximum of 8192 MiB of m
2026-01-28T08:36:45.684691Z 01O                                                                                
2026-01-28T08:36:45.684698Z 01O Environment variables:                                                        
2026-01-28T08:36:45.684703Z 01O ORT_DATA_DIR = /builds/example-repo/.ort       
2026-01-28T08:36:45.684708Z 01O ORT_CONFIG_DIR = /home/ort/.ort/config                                        
2026-01-28T08:36:45.684714Z 01O HOME = /home/ort                                                              
2026-01-28T08:36:45.684717Z 01O JAVA_HOME = /opt/java/openjdk                                                 
2026-01-28T08:36:45.684722Z 01O ANDROID_HOME = /opt/android-sdk                                               
2026-01-28T08:36:45.684729Z 01O                                                                               
2026-01-28T08:36:45.684734Z 01O Looking for ORT configuration in the following file:
2026-01-28T08:36:45.684739Z 01O         /home/ort/.ort/config/config.yml
2026-01-28T08:36:45.684745Z 01O 
2026-01-28T08:36:45.684750Z 01O Looking for analyzer-specific configuration in the following files and directories:
2026-01-28T08:36:45.684754Z 01O         /builds/example-repo/.ort.yml
2026-01-28T08:36:45.684770Z 01O         /home/ort/.ort/config/resolutions.yml
2026-01-28T08:36:46.186298Z 01O The following 16 package manager(s) are enabled:
2026-01-28T08:36:46.186309Z 01O         Bundler, Cargo, CocoaPods, Composer, Conan, GoMod, Gradle, Maven, NPM, NuGet, PIP, Pipenv, PNPM, Poetry, Yarn, Yarn 2+
2026-01-28T08:36:46.711780Z 01O The following 4 package curation provider(s) are enabled:
2026-01-28T08:36:46.711809Z 01O         RepositoryConfiguration, DefaultDir, DefaultFile, Spring
2026-01-28T08:36:46.711813Z 01O Analyzing project path:
2026-01-28T08:36:46.711818Z 01O         /builds/example-repo
2026-01-28T08:36:46.711863Z 01O 08:36:46.572 [main] DEBUG org.ossreviewtoolkit.analyzer.Analyzer - Using the following configuration settings:
2026-01-28T08:36:46.711867Z 01O ---
2026-01-28T08:36:46.711871Z 01O analyzer:
2026-01-28T08:36:46.711873Z 01O   allow_dynamic_versions: true
2026-01-28T08:36:46.711875Z 01O   skip_excluded: true
2026-01-28T08:36:46.711883Z 01O excludes:
2026-01-28T08:36:46.711885Z 01O   paths:
2026-01-28T08:36:46.711888Z 01O   - pattern: ".github/**"
2026-01-28T08:36:46.711892Z 01O     reason: "DOCUMENTATION_OF"
2026-01-28T08:36:46.711895Z 01O     comment: "Exclude repository documentation and CI configs from ORT scans."
2026-01-28T08:36:46.711897Z 01O   scopes:
2026-01-28T08:36:46.711901Z 01O   - pattern: "devDependencies"
2026-01-28T08:36:46.711903Z 01O     reason: "DEV_DEPENDENCY_OF"
2026-01-28T08:36:46.711915Z 01O     comment: "Packages for development only."
2026-01-28T08:36:46.711919Z 01O resolutions:
2026-01-28T08:36:46.711921Z 01O   rule_violations:
2026-01-28T08:36:46.711925Z 01O   - message: ".*LicenseRef-ort-SAP-Developer-License-Agreement-3.*"
2026-01-28T08:36:46.711928Z 01O     reason: "CANT_FIX_EXCEPTION"
2026-01-28T08:36:46.711931Z 01O     comment: "The use of packages underlying the SAP DEVELOPER LICENSE AGREEMENT v3.x\
2026-01-28T08:36:46.711934Z 01O       \ is acceptable in this case. Affected packages are not delivered by us\
2026-01-28T08:36:46.711940Z 01O       \ but installed on the customers SAP BTP instance. Details: https://issuetracking.company.internal/browse/SAP-132"
2026-01-28T08:36:46.711942Z 01O license_choices:
2026-01-28T08:36:46.711944Z 01O   repository_license_choices:
2026-01-28T08:36:46.711948Z 01O   - given: "BSD-3-Clause OR GPL-2.0-only"
2026-01-28T08:36:46.711950Z 01O     choice: "BSD-3-Clause"
[...]
2026-01-28T08:36:57.722803Z 01O 08:36:57.345 [DefaultDispatcher-worker-3] INFO  org.ossreviewtoolkit.analyzer.PackageManager - NPM resolved dependencies for path 'example/package.json' in 9.223349995s.
2026-01-28T08:36:57.722816Z 01O Exception in thread "main" java.lang.IllegalArgumentException: The following references do not actually refer to packages: 'NPM:@sap:cds-fiori:2.1.1'.
2026-01-28T08:36:57.722822Z 01O 	at org.ossreviewtoolkit.model.utils.DependencyGraphBuilder.checkReferences(DependencyGraphBuilder.kt:207)
2026-01-28T08:36:57.722828Z 01O 	at org.ossreviewtoolkit.model.utils.DependencyGraphBuilder.build(DependencyGraphBuilder.kt:177)
2026-01-28T08:36:57.722832Z 01O 	at org.ossreviewtoolkit.model.utils.DependencyGraphBuilder.build$default(DependencyGraphBuilder.kt:176)
2026-01-28T08:36:57.722838Z 01O 	at org.ossreviewtoolkit.plugins.packagemanagers.node.NodePackageManager.createPackageManagerResult(NodePackageManager.kt:111)
2026-01-28T08:36:57.722845Z 01O 	at org.ossreviewtoolkit.analyzer.PackageManager.resolveDependencies(PackageManager.kt:351)
2026-01-28T08:36:57.722848Z 01O 	at org.ossreviewtoolkit.analyzer.PackageManagerRunner$run$3.invokeSuspend(Analyzer.kt:354)
2026-01-28T08:36:57.722851Z 01O 	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:34)
2026-01-28T08:36:57.722861Z 01O 	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:100)
2026-01-28T08:36:57.722864Z 01O 	at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(LimitedDispatcher.kt:124)
2026-01-28T08:36:57.722868Z 01O 	at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:89)
2026-01-28T08:36:57.722873Z 01O 	at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:586)
2026-01-28T08:36:57.722876Z 01O 	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:820)
2026-01-28T08:36:57.722880Z 01O 	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:717)
2026-01-28T08:36:57.722885Z 01O 	at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:704)
[...]

Environment

  • ORT version: 72.1.0
  • Java version: JDK 21
  • OS: Linux (Official Docker container)
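To narrow an error like "The following references do not actually refer to packages: 'NPM:@sap:cds-fiori:2.1.1'" down to the part of the npm tree that introduces the package, the helper below walks the JSON that `npm ls --all --json` prints and reports which parents pull in each name@version, whether every occurrence carries a `resolved` URL, and whether a name appears in more than one version. This is an added example, not code from ORT or from the report above. It relies only on the `version`, `resolved` and `dependencies` fields of the npm output; the sample tree embedded at the bottom is constructed for the example, and the parent/child relationships and the missing `resolved` field in it are invented to exercise the checks, not a description of the real @sap packages.

```javascript
// Added diagnostic helper (example code, not part of ORT): index the tree
// printed by `npm ls --all --json` so a package named in an ORT
// "references do not actually refer to packages" error can be traced to the
// parents that pull it in and checked for inconsistent occurrences.

// Convert "name@version" into the identifier format ORT prints for npm
// packages, "NPM:<scope>:<name>:<version>", with an empty scope for
// unscoped packages (e.g. "NPM::lodash:4.17.21").
function ortId(key) {
  const at = key.lastIndexOf("@");
  const name = key.slice(0, at);
  const version = key.slice(at + 1);
  const [scope, bare] = name.startsWith("@") ? name.split("/") : ["", name];
  return `NPM:${scope}:${bare}:${version}`;
}

// Walk the tree depth-first and collect, per "name@version" reference, the
// parent that introduced each occurrence and how many occurrences carried a
// "resolved" tarball URL. Only "version", "resolved" and "dependencies" of
// the npm output are used.
function indexTree(tree) {
  const refs = new Map();
  function walk(node, path) {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const key = `${name}@${child.version}`;
      const entry = refs.get(key) || { parents: [], occurrences: 0, withResolved: 0 };
      entry.parents.push(path.length ? path[path.length - 1] : "<root>");
      entry.occurrences += 1;
      if (child.resolved) entry.withResolved += 1;
      refs.set(key, entry);
      walk(child, [...path, key]);
    }
  }
  walk(tree, []);
  return refs;
}

// Report references with at least one occurrence lacking a "resolved" URL,
// and names present in more than one version. Both are worth comparing
// against what npm actually installed before the ORT run is repeated.
function findSuspicious(tree) {
  const refs = indexTree(tree);
  const versionsByName = new Map();
  for (const key of refs.keys()) {
    const name = key.slice(0, key.lastIndexOf("@"));
    versionsByName.set(name, (versionsByName.get(name) || []).concat(key));
  }
  const findings = [];
  for (const [key, entry] of refs) {
    const name = key.slice(0, key.lastIndexOf("@"));
    const reasons = [];
    if (entry.withResolved < entry.occurrences) reasons.push("occurrence without resolved URL");
    if (versionsByName.get(name).length > 1) reasons.push("multiple versions in tree");
    if (reasons.length) findings.push({ id: ortId(key), parents: entry.parents, reasons });
  }
  return findings;
}

// Constructed sample in the shape of `npm ls --all --json` output. The
// parent/child relationships and the second, unresolved occurrence of
// @sap/cds-fiori are invented for this example and do not describe the
// real @sap packages.
const SAMPLE_TREE = {
  name: "my-example-project",
  version: "1.0.0",
  dependencies: {
    "@sap/cds": {
      version: "9.6.4",
      resolved: "https://registry.example.invalid/@sap/cds/-/cds-9.6.4.tgz",
      dependencies: {
        "@sap/cds-fiori": {
          version: "2.1.1",
          resolved: "https://registry.example.invalid/@sap/cds-fiori/-/cds-fiori-2.1.1.tgz",
        },
      },
    },
    "@sap/cds-dk": {
      version: "9.6.1",
      resolved: "https://registry.example.invalid/@sap/cds-dk/-/cds-dk-9.6.1.tgz",
      dependencies: {
        "@sap/cds-fiori": { version: "2.1.1" }, // constructed: no "resolved" field
      },
    },
  },
};

for (const f of findSuspicious(SAMPLE_TREE)) {
  console.log(`${f.id}: ${f.reasons.join("; ")} (via ${f.parents.join(", ")})`);
}
```

For a real project, save the npm output with `npm ls --all --json > tree.json` in the project directory and pass `JSON.parse` of that file to `findSuspicious` instead of `SAMPLE_TREE`; the printed identifiers use the same `NPM:<scope>:<name>:<version>` format as the ORT message, so the offending reference can be matched directly.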

Labels

    to triage (issues that need triaging)