Do you have an openly available example repository to reproduce this on? In my experience, syft works well with package.json (not sure if I tried it with package.lock). However, note that syft by default does not include development dependencies. That was one pitfall I encountered. There is a configuration variable for toggling that behaviour, if you need it.