Hi @atripp
I think packages has to be iterated instead. I haven't seen dependencies beneath packages.
Further, the "empty" Key has to be ignored as it stands for the root project:
Maybe a little bit parsing would be necessary.
In lockfileVersion 2 a dependency was listed like this:
In lockfileVersion 3 it looks like this:
If desired, we can also upload package-lock.json files for testing via MyInedo.