pnpm lock file cataloger produces unstable output

**What happened**:

Run syft-json multiple times against the same lockfile. And yet it generates different output - flip-flopping artifact IDs.

```diff
          "foundBy" : "javascript-lock-cataloger",
-         "id" : "4e5335e9ddd15392",
+         "id" : "ecf707795b695f42",
          "language" : "javascript",
          "licenses" : [],
          "locations" : [
             {
                "accessPath" : "/pnpm-lock.yaml",
                "annotations" : {
                   "evidence" : "primary"
                },
                "path" : "/pnpm-lock.yaml"
             }
          ],
          "metadata" : {
             "dependencies" : {
-               "acorn" : "8.15.0"
+               "acorn" : "8.14.1"
             },
             "resolution" : {
                "integrity" : "sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ=="
             }
          },
          "metadataType" : "javascript-pnpm-lock-entry",
          "name" : "acorn-jsx",
          "purl" : "pkg:npm/acorn-jsx@5.3.2",
          "type" : "npm",
          "version" : "5.3.2"
       },
```

**What you expected to happen**:

The same syft json to be produced, all the time, producibly.

**Steps to reproduce the issue**:

1. git clone https://github.com/keycloak/keycloak -b 26.3.2
2. run: syft -o syft-json keycloak/js/pnpm-lock.yaml | sha256sum
3. observe unstable output

```
$ syft -o syft-json keycloak/js/pnpm-lock.yaml 2>/dev/null| sha256sum
5d3279d9189d4643fbb7f3f3aab7ad9ce2946a704c35813ba59f11b3bd590d84  -

$ syft -o syft-json keycloak/js/pnpm-lock.yaml 2>/dev/null| sha256sum
af2fab9c4fe4dd6423f2f49cc63f514737aec798dc35941aaa246206a77f048c  -

$ syft -o syft-json keycloak/js/pnpm-lock.yaml 2>/dev/null| sha256sum
af2fab9c4fe4dd6423f2f49cc63f514737aec798dc35941aaa246206a77f048c  -

$ syft -o syft-json keycloak/js/pnpm-lock.yaml 2>/dev/null| sha256sum
5d3279d9189d4643fbb7f3f3aab7ad9ce2946a704c35813ba59f11b3bd590d84  -
```

**Anything else we need to know?**:

The delta appears to be in metadata dependencies which might not be resolved deterministically.

Note similar flip flops are observed for other javascript packages too, for example babel dependencies.

**Environment**:
- Output of `syft version`:

$ syft version
Application:   syft
Version:       1.42.1
BuildDate:     2026-02-18T17:42:49Z
GitCommit:     0a3f7bb06ee168495ee54b8b66fccb22a056fe99
GitDescription: v1.42.1
Platform:      linux/amd64
GoVersion:     go1.25.7
Compiler:      gc
SchemaVersion: 16.1.3


- OS (e.g: `cat /etc/os-release` or similar): Ubuntu


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pnpm lock file cataloger produces unstable output #4648

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

pnpm lock file cataloger produces unstable output #4648

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions