diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.json
index e938f815a..72919e068 100644
--- a/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.json
@@ -144,9 +144,9 @@
     },
     {
       "type": "library",
-      "name": "my-local-b-off",
+      "name": "my-local-b",
       "version": "0.0.0",
-      "bom-ref": "my-local-b-off@0.0.0",
+      "bom-ref": "my-local-b@0.0.0",
       "description": "demo: my-local-b-off - a package with a different name than its dir",
       "licenses": [
         {
@@ -156,7 +156,7 @@
           }
         }
       ],
-      "purl": "pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+      "purl": "pkg:npm/my-local-b@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
       "externalReferences": [
         {
           "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
@@ -240,11 +240,11 @@
     {
       "ref": "my-local-a@0.0.0",
       "dependsOn": [
-        "my-local-b-off@0.0.0"
+        "my-local-b@0.0.0"
       ]
     },
     {
-      "ref": "my-local-b-off@0.0.0"
+      "ref": "my-local-b@0.0.0"
     },
     {
       "ref": "my-noname@0.0.0"
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.xml b/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.xml
index d6a294021..1b89af221 100644
--- a/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.xml
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_from-setup.snap.xml
@@ -105,8 +105,8 @@
         <property name="cdx:npm:package:private">true</property>
       </properties>
     </component>
-    <component type="library" bom-ref="my-local-b-off@0.0.0">
-      <name>my-local-b-off</name>
+    <component type="library" bom-ref="my-local-b@0.0.0">
+      <name>my-local-b</name>
       <version>0.0.0</version>
       <description>demo: my-local-b-off - a package with a different name than its dir</description>
       <licenses>
@@ -114,7 +114,7 @@
           <id>Apache-2.0</id>
         </license>
       </licenses>
-      <purl>pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b</purl>
+      <purl>pkg:npm/my-local-b@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b</purl>
       <externalReferences>
         <reference type="issue-tracker">
           <url>https://github.com/CycloneDX/cyclonedx-node-npm/issues</url>
@@ -170,9 +170,9 @@
       <dependency ref="my-noname@0.0.0"/>
     </dependency>
     <dependency ref="my-local-a@0.0.0">
-      <dependency ref="my-local-b-off@0.0.0"/>
+      <dependency ref="my-local-b@0.0.0"/>
     </dependency>
-    <dependency ref="my-local-b-off@0.0.0"/>
+    <dependency ref="my-local-b@0.0.0"/>
     <dependency ref="my-noname@0.0.0"/>
   </dependencies>
 </bom>
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node18_macos-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node18_macos-latest.snap.json
index d48eb1d17..2b70b939a 100644
--- a/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node18_macos-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node18_macos-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -105,9 +122,9 @@
     },
     {
       "type": "library",
-      "name": "my-local-b",
+      "name": "my-local-b-off",
       "version": "0.0.0",
-      "bom-ref": "my-local-b@0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
       "licenses": [
         {
           "license": {
@@ -116,7 +133,7 @@
           }
         }
       ],
-      "purl": "pkg:npm/my-local-b@0.0.0",
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -157,11 +174,11 @@
     {
       "ref": "my-local-a@0.0.0",
       "dependsOn": [
-        "my-local-b@0.0.0"
+        "my-local-b-off@0.0.0"
       ]
     },
     {
-      "ref": "my-local-b@0.0.0"
+      "ref": "my-local-b-off@0.0.0"
     },
     {
       "ref": "my-noname@0.0.0"
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node18_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node18_ubuntu-latest.snap.json
index d48eb1d17..2b70b939a 100644
--- a/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node18_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node18_ubuntu-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -105,9 +122,9 @@
     },
     {
       "type": "library",
-      "name": "my-local-b",
+      "name": "my-local-b-off",
       "version": "0.0.0",
-      "bom-ref": "my-local-b@0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
       "licenses": [
         {
           "license": {
@@ -116,7 +133,7 @@
           }
         }
       ],
-      "purl": "pkg:npm/my-local-b@0.0.0",
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -157,11 +174,11 @@
     {
       "ref": "my-local-a@0.0.0",
       "dependsOn": [
-        "my-local-b@0.0.0"
+        "my-local-b-off@0.0.0"
       ]
     },
     {
-      "ref": "my-local-b@0.0.0"
+      "ref": "my-local-b-off@0.0.0"
     },
     {
       "ref": "my-noname@0.0.0"
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node18_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node18_windows-latest.snap.json
index d48eb1d17..2b70b939a 100644
--- a/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node18_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node18_windows-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -105,9 +122,9 @@
     },
     {
       "type": "library",
-      "name": "my-local-b",
+      "name": "my-local-b-off",
       "version": "0.0.0",
-      "bom-ref": "my-local-b@0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
       "licenses": [
         {
           "license": {
@@ -116,7 +133,7 @@
           }
         }
       ],
-      "purl": "pkg:npm/my-local-b@0.0.0",
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -157,11 +174,11 @@
     {
       "ref": "my-local-a@0.0.0",
       "dependsOn": [
-        "my-local-b@0.0.0"
+        "my-local-b-off@0.0.0"
       ]
     },
     {
-      "ref": "my-local-b@0.0.0"
+      "ref": "my-local-b-off@0.0.0"
     },
     {
       "ref": "my-noname@0.0.0"
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node22_windows-latest.snap.json
new file mode 100644
index 000000000..2b70b939a
--- /dev/null
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm10_node22_windows-latest.snap.json
@@ -0,0 +1,187 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-noname",
+      "version": "0.0.0",
+      "bom-ref": "my-noname@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-noname@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-noname"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.0.0",
+        "my-noname@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    },
+    {
+      "ref": "my-noname@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm6_node14_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm6_node14_ubuntu-latest.snap.json
index 1f522596a..d82e79d89 100644
--- a/tests/_data/sbom_demo-results/bare/local-dependencies_npm6_node14_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm6_node14_ubuntu-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -139,7 +156,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "purl": "pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+ssh://git@github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm6_node14_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm6_node14_windows-latest.snap.json
index 1f522596a..d82e79d89 100644
--- a/tests/_data/sbom_demo-results/bare/local-dependencies_npm6_node14_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm6_node14_windows-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -139,7 +156,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "purl": "pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+ssh://git@github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm6_node16_macos-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm6_node16_macos-latest.snap.json
new file mode 100644
index 000000000..d82e79d89
--- /dev/null
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm6_node16_macos-latest.snap.json
@@ -0,0 +1,216 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "description": "demo: my-local-a",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-deps/project/packages/my-local-a",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-deps/project/packages/my-local-a",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "description": "demo: my-local-b-off - a package with a different name than its dir",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+ssh://git@github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "DummyComponent.InterferedDependency.my-noname",
+      "bom-ref": "DummyComponent.InterferedDependency.my-noname",
+      "description": "This is a dummy component \"InterferedDependency.my-noname\" that fills the gap where the actual built failed."
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "DummyComponent.InterferedDependency.my-noname",
+        "my-local-a@0.0.0"
+      ]
+    },
+    {
+      "ref": "DummyComponent.InterferedDependency.my-noname"
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm6_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm6_node22_windows-latest.snap.json
new file mode 100644
index 000000000..d82e79d89
--- /dev/null
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm6_node22_windows-latest.snap.json
@@ -0,0 +1,216 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "description": "demo: my-local-a",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-deps/project/packages/my-local-a",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-deps/project/packages/my-local-a",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "description": "demo: my-local-b-off - a package with a different name than its dir",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+ssh://git@github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "DummyComponent.InterferedDependency.my-noname",
+      "bom-ref": "DummyComponent.InterferedDependency.my-noname",
+      "description": "This is a dummy component \"InterferedDependency.my-noname\" that fills the gap where the actual built failed."
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "DummyComponent.InterferedDependency.my-noname",
+        "my-local-a@0.0.0"
+      ]
+    },
+    {
+      "ref": "DummyComponent.InterferedDependency.my-noname"
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm7_node14_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm7_node14_ubuntu-latest.snap.json
index d48eb1d17..98ba30079 100644
--- a/tests/_data/sbom_demo-results/bare/local-dependencies_npm7_node14_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm7_node14_ubuntu-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm7_node14_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm7_node14_windows-latest.snap.json
index d48eb1d17..98ba30079 100644
--- a/tests/_data/sbom_demo-results/bare/local-dependencies_npm7_node14_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm7_node14_windows-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm7_node16_macos-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm7_node16_macos-latest.snap.json
new file mode 100644
index 000000000..98ba30079
--- /dev/null
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm7_node16_macos-latest.snap.json
@@ -0,0 +1,187 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-noname",
+      "version": "0.0.0",
+      "bom-ref": "my-noname@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-noname@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-noname"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.0.0",
+        "my-noname@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b@0.0.0"
+    },
+    {
+      "ref": "my-noname@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm7_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm7_node22_windows-latest.snap.json
new file mode 100644
index 000000000..98ba30079
--- /dev/null
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm7_node22_windows-latest.snap.json
@@ -0,0 +1,187 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-noname",
+      "version": "0.0.0",
+      "bom-ref": "my-noname@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-noname@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-noname"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.0.0",
+        "my-noname@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b@0.0.0"
+    },
+    {
+      "ref": "my-noname@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm8_node14_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm8_node14_ubuntu-latest.snap.json
index d48eb1d17..98ba30079 100644
--- a/tests/_data/sbom_demo-results/bare/local-dependencies_npm8_node14_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm8_node14_ubuntu-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm8_node14_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm8_node14_windows-latest.snap.json
index d48eb1d17..98ba30079 100644
--- a/tests/_data/sbom_demo-results/bare/local-dependencies_npm8_node14_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm8_node14_windows-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm8_node16_macos-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm8_node16_macos-latest.snap.json
new file mode 100644
index 000000000..98ba30079
--- /dev/null
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm8_node16_macos-latest.snap.json
@@ -0,0 +1,187 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-noname",
+      "version": "0.0.0",
+      "bom-ref": "my-noname@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-noname@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-noname"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.0.0",
+        "my-noname@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b@0.0.0"
+    },
+    {
+      "ref": "my-noname@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm8_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm8_node22_windows-latest.snap.json
new file mode 100644
index 000000000..98ba30079
--- /dev/null
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm8_node22_windows-latest.snap.json
@@ -0,0 +1,187 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-noname",
+      "version": "0.0.0",
+      "bom-ref": "my-noname@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-noname@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-noname"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.0.0",
+        "my-noname@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b@0.0.0"
+    },
+    {
+      "ref": "my-noname@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node16_macos-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node16_macos-latest.snap.json
index d48eb1d17..98ba30079 100644
--- a/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node16_macos-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node16_macos-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node16_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node16_ubuntu-latest.snap.json
index d48eb1d17..98ba30079 100644
--- a/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node16_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node16_ubuntu-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node16_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node16_windows-latest.snap.json
index d48eb1d17..98ba30079 100644
--- a/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node16_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node16_windows-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node22_windows-latest.snap.json
new file mode 100644
index 000000000..98ba30079
--- /dev/null
+++ b/tests/_data/sbom_demo-results/bare/local-dependencies_npm9_node22_windows-latest.snap.json
@@ -0,0 +1,187 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-noname",
+      "version": "0.0.0",
+      "bom-ref": "my-noname@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-noname@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-noname"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.0.0",
+        "my-noname@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b@0.0.0"
+    },
+    {
+      "ref": "my-noname@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_from-setup.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_from-setup.snap.json
index d8fccdaf6..25ca1ae69 100644
--- a/tests/_data/sbom_demo-results/bare/local-workspaces_from-setup.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_from-setup.snap.json
@@ -187,6 +187,39 @@
           "value": "true"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "description": "demo: my-local-e - a standalone package that is not dependency of root nor any other workspace",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0?vcs_url=git%2Bhttps%3A//gitlab.example.com/my-packages/demo-workspaces.git#workspaces/my-local-e",
+      "externalReferences": [
+        {
+          "url": "git+https://gitlab.example.com/my-packages/demo-workspaces.git#workspaces/my-local-e",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -195,7 +228,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -213,6 +247,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_from-setup.snap.xml b/tests/_data/sbom_demo-results/bare/local-workspaces_from-setup.snap.xml
index 66d93361d..328cd4d94 100644
--- a/tests/_data/sbom_demo-results/bare/local-workspaces_from-setup.snap.xml
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_from-setup.snap.xml
@@ -131,12 +131,34 @@
         <property name="cdx:npm:package:private">true</property>
       </properties>
     </component>
+    <component type="library" bom-ref="my-local-e@0.1.0">
+      <name>my-local-e</name>
+      <version>0.1.0</version>
+      <description>demo: my-local-e - a standalone package that is not dependency of root nor any other workspace</description>
+      <licenses>
+        <license acknowledgement="declared">
+          <id>Apache-2.0</id>
+        </license>
+      </licenses>
+      <purl>pkg:npm/my-local-e@0.1.0?vcs_url=git%2Bhttps%3A//gitlab.example.com/my-packages/demo-workspaces.git#workspaces/my-local-e</purl>
+      <externalReferences>
+        <reference type="vcs">
+          <url>git+https://gitlab.example.com/my-packages/demo-workspaces.git#workspaces/my-local-e</url>
+          <comment>as detected from PackageJson property "repository.url" and "repository.directory"</comment>
+        </reference>
+      </externalReferences>
+      <properties>
+        <property name="cdx:npm:package:path">node_modules/my-local-e</property>
+        <property name="cdx:npm:package:private">true</property>
+      </properties>
+    </component>
   </components>
   <dependencies>
     <dependency ref="demo-workspaces@0.0.0">
       <dependency ref="my-local-a@0.1.0"/>
       <dependency ref="my-local-b-off@0.0.0"/>
       <dependency ref="my-local-c@0.23.42"/>
+      <dependency ref="my-local-e@0.1.0"/>
     </dependency>
     <dependency ref="my-local-a@0.1.0">
       <dependency ref="my-local-b-off@0.0.0"/>
@@ -146,5 +168,6 @@
       <dependency ref="my-local-a@0.1.0"/>
       <dependency ref="my-local-b-off@0.0.0"/>
     </dependency>
+    <dependency ref="my-local-e@0.1.0"/>
   </dependencies>
 </bom>
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node18_macos-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node18_macos-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node18_macos-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node18_macos-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node18_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node18_ubuntu-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node18_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node18_ubuntu-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node18_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node18_windows-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node18_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node18_windows-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node22_windows-latest.snap.json
new file mode 100644
index 000000000..584ae3395
--- /dev/null
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm10_node22_windows-latest.snap.json
@@ -0,0 +1,207 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-workspaces",
+      "version": "0.0.0",
+      "bom-ref": "demo-workspaces@0.0.0",
+      "description": "demo: demo-workspaces -- showcase how workspaces look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.1.0",
+      "bom-ref": "my-local-a@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-c",
+      "version": "0.23.42",
+      "bom-ref": "my-local-c@0.23.42",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-c@0.23.42",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-c"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-workspaces@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0",
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.1.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    },
+    {
+      "ref": "my-local-c@0.23.42",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm7_node14_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm7_node14_ubuntu-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/bare/local-workspaces_npm7_node14_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm7_node14_ubuntu-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm7_node14_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm7_node14_windows-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/bare/local-workspaces_npm7_node14_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm7_node14_windows-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm7_node16_macos-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm7_node16_macos-latest.snap.json
new file mode 100644
index 000000000..584ae3395
--- /dev/null
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm7_node16_macos-latest.snap.json
@@ -0,0 +1,207 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-workspaces",
+      "version": "0.0.0",
+      "bom-ref": "demo-workspaces@0.0.0",
+      "description": "demo: demo-workspaces -- showcase how workspaces look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.1.0",
+      "bom-ref": "my-local-a@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-c",
+      "version": "0.23.42",
+      "bom-ref": "my-local-c@0.23.42",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-c@0.23.42",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-c"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-workspaces@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0",
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.1.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    },
+    {
+      "ref": "my-local-c@0.23.42",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm7_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm7_node22_windows-latest.snap.json
new file mode 100644
index 000000000..584ae3395
--- /dev/null
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm7_node22_windows-latest.snap.json
@@ -0,0 +1,207 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-workspaces",
+      "version": "0.0.0",
+      "bom-ref": "demo-workspaces@0.0.0",
+      "description": "demo: demo-workspaces -- showcase how workspaces look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.1.0",
+      "bom-ref": "my-local-a@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-c",
+      "version": "0.23.42",
+      "bom-ref": "my-local-c@0.23.42",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-c@0.23.42",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-c"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-workspaces@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0",
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.1.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    },
+    {
+      "ref": "my-local-c@0.23.42",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm8_node14_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm8_node14_ubuntu-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/bare/local-workspaces_npm8_node14_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm8_node14_ubuntu-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm8_node14_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm8_node14_windows-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/bare/local-workspaces_npm8_node14_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm8_node14_windows-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm8_node16_macos-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm8_node16_macos-latest.snap.json
new file mode 100644
index 000000000..584ae3395
--- /dev/null
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm8_node16_macos-latest.snap.json
@@ -0,0 +1,207 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-workspaces",
+      "version": "0.0.0",
+      "bom-ref": "demo-workspaces@0.0.0",
+      "description": "demo: demo-workspaces -- showcase how workspaces look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.1.0",
+      "bom-ref": "my-local-a@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-c",
+      "version": "0.23.42",
+      "bom-ref": "my-local-c@0.23.42",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-c@0.23.42",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-c"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-workspaces@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0",
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.1.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    },
+    {
+      "ref": "my-local-c@0.23.42",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm8_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm8_node22_windows-latest.snap.json
new file mode 100644
index 000000000..584ae3395
--- /dev/null
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm8_node22_windows-latest.snap.json
@@ -0,0 +1,207 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-workspaces",
+      "version": "0.0.0",
+      "bom-ref": "demo-workspaces@0.0.0",
+      "description": "demo: demo-workspaces -- showcase how workspaces look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.1.0",
+      "bom-ref": "my-local-a@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-c",
+      "version": "0.23.42",
+      "bom-ref": "my-local-c@0.23.42",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-c@0.23.42",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-c"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-workspaces@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0",
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.1.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    },
+    {
+      "ref": "my-local-c@0.23.42",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node16_macos-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node16_macos-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node16_macos-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node16_macos-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node16_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node16_ubuntu-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node16_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node16_ubuntu-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node16_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node16_windows-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node16_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node16_windows-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node22_windows-latest.snap.json
new file mode 100644
index 000000000..584ae3395
--- /dev/null
+++ b/tests/_data/sbom_demo-results/bare/local-workspaces_npm9_node22_windows-latest.snap.json
@@ -0,0 +1,207 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-workspaces",
+      "version": "0.0.0",
+      "bom-ref": "demo-workspaces@0.0.0",
+      "description": "demo: demo-workspaces -- showcase how workspaces look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.1.0",
+      "bom-ref": "my-local-a@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-c",
+      "version": "0.23.42",
+      "bom-ref": "my-local-c@0.23.42",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-c@0.23.42",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-c"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-workspaces@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0",
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.1.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    },
+    {
+      "ref": "my-local-c@0.23.42",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.json
index e938f815a..72919e068 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.json
@@ -144,9 +144,9 @@
     },
     {
       "type": "library",
-      "name": "my-local-b-off",
+      "name": "my-local-b",
       "version": "0.0.0",
-      "bom-ref": "my-local-b-off@0.0.0",
+      "bom-ref": "my-local-b@0.0.0",
       "description": "demo: my-local-b-off - a package with a different name than its dir",
       "licenses": [
         {
@@ -156,7 +156,7 @@
           }
         }
       ],
-      "purl": "pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+      "purl": "pkg:npm/my-local-b@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
       "externalReferences": [
         {
           "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
@@ -240,11 +240,11 @@
     {
       "ref": "my-local-a@0.0.0",
       "dependsOn": [
-        "my-local-b-off@0.0.0"
+        "my-local-b@0.0.0"
       ]
     },
     {
-      "ref": "my-local-b-off@0.0.0"
+      "ref": "my-local-b@0.0.0"
     },
     {
       "ref": "my-noname@0.0.0"
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.xml b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.xml
index d6a294021..1b89af221 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.xml
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_from-setup.snap.xml
@@ -105,8 +105,8 @@
         <property name="cdx:npm:package:private">true</property>
       </properties>
     </component>
-    <component type="library" bom-ref="my-local-b-off@0.0.0">
-      <name>my-local-b-off</name>
+    <component type="library" bom-ref="my-local-b@0.0.0">
+      <name>my-local-b</name>
       <version>0.0.0</version>
       <description>demo: my-local-b-off - a package with a different name than its dir</description>
       <licenses>
@@ -114,7 +114,7 @@
           <id>Apache-2.0</id>
         </license>
       </licenses>
-      <purl>pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b</purl>
+      <purl>pkg:npm/my-local-b@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b</purl>
       <externalReferences>
         <reference type="issue-tracker">
           <url>https://github.com/CycloneDX/cyclonedx-node-npm/issues</url>
@@ -170,9 +170,9 @@
       <dependency ref="my-noname@0.0.0"/>
     </dependency>
     <dependency ref="my-local-a@0.0.0">
-      <dependency ref="my-local-b-off@0.0.0"/>
+      <dependency ref="my-local-b@0.0.0"/>
     </dependency>
-    <dependency ref="my-local-b-off@0.0.0"/>
+    <dependency ref="my-local-b@0.0.0"/>
     <dependency ref="my-noname@0.0.0"/>
   </dependencies>
 </bom>
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node18_macos-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node18_macos-latest.snap.json
index d48eb1d17..2b70b939a 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node18_macos-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node18_macos-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -105,9 +122,9 @@
     },
     {
       "type": "library",
-      "name": "my-local-b",
+      "name": "my-local-b-off",
       "version": "0.0.0",
-      "bom-ref": "my-local-b@0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
       "licenses": [
         {
           "license": {
@@ -116,7 +133,7 @@
           }
         }
       ],
-      "purl": "pkg:npm/my-local-b@0.0.0",
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -157,11 +174,11 @@
     {
       "ref": "my-local-a@0.0.0",
       "dependsOn": [
-        "my-local-b@0.0.0"
+        "my-local-b-off@0.0.0"
       ]
     },
     {
-      "ref": "my-local-b@0.0.0"
+      "ref": "my-local-b-off@0.0.0"
     },
     {
       "ref": "my-noname@0.0.0"
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node18_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node18_ubuntu-latest.snap.json
index d48eb1d17..2b70b939a 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node18_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node18_ubuntu-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -105,9 +122,9 @@
     },
     {
       "type": "library",
-      "name": "my-local-b",
+      "name": "my-local-b-off",
       "version": "0.0.0",
-      "bom-ref": "my-local-b@0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
       "licenses": [
         {
           "license": {
@@ -116,7 +133,7 @@
           }
         }
       ],
-      "purl": "pkg:npm/my-local-b@0.0.0",
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -157,11 +174,11 @@
     {
       "ref": "my-local-a@0.0.0",
       "dependsOn": [
-        "my-local-b@0.0.0"
+        "my-local-b-off@0.0.0"
       ]
     },
     {
-      "ref": "my-local-b@0.0.0"
+      "ref": "my-local-b-off@0.0.0"
     },
     {
       "ref": "my-noname@0.0.0"
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node18_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node18_windows-latest.snap.json
index d48eb1d17..2b70b939a 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node18_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node18_windows-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -105,9 +122,9 @@
     },
     {
       "type": "library",
-      "name": "my-local-b",
+      "name": "my-local-b-off",
       "version": "0.0.0",
-      "bom-ref": "my-local-b@0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
       "licenses": [
         {
           "license": {
@@ -116,7 +133,7 @@
           }
         }
       ],
-      "purl": "pkg:npm/my-local-b@0.0.0",
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -157,11 +174,11 @@
     {
       "ref": "my-local-a@0.0.0",
       "dependsOn": [
-        "my-local-b@0.0.0"
+        "my-local-b-off@0.0.0"
       ]
     },
     {
-      "ref": "my-local-b@0.0.0"
+      "ref": "my-local-b-off@0.0.0"
     },
     {
       "ref": "my-noname@0.0.0"
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node22_windows-latest.snap.json
new file mode 100644
index 000000000..2b70b939a
--- /dev/null
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm10_node22_windows-latest.snap.json
@@ -0,0 +1,187 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-noname",
+      "version": "0.0.0",
+      "bom-ref": "my-noname@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-noname@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-noname"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.0.0",
+        "my-noname@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    },
+    {
+      "ref": "my-noname@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm6_node14_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm6_node14_ubuntu-latest.snap.json
index 1f522596a..d82e79d89 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm6_node14_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm6_node14_ubuntu-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -139,7 +156,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "purl": "pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+ssh://git@github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm6_node14_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm6_node14_windows-latest.snap.json
index 1f522596a..d82e79d89 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm6_node14_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm6_node14_windows-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -139,7 +156,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "purl": "pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+ssh://git@github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm6_node16_macos-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm6_node16_macos-latest.snap.json
new file mode 100644
index 000000000..d82e79d89
--- /dev/null
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm6_node16_macos-latest.snap.json
@@ -0,0 +1,216 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "description": "demo: my-local-a",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-deps/project/packages/my-local-a",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-deps/project/packages/my-local-a",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "description": "demo: my-local-b-off - a package with a different name than its dir",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+ssh://git@github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "DummyComponent.InterferedDependency.my-noname",
+      "bom-ref": "DummyComponent.InterferedDependency.my-noname",
+      "description": "This is a dummy component \"InterferedDependency.my-noname\" that fills the gap where the actual built failed."
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "DummyComponent.InterferedDependency.my-noname",
+        "my-local-a@0.0.0"
+      ]
+    },
+    {
+      "ref": "DummyComponent.InterferedDependency.my-noname"
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm6_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm6_node22_windows-latest.snap.json
new file mode 100644
index 000000000..d82e79d89
--- /dev/null
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm6_node22_windows-latest.snap.json
@@ -0,0 +1,216 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "description": "demo: my-local-a",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-deps/project/packages/my-local-a",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-deps/project/packages/my-local-a",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "description": "demo: my-local-b-off - a package with a different name than its dir",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0?vcs_url=git%2Bssh%3A//git%40github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+ssh://git@github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project/packages/my-local-b",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "DummyComponent.InterferedDependency.my-noname",
+      "bom-ref": "DummyComponent.InterferedDependency.my-noname",
+      "description": "This is a dummy component \"InterferedDependency.my-noname\" that fills the gap where the actual built failed."
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "DummyComponent.InterferedDependency.my-noname",
+        "my-local-a@0.0.0"
+      ]
+    },
+    {
+      "ref": "DummyComponent.InterferedDependency.my-noname"
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm7_node14_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm7_node14_ubuntu-latest.snap.json
index d48eb1d17..98ba30079 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm7_node14_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm7_node14_ubuntu-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm7_node14_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm7_node14_windows-latest.snap.json
index d48eb1d17..98ba30079 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm7_node14_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm7_node14_windows-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm7_node16_macos-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm7_node16_macos-latest.snap.json
new file mode 100644
index 000000000..98ba30079
--- /dev/null
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm7_node16_macos-latest.snap.json
@@ -0,0 +1,187 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-noname",
+      "version": "0.0.0",
+      "bom-ref": "my-noname@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-noname@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-noname"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.0.0",
+        "my-noname@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b@0.0.0"
+    },
+    {
+      "ref": "my-noname@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm7_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm7_node22_windows-latest.snap.json
new file mode 100644
index 000000000..98ba30079
--- /dev/null
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm7_node22_windows-latest.snap.json
@@ -0,0 +1,187 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-noname",
+      "version": "0.0.0",
+      "bom-ref": "my-noname@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-noname@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-noname"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.0.0",
+        "my-noname@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b@0.0.0"
+    },
+    {
+      "ref": "my-noname@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm8_node14_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm8_node14_ubuntu-latest.snap.json
index d48eb1d17..98ba30079 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm8_node14_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm8_node14_ubuntu-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm8_node14_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm8_node14_windows-latest.snap.json
index d48eb1d17..98ba30079 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm8_node14_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm8_node14_windows-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm8_node16_macos-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm8_node16_macos-latest.snap.json
new file mode 100644
index 000000000..98ba30079
--- /dev/null
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm8_node16_macos-latest.snap.json
@@ -0,0 +1,187 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-noname",
+      "version": "0.0.0",
+      "bom-ref": "my-noname@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-noname@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-noname"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.0.0",
+        "my-noname@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b@0.0.0"
+    },
+    {
+      "ref": "my-noname@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm8_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm8_node22_windows-latest.snap.json
new file mode 100644
index 000000000..98ba30079
--- /dev/null
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm8_node22_windows-latest.snap.json
@@ -0,0 +1,187 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-noname",
+      "version": "0.0.0",
+      "bom-ref": "my-noname@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-noname@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-noname"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.0.0",
+        "my-noname@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b@0.0.0"
+    },
+    {
+      "ref": "my-noname@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node16_macos-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node16_macos-latest.snap.json
index d48eb1d17..98ba30079 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node16_macos-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node16_macos-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node16_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node16_ubuntu-latest.snap.json
index d48eb1d17..98ba30079 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node16_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node16_ubuntu-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node16_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node16_windows-latest.snap.json
index d48eb1d17..98ba30079 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node16_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node16_windows-latest.snap.json
@@ -68,7 +68,24 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-local-deps@0.0.0",
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node22_windows-latest.snap.json
new file mode 100644
index 000000000..98ba30079
--- /dev/null
+++ b/tests/_data/sbom_demo-results/flatten-components/local-dependencies_npm9_node22_windows-latest.snap.json
@@ -0,0 +1,187 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-local-deps",
+      "version": "0.0.0",
+      "bom-ref": "demo-local-deps@0.0.0",
+      "description": "demo: demo-local-deps -- showcase how local dependencies look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-local-deps@0.0.0?vcs_url=git%2Bhttps%3A//github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+      "externalReferences": [
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+          "type": "issue-tracker",
+          "comment": "as detected from PackageJson property \"bugs.url\""
+        },
+        {
+          "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git#demo/local-dependencies/project",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        },
+        {
+          "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+          "type": "website",
+          "comment": "as detected from PackageJson property \"homepage\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.0.0",
+      "bom-ref": "my-local-a@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-noname",
+      "version": "0.0.0",
+      "bom-ref": "my-noname@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-noname@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-noname"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-local-deps@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.0.0",
+        "my-noname@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.0.0",
+      "dependsOn": [
+        "my-local-b@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b@0.0.0"
+    },
+    {
+      "ref": "my-noname@0.0.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_from-setup.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_from-setup.snap.json
index d8fccdaf6..25ca1ae69 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_from-setup.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_from-setup.snap.json
@@ -187,6 +187,39 @@
           "value": "true"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "description": "demo: my-local-e - a standalone package that is not dependency of root nor any other workspace",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0?vcs_url=git%2Bhttps%3A//gitlab.example.com/my-packages/demo-workspaces.git#workspaces/my-local-e",
+      "externalReferences": [
+        {
+          "url": "git+https://gitlab.example.com/my-packages/demo-workspaces.git#workspaces/my-local-e",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\" and \"repository.directory\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -195,7 +228,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -213,6 +247,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_from-setup.snap.xml b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_from-setup.snap.xml
index 66d93361d..328cd4d94 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_from-setup.snap.xml
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_from-setup.snap.xml
@@ -131,12 +131,34 @@
         <property name="cdx:npm:package:private">true</property>
       </properties>
     </component>
+    <component type="library" bom-ref="my-local-e@0.1.0">
+      <name>my-local-e</name>
+      <version>0.1.0</version>
+      <description>demo: my-local-e - a standalone package that is not dependency of root nor any other workspace</description>
+      <licenses>
+        <license acknowledgement="declared">
+          <id>Apache-2.0</id>
+        </license>
+      </licenses>
+      <purl>pkg:npm/my-local-e@0.1.0?vcs_url=git%2Bhttps%3A//gitlab.example.com/my-packages/demo-workspaces.git#workspaces/my-local-e</purl>
+      <externalReferences>
+        <reference type="vcs">
+          <url>git+https://gitlab.example.com/my-packages/demo-workspaces.git#workspaces/my-local-e</url>
+          <comment>as detected from PackageJson property "repository.url" and "repository.directory"</comment>
+        </reference>
+      </externalReferences>
+      <properties>
+        <property name="cdx:npm:package:path">node_modules/my-local-e</property>
+        <property name="cdx:npm:package:private">true</property>
+      </properties>
+    </component>
   </components>
   <dependencies>
     <dependency ref="demo-workspaces@0.0.0">
       <dependency ref="my-local-a@0.1.0"/>
       <dependency ref="my-local-b-off@0.0.0"/>
       <dependency ref="my-local-c@0.23.42"/>
+      <dependency ref="my-local-e@0.1.0"/>
     </dependency>
     <dependency ref="my-local-a@0.1.0">
       <dependency ref="my-local-b-off@0.0.0"/>
@@ -146,5 +168,6 @@
       <dependency ref="my-local-a@0.1.0"/>
       <dependency ref="my-local-b-off@0.0.0"/>
     </dependency>
+    <dependency ref="my-local-e@0.1.0"/>
   </dependencies>
 </bom>
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node18_macos-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node18_macos-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node18_macos-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node18_macos-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node18_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node18_ubuntu-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node18_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node18_ubuntu-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node18_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node18_windows-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node18_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node18_windows-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node22_windows-latest.snap.json
new file mode 100644
index 000000000..584ae3395
--- /dev/null
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm10_node22_windows-latest.snap.json
@@ -0,0 +1,207 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-workspaces",
+      "version": "0.0.0",
+      "bom-ref": "demo-workspaces@0.0.0",
+      "description": "demo: demo-workspaces -- showcase how workspaces look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.1.0",
+      "bom-ref": "my-local-a@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-c",
+      "version": "0.23.42",
+      "bom-ref": "my-local-c@0.23.42",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-c@0.23.42",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-c"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-workspaces@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0",
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.1.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    },
+    {
+      "ref": "my-local-c@0.23.42",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm7_node14_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm7_node14_ubuntu-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm7_node14_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm7_node14_ubuntu-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm7_node14_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm7_node14_windows-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm7_node14_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm7_node14_windows-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm7_node16_macos-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm7_node16_macos-latest.snap.json
new file mode 100644
index 000000000..584ae3395
--- /dev/null
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm7_node16_macos-latest.snap.json
@@ -0,0 +1,207 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-workspaces",
+      "version": "0.0.0",
+      "bom-ref": "demo-workspaces@0.0.0",
+      "description": "demo: demo-workspaces -- showcase how workspaces look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.1.0",
+      "bom-ref": "my-local-a@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-c",
+      "version": "0.23.42",
+      "bom-ref": "my-local-c@0.23.42",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-c@0.23.42",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-c"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-workspaces@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0",
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.1.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    },
+    {
+      "ref": "my-local-c@0.23.42",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm7_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm7_node22_windows-latest.snap.json
new file mode 100644
index 000000000..584ae3395
--- /dev/null
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm7_node22_windows-latest.snap.json
@@ -0,0 +1,207 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-workspaces",
+      "version": "0.0.0",
+      "bom-ref": "demo-workspaces@0.0.0",
+      "description": "demo: demo-workspaces -- showcase how workspaces look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.1.0",
+      "bom-ref": "my-local-a@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-c",
+      "version": "0.23.42",
+      "bom-ref": "my-local-c@0.23.42",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-c@0.23.42",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-c"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-workspaces@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0",
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.1.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    },
+    {
+      "ref": "my-local-c@0.23.42",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm8_node14_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm8_node14_ubuntu-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm8_node14_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm8_node14_ubuntu-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm8_node14_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm8_node14_windows-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm8_node14_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm8_node14_windows-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm8_node16_macos-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm8_node16_macos-latest.snap.json
new file mode 100644
index 000000000..584ae3395
--- /dev/null
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm8_node16_macos-latest.snap.json
@@ -0,0 +1,207 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-workspaces",
+      "version": "0.0.0",
+      "bom-ref": "demo-workspaces@0.0.0",
+      "description": "demo: demo-workspaces -- showcase how workspaces look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.1.0",
+      "bom-ref": "my-local-a@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-c",
+      "version": "0.23.42",
+      "bom-ref": "my-local-c@0.23.42",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-c@0.23.42",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-c"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-workspaces@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0",
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.1.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    },
+    {
+      "ref": "my-local-c@0.23.42",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm8_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm8_node22_windows-latest.snap.json
new file mode 100644
index 000000000..584ae3395
--- /dev/null
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm8_node22_windows-latest.snap.json
@@ -0,0 +1,207 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-workspaces",
+      "version": "0.0.0",
+      "bom-ref": "demo-workspaces@0.0.0",
+      "description": "demo: demo-workspaces -- showcase how workspaces look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.1.0",
+      "bom-ref": "my-local-a@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-c",
+      "version": "0.23.42",
+      "bom-ref": "my-local-c@0.23.42",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-c@0.23.42",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-c"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-workspaces@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0",
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.1.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    },
+    {
+      "ref": "my-local-c@0.23.42",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node16_macos-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node16_macos-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node16_macos-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node16_macos-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node16_ubuntu-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node16_ubuntu-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node16_ubuntu-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node16_ubuntu-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node16_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node16_windows-latest.snap.json
index ba6ae4823..584ae3395 100644
--- a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node16_windows-latest.snap.json
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node16_windows-latest.snap.json
@@ -68,7 +68,14 @@
           }
         }
       ],
-      "purl": "pkg:npm/demo-workspaces@0.0.0",
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -144,6 +151,27 @@
           "value": "node_modules/my-local-c"
         }
       ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
     }
   ],
   "dependencies": [
@@ -152,7 +180,8 @@
       "dependsOn": [
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0",
-        "my-local-c@0.23.42"
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
       ]
     },
     {
@@ -170,6 +199,9 @@
         "my-local-a@0.1.0",
         "my-local-b-off@0.0.0"
       ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
     }
   ]
 }
\ No newline at end of file
diff --git a/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node22_windows-latest.snap.json b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node22_windows-latest.snap.json
new file mode 100644
index 000000000..584ae3395
--- /dev/null
+++ b/tests/_data/sbom_demo-results/flatten-components/local-workspaces_npm9_node22_windows-latest.snap.json
@@ -0,0 +1,207 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "npm",
+        "version": "npmVersion-testing"
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-library",
+        "version": "libVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      },
+      {
+        "vendor": "@cyclonedx",
+        "name": "cyclonedx-npm",
+        "version": "thisVersion-testing",
+        "externalReferences": [
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
+            "type": "issue-tracker",
+            "comment": "as detected from PackageJson property \"bugs.url\""
+          },
+          {
+            "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
+            "type": "vcs",
+            "comment": "as detected from PackageJson property \"repository.url\""
+          },
+          {
+            "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
+            "type": "website",
+            "comment": "as detected from PackageJson property \"homepage\""
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "application",
+      "name": "demo-workspaces",
+      "version": "0.0.0",
+      "bom-ref": "demo-workspaces@0.0.0",
+      "description": "demo: demo-workspaces -- showcase how workspaces look like",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/demo-workspaces@0.0.0?vcs_url=git%2Bssh%3A//git%40gitlab.example.com/my-packages/demo-workspaces.git",
+      "externalReferences": [
+        {
+          "url": "git+ssh://git@gitlab.example.com/my-packages/demo-workspaces.git",
+          "type": "vcs",
+          "comment": "as detected from PackageJson property \"repository.url\""
+        }
+      ],
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        },
+        {
+          "name": "cdx:npm:package:private",
+          "value": "true"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "my-local-a",
+      "version": "0.1.0",
+      "bom-ref": "my-local-a@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-a@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-a"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-b-off",
+      "version": "0.0.0",
+      "bom-ref": "my-local-b-off@0.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-b-off@0.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-b-off"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-c",
+      "version": "0.23.42",
+      "bom-ref": "my-local-c@0.23.42",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-c@0.23.42",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-c"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "my-local-e",
+      "version": "0.1.0",
+      "bom-ref": "my-local-e@0.1.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "acknowledgement": "declared"
+          }
+        }
+      ],
+      "purl": "pkg:npm/my-local-e@0.1.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/my-local-e"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "demo-workspaces@0.0.0",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0",
+        "my-local-c@0.23.42",
+        "my-local-e@0.1.0"
+      ]
+    },
+    {
+      "ref": "my-local-a@0.1.0",
+      "dependsOn": [
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-b-off@0.0.0"
+    },
+    {
+      "ref": "my-local-c@0.23.42",
+      "dependsOn": [
+        "my-local-a@0.1.0",
+        "my-local-b-off@0.0.0"
+      ]
+    },
+    {
+      "ref": "my-local-e@0.1.0"
+    }
+  ]
+}
\ No newline at end of file