[BUG] npm sbom does not handle legacy licenses array property in package.json #8892

@aarondpn

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

When creating an SBOM in the SPDX format for my project, multiple licenses are not correctly identified and are marked as NOASSERTION.

Old packages which use the deprecated licenses array all get NOASSERTION as declared license.
Example-Project: https://github.com/mattyork/fuzzy/blob/master/package.json#L18

The deprecated behaviour is also documented in npm's documentation: https://docs.npmjs.com/cli/v11/configuring-npm/package-json#license

Expected Behavior

The licenses property in the package.json for old packages is correctly identified.

Steps To Reproduce

  1. npm i fuzzy
  2. npm sbom --sbom-format spdx > spdx.json
  3. view licenseDeclared for package fuzzy

Stackblitz: https://stackblitz.com/edit/stackblitz-starters-roohbvc1?file=spdx.json

Environment

  • npm: also tested with npm 11.7.0
  • npm config:
❯ npm config ls
; "user" config from /home/.npmrc

global-pnpmfile = "~/.pnpm/.pnpmfile.cjs"
ignore-dep-scripts = true
prefer-symlinked-executables = true
update-notifier = false
verify-store-integrity = false

; node bin location = /usr/local/bin/node
; node version = v20.19.1
; npm local prefix = /home/projects/stackblitz-starters-roohbvc1
; npm version = 10.8.2
; cwd = /home/projects/stackblitz-starters-roohbvc1
; HOME = /home
; Run `npm config ls -l` to show all defaults.
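As an added example (not npm's own code and not from the reporter), the following helper derives an SPDX licenseDeclared value from a package.json that may carry either the current license field or the deprecated licenses array, and then audits the NOASSERTION entries of an SPDX document such as the spdx.json produced in the reproduction steps. It assumes only the document shape npm sbom emits (a top-level packages array whose entries carry name, versionInfo and licenseDeclared); the package manifests and SBOM it runs on are constructed samples, not copied from fuzzy or any real project.

```javascript
// Added example, not npm's own code. All sample data below is constructed.
const NO_ASSERTION = 'NOASSERTION';

// Pull a license identifier out of one entry: either a bare string ("MIT")
// or the legacy object form ({ type: "MIT", url: "..." }).
function licenseIdFromEntry(entry) {
  if (typeof entry === 'string') return entry.trim() || null;
  if (entry && typeof entry === 'object' && typeof entry.type === 'string') {
    return entry.type.trim() || null;
  }
  return null;
}

// Hypothetical normaliser: returns an SPDX expression, or NOASSERTION when the
// manifest gives nothing an SBOM consumer can rely on.
function declaredLicense(pkg) {
  let ids = [];
  const modern = licenseIdFromEntry(pkg.license);
  if (modern) {
    ids = [modern];
  } else if (Array.isArray(pkg.licenses)) {
    // Legacy form: the array lists alternatives the user may choose between,
    // which maps onto an SPDX OR expression.
    ids = pkg.licenses.map(licenseIdFromEntry).filter(Boolean);
  }
  if (ids.length === 0) return NO_ASSERTION;
  // Custom license text or a private package has no SPDX identifier.
  const notSpdx = (id) => /^SEE LICENSE IN /i.test(id) || id.toUpperCase() === 'UNLICENSED';
  if (ids.some(notSpdx)) return NO_ASSERTION;
  const unique = [...new Set(ids)];
  return unique.length === 1 ? unique[0] : `(${unique.join(' OR ')})`;
}

// Walk an SPDX JSON document (assumed shape: top-level `packages` with `name`,
// `versionInfo`, `licenseDeclared`) and, for each package marked NOASSERTION,
// re-derive the license from its package.json. The result lists the packages
// whose license was recoverable, separating genuine unknowns from manifests
// that only use the deprecated `licenses` array.
function auditNoAssertion(sbom, manifestsByName) {
  const findings = [];
  for (const p of sbom.packages || []) {
    if (p.licenseDeclared !== NO_ASSERTION) continue;
    const manifest = manifestsByName[p.name];
    const recovered = manifest ? declaredLicense(manifest) : NO_ASSERTION;
    if (recovered !== NO_ASSERTION) {
      findings.push({ name: p.name, version: p.versionInfo, recovered });
    }
  }
  return findings;
}

// Constructed sample manifests (not copied from any real package).
const SAMPLE_MANIFESTS = {
  'legacy-array-pkg': { name: 'legacy-array-pkg', version: '1.0.0',
    licenses: [{ type: 'MIT', url: 'https://example.invalid/LICENSE' }] },
  'dual-licensed-pkg': { name: 'dual-licensed-pkg', version: '2.1.0',
    licenses: [{ type: 'MIT' }, { type: 'Apache-2.0' }] },
  'modern-pkg': { name: 'modern-pkg', version: '3.0.0', license: 'ISC' },
  'custom-text-pkg': { name: 'custom-text-pkg', version: '0.1.0',
    license: 'SEE LICENSE IN LICENSE.txt' },
  'no-license-pkg': { name: 'no-license-pkg', version: '0.0.1' },
};

// Constructed SPDX document in the shape npm sbom emits, with the legacy
// packages already degraded to NOASSERTION as the report describes.
const SAMPLE_SBOM = {
  spdxVersion: 'SPDX-2.3',
  packages: [
    { SPDXID: 'SPDXRef-Package-legacy-array-pkg-1.0.0', name: 'legacy-array-pkg',
      versionInfo: '1.0.0', licenseDeclared: 'NOASSERTION' },
    { SPDXID: 'SPDXRef-Package-dual-licensed-pkg-2.1.0', name: 'dual-licensed-pkg',
      versionInfo: '2.1.0', licenseDeclared: 'NOASSERTION' },
    { SPDXID: 'SPDXRef-Package-modern-pkg-3.0.0', name: 'modern-pkg',
      versionInfo: '3.0.0', licenseDeclared: 'ISC' },
    { SPDXID: 'SPDXRef-Package-custom-text-pkg-0.1.0', name: 'custom-text-pkg',
      versionInfo: '0.1.0', licenseDeclared: 'NOASSERTION' },
    { SPDXID: 'SPDXRef-Package-no-license-pkg-0.0.1', name: 'no-license-pkg',
      versionInfo: '0.0.1', licenseDeclared: 'NOASSERTION' },
  ],
};

function runSampleAudit() {
  return auditNoAssertion(SAMPLE_SBOM, SAMPLE_MANIFESTS);
}

for (const f of runSampleAudit()) {
  console.log(`${f.name}@${f.version}: SBOM says NOASSERTION, package.json gives ${f.recovered}`);
}
```

On a real project, parse the spdx.json from step 2 and build manifestsByName from the package.json files under node_modules; the two findings the sample reports are exactly the cases this issue is about, while custom-text-pkg and no-license-pkg stay NOASSERTION because nothing in their manifests maps to an SPDX identifier.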

Labels

  • Bug
  • Needs Triage