I have a package.json with multiple workspaces in them, having for example a package at sample-plugins/sample-namespace/sample-plugin (see below). I do an npm install, producing a package-lock.json. When I run dash-licenses against the package-lock.json, the package at sample-plugins/sample-namespace/sample-plugin is reported as a dependency that needs to be IP-Checked.
My expectation would be that packages that are part of the repo are not reported as dependencies. This is also what happens when I use yarn.lock for the same repo.