Package-lock.json git dependencies with buildNpmPackage

I’m trying to build out-of-your-element but am bumping into issues with dependencies specified in package-lock.json that refer to git repositories. In particular, package-lock.json has one dependency that looks like this:

"discord-markdown": "git+",

When I try to build with an expression like this:

buildNpmPackage rec {
  src = fetchgit {
    url = "";
    rev = "refs/tags/v2.1";
  };
  # Hacked in because npm is trying to run git
  nativeBuildInputs = [ git ];
}

then the build fails while getting dependencies, because NPM tries to go out to the network (I set npmFlags = [ "--verbose" ] to get a little more detail):

Installing dependencies
npm verb cli /nix/store/y50zafzgnnkrj4hvmk23icv2ggvys8r9-nodejs-20.12.2/bin/node /nix/store/y50zafzgnnkrj4hvmk23icv2ggvys8r9-nodejs-20.12.2/
npm info using npm@10.5.0                                             
npm info using node@v20.12.2
npm verb title npm ci                                                 
npm verb argv "ci" "--ignore-scripts" "--loglevel" "verbose"
npm verb logfile logs-max:10 dir:/build/cache/_logs/2024-06-05T03_02_38_410Z-
npm verb logfile /build/cache/_logs/2024-06-05T03_02_38_410Z-debug-0.log
npm http fetch GET 200 262ms (cache stale)
npm http fetch GET 200 245ms (cache stale)
npm http fetch GET 200 247ms (cache stale)
npm http fetch GET 200 242ms (cache
npm http fetch GET 200 244ms (cache stale)
npm http fetch GET 200 340ms (cache stale)
npm verb stack Error: An unknown git error occurred
npm verb stack     at makeError (/nix/store/y50zafzgnnkrj4hvmk23icv2ggvys8r9-nodejs-20.12.2/lib/node_modules/npm/node_modules/@npmcli/git/li
npm verb stack     at /nix/store/y50zafzgnnkrj4hvmk23icv2ggvys8r9-nodejs-20.12.2/lib/node_modules/npm/node_modules/@npmcli/git/lib/spawn.js:37:26
npm verb cwd /build/out-of-your-element
npm verb Linux 6.6.32                                                 
npm verb node v20.12.2
npm verb npm  v10.5.0                                                                                                                       
npm ERR! code 128                                                                                                                           
npm ERR! An unknown git error occurred                                                                                                      
npm ERR! command git --no-replace-objects ls-remote
npm ERR! fatal: unable to access '': Could not resolve host:

From looking at the implementation of prefetch-npm-deps I can see that it seems to understand git+ source URLs, but also that the package-lock.json provided upstream doesn’t have an integrity line for this package, which I think is what allows npm to find the cached package:

    "node_modules/discord-markdown": {
      "version": "2.6.1",
      "resolved": "git+",
      "license": "MIT",
      "dependencies": {
        "simple-markdown": "^0.7.2"
      }
    },

How should I best go about working around this? I imagine one solution would be to patch package-lock.json at build-time to add integrity to it, though it’s not obvious to me how to do something like that either (maybe add a patch to patches that fixes the lockfile?).
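
To see which lockfile entries are in the situation described above (a git+ source, or no integrity field), a short Node.js script can list them before the build is attempted. This is an added example, not part of the original post or of nixpkgs; the sample lockfile, its URLs and the auditLockfile/report names are constructed for illustration.

```javascript
// Added example (not from the post): list lockfile entries npm cannot check by hash.
// Works on the "packages" map used by lockfileVersion 2 and 3.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace folders, symlinks and bundled dependencies:
    // none of these are fetched on their own, so they carry no integrity field.
    if (!path.includes("node_modules/") || entry.link || entry.inBundle) continue;
    const resolved = entry.resolved || "";
    const problems = [];
    if (resolved.startsWith("git+")) problems.push("git source");
    if (!entry.integrity) problems.push("no integrity");
    if (problems.length === 0) continue;
    // Package name is whatever follows the last node_modules/ (keeps @scope/name intact).
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    findings.push({ name, version: entry.version, resolved, problems });
  }
  return findings;
}

// Constructed sample: every URL, version and integrity value below is a placeholder.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-project", version: "0.0.0" },
    "node_modules/discord-markdown": {
      version: "2.6.1",
      resolved: "git+https://git.example.invalid/placeholder/discord-markdown.git#0000000",
      dependencies: { "simple-markdown": "^0.7.2" },
    },
    "node_modules/simple-markdown": {
      version: "0.0.0-sample",
      resolved: "https://registry.example.invalid/simple-markdown.tgz",
      integrity: "sha512-CONSTRUCTED_PLACEHOLDER",
    },
  },
};

function report(lock) {
  for (const f of auditLockfile(lock)) {
    console.log(`${f.name}@${f.version}: ${f.problems.join(", ")} (${f.resolved || "no resolved URL"})`);
  }
}

// Usage: node audit-lock.js path/to/package-lock.json (no argument: run on the sample).
const file = process.argv[2] || "";
if (file.endsWith(".json")) import("node:fs").then((fs) => report(JSON.parse(fs.readFileSync(file, "utf8"))));
else report(SAMPLE_LOCK);
```

Each reported entry is one that npm has to resolve without a hash to check it against, which is also what makes it worth reviewing from a supply-chain point of view.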