Package-lock.json git dependencies with buildNpmPackage

I’m trying to build out-of-your-element but am bumping into issues with dependencies specified in package-lock.json that refer to git repositories. In particular, package-lock.json has one dependency that looks like this:

"discord-markdown": "git+https://git.sr.ht/~cadence/nodejs-discord-markdown#2881b447954fcea10510f212fa4c1dbbdc0a57a3",

When I try to build with an expression like this:

buildNpmPackage rec {
  src = fetchgit {
    url = "https://gitdab.com/cadence/out-of-your-element.git";
    rev = "refs/tags/v2.1";
  };
  # Hacked in because npm is trying to run git
  nativeBuildInputs = [ git ];
}

then the build fails while getting dependencies, because NPM tries to go out to the network (I set npmFlags = [ "--verbose" ] to get a little more detail):

Installing dependencies
npm verb cli /nix/store/y50zafzgnnkrj4hvmk23icv2ggvys8r9-nodejs-20.12.2/bin/node /nix/store/y50zafzgnnkrj4hvmk23icv2ggvys8r9-nodejs-20.12.2/bin/npm
npm info using npm@10.5.0
npm info using node@v20.12.2
npm verb title npm ci
npm verb argv "ci" "--ignore-scripts" "--loglevel" "verbose"
npm verb logfile logs-max:10 dir:/build/cache/_logs/2024-06-05T03_02_38_410Z-
npm verb logfile /build/cache/_logs/2024-06-05T03_02_38_410Z-debug-0.log
npm http fetch GET 200 https://codeload.github.com/cloudrac3r/tap-out/tar.gz/1b4ec6084aedb9f44ccaa0c7185ff9bfd83da771 262ms (cache stale)
npm http fetch GET 200 https://codeload.github.com/cloudrac3r/mixin-deep/tar.gz/2dd70d6b8644263f7ed2c1620506c9eb3f11d32a 245ms (cache stale)
npm http fetch GET 200 https://codeload.github.com/cloudrac3r/tap-dot/tar.gz/9dd7750ececeae3a96afba91905be812b6b2cc2d 247ms (cache stale)
npm http fetch GET 200 https://codeload.github.com/cloudrac3r/html-template-tag/tar.gz/9b2ec9efd344119997495c7889c11527cc6a35ed 242ms (cache stale)
npm http fetch GET 200 https://codeload.github.com/cloudrac3r/giframe/tar.gz/39b9d9af4184ea9df72c0ccd4db96da51bd1082c 244ms (cache stale)
npm http fetch GET 200 https://codeload.github.com/cloudrac3r/pngjs/tar.gz/0295be509ed56dcf2f1d11b3af0b3108ad699dfe 340ms (cache stale)
npm verb stack Error: An unknown git error occurred
npm verb stack     at makeError (/nix/store/y50zafzgnnkrj4hvmk23icv2ggvys8r9-nodejs-20.12.2/lib/node_modules/npm/node_modules/@npmcli/git/lib/make-error.js:28:13)
npm verb stack     at /nix/store/y50zafzgnnkrj4hvmk23icv2ggvys8r9-nodejs-20.12.2/lib/node_modules/npm/node_modules/@npmcli/git/lib/spawn.js:37:26
npm verb cwd /build/out-of-your-element
npm verb Linux 6.6.32
npm verb node v20.12.2
npm verb npm  v10.5.0
npm ERR! code 128
npm ERR! An unknown git error occurred
npm ERR! command git --no-replace-objects ls-remote https://git.sr.ht/~cadence/nodejs-discord-markdown
npm ERR! fatal: unable to access 'https://git.sr.ht/~cadence/nodejs-discord-markdown/': Could not resolve host: git.sr.ht

From looking at the implementation of prefetch-npm-deps I can see that it seems to understand git+https://git.sr.ht source URLs, but also that the package-lock.json provided upstream doesn’t have an integrity line for this package, which I think is what allows npm to find the cached package:

    "node_modules/discord-markdown": {
      "version": "2.6.1",
      "resolved": "git+https://git.sr.ht/~cadence/nodejs-discord-markdown#2881b447954fcea10510f212fa4c1dbbdc0a57a3",
      "license": "MIT",
      "dependencies": {
        "simple-markdown": "^0.7.2"
      }
    },

How should I best go about working around this? I imagine one solution would be to patch package-lock.json at build-time to add integrity to it, though it’s not obvious to me how to do something like that either (maybe add a patch to patches that fixes the lockfile?).
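
An added example, not part of the original post and not code from nixpkgs or npm: a small audit that lists every lockfile entry in the state described above, that is, a git `resolved` URL, and reports whether it carries an `integrity` field and a full commit pin. The function name `auditLockfile` and the `simple-markdown` entry in the sample are constructed for illustration; the `discord-markdown` entry is the one quoted in the post.

```javascript
"use strict";

// Protocol prefixes npm writes into "resolved" for git-sourced dependencies.
const GIT_PREFIX = /^git(\+(https?|ssh|file))?:/;

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return one finding per git-sourced entry.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project or workspace link
    const resolved = entry.resolved || "";
    if (!GIT_PREFIX.test(resolved)) continue; // registry tarball, not git
    const hashAt = resolved.lastIndexOf("#");
    const commit = hashAt === -1 ? null : resolved.slice(hashAt + 1);
    findings.push({
      name: path.replace(/^.*node_modules\//, ""),
      url: hashAt === -1 ? resolved : resolved.slice(0, hashAt),
      commit,
      // A full 40-hex commit pins the source; a branch or tag name does not.
      pinned: commit !== null && /^[0-9a-f]{40}$/.test(commit),
      hasIntegrity: typeof entry.integrity === "string" && entry.integrity !== "",
    });
  }
  return findings;
}

// Constructed sample lockfile. The integrity value below is a placeholder.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "out-of-your-element" },
    "node_modules/discord-markdown": {
      version: "2.6.1",
      resolved: "git+https://git.sr.ht/~cadence/nodejs-discord-markdown#2881b447954fcea10510f212fa4c1dbbdc0a57a3",
      license: "MIT",
      dependencies: { "simple-markdown": "^0.7.2" },
    },
    "node_modules/simple-markdown": {
      version: "0.7.3",
      resolved: "https://registry.npmjs.org/simple-markdown/-/simple-markdown-0.7.3.tgz",
      integrity: "sha512-PLACEHOLDER-CONSTRUCTED-VALUE",
    },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.name}: pinned=${f.pinned} integrity=${f.hasIntegrity} ${f.url}`);
}
```

To run it against a real project, pass the parsed contents of its package-lock.json to `auditLockfile` instead of `sampleLock`.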