  1. Clair
  2. CLAIRDEV-6

Clair displays deleted Node.js package


    • Bug
    • Resolution: Unresolved
    • Normal
    • None
    • clair-4.7.3
    • indexer
    • None
    • 2

      When indexing image namloc2001/nodesem:a, Clair claims there is both the semver Node.js package with version 7.3.8 and another one with version 7.5.2. semver 7.3.8 was actually deleted in favor of 7.5.2.

      This is because the Node.js package was overwritten with the new contents, and ClairCore does not account for this possibility in the coalescer. This seems to affect all language coalescers.

      Note: I was unable to reproduce this locally, as I build the image with Docker, which opts to include an opaque directory to indicate the entire npm directory is changed.

      See https://github.com/stackrox/stackrox/issues/7033 for related information on how this affected StackRox Scanner V2.

              Unassigned
              rtannenb@redhat.com Ross Tannenbaum (Inactive)
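The overwrite case in the report, and the opaque-directory case from its note, as an added example in a simplified layer model. This is not ClairCore's code: `Pkg`, `Layer`, `Coalesce`, `SampleLayers` and the manifest path are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Pkg is one language package found by scanning a single layer (simplified model).
type Pkg struct{ Name, Version, Path string }
// Layer holds one layer's findings plus the directories that layer marks opaque.
type Layer struct{ Pkgs []Pkg; Opaque []string }

// Coalesce merges findings, base layer first. pathAware=false unions every layer;
// pathAware=true lets a higher layer replace a path or hide it via an opaque dir.
func Coalesce(layers []Layer, pathAware bool) []string {
	found := map[string]Pkg{}
	for i, l := range layers {
		for _, dir := range l.Opaque {
			for key, p := range found {
				if pathAware && strings.HasPrefix(p.Path, dir+"/") {
					delete(found, key)
				}
			}
		}
		for _, p := range l.Pkgs {
			key := p.Path
			if !pathAware {
				key = fmt.Sprintf("%d:%s", i, p.Path) // keep each layer's copy
			}
			found[key] = p
		}
	}
	out := make([]string, 0, len(found))
	for _, p := range found {
		out = append(out, p.Name+"@"+p.Version)
	}
	sort.Strings(out)
	return out
}

// SampleLayers is constructed data: layer 2 rewrites layer 1's manifest in place.
func SampleLayers() []Layer {
	const m = "usr/lib/node_modules/npm/node_modules/semver/package.json" // made-up path
	return []Layer{{Pkgs: []Pkg{{"semver", "7.3.8", m}}}, {Pkgs: []Pkg{{"semver", "7.5.2", m}}}}
}
func main() {
	fmt.Println("union:", Coalesce(SampleLayers(), false), "path-aware:", Coalesce(SampleLayers(), true))
}
```

The union mode reports both semver versions for the constructed image, while the path-aware mode reports only the version present in the final filesystem.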