Dependency Graph should not list arbitrary project (name matched) when uncertain about package

[rilehudd]

When a repository has a NuGet package reference which does not link back to a GitHub repository (via NuGet.org or other package source)--The Dependency Graph assigns an incorrect repository link.

You can see an example in protobuf-net here:
https://github.com/protobuf-net/protobuf-net/network/dependencies

Microsoft.Bcl.Immutable is part of a NuGet reserved prefix. So when a reserved prefix reserved NuGet package doesn't list a repository link back to GitHub (used as a part of generating the Dependency Graph), it is uncertain what repository is the correct repository to list in the graph. Rather than choosing what appears to be the first repository by matching name; this case should instead avoid linking to any repository when the result is uncertain. (Especially linking a Prefix Reserved assembly package to either an organization which does not own it or worse a project underneath an individual's account).

While this example of the issue is part of an example project, the underlying process issue is what I'm concerned about and had found other instances which have since been resolved through other means.

The outcome I would hope for when uncertainty like this arises, is to keep the package listing in the Dependency Graph but remove the anchor linking to a GitHub project.

[blakeNaccarato]

Another similar case is with jaraco/keyring, which has almost 60k dependent repositories and 1k dependent packages reported by the GitHub dependency graph, but all of these dependents are linked to avsm/py-keyring-lib, a completely unrelated project.

In this case it is due to the "proper" keyring using a setup.cfg, which isn't handled properly by the dependency graph crawler, while the "unintentional imposter" keyring uses a setup.py.

[haxorof]

I got one more similar case here where Acidburn0zzz/ansible-lint got 6k+ dependents but it should be dependents of ansible/ansible-lint.

[BobDotCom]

Having similar issues with the following:
pytest-asyncio: Should point to pytest-dev/pytest-asyncio but instead points to brettcannon/pytest-asyncio
pylint: Should point to PyCQA/pylint but instead points to channable/pylint

and multiple other libraries