Matt Donoughe

Reserved characters are not the characters that are supposed to be encoded. Wikipedia isn't really the best source, but it says "Other characters in a URI must be percent-encoded." and...

This is not a bug. The spec does not say to escape ':', and the test suite gives examples of not escaping ':'.

The spec says "the ':' scheme and type separator does not need to and must NOT be encoded. It is unambiguous unencoded elsewhere," meaning it does not need to be...

I think in current OPA it's usually possible to get close enough. All the parameters to `item()` need to be enumerable. Then the rules can be written as: ```rego item[i]...

AFAIK `/` in the name is generally forbidden. Escaping it seems reasonable, but it's not part of the spec. Some implementations support it. ``` althonos/packageurl.rs: pkg:npm/a/b anchore/packageurl-go: pkg:npm/a/b giterlizzi/perl-URI-PackageURL: pkg:npm/a/b...

I mean, I don't think there's a package type which allows slashes in the name, and I don't think it would be a good idea to make a package type...

According to the PURL test suite, the correct behavior is that `/` in a qualifier value should not be escaped (packageurl-python is correct). I've noticed the examples in the package...

URL encoding, aka percent encoding, really only describes how to _decode_ a string. It specifies how to encode individual characters, but it doesn't specify which characters are supposed to be...

The PURL test suite says that packageurl-python is supposed to fail parsing this malformed PURL. Alamofire is incorrectly being parsed as the name when it's part of the namespace. PURLs...

`pkg:npm/@aws-crypto/[email protected]` is technically an invalid PURL that most implementations should be able to handle anyway. The spec says "the '@' version separator must be encoded as %40 elsewhere". The correct...