
Invalid purl: version must be percent-encoded

Open kennylam91 opened this issue 1 year ago • 1 comments

Hi, I encounter this error: Invalid purl: version must be percent-encoded when parsing the purl pkg:npm/@vue/[email protected] with the method PackageURL.fromString(). This purl was validated successfully by another library, mvn:[email protected], in the backend.

When I look into the code of packageurl-js, I see this:

if (p.includes('@')) {
    let f = p.indexOf('@'),
      u = p.substring(f + 1)
    a = decodeURIComponent(u)
    let y = encodeURIComponent(a).replace(/%3A/g, ':').replace(/%2B/g, '+')
    if (u !== y)
      throw new Error('Invalid purl: version must be percent-encoded')
    i = p.substring(0, f)
}

I think it could have an issue because the method indexOf() returns the first matched index, but in this case, pkg:npm/@vue/[email protected], it has another @, so f+1 is not the start of the version substring.

kennylam91 avatar Dec 20 '23 03:12 kennylam91
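
The report above can be reproduced in isolation. This is an added example, not code from packageurl-js or from anyone in the thread: it runs the encoding check from the quoted snippet after splitting at the first '@' and again at the last '@'. The function names and the sample purls are constructed for illustration.

```javascript
// Added example; checkVersion, splitVersion and outcome are hypothetical names.

// The percent-encoding check from the snippet quoted in the issue.
function checkVersion(raw) {
  const decoded = decodeURIComponent(raw);
  const reencoded = encodeURIComponent(decoded)
    .replace(/%3A/g, ':')
    .replace(/%2B/g, '+');
  if (raw !== reencoded) {
    throw new Error('Invalid purl: version must be percent-encoded');
  }
  return decoded;
}

// useLastAt = false: split at the first '@', as in the quoted snippet.
// useLastAt = true:  split at the last '@', so an '@' in an npm scope
//                    stays part of the package path.
function splitVersion(p, useLastAt) {
  const i = useLastAt ? p.lastIndexOf('@') : p.indexOf('@');
  if (i === -1) return { path: p, version: undefined };
  return { path: p.substring(0, i), version: checkVersion(p.substring(i + 1)) };
}

// Returns the parsed version, or the error message if the check rejects it.
function outcome(p, useLastAt) {
  try {
    return splitVersion(p, useLastAt).version;
  } catch (e) {
    return e.message;
  }
}

// Constructed sample purls (not taken from the issue).
const samples = [
  'pkg:npm/lodash@4.17.21',               // unscoped: both splits agree
  'pkg:npm/@example/widget@1.2.3',        // scoped: first '@' is the scope marker
  'pkg:npm/@example/widget@1.0.0+build',  // '+' is allowed unencoded by the check
  'pkg:npm/@example/widget@1.0.0 beta',   // raw space: rejected by both splits
  'pkg:npm/@example/widget@1.0.0%20beta', // encoded space: accepted with last '@'
];

for (const p of samples) {
  console.log(p);
  console.log('  first @ ->', outcome(p, false));
  console.log('  last  @ ->', outcome(p, true));
}
```

With the first-'@' split, every scoped sample is rejected because the "version" handed to the check is `example/widget@...`, whose `/` and `@` are not percent-encoded.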

@kennylam91 Thanks for the bug report, will take a look.

steven-esser avatar Dec 20 '23 14:12 steven-esser

This is fixed on master branch.

jdalton avatar Aug 13 '24 16:08 jdalton

OK cool, will it be rolled out soon?

kennylam91 avatar Aug 14 '24 01:08 kennylam91

@kennylam91

will it be rolled out soon?

I don't control that but after the next batch of patches lands I'll inquire!

jdalton avatar Aug 14 '24 22:08 jdalton

v2.0.0 has been published 🎉

jdalton avatar Aug 18 '24 01:08 jdalton