
Splitting purl remainder from right on '@' to extract version

Open Moullisha opened this issue 1 year ago • 6 comments

NPM purls contain namespaces starting with @ pkg:npm/@aws-crypto/[email protected]

Moullisha avatar Feb 15 '24 19:02 Moullisha

Fix for issue #64 @steven-esser @matt-phylum Please review!

Moullisha avatar Feb 15 '24 19:02 Moullisha

pkg:npm/@aws-crypto/[email protected] is technically an invalid PURL that most implementations should be able to handle anyway. The spec says "the '@' version separator must be encoded as %40 elsewhere". The correct PURL is pkg:npm/%40aws-crypto/[email protected], even if it looks ugly.

However, this PR does fix a spec conformance problem. The spec also says "Split the remainder once from right on '@'", which is not what the previous code was doing.

matt-phylum avatar Feb 15 '24 19:02 matt-phylum

@matt-phylum The purl string pkg:npm/@aws-crypto/[email protected] was being accurately parsed using the Python version of the module, but the JS version was throwing an error. But as you mentioned, the Python version does extract the version by splitting from the right on '@' (as required by the purl spec), thus the purl passed even without being percent-encoded.

Moullisha avatar Feb 19 '24 16:02 Moullisha
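
The split-direction point from the comments above, as an added example that is not part of the thread or the packageurl-js source. It is a simplified parser comparing a first-'@' split (assumed here to be the pre-fix behaviour) with the spec's right split; `parsePurl`, `tryParse` and every purl string are constructed for illustration.

```javascript
// Added example: simplified purl parsing, not the packageurl-js source.
// parsePurl, tryParse and all purl strings below are constructed for illustration.

// Split "type/namespace/name" (version already removed) into components.
function splitPath(path) {
  const firstSlash = path.indexOf('/');
  if (firstSlash === -1) throw new Error('missing type or name');
  const type = path.slice(0, firstSlash).toLowerCase();
  const segments = path.slice(firstSlash + 1).split('/').filter(Boolean);
  if (segments.length === 0) throw new Error('missing name');
  const name = decodeURIComponent(segments.pop());
  const namespace = segments.map((s) => decodeURIComponent(s)).join('/') || null;
  return { type, namespace, name };
}

// fromRight=true: the spec rule, split the remainder once from the right on '@'.
// fromRight=false: split on the first '@' (assumed pre-fix behaviour).
function parsePurl(purl, fromRight) {
  if (!purl.startsWith('pkg:')) throw new Error('missing pkg: scheme');
  let rest = purl.slice(4).replace(/^\/+/, '');
  const hash = rest.lastIndexOf('#'); // drop subpath
  if (hash !== -1) rest = rest.slice(0, hash);
  const query = rest.lastIndexOf('?'); // drop qualifiers
  if (query !== -1) rest = rest.slice(0, query);
  const at = fromRight ? rest.lastIndexOf('@') : rest.indexOf('@');
  const path = at === -1 ? rest : rest.slice(0, at);
  const version = at === -1 ? null : decodeURIComponent(rest.slice(at + 1));
  return { ...splitPath(path), version };
}

// Returns the parsed object, or the error message if parsing fails.
function tryParse(purl, fromRight) {
  try { return parsePurl(purl, fromRight); } catch (e) { return `error: ${e.message}`; }
}

const RAW = 'pkg:npm/@example-scope/example-pkg@1.2.3'; // '@' of the scope left unencoded
const ENCODED = 'pkg:npm/%40example-scope/example-pkg@1.2.3'; // scope '@' encoded as %40
const RAW_NO_VERSION = 'pkg:npm/@example-scope/example-pkg'; // unencoded, no version

for (const purl of [RAW, ENCODED, RAW_NO_VERSION]) {
  console.log(purl, '\n  left :', tryParse(purl, false), '\n  right:', tryParse(purl, true));
}
```

With the right split, the unencoded scoped purl parses only because a version follows it; the same string without a version still fails, since the scope's '@' is then the rightmost one. The %40 form parses under either split direction.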

Yeah I think this is the right thing to do, even if the % was supposed to be escaped.

matt-phylum avatar Feb 19 '24 18:02 matt-phylum

@matt-phylum If everything looks good, can you approve this PR?

Moullisha avatar Mar 05 '24 06:03 Moullisha

I'm not a maintainer on this project so my approval doesn't mean anything.

matt-phylum avatar Mar 05 '24 13:03 matt-phylum

Closing as covered by https://github.com/package-url/packageurl-js/pull/71

jdalton avatar Aug 01 '24 17:08 jdalton

v2.0.0 has been published 🎉

jdalton avatar Aug 18 '24 01:08 jdalton