Skip to content

feat: use packageurl-js for correct PURL encoding across ecosystems#155

Merged
Alexandros Kapravelos (kapravel) merged 1 commit intomainfrom
feat/purl-encoding-fix
Mar 16, 2026
Merged

feat: use packageurl-js for correct PURL encoding across ecosystems#155
Alexandros Kapravelos (kapravel) merged 1 commit intomainfrom
feat/purl-encoding-fix

Conversation

@kapravel
Copy link
Copy Markdown
Collaborator

@kapravel Alexandros Kapravelos (kapravel) commented Mar 16, 2026

Summary

  • Use packageurl-js for PURL construction instead of hand-rolled string building, correctly handling scoped npm packages (%40 encoding), golang namespace/name splitting, and maven groupId:artifactId format
  • Fix API response PURL reconstruction to include the namespace field, so scoped packages like @babel/core are no longer truncated to core
  • Add integration tests for npm scoped, pypi, golang, maven, nuget, and cargo ecosystems

Test plan

  • All 34 tests pass (0 skipped, 0 failed)
  • Lint passes
  • TypeScript type check passes
  • buildPurl unit tests cover all ecosystems (npm scoped/unscoped, pypi, gem, golang, maven, nuget, cargo)
  • Integration tests verify scoped npm packages resolve correctly against the live API

Made with Cursor

@kapravel
feat: use packageurl-js for correct PURL encoding across ecosystems
14de96b 
Replace hand-rolled PURL string building with packageurl-js to correctly
handle scoped npm packages (%40 encoding), golang namespace/name
splitting, and maven groupId:artifactId format. Also fix API response
PURL reconstruction to include the namespace field, so scoped packages
like @babel/core are not truncated to just "core".

Add integration tests for npm scoped, pypi, golang, maven, nuget, and
cargo ecosystems.

Made-with: Cursor
@socket-security-staging
Copy link
Copy Markdown

socket-security-staging Bot commented Mar 16, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​@​types/​node@​24.10.9 ⏵ 24.12.010010081 +196100
Addednpm/​packageurl-js@​2.0.110010010082100
Updatednpm/​semver@​7.7.3 ⏵ 7.7.410010010089100
Updatednpm/​pino@​10.3.0 ⏵ 10.3.19410010094100

View full report

@socket-security-staging
Copy link
Copy Markdown

socket-security-staging Bot commented Mar 16, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Medium
Low adoption: npm @package-json/types

Location: Package overview

From: pnpm-lock.yamlnpm/neostandard@0.12.2npm/@package-json/types@0.0.12

ℹ Read more on: This package | This alert | What are unpopular packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore npm/@package-json/types@0.0.12. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Low adoption: npm node-exports-info

Location: Package overview

From: pnpm-lock.yamlnpm/neostandard@0.12.2npm/node-exports-info@1.6.0

ℹ Read more on: This package | This alert | What are unpopular packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore npm/node-exports-info@1.6.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@socket-security
Copy link
Copy Markdown

socket-security Bot commented Mar 16, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​@​types/​node@​24.10.9 ⏵ 24.12.010010081 +196100
Addednpm/​packageurl-js@​2.0.110010010082100
Updatednpm/​semver@​7.7.3 ⏵ 7.7.410010010089100
Updatednpm/​pino@​10.3.0 ⏵ 10.3.19910010094100

View full report

@kapravel Alexandros Kapravelos (kapravel) merged commit eb50c0c into main Mar 16, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kapravel