osshealth: NPM purl convention is incomplete, excludes most packages #418
Comments
Thanks @0x73746F66! The npm.org was just a typo, fixed in #419. Regarding the package namespaces, if I remember correctly, the challenge we had early on was that the PackageURL parser didn't handle the In the meantime, you can encode
Will track as #420
@0x73746F66 a string like Like other URL schemes, certain characters in Package URLs have special meaning - as @scovetta noted, the Package URL spec defines For the examples you provided, the correct forms would be Does that help clarify the errors you were seeing? I hear you that this is not particularly intuitive, but it's part of how the Package URL spec ensures that Package URLs are unambiguous.
Yes, it helps me.
No, this doesn't appear to be the way NPM supports the naming convention.
No, it doesn't appear that this project adhered to the NPM naming convention.
No, other users will not know how to use this tool with NPM unless they find this issue (which may be closed), because the encoding requirements of this pack are not obvious or documented or hinted at by the error message.
I made the change to allow raw @ for the namespace in oss-download (see #433) but have not carried that over to oss-health. @pmalmsten Do you have any concerns with adding the same handling to CLI calls to oss-health (not carried over into calls to any lib methods, as before)?
@gfs Nope, no concerns on our end for
@pmalmsten I opened #434 which covers doing this escaping in OSS-Health. For DRY purposes, I've made the namespace escaping method a protected static helper method on the base OSSGadget class used for CLIs, but it is not implicitly called - each CLI needs to call it explicitly only where appropriate; for now that is just OSS-Download and OSS-Health.
Aside: you reference npm.org, and as the owner of NPM we might assume you would know that is referencing The National Association of Pastoral Musicians (NPM), not your own NPM.

Similarly, the issue is regarding npmjs.com, which Microsoft owns and would be aware that the naming convention for packages has not been simply `<package name>` for many years now; it is `@<org or namespace>/<package name>`.

Using the `/` in a purl breaks the NPM support. Using

docker run --rm -it -e GITHUB_ACCESS_TOKEN=$GITHUB_TOKEN --entrypoint /usr/bin/oss-health ossgadget 'pkg:npm/@microsoft/fast-web-utilities'

Produces

It's not just that this doesn't support `@microsoft/<package name>`; this naming convention is becoming de facto now and a majority of mature packages are using it. We have our own use case too:

pkg:npm/@magda/authentication-plugin-sdk

I saw no closed or open issues mentioning that NPM is essentially broken for most packages, and wondered if perhaps I am missing a feature to make this naming convention operate properly.