It has recently been discussed here that npm should have `case_sensitive` as True in the spec, as npm has case-sensitive packages historically: package-url/purl-spec#136
This would mean that the current implementation to lowercase npm package names is incorrect, because it can result in a case-insensitive collision: https://github.com/package-url/packageurl-python/blob/main/src/packageurl/__init__.py#L202
Example:
https://www.npmjs.com/package/orchestrator
https://www.npmjs.com/package/Orchestrator
As another question, would this list of packages that have `lower()` done on their name, ever be sourced from the `case_sensitive` properties in the purl-spec repo itself, rather than in here as a hardcoded duplicate list?