Handle non-canonical input purls a bit more gracefully #89
Merged
shibumi merged 2 commits into package-url:master from Mar 6, 2026
petergardfjall commented Mar 5, 2026
Comment on lines +526 to +527
| if purlType != TypeNPM && strings.HasPrefix(remainder, "@") { | ||
| return "", "", "", fmt.Errorf("purl is missing name") |
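Review bot: the error on the second line, fmt.Errorf("purl is missing name"), has no format verbs and does not identify the input that triggered it. Either use errors.New for a constant message or include the offending value, for example fmt.Errorf("purl is missing name: %q", remainder), so a caller parsing many purls can tell which one was rejected. A one-line comment on why TypeNPM is exempt from the leading "@" check would also help the next reader.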
Note: follows the packageurl-python implementation: https://github.com/package-url/packageurl-python/blob/a13141e6215cf6e0233df109fbfaae6e1db55893/src/packageurl/__init__.py#L635-L640
petergardfjall commented Mar 5, 2026
| // procedure. | ||
| // | ||
| // [HOW-TO-PARSE]: https://github.com/package-url/purl-spec/blob/main/docs/how-to-parse.md | ||
| func separateNamespaceNameVersion(purlType string, remainder string) (ns, name, version string, err error) { |
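Review bot: the doc comment lines visible above the signature of separateNamespaceNameVersion link to the parse procedure but do not show whether ns, name and version are returned percent-decoded or still encoded. One sentence stating that would keep callers from decoding twice or not at all. As a style point, purlType string, remainder string in the parameter list can be grouped as purlType, remainder string.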
This function now follows https://github.com/package-url/purl-spec/blob/5d9516cc661e77a88cf33fadc057d18df963ff3c/docs/how-to-parse.md?plain=1#L52-L76.
By doing that, we start by splitting on @, which then allows us to correctly parse input like pkg:github/golang/mod@refs/tags/v0.30.0, which we failed to properly parse before.
shibumi approved these changes Mar 6, 2026
This PR makes the library handle some non-canonical input purls a bit more gracefully:

- pkg:github/golang/mod@refs/tags/v0.30.0 is now correctly parsed as pkg:github/golang/mod@refs%2Ftags%2Fv0.30.0. pkg:github/golang/mod%40refs/tags/v0.30.0 which makes very little sense. This turned out to be due to not following the purl parse procedure very well so I updated the parsing code to more closely follow that. In particular the parsing of namespace, name and version.
- pkg:generic/grafana@12.0.1?checksum=sha256:18a348109d3f92772bee72a55eabb9d318596add6a70b92adb6ff8e789d587a8&download_url=https://dl.grafana.com/enterprise/release/grafana-enterprise-12.0.1+security-01.linux-amd64.tar.gz parse correctly. A space (which should be rare) can (and should) still be escaped with %20 in the input (rather than +).

Test-cases have been added for these cases, which go a bit outside the purl-spec testsuite.
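
The parse order discussed in this PR (split on @ first, then on /), shown as an added Go example that is not packageurl-go's own code. The name splitNsNameVersion is hypothetical, the input is constructed, and type-specific rules such as the npm exception in the diff are left out.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// splitNsNameVersion is a hypothetical helper, not packageurl-go's code. remainder is
// the purl with scheme, type, qualifiers and subpath removed. npm handling is omitted.
func splitNsNameVersion(remainder string) (ns, name, version string, err error) {
	remainder = strings.Trim(remainder, "/")
	if strings.HasPrefix(remainder, "@") {
		return "", "", "", errors.New("purl is missing name")
	}
	// 1. Split on the last '@' before any '/' split, so a version with '/' stays whole.
	if i := strings.LastIndex(remainder, "@"); i >= 0 {
		if version, err = url.PathUnescape(remainder[i+1:]); err != nil {
			return "", "", "", fmt.Errorf("invalid version: %w", err)
		}
		remainder = remainder[:i]
	}
	// 2. Split once from the right on '/': the last segment is the name.
	rawNs, rawName := "", remainder
	if i := strings.LastIndex(remainder, "/"); i >= 0 {
		rawNs, rawName = remainder[:i], remainder[i+1:]
	}
	if name, err = url.PathUnescape(rawName); err != nil || name == "" {
		return "", "", "", errors.New("purl is missing or has invalid name")
	}
	// 3. Whatever is left is the namespace: decode it segment by segment.
	var segs []string
	for _, s := range strings.Split(rawNs, "/") {
		d, derr := url.PathUnescape(s)
		if derr != nil {
			return "", "", "", fmt.Errorf("invalid namespace: %w", derr)
		}
		if d != "" {
			segs = append(segs, d)
		}
	}
	return strings.Join(segs, "/"), name, version, nil
}

func main() {
	// Constructed input: the remainder of pkg:github/golang/mod@refs/tags/v0.30.0
	ns, name, version, err := splitNsNameVersion("golang/mod@refs/tags/v0.30.0")
	fmt.Println(ns, name, url.PathEscape(version), err)
}
```

Splitting on / first would instead treat v0.30.0 as the name and leave the @ inside a namespace segment.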