add function to return package purl #122

Merged
merged 1 commit into from
Dec 1, 2022

bdehamer
Contributor

Adds a new toPurl function which translates a package name/version into its purl (Package URL) form.

> npa.toPurl('foo', '0.1.0')
'pkg:npm/foo@0.1.0'

> npa.toPurl('@foo/bar', '1.0.0-alpha.1')
'pkg:npm/%40foo/bar@1.0.0-alpha.1'

> npa.toPurl('foo:bar', 'a.b.c')
Uncaught:
Error: Invalid package name "foo:bar" of package "foo:bar@a.b.c": name can only contain URL-friendly characters.
    at invalidPackageName (/Users/bdehamer/dev/npm-package-arg/lib/npa.js:110:15)
    at Function.toPurl (/Users/bdehamer/dev/npm-package-arg/lib/npa.js:96:11) {
  code: 'EINVALIDPACKAGENAME'
}

@bdehamer bdehamer requested a review from a team as a code owner November 29, 2022 16:13
@ljharb
Contributor

ljharb commented Nov 29, 2022

How can this work (purls, I mean) without indicating the registry? A package’s name and version isn’t sufficient to identify a package; you also need to know what registry it comes from.

@bdehamer bdehamer force-pushed the purl branch 4 times, most recently from 262b573 to 2da0729 Compare November 29, 2022 18:55
@bdehamer bdehamer requested a review from wraithgar November 29, 2022 19:00
@ljharb
Contributor

ljharb commented Nov 29, 2022

@bdehamer can you help me understand how a purl for an npm package can possibly be valid without a registry address?

@bdehamer
Contributor Author

> How can this work (purls, I mean) without indicating the registry? A package’s name and version isn’t sufficient to identify a package; you also need to know what registry it comes from.

There is a notion of a default repository for each package type. However, that doesn't address the case where a different registry is used. I added support for an optional reg parameter that can be used to specify a non-default registry:

> npa.toPurl('@foo/bar@v1.0.0', 'npm.pkg.github.com')
'pkg:npm/%40foo/bar@v1.0.0?repository_url=npm.pkg.github.com'

@ljharb
Contributor

ljharb commented Nov 29, 2022

Thanks, that addresses my feedback, assuming that the registry is omitted from the purl by the implementation whenever it equals the default (not just when it's absent)

Co-authored-by: Jordan Harband <ljharb@gmail.com>
Signed-off-by: Brian DeHamer <bdehamer@github.com>
@wraithgar wraithgar merged commit f2c243c into npm:main Dec 1, 2022
@github-actions github-actions bot mentioned this pull request Dec 1, 2022
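
An added sketch of the behaviour discussed in this thread (not the code merged in this PR): it builds the npm purl, percent-encodes the scope's `@`, and drops `repository_url` when the registry equals the default and not only when it is absent. The names `npmPurl` and `normalizeRegistry`, the simplified name pattern and the `https://registry.npmjs.org` default are assumptions made for illustration.

```javascript
// Added example: hypothetical helper, not npm-package-arg's implementation.
const DEFAULT_REGISTRY = 'https://registry.npmjs.org'; // assumed default for type "npm"

// Simplified name check (assumption): optional @scope/, then URL-friendly characters.
const NAME_RE = /^(?:@([a-z0-9][a-z0-9._~-]*)\/)?([a-z0-9][a-z0-9._~-]*)$/;

// Canonical form used only for comparison: explicit scheme (https assumed when
// missing), lower-cased host, no trailing slash. http:// stays distinct from https://.
function normalizeRegistry(reg) {
  const s = String(reg).trim();
  const u = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : `https://${s}`);
  return `${u.protocol}//${u.host}${u.pathname.replace(/\/+$/, '')}`;
}

function npmPurl(name, version, registry) {
  const m = NAME_RE.exec(name);
  if (!m) {
    const err = new Error(`Invalid package name "${name}"`);
    err.code = 'EINVALIDPACKAGENAME'; // error code shown in the thread's output
    throw err;
  }
  if (typeof version !== 'string' || version === '') {
    throw new TypeError('version is required to build a purl');
  }
  const [, scope, bare] = m;
  // The scope's "@" is percent-encoded; "/" stays as the namespace separator.
  const path = scope ? `%40${scope}/${bare}` : bare;
  let purl = `pkg:npm/${path}@${encodeURIComponent(version)}`;

  // Omit the qualifier when the registry is absent OR equal to the default,
  // so the same package always yields the same identifier.
  if (registry != null && registry !== '' &&
      normalizeRegistry(registry) !== normalizeRegistry(DEFAULT_REGISTRY)) {
    purl += `?repository_url=${encodeURIComponent(registry)}`;
  }
  return purl;
}
```

A registry given as `registry.npmjs.org`, `https://registry.npmjs.org/` or with a mixed-case host produces no qualifier, while a plain `http://` URL for the same host is kept as a distinct source.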