
fix(purl): pin packageurl-js serializer dependency#29

Merged
facundo-herodevs merged 3 commits into main from fix/pin-packageurl-js on Jun 25, 2026

Conversation

@facundo-herodevs (Member)

Summary

  • Pins packageurl-js to exactly 2.0.1 so canonicalizePurl has one stable serializer/validator implementation across downstream consumers.
  • Updates canonicalization docs/tests wording from absolute byte-preservation to version value preservation, allowing serializer-level reserved-character canonicalization.
  • Supersedes the already-created v0.1.21 tag for downstream adoption; after this merges, cut v0.1.22 and have eol-engine/eol-api consume that tag.

Why

canonicalizePurl is an identity function used to build OpenSearch docIds, routing keys, and DB keys. A caret dependency (^2.0.1) could allow future packageurl-js 2.x serializer behavior to change the canonical string, which is exactly the identity drift this change is meant to prevent.

Changes

File                    Change
package.json            Pin packageurl-js from ^2.0.1 to 2.0.1
package-lock.json       Reflect exact dependency requirement
src/eol/utils.ts        Clarify version value preservation / encoding canonicalization wording
src/eol/utils.test.ts   Align test descriptions with the corrected version-value contract

Test plan

  • npm run format:check
  • npm run lint — passes with 6 pre-existing warnings in src/spdx-to-cdx.ts
  • npm run type-check
  • npm test — 174 passing

Release note

After merge:

git tag v0.1.22
git push origin v0.1.22

Downstream consumers should use:

"@herodevs/eol-shared": "github:herodevs/eol-shared#v0.1.22"

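A drift guard for the contract this PR describes (canonicalizePurl as an identity function whose output feeds docIds, routing keys and DB keys), added here as an example. It is not code from eol-shared or packageurl-js: the `canonicalizePurl` below is a simplified stand-in written for the example (decode each component, lowercase the type and qualifier keys, sort qualifiers, re-encode with `encodeURIComponent`), not the library's serializer; `parsePurl`, `serializePurl`, `findDrift`, `lockfilePinsExactly`, `driftedCanonicalize`, the `GOLDEN` table and the lockfile JSON are all constructed for the example. It shows the two checks a CI job would run to catch the identity drift the PR is guarding against: the lockfile must declare and resolve the serializer at one exact version, and a golden set of purls must keep canonicalizing to the recorded strings, with the same version value reachable from either encoding of a reserved character.

```typescript
// Added example, not eol-shared or packageurl-js code. canonicalizePurl here is a
// simplified stand-in for the pinned library's serializer so the file runs offline.
type Purl = {
  type: string;
  namespace: string[];
  name: string;
  version?: string;
  qualifiers: [string, string][];
  subpath?: string;
};

function parsePurl(input: string): Purl {
  if (input.slice(0, 4).toLowerCase() !== "pkg:") throw new Error("not a purl: " + input);
  let rest = input.slice(4).replace(/^\/+/, "");
  let subpath: string | undefined;
  const hash = rest.indexOf("#");
  if (hash >= 0) { subpath = rest.slice(hash + 1); rest = rest.slice(0, hash); }
  const qualifiers: [string, string][] = [];
  const q = rest.indexOf("?");
  if (q >= 0) {
    for (const pair of rest.slice(q + 1).split("&")) {
      if (pair === "") continue;
      const eq = pair.indexOf("=");
      if (eq < 0) throw new Error("malformed qualifier: " + pair);
      const key = decodeURIComponent(pair.slice(0, eq)).toLowerCase();
      const value = decodeURIComponent(pair.slice(eq + 1));
      if (value !== "") qualifiers.push([key, value]); // empty qualifier values are dropped
    }
    rest = rest.slice(0, q);
  }
  let version: string | undefined;
  const at = rest.lastIndexOf("@");
  // Decoding here is what makes "1.0+x" and "1.0%2Bx" the same version *value*.
  if (at >= 0) { version = decodeURIComponent(rest.slice(at + 1)); rest = rest.slice(0, at); }
  const segs = rest.split("/").filter((s) => s.length > 0);
  if (segs.length < 2) throw new Error("purl needs a type and a name: " + input);
  return {
    type: segs[0].toLowerCase(),
    namespace: segs.slice(1, -1).map((s) => decodeURIComponent(s)),
    name: decodeURIComponent(segs[segs.length - 1]),
    version,
    qualifiers,
    subpath,
  };
}

function serializePurl(p: Purl): string {
  const enc = (s: string) => encodeURIComponent(s); // one fixed encoder = one canonical byte string
  let out = "pkg:" + p.type + "/";
  if (p.namespace.length > 0) out += p.namespace.map(enc).join("/") + "/";
  out += enc(p.name);
  if (p.version !== undefined) out += "@" + enc(p.version);
  if (p.qualifiers.length > 0) {
    const sorted = [...p.qualifiers].sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0));
    out += "?" + sorted.map(([k, v]) => k + "=" + enc(v)).join("&");
  }
  if (p.subpath !== undefined) {
    const segs = p.subpath.split("/").map((s) => decodeURIComponent(s))
      .filter((s) => s !== "" && s !== "." && s !== "..");
    if (segs.length > 0) out += "#" + segs.map(enc).join("/");
  }
  return out;
}

const canonicalizePurl = (purl: string): string => serializePurl(parsePurl(purl));

// Constructed golden table: inputs on the left must keep producing the strings on
// the right, or every docId / DB key derived from them silently changes.
const GOLDEN: [string, string][] = [
  ["pkg:npm/@angular/animation@12.3.1", "pkg:npm/%40angular/animation@12.3.1"],
  ["pkg:golang/github.com/foo/bar@v1.2.3+incompatible", "pkg:golang/github.com/foo/bar@v1.2.3%2Bincompatible"],
  ["pkg:golang/github.com/foo/bar@v1.2.3%2Bincompatible", "pkg:golang/github.com/foo/bar@v1.2.3%2Bincompatible"],
  ["pkg:deb/debian/curl@7.50.3-1?distro=jessie&arch=i386", "pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie"],
  ["pkg:Maven/org.apache/foo@1.0#src/../lib", "pkg:maven/org.apache/foo@1.0#src/lib"],
];

// Returns one line per golden entry whose output moved, or which is no longer a
// fixed point of the canonicalizer (canon(canon(x)) must equal canon(x)).
function findDrift(canon: (purl: string) => string, golden: [string, string][]): string[] {
  const drift: string[] = [];
  for (const [input, expected] of golden) {
    const got = canon(input);
    if (got !== expected) drift.push(`${input} -> ${got} (expected ${expected})`);
    else if (canon(got) !== got) drift.push(`${got} is not a fixed point`);
  }
  return drift;
}

// What a future minor release of a serializer could plausibly do: stop encoding '+'.
// Same version value, different bytes, different key. findDrift must flag it.
const driftedCanonicalize = (purl: string): string => canonicalizePurl(purl).replace(/%2B/g, "+");

// npm lockfile v2/v3 shape: the root entry "" holds declared ranges and
// node_modules/<pkg> holds the resolved version. Both must be the exact version.
function lockfilePinsExactly(lockJson: string, pkg: string, version: string): boolean {
  const lock = JSON.parse(lockJson);
  const declared = lock?.packages?.[""]?.dependencies?.[pkg];
  const resolved = lock?.packages?.["node_modules/" + pkg]?.version;
  return declared === version && resolved === version;
}

// Constructed lockfiles: one pinned exactly, one with the caret range this PR removes.
const LOCK_PINNED = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { dependencies: { "packageurl-js": "2.0.1" } },
  "node_modules/packageurl-js": { version: "2.0.1" } } });
const LOCK_CARET = LOCK_PINNED.replace('"packageurl-js":"2.0.1"', '"packageurl-js":"^2.0.1"');
```

Run `findDrift(canonicalizePurl, GOLDEN)` in CI and fail on a non-empty result; regenerate the golden table only as a deliberate, reviewed step, since changing it means re-keying existing documents. One caveat on the release note above: `github:herodevs/eol-shared#v0.1.22` pins by tag, and a git tag is a movable ref unless the repository protects it, so a consumer that wants the same guarantee the exact version gives here can reference the merge commit hash in place of the tag.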
@facundo-herodevs facundo-herodevs marked this pull request as ready for review June 24, 2026 23:42
@facundo-herodevs facundo-herodevs enabled auto-merge (squash) June 25, 2026 13:18
@facundo-herodevs facundo-herodevs enabled auto-merge (squash) June 25, 2026 14:40
@facundo-herodevs facundo-herodevs merged commit 884bf8a into main Jun 25, 2026
7 checks passed
@facundo-herodevs facundo-herodevs deleted the fix/pin-packageurl-js branch June 25, 2026 14:43