Skip to content

fix(purl): url-encoded slashes in purl#5592

Open
jess-lowe wants to merge 1 commit into
google:masterfrom
jess-lowe:fix/packagist-purl
Open

fix(purl): url-encoded slashes in purl#5592
jess-lowe wants to merge 1 commit into
google:masterfrom
jess-lowe:fix/packagist-purl

Conversation

@jess-lowe

Copy link
Copy Markdown
Contributor

fixes #5590

When the database worker was migrated from Python to Go, it began using Go's purl.Generate function to generate PURLs. In Go, ecosystems like Packagist, npm, Hex, and SwiftURL were registered to use simpleGenerator which did not separate package name into namespace and name components. As a result, the entire package name (e.g. drupal/colorbox) was passed as the package name parameter. The underlying Go package-url library correctly URL-encoded the slash, producing pkg:composer/drupal%2Fcolorbox.

@jess-lowe jess-lowe requested a review from michaelkedar July 3, 2026 00:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Data quality issue - various vulnerability now have PURLs which includes encoded / for packagist ecosystem

2 participants