Closed: alilleybrinker closed this issue 1 month ago
Do we need to worry about parsing a pURL given with the type flag, or only if that flag is not provided? I have been working on the assumption that this is an either-or thing, but I could see a user providing a pURL with a type flag, and we might want to handle that case correctly.
Testing an implementation of this for GitHub repos, PyPI packages, and NPM packages. Maven packages will take more work because we will need to convert a pURL into a Maven URI as Hipcheck currently works (unlike PyPI and NPM, which can check against just a package name and version).
Added Maven package support, but by assuming that all packages are hosted at https://repo1.maven.org/maven2/
Package URLs (pURLs) are a specification for a generic mechanism for specifying packages across different package hosting platforms. Today, Hipcheck permits specifying packages, but only as a package name with an optional version, with the `--type` flag specifying what package host is used (NPM, PyPI, and Maven are supported). Package URLs would allow for unambiguous specification of packages, so users could avoid using the `--type` flag. I also expect more tools will want to work with Package URLs in the future, so it would be good to support them.

https://github.com/package-url/purl-spec
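As an added example (not Hipcheck's own code), the following Rust sketches the three points raised in this thread: parsing the `pkg:type/namespace/name@version` shape, deriving the Maven Central URI under the repo1.maven.org assumption, and reconciling a pURL with an explicit `--type` flag. It assumes qualifiers and subpath can be ignored and that namespace and name need no percent-decoding.

```rust
// Added example (not Hipcheck's code): minimal parser for pkg:type/namespace/name@version
// plus the repo1.maven.org mapping from the thread. Assumptions: qualifiers (?..) and
// subpath (#..) are split off and ignored; namespace/name are not percent-decoded.
#[derive(Debug, PartialEq, Eq)]
pub struct Purl {
    pub ptype: String,
    pub namespace: Option<String>,
    pub name: String,
    pub version: Option<String>,
}
pub fn parse_purl(input: &str) -> Result<Purl, String> {
    // Fixed scheme: a bare "name@version" is not a pURL and belongs to the --type path.
    let rest = input
        .strip_prefix("pkg:")
        .ok_or_else(|| format!("not a pURL (missing pkg: scheme): {input}"))?;
    let rest = rest.split('#').next().unwrap_or("");
    let rest = rest.split('?').next().unwrap_or("");
    // Version is whatever follows the last '@'.
    let (path, version) = match rest.rsplit_once('@') {
        Some((p, v)) if !v.is_empty() => (p, Some(v.to_string())),
        Some((p, _)) => (p, None),
        None => (rest, None),
    };
    let mut segs: Vec<&str> = path.split('/').filter(|s| !s.is_empty()).collect();
    if segs.len() < 2 {
        return Err(format!("pURL needs at least a type and a name: {input}"));
    }
    let ptype = segs.remove(0).to_ascii_lowercase();
    let name = segs.pop().unwrap().to_string();
    let namespace = if segs.is_empty() { None } else { Some(segs.join("/")) };
    Ok(Purl { ptype, namespace, name, version })
}
/// Maven Central directory URL for a maven pURL (the repo1.maven.org assumption
/// from the thread). None for other types or when groupId/version are missing.
pub fn maven_central_url(p: &Purl) -> Option<String> {
    if p.ptype != "maven" { return None; }
    let group = p.namespace.as_deref()?.replace('.', "/");
    let version = p.version.as_deref()?;
    Some(format!("https://repo1.maven.org/maven2/{group}/{}/{version}/", p.name))
}
/// An explicit --type flag may agree with the pURL type but must not contradict it.
pub fn check_type_flag(p: &Purl, flag: Option<&str>) -> Result<(), String> {
    match flag {
        Some(t) if !t.eq_ignore_ascii_case(&p.ptype) => {
            Err(format!("--type {t} conflicts with pURL type {}", p.ptype))
        }
        _ => Ok(()),
    }
}
```

The purl-spec `maven` type also defines a `repository_url` qualifier, so a pURL that names a different repository would be silently resolved against Maven Central by this mapping; a fuller implementation should read that qualifier before falling back to repo1.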