mitre / hipcheck

Automatically assess and score software repositories for supply chain risk.
https://mitre.github.io/hipcheck/
Apache License 2.0

Enable users to provide Package URLs (pURLs) as targets #184

Closed alilleybrinker closed 1 month ago

alilleybrinker commented 2 months ago

Package URLs (pURLs) are a specification for a generic mechanism for specifying packages across different package hosting platforms. Today, Hipcheck permits specifying packages, but only as package name with an optional version, with the --type flag specifying what package host is used (NPM, PyPI, and Maven are supported). Package URLs would allow for unambiguous specification of packages, so users could avoid using the --type flag. I also expect more tools will want to work with Package URLs in the future, so it would be good to support them.

https://github.com/package-url/purl-spec

mchernicoff commented 1 month ago

Do we need to worry about parsing a pURL given with the type flag, or only if that flag is not provided? I have been working on the assumption that this is an either-or thing, but I could see a user providing a pURL with a type flag, and we might want to handle that case correctly.

mchernicoff commented 1 month ago

Testing an implementation of this for GitHub repos, PyPI packages, and NPM packages. Maven packages will take more work because we will need to convert a pURL into a Maven URI as Hipcheck currently works (unlike PyPI and NPM, which can check against just a package name and version).

mchernicoff commented 1 month ago

Added Maven package support, but by assuming that all packages are hosted at https://repo1.maven.org/maven2/
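A sketch of the parsing and conversion discussed in this thread, as an added example that is not Hipcheck's own code: it parses the `pkg:type/namespace/name@version` form for the GitHub, PyPI, NPM and Maven cases, rejects a pURL that disagrees with an explicit `--type` flag instead of guessing, and builds the Maven URL assuming the standard Maven 2 repository layout on `https://repo1.maven.org/maven2/` (percent-decoding of namespace and name is left out).

```rust
#[derive(Debug, PartialEq)]
pub struct Purl {
    pub ptype: String,
    pub namespace: Option<String>,
    pub name: String,
    pub version: Option<String>,
}

/// Parse `pkg:type/namespace/name@version?qualifiers#subpath`. Qualifiers
/// and subpath are dropped; percent-decoding is left out (assumption).
pub fn parse_purl(s: &str) -> Result<Purl, String> {
    let rest = s.strip_prefix("pkg:").ok_or("missing pkg: scheme")?;
    let rest = rest.split(|c| c == '?' || c == '#').next().unwrap_or("");
    let (ptype, path) = rest.trim_start_matches('/')
        .split_once('/').ok_or("missing type or name")?;
    let (path, version) = match path.rsplit_once('@') {
        Some((p, v)) => (p, Some(v.to_string())),
        None => (path, None),
    };
    let (namespace, name) = match path.rsplit_once('/') {
        Some((ns, n)) => (Some(ns.to_string()), n),
        None => (None, path),
    };
    if ptype.is_empty() || name.is_empty() {
        return Err("empty type or package name".into());
    }
    // The type is case-insensitive per the spec, so normalise it once here.
    Ok(Purl { ptype: ptype.to_lowercase(), namespace, name: name.to_string(), version })
}

/// An explicit --type that disagrees with the pURL type is an error rather
/// than silently preferring one of them.
pub fn check_type_flag(p: &Purl, flag: Option<&str>) -> Result<(), String> {
    match flag {
        Some(f) if !f.eq_ignore_ascii_case(&p.ptype) => {
            Err(format!("--type {} conflicts with pURL type {}", f, p.ptype))
        }
        _ => Ok(()),
    }
}

/// POM URL on Maven Central, assuming the standard Maven 2 repository layout
/// (groupId dots become path segments) and the host named in the thread.
pub fn maven_pom_url(p: &Purl) -> Result<String, String> {
    if p.ptype != "maven" { return Err("not a maven pURL".into()); }
    let group = p.namespace.as_deref().ok_or("maven pURL needs a groupId")?;
    let version = p.version.as_deref().ok_or("maven pURL needs a version")?;
    Ok(format!("https://repo1.maven.org/maven2/{}/{}/{}/{}-{}.pom",
        group.replace('.', "/"), p.name, version, p.name, version))
}
```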