diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..ff58473
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
deleted file mode 100644
index c278c33..0000000
--- a/.github/workflows/ci.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-name: Run Unit Tests
-on:
- pull_request:
- branches:
- - '**'
-jobs:
- unit_test:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - run: |
- npm ci
- npm run test
\ No newline at end of file
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..5e4e8e0
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,26 @@
+name: Linting
+
+on:
+ push:
+ branches:
+ - main
+ tags:
+ - '*'
+ pull_request:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ linting:
+ name: "Linting"
+ uses: SocketDev/workflows/.github/workflows/reusable-base.yml@master
+ with:
+ no-lockfile: true
+ npm-test-script: 'check'
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
new file mode 100644
index 0000000..4988ac7
--- /dev/null
+++ b/.github/workflows/provenance.yml
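Review bot: The job's `uses: SocketDev/workflows/.github/workflows/reusable-base.yml@master` resolves to whatever the `master` branch of that repository holds at run time, so every push, tag and pull request on this repo executes workflow code this commit does not pin; the same reference appears in test.yml, and types.yml uses `type-check.yml@master`. Pinning the reusable workflow to a full commit SHA, with the branch or tag in a trailing comment for readability, gives reproducible runs and lets the `github-actions` entry added to dependabot.yml propose the bumps. For example: `uses: SocketDev/workflows/.github/workflows/reusable-base.yml@<commit-sha> # master`. The caller-level `permissions: contents: read` is a good default and should stay, since the called workflow cannot elevate beyond what the caller grants.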
@@ -0,0 +1,27 @@
+name: Publish Packages to npm
+
+on:
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ id-token: write
+
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+ registry-url: 'https://registry.npmjs.org'
+ cache: npm
+ scope: "@socketregistry"
+ - run: npm install -g npm@latest
+ - run: npm test
+ - run: npm publish --provenance --tag latest --access public
+ - run: npm access set mfa=automation @socketregistry/packageurl-js
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..27a4608
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,28 @@
+name: CI
+
+on:
+ push:
+ branches:
+ - main
+ tags:
+ - '*'
+ pull_request:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ test:
+ name: "Tests"
+ uses: SocketDev/workflows/.github/workflows/reusable-base.yml@master
+ with:
+ no-lockfile: true
+ npm-test-script: 'test-ci'
+ node-versions: '18,20,22'
+ os: 'ubuntu-latest,windows-latest'
diff --git a/.github/workflows/types.yml b/.github/workflows/types.yml
new file mode 100644
index 0000000..64d13e3
--- /dev/null
+++ b/.github/workflows/types.yml
@@ -0,0 +1,22 @@
+name: Type Checks
+
+on:
+ push:
+ branches:
+ - main
+ tags:
+ - '*'
+ pull_request:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ type-check:
+ uses: SocketDev/workflows/.github/workflows/type-check.yml@master
+ with:
+ no-lockfile: true
+ ts-versions: ${{ github.event.schedule && 'next' || '5.6,next' }}
+ ts-libs: 'esnext'
diff --git a/.prettierignore b/.prettierignore
index ebda0f5..06cd64b 100644
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,3 +1,2 @@
 .github/
 *.json
-*.md
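Review bot: `- run: npm install -g npm@latest` installs an unpinned npm release inside the very job that publishes with `NPM_TOKEN`, so the publishing toolchain can change between runs without any commit to this repo; pin it to an exact version, `npm install -g npm@<exact-version>`, and bump it deliberately. The `actions/checkout@v4` and `actions/setup-node@v4` references float on major tags for the same reason, and a commit SHA with the tag in a trailing comment is the conventional fix. The indentation of the trailing `env:` block is lost in this rendering, so I cannot tell whether `NODE_AUTH_TOKEN` is job-scoped or attached only to the final `npm access set` step; if it is the latter, `npm publish` runs without the token, and moving `env:` up to the `build:` job level would fix it. `workflow_dispatch` here has no input or ref restriction, so anyone with write access can publish from any branch; binding the job to a protected `environment:` that holds `NPM_TOKEN` and requires reviewers would gate that.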
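Review bot: `ts-versions: ${{ github.event.schedule && 'next' || '5.6,next' }}` branches on a `schedule` event, but this workflow's `on:` block declares only `push` and `pull_request`, so `github.event.schedule` is never set and the expression always evaluates to `'5.6,next'`. Either add the intended `schedule:` trigger with a cron so that scheduled runs test only `next`, or simplify the line to `ts-versions: '5.6,next'` so the config states what it actually does. If the conditional is kept, a one-line comment above it naming the scheduled-vs-event behaviour would spare the next reader the same check.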
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index ebc1ede..0000000
--- a/.travis.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-language: node_js
-node_js:
- - lts/*
- - 17
- - 16
- - 15
- - 14
- - 13
- - 12
- - 11
- - 10
diff --git a/CHANGELOG.md b/CHANGELOG.md
deleted file mode 100644
index e4067e3..0000000
--- a/CHANGELOG.md
+++ /dev/null
@@ -1,97 +0,0 @@ -# 2.0.1 -## Bug Fix -* Fix decoding problems around the `%` character #75 (fix contributed by @jdalton) - -# 2.0.0 -* Significant refactor based on code from @jdalton -* Numerous bug fixes and improvements the community was asking for - * See closed issues and PRs for details (too many to list here) - -# 1.2.1 -## Bug Fixes -* purls with + in versions are now valid #52 (contributed by @satanshiro) -* purl names staring with `:` are now accepted #45 (contributed by @aniruth37) - -# 1.2.0 -## Features -* Add `pub` parsing for Dart and Flutter packages (contributed by @topaztee) - -# 1.1.1 -### Bug Fix -* publish errors - -# 1.1.0 -### Features -* Verify entire version string is properly encoded (contributed by @mcombuechen, @topaztee) - -# 1.0.2 -### Bug Fixes -* Normalize metafiles (contributed by @smorimoto) - -### Chores -* Bumped various dependencies - -# 1.0.1 -### Bug Fixes -* Hardened encoding/decoding of URL special chars like `@` and `#` [#37](https://github.com/package-url/packageurl-js/pull/37) - -# 1.0.0 -### Features -* Add enum-like static readonly property `KnownQualifierNames` to reflect known qualifier names [#34](https://github.com/package-url/packageurl-js/pull/34) - -# 0.0.7 -### Bug Fixes -* Keep license texts in comment headers, even after minification [#27](https://github.com/package-url/packageurl-js/issues/27) -* Fix a bug in golang purls that was adding additional slashes to the string [#30](https://github.com/package-url/packageurl-js/issues/30) - -# 0.0.6 -### Bug Fixes -* Properly replace all underscore values for PyPI packages [#23](https://github.com/package-url/packageurl-js/issues/23) - -# 0.0.5 -### Changes -* update deps via `npm audit fix` - -### Bug Fixes -* Handle forward slash in namespace for go purls - -# 0.0.4 -### Bug Fixes -* Properly handle PyPI `purl` values per the purl-spec [#18](https://github.com/package-url/packageurl-js/pull/18) - -# 0.0.3 -### Bug Fixes -* Properly handle `undefined` or `null` 
qualifier values [#16](https://github.com/package-url/packageurl-js/issues/16) - -# 0.0.2 - -### Features -* TypeScript: type-definitions [#6](https://github.com/package-url/packageurl-js/issues/6) - -Bug fixes -* fromString(): version is used outside of block scope [#5](https://github.com/package-url/packageurl-js/issues/5) -* fromString(): qualifiers extracted as string, constructor expects object [#7](https://github.com/package-url/packageurl-js/issues/7) - -### BREAKING CHANGES - -* the main module previously exported the PackageURL class directly -* this prevents that additional classes can be added in the future and doesn't work nicely together with the ES6 module system -* the root module now exports an object containing the classes - -Before -```js -const PackageURL = require('packageurl-js'); -``` - -After -```js -const PackageURL = require('packageurl-js').PackageURL; -// or -const { PackageURL } = require('packageurl-js'); -// or ES6 / Typescript -import { PackageURL } from 'packageurl-js'; -``` - -# 0.0.1 - -* Initial release diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index f0c20bd..0000000 --- a/CONTRIBUTING.md +++ /dev/null @@ -1,18 +0,0 @@ -# Contributing - -Contributions are welcome and appreciated! -Every little bit helps, and credit will always be given. - -When contributing to purl (such as code, bugs, documentation, etc.) you -agree to the Developer Certificate of Origin http://developercertificate.org/ -and its license (see the mit.LICENSE file). The same approach is used -by the Linux Kernel developers and several other projects. - -For commits, it is best to simply add a line like this to your commit message, -with your name and email: -``` - Signed-off-by: Jane Doe -``` - -Please try to write a good commit message. -See: https://chris.beams.io/posts/git-commit/ diff --git a/LICENSE b/LICENSE index 0b5633b..602b3ec 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,18 +1,21 @@ -Copyright (c) the purl authors +MIT License -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: +Copyright (c) 2024 Socket Inc + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. 
diff --git a/LICENSE.original b/LICENSE.original new file mode 100644 index 0000000..0b5633b --- /dev/null +++ b/LICENSE.original @@ -0,0 +1,18 @@ +Copyright (c) the purl authors + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/README.md b/README.md index 423c675..8f551a8 100644 --- a/README.md +++ b/README.md 
@@ -1,28 +1,47 @@ -# packageurl-js +# @socketregistry/packageurl-js -### Installing +[![Socket Badge](https://socket.dev/api/badge/npm/package/@socketregistry/packageurl-js)](https://socket.dev/npm/package/@socketregistry/packageurl-js) +[![CI - @socketregistry/packageurl-js](https://github.com/SocketDev/socket-registry/actions/workflows/test.yml/badge.svg)](https://github.com/SocketDev/socket-registry/actions/workflows/test.yml) +[![Follow @SocketSecurity](https://img.shields.io/twitter/follow/SocketSecurity?style=social)](https://twitter.com/SocketSecurity) -To install `packageurl-js` in your project, simply run: -```bash -npm install packageurl-js -``` +> An enhanced and tested zero dependency drop-in replacement of +> [`packageurl-js`](https://socket.dev/npm/package/packageurl-js) complete with +> TypeScript types. -This command will download the `packageurl-js` npm package for use in your application. +## Installation -### Local Development +### Install as a package override -Clone the `packageurl-js` repo and `cd` into the directory. +[`socket`](https://socket.dev/npm/package/socket) CLI will automagically ✨ +populate +[overrides](https://docs.npmjs.com/cli/v9/configuring-npm/package-json#overrides) +and [resolutions](https://yarnpkg.com/configuration/manifest#resolutions) of +your `package.json`. -Then run: -```bash -npm install +```sh +npx socket optimize ``` -### Testing +Prefer to do it yourself? Add `@socketregistry/packageurl-js` to your +`package.json`. + +```json +{ + "overrides": { + "packageurl-js": "npm:@socketregistry/packageurl-js@^1" + }, + "resolutions": { + "packageurl-js": "npm:@socketregistry/packageurl-js@^1" + } +} +``` + +### Install as a plain dependency + +Install with your favorite package manager. -To run the test suite: -```bash -npm test +```sh +npm install @socketregistry/packageurl-js ``` ### Usage Examples 
@@ -30,11 +49,13 @@ npm test #### Importing As an ES6 module + ```js import { PackageURL } from 'packageurl-js' ``` As a CommonJS module + ```js const { PackageURL } = require('packageurl-js') ``` @@ -42,7 +63,8 @@ const { PackageURL } = require('packageurl-js') #### Parsing ```js -const purlStr = 'pkg:maven/org.springframework.integration/spring-integration-jms@5.5.5' +const purlStr = + 'pkg:maven/org.springframework.integration/spring-integration-jms@5.5.5' console.log(PackageURL.fromString(purlStr)) console.log(new PackageURL(...PackageURL.parseString(purlStr))) ``` @@ -51,12 +73,12 @@ will both log ``` PackageURL { - type: 'maven', - name: 'spring-integration-jms', - namespace: 'org.springframework.integration', - version: '5.5.5', - qualifiers: undefined, - subpath: undefined + type: 'maven', + name: 'spring-integration-jms', + namespace: 'org.springframework.integration', + version: '5.5.5', + qualifiers: undefined, + subpath: undefined } ``` @@ -64,10 +86,10 @@ PackageURL { ```js const pkg = new PackageURL( - 'maven', - 'org.springframework.integration', - 'spring-integration-jms', - '5.5.5' + 'maven', + 'org.springframework.integration', + 'spring-integration-jms', + '5.5.5' ) console.log(pkg.toString()) ``` @@ -82,9 +104,9 @@ pkg:maven/org.springframework.integration/spring-integration-jms@5.5.5 ```js try { - PackageURL.fromString('not-a-purl') + PackageURL.fromString('not-a-purl') } catch (e) { - console.error(e.message) + console.error(e.message) } ``` @@ -99,12 +121,9 @@ Invalid purl: missing required "pkg" scheme component Helpers for encoding, normalizing, and validating purl components and types can be imported directly from the module or found on the PackageURL class as static properties. + ```js -import { - PackageURL, - PurlComponent, - PurlType -} from 'packageurl-js' +import { PackageURL, PurlComponent, PurlType } from 'packageurl-js' PurlComponent === PackageURL.Component // => true PurlType === PackageURL.Type // => true 
@@ -112,41 +131,47 @@ PurlType === PackageURL.Type // => true #### PurlComponent -Contains the following properties each with their own `encode`, `normalize`, -and `validate` methods, e.g. `PurlComponent.name.validate(nameStr)`: - - type - - namespace - - name - - version - - qualifiers - - qualifierKey - - qualifierValue - - subpath +Contains the following properties each with their own `encode`, `normalize`, and +`validate` methods, e.g. `PurlComponent.name.validate(nameStr)`: + +- type +- namespace +- name +- version +- qualifiers +- qualifierKey +- qualifierValue +- subpath #### PurlType -Contains the following properties each with their own `normalize`, and `validate` -methods, e.g. `PurlType.npm.validate(purlObj)`: - - alpm - - apk - - bitbucket - - bitnami - - composer - - conan - - cran - - deb - - github - - gitlab - - golang - - hex - - huggingface - - luarocks - - maven - - mlflow - - npm - - oci - - pub - - pypi - - qpkg - - rpm - - swift +Contains the following properties each with their own `normalize`, and +`validate` methods, e.g. `PurlType.npm.validate(purlObj)`: + +- alpm +- apk +- bitbucket +- bitnami +- composer +- conan +- cran +- deb +- github +- gitlab +- golang +- hex +- huggingface +- luarocks +- maven +- mlflow +- npm +- oci +- pub +- pypi +- qpkg +- rpm +- swift + +## Requirements + +Node >= `18.20.4` diff --git a/package.json b/package.json index 2807b9a..cb3bd95 100644 --- a/package.json +++ b/package.json 
@@ -1,22 +1,42 @@
 {
- "name": "packageurl-js",
- "version": "2.0.1",
- "description": "JavaScript library to parse and build \"purl\" aka. package URLs. This is a microlibrary implementing the purl spec at https://github.com/package-url",
+ "name": "@socketregistry/packageurl-js",
+ "version": "1.0.0",
+ "license": "MIT",
+ "description": "Socket.dev optimized package override for packageurl-js",
 "keywords": [
- "package",
- "url"
+ "Socket.dev",
+ "package-overrides"
 ],
- "homepage": "https://github.com/package-url/packageurl-js#readme",
- "bugs": {
- "url": "https://github.com/package-url/packageurl-js/issues"
- },
- "license": "MIT",
- "author": "the purl authors",
- "main": "index.js",
+ "homepage": "https://github.com/SocketDev/packageurl-js",
 "repository": {
 "type": "git",
- "url": "git+https://github.com/package-url/packageurl-js.git"
+ "url": "git+https://github.com/SocketDev/packageurl-js.git"
 },
+ "exports": {
+ ".": {
+ "types": "./index.d.ts",
+ "default": "./index.js"
+ },
+ "./src/constants": "./src/constants.js",
+ "./src/decode": "./src/decode.js",
+ "./src/encode": "./src/encode.js",
+ "./src/error": "./src/error.js",
+ "./src/helpers": "./src/helpers.js",
+ "./src/lang": "./src/lang.js",
+ "./src/normalize": "./src/normalize.js",
+ "./src/objects": "./src/objects.js",
+ "./src/package-url": {
+ "types": "./src/package-url.d.ts",
+ "default": "./src/package-url.js"
+ },
+ "./src/purl-component": "./src/purl-component.js",
+ "./src/purl-qualifier-names": "./src/purl-qualifier-names.js",
+ "./src/purl-type": "./src/purl-type.js",
+ "./src/strings": "./src/strings.js",
+ "./src/validate": "./src/validate.js",
+ "./package.json": "./package.json"
+ },
+ "sideEffects": false,
 "scripts": {
 "check": "run-p -c --aggregate-output check:*",
 "check:lint": "eslint --report-unused-disable-directives .",
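Review bot: The new `exports` map publishes every module under `./src/` (`./src/constants` through `./src/validate`) as a supported entry point alongside `.`, so any rename, split or removal of an internal file becomes a breaking change for consumers that deep-import it. If those modules are meant to be internal, restricting `exports` to `.`, `./src/package-url` and `./package.json` keeps the public surface to what `index.js` exposes; if they are intentionally public, a line in the README's usage section saying so would document the commitment. Dropping `"main": "index.js"` is fine with `exports["."]` present, and tooling that still reads only `main` falls back to the default `index.js`, which matches.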
@@ -51,11 +71,19 @@
 "tap": "^21.0.1",
 "validate-npm-package-name": "^6.0.0"
 },
+ "engines": {
+ "node": ">=18.20.4"
+ },
 "files": [
 "*{.js,.ts}",
 "data/**/*.json",
 "src/**/*{.js,.ts}",
 "LICENSE",
 "README.md"
- ]
+ ],
+ "socket": {
+ "categories": [
+ "levelup"
+ ]
+ }
 }