-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: add npm name validation and make lower casing names adaptive #80
Conversation
This fixes the part where old names are incorrectly lowercased, but in a very complicated way. The PURL spec is wrong here and says to just always lowercase so if this library is going to fix the problem ahead of the spec, like it does for Go, it can't match the spec. However, I don't think this is really right and I don't think it's something that would ever be included in the PURL spec. NPM package names are case sensitive. PURL does not normally validate the package name and version, and I think this is a good thing. It's complicated and error prone to incorporate into the PURL spec rules like "the name must not be case-insensitively equal to favicon.ico" or "if there is a namespace then the lengths of the namespace and name together must be no more than 213 characters" and have those rules consistently implemented across PURL libraries. If the ecosystem ever changes the rules, updating the spec and rolling out those changes to all PURL implementations can be a slow process. I guess if the validation was opt-in it wouldn't be so bad, but I'm worried that extensive validation logic in this library beyond what is documented in the PURL spec will create interoperability problems where a valid PURL will be rejected by an application using this library because this library thinks the PURL can never refer to a real package. |
@matt-phylum I hear you. The spec does mandate validation of several type's namespaces, names, and versions with the "MUST" and "MUST NOT" language. Some are rather complex and in realms I'm not familiar with which is why I've "TODO"'d them. For example, the cpan purl type spec does toggle behavior when there is or is not a namespace using "MUST" and "MUST NOT" language. The npm validation logic is rather solid and hasn't changed for nearly 10 years. I think it's fine to incorporate some validation for their packages. The JS implementation is of the npm ecosystem so having extra attention for it seems reasonable.
Updated: Now uses pre-computed list of names to make the exception for else it behaves as spec'd. The code is written in a way that is browser bundle friendly and keeps the data loaded to a minimum. |
56af5fe
to
55b9df1
Compare
55b9df1
to
8c5bdd3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This LGTM, pending other's approval of spec-conformation.
@steven-esser at Socket when using a variation of this the new validation uncovered non-compliant names. We have a concept of an We have an opportunity to revise with a major version bump the constructor to provide an options object. The ergonomics of the args passed to the constructor also urk me a bit as it currently goes |
@jdalton I have no problem with supporting that feature, it's almost a necessity to be more flexible on the parsing side when using this in the wild. An option would save the couple lines of exception handling. Would support the change to options object as well. Might be an annoyance to some to have to fix their tests/builds, but it's incredibly ugly and non-conforming to the majority of JS/TS packages. |
Is an unknown type useful? If The way optional package type validation is handled for the Rust |
@matt-phylum @steven-esser |
I don't understand what |
@matt-phylum Sometimes you only want to handle valid purls in those cases the |
From experience, I expect that users won't detect or filter invalid PURLs until they've started seeing bugs related to unexpected |
@matt-phylum That's fine. That's why it's an option and not the default. |
Fix for #79.