Published on npm as @socketregistry/packageurl-js — a Socket Optimized override of the upstream packageurl-js.
npm install @socketregistry/packageurl-js
Topics
Understand the pkg:type/ns/name@version?q#sub shape and how it maps to the PackageURL class.
Build PURLs with the fluent PurlBuilder API; serialize back to canonical pkg:... string form.
Percent-encoding, name/namespace normalization, and the known-qualifiers catalogue.
Shape + format validation, the Result<T, E> functional error pattern (Ok/Err/ResultUtils), typed errors (PurlError, PurlInjectionError), and per-ecosystem rule plumbing.
Convert between repository/download URLs and PURLs — ~25 ecosystem URL parsers.
Per-ecosystem normalize/validate/encode rules across all 41 supported package ecosystems.
Compare + equal + match PURLs with wildcard patterns (ReDoS-protected); registry existence checks.
Injection-character detection for safe PURL handling, safe object freezing, and VERS — the pre-standard version-range specifier slated for ECMA submission in late 2026.
Module map, data flow, and the key abstractions that keep the library small.
The PurlBuilder fluent API — construct a PackageURL step by step with per-field setters and per-ecosystem factories.
Dev setup, test layout, the parallel-sessions git workflow, and the full pre-PR checklist.
URL ↔ PURL conversion across ~25 ecosystems.
How the library treats PURL strings as hostile input — injection-character detection, frozen instances, and a strong protective stance.
Publish flow — npm trusted publishing, provenance attestations, Socket.dev post-publish audit, and common release scenarios.
How the tour site is built, from meander submodule through post-process to GitHub Pages deploy.
Version-range specifiers — the pre-standard grammar slated for ECMA submission in late 2026.