chore(deps): bump packageurl-js from 1.2.1 to 2.0.1

.github/workflows/nodejs.yml

@@ -391,7 +391,7 @@ jobs:
         js-type: [ 'cjs', 'mjs' ]
         include:
           - # lowest reasonable number that works
-            typescript-version: '^3.8'
+            typescript-version: '^4.0'
             nodeTypes-version: '^14'
             js-type: 'cjs'
     env:

HISTORY.md

@@ -18,7 +18,9 @@ All notable changes to this project will be documented in this file.
   * Serializers and `Bom`-Normalizers will take changed `Models.Bom.tools` into account ([#1152] via [#1163])
 * Dependencies
   * Support `libxmljs2@^0.35` (via [#1173])
+  * Use `packageurl-js@^2.0.1`, was `@>=0.0.6 <0.0.8 || ^1` (via [#1142])
 
+[#1142]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1142
 [#1152]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1152
 [#1163]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1163
 [#1173]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1173

package.json

@@ -80,7 +80,7 @@
     "node": ">=14.0.0"
   },
   "dependencies": {
-    "packageurl-js": ">=0.0.6 <0.0.8 || ^1",
+    "packageurl-js": "^2.0.1",
     "spdx-expression-parse": "^3.0.1 || ^4"
   },
   "optionalDependencies": {

src/factories/fromNodePackageJson.node.ts

@@ -27,11 +27,11 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 
 import type { PackageURL } from 'packageurl-js'
+import { PurlQualifierNames } from 'packageurl-js'
 
 import {tryCanonicalizeGitUrl} from "../_helpers/gitUrl"
 import { isNotUndefined } from '../_helpers/notUndefined'
 import type { PackageJson } from '../_helpers/packageJson'
-import { PackageUrlQualifierNames } from '../_helpers/packageUrl'
 import { ExternalReferenceType } from '../enums/externalReferenceType'
 import type { Component } from '../models/component'
 import { ExternalReference } from '../models/externalReference'
@@ -137,20 +137,24 @@ export class PackageUrlFactory extends PlainPackageUrlFactory<'npm'> {
   #finalizeQualifiers (purl: PackageURL): PackageURL {
     const qualifiers = new Map(Object.entries(purl.qualifiers ?? {}))
 
-    const downloadUrl = qualifiers.get(PackageUrlQualifierNames.DownloadURL)
+    const downloadUrl = qualifiers.get(PurlQualifierNames.DownloadUrl)
     if (downloadUrl !== undefined) {
-      qualifiers.delete(PackageUrlQualifierNames.VcsUrl)
+      qualifiers.delete(PurlQualifierNames.VcsUrl)
       if (npmDefaultRepositoryMatcher.test(downloadUrl)) {
-        qualifiers.delete(PackageUrlQualifierNames.DownloadURL)
+        qualifiers.delete(PurlQualifierNames.DownloadUrl)
       }
     }
-    if (!qualifiers.has(PackageUrlQualifierNames.DownloadURL) && !qualifiers.has(PackageUrlQualifierNames.VcsUrl)) {
+    if (!qualifiers.has(PurlQualifierNames.DownloadUrl) && !qualifiers.has(PurlQualifierNames.VcsUrl)) {
       // nothing to base a checksum on
-      qualifiers.delete(PackageUrlQualifierNames.Checksum)
+      qualifiers.delete(PurlQualifierNames.Checksum)
+    }
+    if (qualifiers.size > 0) {
+      purl.qualifiers = Object.fromEntries(qualifiers.entries())
+      /* @ts-expect-error TS2322 */
+      purl.qualifiers.__proto__ = null /* eslint-disable-line no-proto -- intended */
+    } else {
+      purl.qualifiers = undefined
     }
-    purl.qualifiers = qualifiers.size > 0
-      ? Object.fromEntries(qualifiers.entries())
-      : undefined
 
     return purl
   }

src/factories/packageUrl.ts

@@ -17,9 +17,8 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-import { PackageURL } from 'packageurl-js'
+import { PackageURL, PurlQualifierNames } from 'packageurl-js'
 
-import { PackageUrlQualifierNames } from '../_helpers/packageUrl'
 import { ExternalReferenceType } from '../enums/externalReferenceType'
 import type { Component } from '../models/component'
 
@@ -37,6 +36,8 @@ export class PackageUrlFactory<PurlType extends PackageURL['type'] = PackageURL[
   /* eslint-disable-next-line @typescript-eslint/no-inferrable-types -- docs */
   makeFromComponent (component: Component, sort: boolean = false): PackageURL | undefined {
     const qualifiers: PackageURL['qualifiers'] = {}
+    /* @ts-expect-error TS2322 */
+    qualifiers.__proto__ = null /* eslint-disable-line no-proto -- intended */
     let subpath: PackageURL['subpath'] = undefined
 
     // sorting to allow reproducibility: use the last instance for a `extRef.type`, if multiples exist
@@ -55,17 +56,17 @@ export class PackageUrlFactory<PurlType extends PackageURL['type'] = PackageURL[
       /* eslint-disable-next-line @typescript-eslint/switch-exhaustiveness-check -- intended */
       switch (extRef.type) {
         case ExternalReferenceType.VCS:
-          [qualifiers[PackageUrlQualifierNames.VcsUrl], subpath] = url.split('#', 2)
+          [qualifiers[PurlQualifierNames.VcsUrl], subpath] = url.split('#', 2)
           break
         case ExternalReferenceType.Distribution:
-          qualifiers[PackageUrlQualifierNames.DownloadURL] = url
+          qualifiers[PurlQualifierNames.DownloadUrl] = url
           break
       }
     }
 
     const hashes = component.hashes
     if (hashes.size > 0) {
-      qualifiers[PackageUrlQualifierNames.Checksum] = Array.from(
+      qualifiers[PurlQualifierNames.Checksum] = Array.from(
         sort
           ? hashes.sorted()
           : hashes,

tests/integration/Factories.FromNodePackageJson.PackageUrlFactory.test.js

@@ -251,7 +251,7 @@ suite('integration: Factories.FromNodePackageJson.PackageUrlFactory', () => {
           vcs_url: 'git+https://foo.bar/repo.git'
         }, undefined)
       // expect objet's keys in alphabetical oder, expect sorted hash list
-      const expectedString = 'pkg:testing/name?checksum=blake3%3Aaa51dcd43d5c6c5203ee16906fd6b35db298b9b2e1de3fce81811d4806b76b7d%2Csha-256%3Ac3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2&vcs_url=git%2Bhttps%3A//foo.bar/repo.git'
+      const expectedString = 'pkg:testing/name?checksum=blake3%3Aaa51dcd43d5c6c5203ee16906fd6b35db298b9b2e1de3fce81811d4806b76b7d%2Csha-256%3Ac3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2&vcs_url=git%2Bhttps%3A%2F%2Ffoo.bar%2Frepo.git'
 
       const actual = sut.makeFromComponent(component, true)
 
@@ -287,7 +287,7 @@ suite('integration: Factories.FromNodePackageJson.PackageUrlFactory', () => {
           download_url: 'https://foo.bar/download-2'
         }, undefined)
       // expect objet's keys in alphabetical oder, expect sorted hash list
-      const expectedString = 'pkg:testing/name?download_url=https%3A//foo.bar/download-2'
+      const expectedString = 'pkg:testing/name?download_url=https%3A%2F%2Ffoo.bar%2Fdownload-2'
 
       const actual1 = sut.makeFromComponent(component1, true)
       const actual2 = sut.makeFromComponent(component2, true)

tests/integration/Factories.PackageUrlFactory.test.js

@@ -174,7 +174,7 @@ suite('integration: Factories.PackageUrlFactory', () => {
           vcs_url: 'git+https://foo.bar/repo.git'
         }, undefined)
       // expect objet's keys in alphabetical oder, expect sorted hash list
-      const expectedString = 'pkg:testing/name?checksum=blake3%3Aaa51dcd43d5c6c5203ee16906fd6b35db298b9b2e1de3fce81811d4806b76b7d%2Csha-256%3Ac3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2&download_url=https%3A//foo.bar/download&vcs_url=git%2Bhttps%3A//foo.bar/repo.git'
+      const expectedString = 'pkg:testing/name?checksum=blake3%3Aaa51dcd43d5c6c5203ee16906fd6b35db298b9b2e1de3fce81811d4806b76b7d%2Csha-256%3Ac3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2&download_url=https%3A%2F%2Ffoo.bar%2Fdownload&vcs_url=git%2Bhttps%3A%2F%2Ffoo.bar%2Frepo.git'
 
       const actual = sut.makeFromComponent(component, true)
 
@@ -213,7 +213,7 @@ suite('integration: Factories.PackageUrlFactory', () => {
           vcs_url: 'git+https://foo.bar/repo.git'
         }, undefined)
       // expect objet's keys in alphabetical oder, expect sorted hash list
-      const expectedString = 'pkg:testing/name?download_url=https%3A//foo.bar/download-2&vcs_url=git%2Bhttps%3A//foo.bar/repo.git'
+      const expectedString = 'pkg:testing/name?download_url=https%3A%2F%2Ffoo.bar%2Fdownload-2&vcs_url=git%2Bhttps%3A%2F%2Ffoo.bar%2Frepo.git'
 
       const actual1 = sut.makeFromComponent(component1, true)
       const actual2 = sut.makeFromComponent(component2, true)