fix(diff): detect version upgrades for version-qualified purls#31
Open
dmchaledev wants to merge 1 commit into
…e detected buildComponentMap keyed on the raw purl, which embeds the version (e.g. "pkg:npm/lodash@4.17.21"). Real-world CycloneDX/SPDX SBOMs almost always emit version-qualified purls, so an upgrade produced two distinct keys and was reported as a spurious remove + add — the `upgraded` array only ever populated for the rare purl-less, name-matched case. This silently broke the tool's headline feature (upgraded-dependency detection).

Introduce componentKey()/purlIdentity(): strip the "@Version" segment from the purl while preserving any ?qualifiers/#subpath, and fall back to an ecosystem-qualified name when no purl is present. Scoped npm purls (leading @ encoded as %40) resolve correctly since the version "@" is the first literal "@".

Update the misleading test that asserted the broken behavior and add coverage for scoped and qualifier-bearing purls.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013JKKFxnxFWMNXYnbW3wM4q
Problem

Upgrade detection — the tool's headline feature ("Highlights added, removed, upgraded dependencies") — never triggered for real-world SBOMs.

`buildComponentMap` used the raw purl as the component match key:

But a purl embeds the version (`pkg:npm/lodash@4.17.21`). CycloneDX and SPDX tooling almost always emits version-qualified purls, so a simple version bump produced two different keys in the two SBOMs and was reported as a spurious remove + add. The `upgraded` array only ever populated in the rare case where a component had no purl at all and was matched by bare name.

The existing test even documented the broken behavior as intended:

Fix

Introduce a version-independent identity key:

- `componentKey()` — uses the purl identity when present, else an ecosystem-qualified name.
- `purlIdentity()` — strips the `@version` segment while preserving any trailing `?qualifiers` / `#subpath`.

Scoped npm purls resolve correctly because their leading `@` is percent-encoded (`%40`), so the version's `@` is the first literal `@` in the string.

Before / after

Same two SBOMs where `lodash` and `react` are bumped and `moment` → `express` swapped:

Tests

- `detects version upgrades` test to assert a single upgrade (0 added, 0 removed).
- `%40angular/core`) and purls carrying `?arch=` qualifiers.

🤖 Generated with Claude Code
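The identity-key approach the PR describes, as an added illustration that is not the project's own code: `purlIdentity` drops the `@version` segment but keeps qualifiers and subpath, scoped npm purls survive because `%40` is not a literal `@`, and a small diff built on that key reports a bump as an upgrade instead of a remove + add. The function names follow the PR; their bodies and the sample component lists are constructed here.

```javascript
// Added example (not the project's code): version-independent purl identity and a
// minimal diff on top of it, following the approach the PR describes. Names mirror
// the PR (purlIdentity/componentKey/buildComponentMap); the bodies are my own.

// Strip the "@version" segment, keeping any ?qualifiers / #subpath. Scoped npm purls
// encode their leading "@" as %40, so the first literal "@" is the version separator.
function purlIdentity(purl) {
  // Split off qualifiers/subpath first so an "@" inside them is never taken as the version.
  const cut = purl.search(/[?#]/);
  const base = cut === -1 ? purl : purl.slice(0, cut);
  const tail = cut === -1 ? "" : purl.slice(cut);
  const at = base.indexOf("@");
  return (at === -1 ? base : base.slice(0, at)) + tail;
}

// Purl identity when present, else an ecosystem-qualified name.
function componentKey(c) {
  return c.purl ? purlIdentity(c.purl) : `${c.ecosystem ?? "unknown"}:${c.name}`;
}

function buildComponentMap(components) {
  return new Map(components.map((c) => [componentKey(c), c]));
}

// Diff two component lists: same key + different version = upgrade, not remove + add.
function diffComponents(before, after) {
  const a = buildComponentMap(before), b = buildComponentMap(after);
  const out = { added: [], removed: [], upgraded: [] };
  for (const [key, comp] of b) {
    if (!a.has(key)) out.added.push(key);
    else if (a.get(key).version !== comp.version)
      out.upgraded.push({ key, from: a.get(key).version, to: comp.version });
  }
  for (const key of a.keys()) if (!b.has(key)) out.removed.push(key);
  return out;
}

// Constructed sample component lists (not taken from the page).
const OLD = [
  { name: "lodash", version: "4.17.20", purl: "pkg:npm/lodash@4.17.20" },
  { name: "@angular/core", version: "16.0.0", purl: "pkg:npm/%40angular/core@16.0.0?arch=x64" },
  { name: "moment", version: "2.29.4", purl: "pkg:npm/moment@2.29.4" },
];
const NEW = [
  { name: "lodash", version: "4.17.21", purl: "pkg:npm/lodash@4.17.21" },
  { name: "@angular/core", version: "17.0.0", purl: "pkg:npm/%40angular/core@17.0.0?arch=x64" },
  { name: "express", version: "4.18.2", purl: "pkg:npm/express@4.18.2" },
];
console.log(JSON.stringify(diffComponents(OLD, NEW), null, 2));
```

Because qualifiers stay in the key, a component whose `?arch=` changes between SBOMs is still reported as remove + add, which matches the PR's stated intent of preserving qualifiers in the identity.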