fix(diff): detect upgrades when the purl carries the version#37
Open
dmchaledev wants to merge 1 commit into
Open
fix(diff): detect upgrades when the purl carries the version#37dmchaledev wants to merge 1 commit into
dmchaledev wants to merge 1 commit into
Conversation
Component matching keyed on the full purl, which almost always embeds the version (e.g. pkg:npm/lodash@4.17.21). A real-world upgrade therefore produced two different keys and was reported as a removal plus an addition, hiding it from the "upgraded" report entirely — the tool's headline feature. Key components on the version-stripped purl identity (pkg:type/namespace/name), also dropping qualifiers/subpath which can vary between builds, so upgrades are detected whether or not the purl carries a version. Falls back to name when no purl is present. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_014QNV8jcejY3qt1rMd7w7Q2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Component matching in
diff()keys each component on its full purl, which in practice almost always embeds the version — e.g.pkg:npm/lodash@4.17.21. This is exactly the form the README's own examples and real CycloneDX/SPDX generators (Syft, Trivy, cdxgen, …) produce.Because the version is part of the key, an upgraded dependency gets two different keys across the two SBOMs and is reported as a removal plus an addition rather than an upgrade — silently hiding it from the
upgradedreport, the tool's headline feature. Theupgradedpath only ever fired for the uncommon case of a purl-less component matched by name (which is what the existing tests happened to cover).The prior test suite even rationalized the broken behavior as intended:
Two versions of the same package are not two different packages.
Fix
Key components on a version-independent purl identity — the
pkg:type/namespace/nameportion — by stripping the version (@…) plus any qualifiers (?…) and subpath (#…), which can also vary between builds. Components without a purl still fall back to their name. Version comparison for the upgrade itself continues to use the parsedversionfield, so upgrades are now detected whether or not the purl carries a version.Percent-encoding makes this safe for scoped packages: an npm scope like
@angularappears as%40angularin a purl, so the first literal@reliably marks the version boundary.Verification
npm test— 30 passing (was 29). The misleading upgrade test is rewritten to assert a real upgrade is detected from version-bearing purls, and a scoped-package (%40angular/core, with a?type=modulequalifier) major-bump case is added.npm run lint/npm run typecheck— clean.lodash@4.17.20→4.17.21): now reportsUpgraded: 1instead of the previousAdded: 1 / Removed: 1.Before
After
🤖 Generated with Claude Code
https://claude.ai/code/session_014QNV8jcejY3qt1rMd7w7Q2
Generated by Claude Code