fix(diff): detect upgrades when purls embed the version#42
Open
dmchaledev wants to merge 1 commit into
Open
Conversation
Component identity was keyed on the raw purl, but real CycloneDX/SPDX SBOMs embed the version in the purl (e.g. "pkg:npm/lodash@4.17.21"). A version bump therefore produced two distinct keys, so it was reported as one added + one removed component and the "upgraded" bucket (and its isMajorBump logic) stayed empty for virtually every real SBOM. Key components by a version-independent identity: the purl with the "@Version" segment stripped (qualifiers/subpath removed first, and only a literal "@" — not a "%40"-encoded npm scope — treated as the delimiter), falling back to name when no purl is present. Add regression tests for plain, scoped, and distinct-package cases; update the test that had codified the old add/remove behavior as expected. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01G3ef36saEoGYf6ZhTiDDYc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Detecting upgraded dependencies is the tool's marquee feature (
report.upgraded,isMajorBump), but it never fires for real-world SBOMs.Component identity is keyed on the raw
purlinbuildComponentMap. Real CycloneDX/SPDX SBOMs embed the version in the purl (e.g.pkg:npm/lodash@4.17.21), so a version bump yields two distinct keys — the old version becomes a "removed" component and the new one an "added" component, and theupgradedbucket stays empty.Before this change, a routine
lodash 4.17.20 → 4.17.21bump reported:Upgrades were only detected for components with no purl (matched by name) — the uncommon case. The existing
detects version upgradestest even codified the add/remove behavior as "correct."Fix
Key components by a version-independent identity: the purl with the
@versionsegment stripped (pkg:npm/lodash), falling back toname:<name>when no purl is present.stripPurlVersiondrops qualifiers (?…) and subpath (#…) first, then removes the segment after the first literal@following the type/name. An@inside an npm scope is percent-encoded as%40, so a literal@unambiguously begins the version.After the fix the same bump reports:
Tests
%40angular/core) upgrade including major-bump detection, and two distinct packages that must not be collapsed into an upgrade.All 31 tests pass; lint and typecheck clean. No public API or type changes.
🤖 Generated with Claude Code
https://claude.ai/code/session_01G3ef36saEoGYf6ZhTiDDYc
Generated by Claude Code