fix(diff): detect version upgrades when purls include the version#44
Open
dmchaledev wants to merge 1 commit into
Open
fix(diff): detect version upgrades when purls include the version#44dmchaledev wants to merge 1 commit into
dmchaledev wants to merge 1 commit into
Conversation
Real-world SBOM generators (syft, cdxgen, trivy) embed the version in the purl, e.g. "pkg:npm/lodash@4.17.21". buildComponentMap keyed components on the full purl, so an upgraded package received two different keys and was reported as a spurious removed + added pair instead of an upgrade — leaving the `upgraded` list effectively always empty for real SBOMs, which defeats the tool's core purpose. Key components on a version-independent purl coordinate (purl with the `@version` segment stripped, bounded by any ?qualifiers/#subpath), so the same package matches across SBOMs and genuine version changes are detected. Handles scoped npm namespaces (%40) and purl qualifiers. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TbSanSfxx5hSGA6prTYxfs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Detecting version upgrades is the tool's flagship feature, but it is broken for real-world SBOMs.
buildComponentMapkeyed components on the full purl (comp.purl ?? comp.name). Every mainstream SBOM generator — syft, cdxgen, trivy — embeds the version in the purl, e.g.pkg:npm/lodash@4.17.21. So when a package is upgraded, its old and new entries get two different keys, and the diff reports a spurious removed + added pair instead of an upgrade. In practice theupgradedlist is almost always empty for real SBOMs.The old test acknowledged and rationalized this (
"different purls are different packages"), but for a dependency-diffing tool that is exactly the case that must be caught.Before this fix
A routine
lodash 4.17.20 → 4.17.21,react 17 → 18bump reported:After
Change
@versionsegment stripped, bounded by any?qualifiers/#subpathsuffix. The same package now matches across SBOMs, so genuine version changes flow through the existing upgrade path (includingisMajorBump).pkg:npm/%40angular/core@16.0.0— the scope's@is%40-encoded, so only the version@is unescaped) and purl qualifiers.namewhen no purl is present (unchanged behavior).Tests
🤖 Generated with Claude Code
https://claude.ai/code/session_01TbSanSfxx5hSGA6prTYxfs
Generated by Claude Code