feat: use packageurl-js for correct PURL encoding across ecosystems

[Alexandros Kapravelos (kapravel)]

Summary

• Use packageurl-js for PURL construction instead of hand-rolled string building, correctly handling scoped npm packages (%40 encoding), golang namespace/name splitting, and maven groupId:artifactId format
• Fix API response PURL reconstruction to include the namespace field, so scoped packages like @babel/core are no longer truncated to core
• Add integration tests for npm scoped, pypi, golang, maven, nuget, and cargo ecosystems

Test plan

• All 34 tests pass (0 skipped, 0 failed)
• Lint passes
• TypeScript type check passes
• buildPurl unit tests cover all ecosystems (npm scoped/unscoped, pypi, gem, golang, maven, nuget, cargo)
• Integration tests verify scoped npm packages resolve correctly against the live API

Made with Cursor

[socket-security-staging]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​types/​node@​24.10.9 ⏵ 24.12.0			+1
	npm/​packageurl-js@​2.0.1
	npm/​semver@​7.7.3 ⏵ 7.7.4
	npm/​pino@​10.3.0 ⏵ 10.3.1

View full report

[socket-security-staging]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Low adoption: npm @package-json/types Location: Package overview From: pnpm-lock.yaml → npm/neostandard@0.12.2 → npm/@package-json/types@0.0.12 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore npm/@package-json/types@0.0.12. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm node-exports-info Location: Package overview From: pnpm-lock.yaml → npm/neostandard@0.12.2 → npm/node-exports-info@1.6.0 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore npm/node-exports-info@1.6.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​types/​node@​24.10.9 ⏵ 24.12.0			+1
	npm/​packageurl-js@​2.0.1
	npm/​semver@​7.7.3 ⏵ 7.7.4
	npm/​pino@​10.3.0 ⏵ 10.3.1

View full report