Package URL Python Library

Warnings

• breaking Support for Python 3.7 was dropped in version 0.16.0. Users on Python 3.7 or older must upgrade their Python environment to at least 3.8 before upgrading to `packageurl-python` 0.16.0 or newer.
  Fix: Upgrade Python to 3.8 or newer, or pin `packageurl-python<0.16.0`.
• breaking The `purl2url` utility's support for generating download URLs for `qpkg` package types was removed in version 0.17.5. Code relying on this specific conversion will break.
  Fix: Review `purl2url` usage, especially for `qpkg` types. Alternative methods for generating `qpkg` download URLs may be required.
• gotcha Prior to version 0.17.0, parsing of package names and namespaces containing colons might have been incorrect. Ensure that PURLs with colons are parsed as expected, especially if migrating from older versions.
  Fix: Upgrade to `packageurl-python` 0.17.0 or newer to correctly handle colons in names and namespaces.
• gotcha The `url2purl` and `purl2url` utility functions frequently receive updates and behavior changes across minor versions (e.g., adding support for new URL patterns, removing support for others). Relying heavily on their exact output for all possible inputs may lead to unexpected results on upgrades.
  Fix: Thoroughly test `url2purl` and `purl2url` behavior after any `packageurl-python` upgrade, particularly for critical parsing or generation flows.
• gotcha Version 0.17.2 introduced an `encode` keyword argument to the `.to_string()` method. If you rely on specific encoding behavior for your PURL strings, you might need to explicitly set this argument for consistency or to handle special characters.
  Fix: Consider explicitly using the `encode` argument in `.to_string()` for predictable output, e.g., `purl.to_string(encode=True)`.

Install

• pip install packageurl-python Install latest version

Imports

• PackageURL

  from packageurl import PackageURL

Quickstart

Demonstrates how to parse a Package URL string into a PackageURL object, access its individual components, and then convert it back to a dictionary or string. It also shows how to construct a PackageURL object from its constituent parts.

from packageurl import PackageURL

# Create a PackageURL from a string
purl_string = "pkg:maven/org.apache.commons/io@1.3.4?checksum=25b8109d"
purl = PackageURL.from_string(purl_string)

# Access components
print(f"Type: {purl.type}")
print(f"Namespace: {purl.namespace}")
print(f"Name: {purl.name}")
print(f"Version: {purl.version}")
print(f"Qualifiers: {purl.qualifiers}")
print(f"Subpath: {purl.subpath}")

# Convert to dictionary or string
print(f"As dict: {purl.to_dict()}")
print(f"As string: {purl.to_string()}")

# Build a PackageURL from components
new_purl = PackageURL(type='npm', name='react', version='18.2.0', qualifiers={'foo': 'bar'})
print(f"New PURL: {new_purl.to_string()}")