Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proposal: Add version ranges #93

Closed
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion README.rst
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ The defintion for each components is:
- **namespace**: some name prefix such as a Maven groupid, a Docker image owner,
a GitHub user or organization. Optional and type-specific.
- **name**: the name of the package. Required.
- **version**: the version of the package. Optional.
- **version**: the version or version specifier of the package. Optional.
- **qualifiers**: extra qualifying data for a package such as an OS,
architecture, a distro, etc. Optional and type-specific.
- **subpath**: extra subpath within a package, relative to the package root.
Expand Down Expand Up @@ -257,6 +257,14 @@ The rules for each component are:
conventions such as semver for NPMs or nevra conventions for RPMS. A `type`
may define a procedure to compare and sort versions, but there is no
reliable and uniform way to do such comparison consistently.
- Version ranges may also be provided for search capabilities.
For example, in a vulnerability report it
may be important to say "versions 1.1.3 through 4.2.6 are vulnerable".
Ranges may be specified following
[node-semver](https://github.com/npm/node-semver)i syntax; note that
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm in favor of this choice. Makes my life much easier 😂

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@isaacs I eventually merged https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst which is already in use in CycloneDX and CSAF. We needed to design something that works beyond npm, node-semver ranges.

spaces must be encoded as `%20%`.
Note that version ranges are only intended for use in searches, and
should NOT be used when specifying the content of an actual package.


- **qualifiers**:
Expand Down