refactor: remove packageurl-python dependency completely

saquibsaifee · claude · saquibsaifee · commit 60e4665d7c1d · 2026-04-22T00:45:37.000-04:00
Completely remove packageurl-python from the project - both runtime and dev
dependencies. The library now treats PURL as an opaque string, aligning with
the CycloneDX specification.

Changes:
- Component.purl strictly accepts and returns Optional[str]
- Removed all packageurl imports from source and test files
- Updated test data to use PURL string format directly
- Regenerated snapshots with updated PURL string representation

BREAKING CHANGE: Component.purl no longer accepts PackageURL objects
- Type changed from Optional[PackageURL] to Optional[str]
- Bom.get_component_by_purl() now requires string argument
- Users must update code to pass PURL as a plain string

Co-Authored-By: Claude Haiku 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/cyclonedx/model/component.py b/cyclonedx/model/component.py
@@ -1389,7 +1389,7 @@ def purl(self) -> Optional[str]:
 
     @purl.setter
     def purl(self, purl: Optional[str]) -> None:
-        self._purl = None if purl is None else str(purl)
+        self._purl = purl
 
     @property
     @serializable.json_name('omniborId')
diff --git a/pyproject.toml b/pyproject.toml
@@ -84,7 +84,6 @@ json-validation = ["jsonschema", "referencing"]
 xml-validation = ["lxml"]
 
 [tool.poetry.group.dev.dependencies]
-packageurl-python = ">=0.11, <2"
 ddt = "1.7.2"
 coverage = "7.10.7"
 flake8 = "7.3.0"
diff --git a/tests/_data/models.py b/tests/_data/models.py
@@ -24,9 +24,6 @@
 from typing import Any, Optional
 from uuid import UUID
 
-# See https://github.com/package-url/packageurl-python/issues/65
-from packageurl import PackageURL
-
 from cyclonedx.builder.this import this_component, this_tool
 from cyclonedx.model import (
     AttachedText,
@@ -482,9 +479,7 @@ def get_bom_with_component_evidence() -> Bom:
     component = Component(
         name='setuptools', version='50.3.2',
         bom_ref='pkg:pypi/setuptools@50.3.2?extension=tar.gz',
-        purl=PackageURL(
-            type='pypi', name='setuptools', version='50.3.2', qualifiers='extension=tar.gz'
-        ),
+        purl='pkg:pypi/setuptools@50.3.2?extension=tar.gz',
         licenses=[DisjunctiveLicense(id='MIT')],
         author='Test Author'
     )
@@ -845,9 +840,7 @@ def get_component_setuptools_simple(
     return Component(
         name='setuptools', version='50.3.2',
         bom_ref=bom_ref,
-        purl=PackageURL(
-            type='pypi', name='setuptools', version='50.3.2', qualifiers='extension=tar.gz'
-        ),
+        purl='pkg:pypi/setuptools@50.3.2?extension=tar.gz',
         licenses=[DisjunctiveLicense(id='MIT')],
         author='Test Author'
     )
@@ -856,9 +849,7 @@ def get_component_setuptools_simple(
 def get_component_setuptools_simple_no_version(bom_ref: Optional[str] = None) -> Component:
     return Component(
         name='setuptools', bom_ref=bom_ref or 'pkg:pypi/setuptools?extension=tar.gz',
-        purl=PackageURL(
-            type='pypi', name='setuptools', qualifiers='extension=tar.gz'
-        ),
+        purl='pkg:pypi/setuptools?extension=tar.gz',
         licenses=[DisjunctiveLicense(id='MIT')],
         author='Test Author'
     )
@@ -867,9 +858,7 @@ def get_component_setuptools_simple_no_version(bom_ref: Optional[str] = None) ->
 def get_component_toml_with_hashes_with_references(bom_ref: Optional[str] = None) -> Component:
     return Component(
         name='toml', version='0.10.2', bom_ref=bom_ref or 'pkg:pypi/toml@0.10.2?extension=tar.gz',
-        purl=PackageURL(
-            type='pypi', name='toml', version='0.10.2', qualifiers='extension=tar.gz'
-        ), hashes=[
+        purl='pkg:pypi/toml@0.10.2?extension=tar.gz', hashes=[
             HashType.from_composite_str('sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b')
         ], external_references=[
             get_external_reference_1()
@@ -1365,19 +1354,13 @@ def get_bom_for_issue_598_multiple_components_with_purl_qualifiers() -> Bom:
     return _make_bom(components=[
         Component(
             name='dummy', version='2.3.5', bom_ref='dummy-a',
-            purl=PackageURL(
-                type='pypi', namespace=None, name='pathlib2', version='2.3.5', subpath=None,
-                qualifiers={}
-            )
+            purl='pkg:pypi/pathlib2@2.3.5'
         ),
         Component(
             name='dummy', version='2.3.5', bom_ref='dummy-b',
-            purl=PackageURL(
-                type='pypi', namespace=None, name='pathlib2', version='2.3.5', subpath=None,
-                qualifiers={
-                    'vcs_url': 'git+https://github.com/jazzband/pathlib2.git@5a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6'
-                }
-            )
+            purl='pkg:pypi/pathlib2@2.3.5'
+                 '?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git'
+                 '%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6'
         )
     ])
 
diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.0.xml.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.0.xml.bin
@@ -10,7 +10,7 @@
     <component type="library">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
       <modified>false</modified>
     </component>
   </components>
diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.1.xml.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.1.xml.bin
@@ -9,7 +9,7 @@
     <component type="library" bom-ref="dummy-b">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
     </component>
   </components>
 </bom>
diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.2.json.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.2.json.bin
@@ -10,7 +10,7 @@
     {
       "bom-ref": "dummy-b",
       "name": "dummy",
-      "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
+      "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
       "type": "library",
       "version": "2.3.5"
     }
diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.2.xml.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.2.xml.bin
@@ -12,7 +12,7 @@
     <component type="library" bom-ref="dummy-b">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
     </component>
   </components>
   <dependencies>
diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.3.json.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.3.json.bin
@@ -10,7 +10,7 @@
     {
       "bom-ref": "dummy-b",
       "name": "dummy",
-      "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
+      "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
       "type": "library",
       "version": "2.3.5"
     }
diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.3.xml.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.3.xml.bin
@@ -12,7 +12,7 @@
     <component type="library" bom-ref="dummy-b">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
     </component>
   </components>
   <dependencies>
diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.4.json.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.4.json.bin
@@ -10,7 +10,7 @@
     {
       "bom-ref": "dummy-b",
       "name": "dummy",
-      "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
+      "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
       "type": "library",
       "version": "2.3.5"
     }
diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.4.xml.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.4.xml.bin
@@ -12,7 +12,7 @@
     <component type="library" bom-ref="dummy-b">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
     </component>
   </components>
   <dependencies>
diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.5.json.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.5.json.bin
@@ -10,7 +10,7 @@
     {
       "bom-ref": "dummy-b",
       "name": "dummy",
-      "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
+      "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
       "type": "library",
       "version": "2.3.5"
     }
diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.5.xml.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.5.xml.bin
@@ -12,7 +12,7 @@
     <component type="library" bom-ref="dummy-b">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
     </component>
   </components>
   <dependencies>
diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.6.json.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.6.json.bin
@@ -10,7 +10,7 @@
     {
       "bom-ref": "dummy-b",
       "name": "dummy",
-      "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
+      "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
       "type": "library",
       "version": "2.3.5"
     }
diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.6.xml.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.6.xml.bin
@@ -12,7 +12,7 @@
     <component type="library" bom-ref="dummy-b">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
     </component>
   </components>
   <dependencies>
diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.7.json.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.7.json.bin
@@ -10,7 +10,7 @@
     {
       "bom-ref": "dummy-b",
       "name": "dummy",
-      "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
+      "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
       "type": "library",
       "version": "2.3.5"
     }
diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.7.xml.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.7.xml.bin
@@ -12,7 +12,7 @@
     <component type="library" bom-ref="dummy-b">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+      <purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
     </component>
   </components>
   <dependencies>
diff --git a/tests/test_component.py b/tests/test_component.py
@@ -18,9 +18,6 @@
 from os.path import join
 from unittest import TestCase
 
-# See https://github.com/package-url/packageurl-python/issues/65
-from packageurl import PackageURL
-
 from cyclonedx.contrib.component.builders import ComponentBuilder
 from cyclonedx.model.component import Component
 from tests import OWN_DATA_DIRECTORY
@@ -36,29 +33,18 @@ def test_purl_correct(self) -> None:
         )
 
     def test_purl_incorrect_version(self) -> None:
-        purl = PackageURL(
-            type='pypi', name='setuptools', version='50.3.1'
-        )
+        incorrect_purl = 'pkg:pypi/setuptools@50.3.1'
         self.assertNotEqual(
-            str(purl),
-            str(get_component_setuptools_simple().purl)
+            incorrect_purl,
+            get_component_setuptools_simple().purl
         )
-        self.assertEqual(purl.type, 'pypi')
-        self.assertEqual(purl.name, 'setuptools')
-        self.assertEqual(purl.version, '50.3.1')
 
     def test_purl_incorrect_name(self) -> None:
-        purl = PackageURL(
-            type='pypi', name='setuptoolz', version='50.3.2', qualifiers='extension=tar.gz'
-        )
+        incorrect_purl = 'pkg:pypi/setuptoolz@50.3.2?extension=tar.gz'
         self.assertNotEqual(
-            str(purl),
-            str(get_component_setuptools_simple().purl)
+            incorrect_purl,
+            get_component_setuptools_simple().purl
         )
-        self.assertEqual(purl.type, 'pypi')
-        self.assertEqual(purl.name, 'setuptoolz')
-        self.assertEqual(purl.version, '50.3.2')
-        self.assertEqual(purl.qualifiers, {'extension': 'tar.gz'})
 
     def test_from_xml_file_with_path_for_bom(self) -> None:
         test_file = join(OWN_DATA_DIRECTORY, 'xml', '1.4', 'bom_setuptools.xml')
@@ -67,14 +53,6 @@ def test_from_xml_file_with_path_for_bom(self) -> None:
         expected_version = f'0.0.0-{sha1_hash[0:12]}'
         self.assertEqual(c.name, 'fixtures/bom_setuptools.xml')
         self.assertEqual(c.version, expected_version)
-        purl = PackageURL(
-            type='generic', name='fixtures/bom_setuptools.xml', version=expected_version
-        )
-        self.assertEqual(c.purl, str(purl))
+        expected_purl = f'pkg:generic/fixtures/bom_setuptools.xml@{expected_version}'
+        self.assertEqual(c.purl, expected_purl)
         self.assertEqual(len(c.hashes), 1)
-
-    def test_purl_casted_to_string(self) -> None:
-        purl = PackageURL(type='pypi', name='example', version='1.2.3')
-        component = Component(name='example', purl=purl)
-
-        self.assertEqual(component.purl, str(purl))

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`{`
`11`	`11`	`"bom-ref": "dummy-b",`
`12`	`12`	`"name": "dummy",`
`13`		`- "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",`
	`13`	`+ "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",`
`14`	`14`	`"type": "library",`
`15`	`15`	`"version": "2.3.5"`
`16`	`16`	`}`