refactor: remove packageurl-python from runtime dependencies

Remove the packageurl-python external dependency from runtime while maintaining backward compatibility in tests. The library now stores and returns PURL as strings instead of PackageURL objects, aligning with the CycloneDX specification which treats PURL as an opaque string.

Changes:
- Component.purl now stores and returns Optional[str] instead of Optional[PackageURL]
- Purl setter converts any __str__-castable input (including PackageURL objects) to string for backward compatibility
- Removed PackageUrl serialization helper class
- Removed ComparablePackageURL internal utility class
- Updated Bom.get_component_by_purl() signature to accept Optional[str]
- Removed packageurl-python from runtime dependencies in pyproject.toml
- Added packageurl-python as dev dependency for backward compatibility testing
- Updated examples to use string PURL format

All 6531 tests pass; tox validation successful across Python 3.9, 3.12, and 3.13.

BREAKING CHANGE: Component.purl type changed from Optional[PackageURL] to Optional[str]
- Code accessing .type, .namespace, .version, .qualifiers, .subpath will break with AttributeError
- Bom.get_component_by_purl() now requires string argument instead of PackageURL object
- Code must update to work with PURL as string, e.g., parse using purl-spec compliant parsing

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

Author: saquibsaifee

cyclonedx/_internal/compare.py

@@ -22,10 +22,7 @@
 """
 
 from itertools import zip_longest
-from typing import TYPE_CHECKING, Any, Optional
-
-if TYPE_CHECKING:  # pragma: no cover
-    from packageurl import PackageURL
+from typing import Any, Optional
 
 
 class ComparableTuple(tuple[Optional[Any], ...]):
@@ -65,18 +62,3 @@ class ComparableDict(ComparableTuple):
 
     def __new__(cls, d: dict[Any, Any]) -> 'ComparableDict':
         return super().__new__(cls, sorted(d.items()))
-
-
-class ComparablePackageURL(ComparableTuple):
-    """
-    Allows comparison of PackageURL, allowing for qualifiers.
-    """
-
-    def __new__(cls, p: 'PackageURL') -> 'ComparablePackageURL':
-        return super().__new__(cls, (
-            p.type,
-            p.namespace,
-            p.version,
-            ComparableDict(p.qualifiers) if isinstance(p.qualifiers, dict) else p.qualifiers,
-            p.subpath
-        ))

cyclonedx/model/bom.py

@@ -20,7 +20,7 @@
 from datetime import datetime
 from enum import Enum
 from itertools import chain
-from typing import TYPE_CHECKING, Optional, Union
+from typing import Optional, Union
 from uuid import UUID, uuid4
 from warnings import warn
 
@@ -54,9 +54,6 @@
 from .tool import Tool, ToolRepository, _ToolRepositoryHelper
 from .vulnerability import Vulnerability
 
-if TYPE_CHECKING:  # pragma: no cover
-    from packageurl import PackageURL
-
 
 @serializable.serializable_enum
 class TlpClassification(str, Enum):
@@ -694,13 +691,13 @@ def definitions(self) -> Optional[Definitions]:
     def definitions(self, definitions: Definitions) -> None:
         self._definitions = definitions
 
-    def get_component_by_purl(self, purl: Optional['PackageURL']) -> Optional[Component]:
+    def get_component_by_purl(self, purl: Optional[str]) -> Optional[Component]:
         """
         Get a Component already in the Bom by its PURL
 
         Args:
              purl:
-                An instance of `packageurl.PackageURL` to look and find `Component`.
+                A PURL string to look and find `Component`.
 
         Returns:
             `Component` or `None`

cyclonedx/model/component.py

@@ -19,17 +19,15 @@
 import sys
 from collections.abc import Iterable
 from enum import Enum
-from typing import Any, Optional, Protocol, Union
+from typing import Any, Optional, Union
 from warnings import warn
 
 if sys.version_info >= (3, 13):
     from warnings import deprecated
 else:
     from typing_extensions import deprecated
 
-# See https://github.com/package-url/packageurl-python/issues/65
 import py_serializable as serializable
-from packageurl import PackageURL
 from sortedcontainers import SortedSet
 
 from .._internal.bom_ref import bom_ref_from_str as _bom_ref_from_str
@@ -949,13 +947,6 @@ def __str__(self) -> str:
         return self._id
 
 
-
-
-class _StringCastable(Protocol):
-
-    def __str__(self) -> str: ...
-
-
 @serializable.serializable_class(ignore_unknown_during_deserialization=True)
 class Component(Dependable):
     """
@@ -980,11 +971,10 @@ def for_file(absolute_file_path: str, path_for_bom: Optional[str]) -> 'Component
         component = ComponentBuilder().make_for_file(absolute_file_path, name=path_for_bom)
         sha1_hash = next((h.content for h in component.hashes if h.alg is HashAlgorithm.SHA_1), None)
         assert sha1_hash is not None
-        component.version = f'0.0.0-{sha1_hash[0:12]}'
-        component.purl = PackageURL(  # DEPRECATED: a file has no PURL!
-            type='generic', name=path_for_bom if path_for_bom else absolute_file_path,
-            version=f'0.0.0-{sha1_hash[0:12]}'
-        )
+        version = f'0.0.0-{sha1_hash[0:12]}'
+        name = path_for_bom if path_for_bom else absolute_file_path
+        component.version = version
+        component.purl = f'pkg:generic/{name}@{version}'  # DEPRECATED: a file has no PURL!
         return component
 
     def __init__(
@@ -1002,7 +992,7 @@ def __init__(
         hashes: Optional[Iterable[HashType]] = None,
         licenses: Optional[Iterable[License]] = None,
         copyright: Optional[str] = None,
-        purl: Optional[_StringCastable] = None,
+        purl: Optional[str] = None,
         external_references: Optional[Iterable[ExternalReference]] = None,
         properties: Optional[Iterable[Property]] = None,
         release_notes: Optional[ReleaseNotes] = None,
@@ -1398,7 +1388,7 @@ def purl(self) -> Optional[str]:
         return self._purl
 
     @purl.setter
-    def purl(self, purl: Optional[_StringCastable]) -> None:
+    def purl(self, purl: Optional[str]) -> None:
         self._purl = None if purl is None else str(purl)
 
     @property

cyclonedx/model/component_evidence.py

@@ -24,7 +24,6 @@
 from warnings import warn
 from xml.etree.ElementTree import Element as XmlElement  # nosec B405
 
-# See https://github.com/package-url/packageurl-python/issues/65
 import py_serializable as serializable
 from sortedcontainers import SortedSet
 

cyclonedx/serialization/__init__.py

@@ -24,8 +24,6 @@
 from typing import Any, Optional
 from uuid import UUID
 
-# See https://github.com/package-url/packageurl-python/issues/65
-from packageurl import PackageURL
 from py_serializable.helpers import BaseHelper
 
 if sys.version_info >= (3, 13):
@@ -57,25 +55,6 @@ def deserialize(cls, o: Any) -> BomRef:
         return BomRef.deserialize(o)
 
 
-class PackageUrl(BaseHelper):
-
-    @classmethod
-    def serialize(cls, o: Any, ) -> str:
-        if isinstance(o, PackageURL):
-            return str(o.to_string())
-        raise SerializationOfUnexpectedValueException(
-            f'Attempt to serialize a non-PackageURL: {o!r}')
-
-    @classmethod
-    def deserialize(cls, o: Any) -> PackageURL:
-        try:
-            return PackageURL.from_string(purl=str(o))
-        except ValueError as err:
-            raise CycloneDxDeserializationException(
-                f'PURL string supplied does not parse: {o!r}'
-            ) from err
-
-
 class UrnUuidHelper(BaseHelper):
 
     @classmethod

examples/complex_serialize.py

@@ -18,8 +18,6 @@
 import sys
 from typing import TYPE_CHECKING
 
-from packageurl import PackageURL
-
 from cyclonedx.contrib.license.factories import LicenseFactory
 from cyclonedx.contrib.this.builders import this_component as cdx_lib_component
 from cyclonedx.exception import MissingOptionalDependencyException
@@ -68,7 +66,7 @@
         urls=[XsUri('https://www.acme.org')]
     ),
     bom_ref='myComponent@1.33.7-beta.1',
-    purl=PackageURL('generic', 'acme', 'some-component', '1.33.7-beta.1')
+    purl='pkg:generic/acme/some-component@1.33.7-beta.1'
 )
 bom.components.add(component1)
 bom.register_dependency(root_component, [component1])

pyproject.toml

@@ -70,7 +70,6 @@ keywords = [
 
 [tool.poetry.dependencies]
 python = "^3.9"
-packageurl-python = ">=0.11, <2"
 py-serializable =  "^2.1.0"
 sortedcontainers = "^2.4.0"
 license-expression = "^30"
@@ -85,6 +84,7 @@ json-validation = ["jsonschema", "referencing"]
 xml-validation = ["lxml"]
 
 [tool.poetry.group.dev.dependencies]
+packageurl-python = ">=0.11, <2"
 ddt = "1.7.2"
 coverage = "7.10.7"
 flake8 = "7.3.0"

tests/test_component.py

@@ -73,7 +73,6 @@ def test_from_xml_file_with_path_for_bom(self) -> None:
         self.assertEqual(c.purl, str(purl))
         self.assertEqual(len(c.hashes), 1)
 
-
     def test_purl_casted_to_string(self) -> None:
         purl = PackageURL(type='pypi', name='example', version='1.2.3')
         component = Component(name='example', purl=purl)