Currently, packageurl-js package parses the name of an npm package from the purl case-sensitively only in specific cases for some legacy npm packages. (Thanks @lamppu for the analysis.)
See:

packageurl-js/src/purl-type.js, lines 139 to 143 in bb4185a:

```js
// Ignore lowercasing legacy names because they could be mixed case.
// https://github.com/npm/validate-npm-package-name/tree/v6.0.0?tab=readme-ov-file#legacy-names
if (!isNpmLegacyName(getNpmId(purl))) {
  lowerName(purl)
}
```

According to this discussion in this purl-spec issue, that conditional behavior seems to be wrong, and mixed case packages should be unconditionally allowed (see the last comment from @pombredanne).

@jdalton, do you think a fix and release would be doable soon?
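The following sketch is an added example, not packageurl-js code and not part of the original issue. It compares the conditional lowercasing described above with unconditional case preservation over a list of npm purls, so an SBOM or vulnerability-matching pipeline can see which component identities would change. `LEGACY_NAMES` is a hypothetical stand-in for `isNpmLegacyName`, and the parser and sample purls are constructed for illustration.

```javascript
// Added example (assumptions): LEGACY_NAMES stands in for isNpmLegacyName();
// the package names below are constructed, not real registry entries.
const LEGACY_NAMES = new Set(['OldMixedCase']);

// Minimal parser for pkg:npm/[namespace/]name[@version][?qualifiers][#subpath]
function parseNpmPurl(purl) {
  const m = /^pkg:npm\/([^?#]+)/i.exec(purl);
  if (!m) throw new Error(`not an npm purl: ${purl}`);
  let path = m[1];
  let version;
  const at = path.lastIndexOf('@'); // index 0 would be an unencoded scope, not a version
  if (at > 0) {
    version = decodeURIComponent(path.slice(at + 1));
    path = path.slice(0, at);
  }
  const segs = path.split('/').filter(Boolean).map(decodeURIComponent);
  const name = segs.pop();
  const namespace = segs.length ? segs.join('/') : undefined;
  return { namespace, name, version };
}

const npmId = ({ namespace, name }) => (namespace ? `${namespace}/${name}` : name);

// Behaviour described in the issue: lowercase the name unless the id is a legacy name.
function conditionalKey(p) {
  const id = npmId(p);
  if (LEGACY_NAMES.has(id)) return id;
  return npmId({ namespace: p.namespace, name: p.name.toLowerCase() });
}

// Behaviour requested in the issue: keep the name exactly as written.
const preservingKey = (p) => npmId(p);

// Report components whose identity differs between the two policies.
function findCaseDrift(purls) {
  return purls
    .map(parseNpmPurl)
    .filter((p) => conditionalKey(p) !== preservingKey(p))
    .map((p) => ({ written: preservingKey(p), lowered: conditionalKey(p) }));
}

// Constructed inventory: one "legacy" name, one other mixed-case name, one scoped name.
const SAMPLE_PURLS = [
  'pkg:npm/OldMixedCase@1.0.0',
  'pkg:npm/NewMixedCase@2.1.0',
  'pkg:npm/%40scope/plain@0.3.0',
];
console.log(findCaseDrift(SAMPLE_PURLS));
```

Any entry the function reports is a component that would be looked up under a different name than the one recorded, which matters when purls are used as keys for advisory or license matching.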