chore(deps): bump packageurl-js from 1.2.1 to 2.0.1 (#1142)

Bumps [packageurl-js](https://github.com/package-url/packageurl-js) from
1.2.1 to 2.0.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/package-url/packageurl-js/blob/master/CHANGELOG.md">packageurl-js's
changelog</a>.</em></p>
<blockquote>
<h1>2.0.1</h1>
<h2>Bug Fix</h2>
<ul>
<li>Fix decoding problems around the <code>%</code> character <a
href="https://redirect.github.com/package-url/packageurl-js/issues/75">#75</a>
(fix contributed by <a
href="https://github.com/jdalton"><code>@​jdalton</code></a>)</li>
</ul>
<h1>2.0.0</h1>
<ul>
<li>Significant refactor based on code from <a
href="https://github.com/jdalton"><code>@​jdalton</code></a></li>
<li>Numerous bug fixes and improvements the community was asking for
<ul>
<li>See closed issues and PRs for details (too many to list here)</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/package-url/packageurl-js/commit/cd1eb4b050ea66462a729f800166ee0b02fc4c5c"><code>cd1eb4b</code></a>
chore: bump to v2.0.1 (<a
href="https://redirect.github.com/package-url/packageurl-js/issues/77">#77</a>)</li>
<li><a
href="https://github.com/package-url/packageurl-js/commit/f7dccd6dcb82a5a7c898b0e9408f88444be7b6db"><code>f7dccd6</code></a>
fix: error on decode with meaningful message</li>
<li><a
href="https://github.com/package-url/packageurl-js/commit/07b818b64ba4fb1baf74a2ffd1219e1121028730"><code>07b818b</code></a>
fix: only decode in parseString</li>
<li><a
href="https://github.com/package-url/packageurl-js/commit/c2f576f4b6b31590656538e26c97a018190de640"><code>c2f576f</code></a>
bump to v2.0.0 (<a
href="https://redirect.github.com/package-url/packageurl-js/issues/74">#74</a>)</li>
<li><a
href="https://github.com/package-url/packageurl-js/commit/b5660a513295ad99f21cc8e98c4e20a27d4f374b"><code>b5660a5</code></a>
Merge pull request <a
href="https://redirect.github.com/package-url/packageurl-js/issues/73">#73</a>
from package-url/jdalton/sync</li>
<li><a
href="https://github.com/package-url/packageurl-js/commit/400de0cb8ecffcd540f18269b6b2176f4d9a08bd"><code>400de0c</code></a>
Merge pull request <a
href="https://redirect.github.com/package-url/packageurl-js/issues/72">#72</a>
from package-url/dependabot/npm_and_yarn/braces-3.0.3</li>
<li><a
href="https://github.com/package-url/packageurl-js/commit/b6c8ce8abe592f327154b5733cd9aad350337cc3"><code>b6c8ce8</code></a>
fix: correct package-url.d.ts readonly type casing</li>
<li><a
href="https://github.com/package-url/packageurl-js/commit/96822afa27a446be58efad27bcf21f6c27585397"><code>96822af</code></a>
fix: correct param name typos</li>
<li><a
href="https://github.com/package-url/packageurl-js/commit/f81a6be5ef1ffd74ca0a3fc73a684beaec7e5c63"><code>f81a6be</code></a>
fix: use encodeQualifierValue for qualifierKey and qualifierValue</li>
<li><a
href="https://github.com/package-url/packageurl-js/commit/ff590d20a64a89152d4bb2cae3ee32a30bb28755"><code>ff590d2</code></a>
feat: encode qualifiers with URLSearchParams</li>
<li>Additional commits viewable in <a
href="https://github.com/package-url/packageurl-js/compare/v1.2.1...v2.0.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=packageurl-js&package-manager=npm_and_yarn&previous-version=1.2.1&new-version=2.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

> **Note**
> Automatic rebases have been disabled on this pull request as it has
been open for over 30 days.

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jan Kowalleck <[email protected]>

Author: dependabot[bot]

.github/workflows/nodejs.yml

@@ -391,7 +391,7 @@ jobs:
         js-type: [ 'cjs', 'mjs' ]
         include:
           - # lowest reasonable number that works
-            typescript-version: '^3.8'
+            typescript-version: '^4.0'
             nodeTypes-version: '^14'
             js-type: 'cjs'
     env:

HISTORY.md

@@ -18,7 +18,9 @@ All notable changes to this project will be documented in this file.
   * Serializers and `Bom`-Normalizers will take changed `Models.Bom.tools` into account ([#1152] via [#1163])
 * Dependencies
   * Support `libxmljs2@^0.35` (via [#1173])
+  * Use `packageurl-js@^2.0.1`, was `@>=0.0.6 <0.0.8 || ^1` (via [#1142])
 
+[#1142]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1142
 [#1152]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1152
 [#1163]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1163
 [#1173]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1173

package.json

@@ -80,7 +80,7 @@
     "node": ">=14.0.0"
   },
   "dependencies": {
-    "packageurl-js": ">=0.0.6 <0.0.8 || ^1",
+    "packageurl-js": "^2.0.1",
     "spdx-expression-parse": "^3.0.1 || ^4"
   },
   "optionalDependencies": {

src/_helpers/packageUrl.ts

@@ -27,11 +27,11 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 
 import type { PackageURL } from 'packageurl-js'
+import { PurlQualifierNames } from 'packageurl-js'
 
 import {tryCanonicalizeGitUrl} from "../_helpers/gitUrl"
 import { isNotUndefined } from '../_helpers/notUndefined'
 import type { PackageJson } from '../_helpers/packageJson'
-import { PackageUrlQualifierNames } from '../_helpers/packageUrl'
 import { ExternalReferenceType } from '../enums/externalReferenceType'
 import type { Component } from '../models/component'
 import { ExternalReference } from '../models/externalReference'
@@ -137,20 +137,24 @@ export class PackageUrlFactory extends PlainPackageUrlFactory<'npm'> {
   #finalizeQualifiers (purl: PackageURL): PackageURL {
     const qualifiers = new Map(Object.entries(purl.qualifiers ?? {}))
 
-    const downloadUrl = qualifiers.get(PackageUrlQualifierNames.DownloadURL)
+    const downloadUrl = qualifiers.get(PurlQualifierNames.DownloadUrl)
     if (downloadUrl !== undefined) {
-      qualifiers.delete(PackageUrlQualifierNames.VcsUrl)
+      qualifiers.delete(PurlQualifierNames.VcsUrl)
       if (npmDefaultRepositoryMatcher.test(downloadUrl)) {
-        qualifiers.delete(PackageUrlQualifierNames.DownloadURL)
+        qualifiers.delete(PurlQualifierNames.DownloadUrl)
       }
     }
-    if (!qualifiers.has(PackageUrlQualifierNames.DownloadURL) && !qualifiers.has(PackageUrlQualifierNames.VcsUrl)) {
+    if (!qualifiers.has(PurlQualifierNames.DownloadUrl) && !qualifiers.has(PurlQualifierNames.VcsUrl)) {
       // nothing to base a checksum on
-      qualifiers.delete(PackageUrlQualifierNames.Checksum)
+      qualifiers.delete(PurlQualifierNames.Checksum)
+    }
+    if (qualifiers.size > 0) {
+      purl.qualifiers = Object.fromEntries(qualifiers.entries())
+      /* @ts-expect-error TS2322 */
+      purl.qualifiers.__proto__ = null /* eslint-disable-line no-proto -- intended */
+    } else {
+      purl.qualifiers = undefined
     }
-    purl.qualifiers = qualifiers.size > 0
-      ? Object.fromEntries(qualifiers.entries())
-      : undefined
 
     return purl
   }

src/factories/fromNodePackageJson.node.ts

@@ -17,9 +17,8 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-import { PackageURL } from 'packageurl-js'
+import { PackageURL, PurlQualifierNames } from 'packageurl-js'
 
-import { PackageUrlQualifierNames } from '../_helpers/packageUrl'
 import { ExternalReferenceType } from '../enums/externalReferenceType'
 import type { Component } from '../models/component'
 
@@ -37,6 +36,8 @@ export class PackageUrlFactory<PurlType extends PackageURL['type'] = PackageURL[
   /* eslint-disable-next-line @typescript-eslint/no-inferrable-types -- docs */
   makeFromComponent (component: Component, sort: boolean = false): PackageURL | undefined {
     const qualifiers: PackageURL['qualifiers'] = {}
+    /* @ts-expect-error TS2322 */
+    qualifiers.__proto__ = null /* eslint-disable-line no-proto -- intended */
     let subpath: PackageURL['subpath'] = undefined
 
     // sorting to allow reproducibility: use the last instance for a `extRef.type`, if multiples exist
@@ -55,17 +56,17 @@ export class PackageUrlFactory<PurlType extends PackageURL['type'] = PackageURL[
       /* eslint-disable-next-line @typescript-eslint/switch-exhaustiveness-check -- intended */
       switch (extRef.type) {
         case ExternalReferenceType.VCS:
-          [qualifiers[PackageUrlQualifierNames.VcsUrl], subpath] = url.split('#', 2)
+          [qualifiers[PurlQualifierNames.VcsUrl], subpath] = url.split('#', 2)
           break
         case ExternalReferenceType.Distribution:
-          qualifiers[PackageUrlQualifierNames.DownloadURL] = url
+          qualifiers[PurlQualifierNames.DownloadUrl] = url
           break
       }
     }
 
     const hashes = component.hashes
     if (hashes.size > 0) {
-      qualifiers[PackageUrlQualifierNames.Checksum] = Array.from(
+      qualifiers[PurlQualifierNames.Checksum] = Array.from(
         sort
           ? hashes.sorted()
           : hashes,

src/factories/packageUrl.ts

@@ -251,7 +251,7 @@ suite('integration: Factories.FromNodePackageJson.PackageUrlFactory', () => {
           vcs_url: 'git+https://foo.bar/repo.git'
         }, undefined)
       // expect objet's keys in alphabetical oder, expect sorted hash list
-      const expectedString = 'pkg:testing/name?checksum=blake3%3Aaa51dcd43d5c6c5203ee16906fd6b35db298b9b2e1de3fce81811d4806b76b7d%2Csha-256%3Ac3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2&vcs_url=git%2Bhttps%3A//foo.bar/repo.git'
+      const expectedString = 'pkg:testing/name?checksum=blake3%3Aaa51dcd43d5c6c5203ee16906fd6b35db298b9b2e1de3fce81811d4806b76b7d%2Csha-256%3Ac3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2&vcs_url=git%2Bhttps%3A%2F%2Ffoo.bar%2Frepo.git'
 
       const actual = sut.makeFromComponent(component, true)
 
@@ -287,7 +287,7 @@ suite('integration: Factories.FromNodePackageJson.PackageUrlFactory', () => {
           download_url: 'https://foo.bar/download-2'
         }, undefined)
       // expect objet's keys in alphabetical oder, expect sorted hash list
-      const expectedString = 'pkg:testing/name?download_url=https%3A//foo.bar/download-2'
+      const expectedString = 'pkg:testing/name?download_url=https%3A%2F%2Ffoo.bar%2Fdownload-2'
 
       const actual1 = sut.makeFromComponent(component1, true)
       const actual2 = sut.makeFromComponent(component2, true)

tests/integration/Factories.FromNodePackageJson.PackageUrlFactory.test.js

@@ -174,7 +174,7 @@ suite('integration: Factories.PackageUrlFactory', () => {
           vcs_url: 'git+https://foo.bar/repo.git'
         }, undefined)
       // expect objet's keys in alphabetical oder, expect sorted hash list
-      const expectedString = 'pkg:testing/name?checksum=blake3%3Aaa51dcd43d5c6c5203ee16906fd6b35db298b9b2e1de3fce81811d4806b76b7d%2Csha-256%3Ac3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2&download_url=https%3A//foo.bar/download&vcs_url=git%2Bhttps%3A//foo.bar/repo.git'
+      const expectedString = 'pkg:testing/name?checksum=blake3%3Aaa51dcd43d5c6c5203ee16906fd6b35db298b9b2e1de3fce81811d4806b76b7d%2Csha-256%3Ac3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2&download_url=https%3A%2F%2Ffoo.bar%2Fdownload&vcs_url=git%2Bhttps%3A%2F%2Ffoo.bar%2Frepo.git'
 
       const actual = sut.makeFromComponent(component, true)
 
@@ -213,7 +213,7 @@ suite('integration: Factories.PackageUrlFactory', () => {
           vcs_url: 'git+https://foo.bar/repo.git'
         }, undefined)
       // expect objet's keys in alphabetical oder, expect sorted hash list
-      const expectedString = 'pkg:testing/name?download_url=https%3A//foo.bar/download-2&vcs_url=git%2Bhttps%3A//foo.bar/repo.git'
+      const expectedString = 'pkg:testing/name?download_url=https%3A%2F%2Ffoo.bar%2Fdownload-2&vcs_url=git%2Bhttps%3A%2F%2Ffoo.bar%2Frepo.git'
 
       const actual1 = sut.makeFromComponent(component1, true)
       const actual2 = sut.makeFromComponent(component2, true)