Accept pnpm id with parens in the version component

jdalton · jdalton · commit da9a6aebf9e1 · 2025-04-18T12:08:08.000-06:00
diff --git a/src/package-url.js b/src/package-url.js
@@ -168,10 +168,14 @@ class PackageURL {
     }
 
     let rawVersion
-    let atSignIndex = pathname.lastIndexOf('@')
-    // Handle unencoded leading '@' characters. This is a small break from
-    // the specification to make parsing more forgiving so that users don't
-    // have to deal with it.
+    let atSignIndex =
+      rawType === 'npm'
+        ? // Deviate from the specification to handle a special npm purl type case for
+          // pnpm ids such as 'pkg:npm/next@14.2.10(react-dom@18.3.1(react@18.3.1))(react@18.3.1)'.
+          pathname.indexOf('@', firstSlashIndex + 2)
+        : pathname.lastIndexOf('@')
+    // When a forward slash ('/') is directly preceding an '@' symbol,
+    // then the '@' symbol is NOT considered a version separator.
     if (
       atSignIndex !== -1 &&
       pathname.charCodeAt(atSignIndex - 1) === 47 /*'/'*/
diff --git a/test/data/contrib-tests.json b/test/data/contrib-tests.json
@@ -142,5 +142,17 @@
     "qualifiers": null,
     "subpath": null,
     "is_invalid": false
+  },
+  {
+    "description": "pnpm ids with parens in the version",
+    "purl": "pkg:npm/next@14.2.10(react-dom@18.3.1(react@18.3.1))(react@18.3.1)",
+    "canonical_purl": "pkg:npm/next@14.2.10(react-dom%4018.3.1(react%4018.3.1))(react%4018.3.1)",
+    "type": "npm",
+    "namespace": null,
+    "name": "next",
+    "version": "14.2.10(react-dom@18.3.1(react@18.3.1))(react@18.3.1)",
+    "qualifiers": null,
+    "subpath": null,
+    "is_invalid": false
   }
 ]
