Hello,
This proposal suggests the creation of a dedicated PURL type for PlatformIO libraries. This would enable better integration with the software supply chain security ecosystem, including SBOMs (Software Bills of Materials), vulnerability databases, and dependency management tools.
What is PURL?
Package URL (PURL) is an open standard for uniquely identifying software packages across different ecosystems. It is now an official ECMA International standard: ECMA-427, ratified in December 2025 and maintained by Ecma Technical Committee 54 (TC54).
Official References
| Resource | URL |
|---|---|
| ECMA-427 Standard | https://ecma-international.org/publications-and-standards/standards/ecma-427/ |
| TC54 (Technical Committee) | https://tc54.org/purl/ |
| GitHub Specification Repository | https://github.com/package-url/purl-spec |
| PURL Type Definitions | https://github.com/package-url/purl-spec/tree/main/types |
| Ecma TC54 GitHub | https://github.com/Ecma-TC54/ECMA-427 |
PURL Syntax
A PURL follows this structure:
```
pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>
```
Each component has a specific role:
| Component | Description | Required |
|---|---|---|
| `pkg` | URL scheme (constant) | Yes |
| `type` | Package ecosystem (e.g., npm, pypi, maven) | Yes |
| `namespace` | Name prefix (e.g., Maven groupId, GitHub org) | Type-dependent |
| `name` | Package name | Yes |
| `version` | Package version | No |
| `qualifiers` | Key-value metadata (e.g., arch, os) | No |
| `subpath` | Path within the package | No |
Examples from other ecosystems
```
pkg:npm/lodash@4.17.21
pkg:pypi/django@4.2.0
pkg:maven/org.apache.commons/io@1.3.4
pkg:cargo/rand@0.8.5
pkg:nuget/Newtonsoft.Json@13.0.1
pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie
```
Why PlatformIO needs a PURL type
1. Growing importance of embedded systems security
PlatformIO is the world's first package and project dependency management solution for embedded development. As embedded systems become increasingly connected (IoT, industrial automation, automotive), software supply chain security becomes critical.
PURL support would enable:
- Vulnerability tracking for PlatformIO libraries
- Proper SBOM generation for embedded projects
- Integration with security scanning tools (OWASP Dependency-Check, Snyk, Grype, Trivy, etc.)
- Compliance with regulations (FDA cybersecurity guidelines, automotive UNECE WP.29, etc.)
2. Unique ecosystem characteristics
PlatformIO has specific characteristics that warrant a dedicated type rather than using the `generic` type:
- Owner/name structure: Libraries are identified as `owner/name` (e.g., `me-no-dev/AsyncTCP`)
- Platform/framework qualifiers: Libraries may target specific platforms (ESP32, STM32) or frameworks (Arduino, ESP-IDF)
- Dedicated registry: https://registry.platformio.org/
- Multiple package types: Libraries, platforms, and tools
3. Alignment with industry standards
PURL is now widely adopted in the security ecosystem:
- CVE Record Format v5.2.0 now includes PURL
- CycloneDX SBOMs use PURL as primary identifier
- SPDX 3.0 SBOMs support PURL
- OSV (Open Source Vulnerabilities) database uses PURL
- GitHub Advisory Database supports PURL
- NIST NVD is adding PURL support
Proposed PURL type definition
Type: platformio
| Component | Description | Requirement |
|---|---|---|
| `type` | `platformio` | Required |
| `namespace` | The library owner (e.g., `me-no-dev`) | Required |
| `name` | The library name (e.g., `AsyncTCP`) | Required |
| `version` | The library version (e.g., `1.1.1`) | Optional |
| `qualifiers` | See below | Optional |
Examples
```
pkg:platformio/me-no-dev/AsyncTCP@1.1.1
pkg:platformio/adafruit/Adafruit_NeoPixel@1.12.0
pkg:platformio/bblanchon/ArduinoJson@7.0.4
pkg:platformio/sparkfun/SparkFun_BME280@2.0.9
pkg:platformio/espressif/arduino-esp32@3.0.0?platform=espressif32
pkg:platformio/stm32duino/STM32FreeRTOS@10.3.2?framework=arduino&platform=ststm32
```
Default repository
https://registry.platformio.org/
Qualifiers
| Qualifier | Type | Description | Example |
|---|---|---|---|
| `platform` | Optional | Target development platform | `espressif32`, `ststm32`, `atmelavr`, `teensy` |
| `framework` | Optional | Target framework | `arduino`, `espidf`, `stm32cube`, `zephyr` |
| `repository_url` | Optional | Alternative registry URL (for private/enterprise registries) | https://registry.example.com/ |
Case sensitivity
- `namespace`: Not case sensitive; must be lowercased in canonical form
- `name`: Not case sensitive; must be lowercased in canonical form
Canonical form examples
| Input | Canonical |
|---|---|
| `pkg:platformio/Adafruit/Adafruit_NeoPixel@1.12.0` | `pkg:platformio/adafruit/adafruit_neopixel@1.12.0` |
| `pkg:platformio/ME-NO-DEV/AsyncTCP@1.1.1` | `pkg:platformio/me-no-dev/asynctcp@1.1.1` |
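The rules above (owner/name structure, the three optional qualifiers, case-insensitive namespace and name lowercased in canonical form) are small enough to implement directly. The following is an added example written for this proposal; it is not code from the proposal, from PlatformIO or from the purl-spec project. It builds, parses and canonicalizes `pkg:platformio` PURLs and converts a `platformio.ini` `lib_deps` entry of the form `owner/name@version` into one, refusing version ranges because an SBOM has to name the resolved version. Assumptions of this example: unknown qualifier keys are rejected, qualifiers are emitted sorted by key (the general PURL canonical rule), `:` and `/` are left unencoded inside qualifier values, and the `TYPE`, `KNOWN_QUALIFIERS`, `build_purl`, `parse_purl`, `canonicalize` and `purl_from_lib_dep` names are this example's own.

```python
"""Build, parse and canonicalise pkg:platformio PURLs (added example, not
code from the proposal, PlatformIO or purl-spec)."""
from typing import Optional
from urllib.parse import quote, unquote

TYPE = "platformio"
# Qualifier keys defined in the proposal. Rejecting anything else is this
# example's policy (assumption); it catches typos before a PURL reaches an SBOM.
KNOWN_QUALIFIERS = {"platform", "framework", "repository_url"}


def _enc(component: str, safe: str = "") -> str:
    # Percent-encode anything outside the unreserved set so that '/', '@',
    # '?' or '#' inside a component cannot be mistaken for a PURL separator.
    return quote(component, safe=safe)


def build_purl(owner: str, name: str, version: Optional[str] = None,
               qualifiers: Optional[dict] = None) -> str:
    """Return the canonical pkg:platformio PURL for owner/name[@version]."""
    if not owner or not name:
        raise ValueError("owner (namespace) and name are both required")
    # Namespace and name are case-insensitive and lowercased in canonical form.
    purl = f"pkg:{TYPE}/{_enc(owner.lower())}/{_enc(name.lower())}"
    if version:
        purl += "@" + _enc(version)
    # Qualifier keys are case-insensitive; empty values are dropped.
    quals = {k.lower(): v for k, v in (qualifiers or {}).items() if v}
    unknown = set(quals) - KNOWN_QUALIFIERS
    if unknown:
        raise ValueError(f"unknown qualifier(s): {sorted(unknown)}")
    if quals:
        # Sorted by key; ':' and '/' kept readable in values (assumption,
        # chosen so repository_url stays legible).
        purl += "?" + "&".join(f"{k}={_enc(v, safe=':/')}"
                               for k, v in sorted(quals.items()))
    return purl


def parse_purl(purl: str) -> dict:
    """Split a pkg:platformio PURL into decoded components."""
    prefix = f"pkg:{TYPE}/"
    if not purl.startswith(prefix):
        raise ValueError(f"not a {prefix} PURL: {purl!r}")
    rest = purl[len(prefix):]
    # Separators are split from the right, in the order the PURL spec prescribes.
    subpath = query = version = ""
    if "#" in rest:
        rest, _, subpath = rest.rpartition("#")
    if "?" in rest:
        rest, _, query = rest.rpartition("?")
    if "@" in rest:
        rest, _, version = rest.rpartition("@")
    parts = rest.split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError("expected exactly owner/name before the version")
    quals = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        quals[key.lower()] = unquote(value)
    return {
        "namespace": unquote(parts[0]).lower(),
        "name": unquote(parts[1]).lower(),
        "version": unquote(version) or None,
        "qualifiers": quals,
        # The proposal defines no subpath for this type; it is parsed but not re-emitted.
        "subpath": unquote(subpath) or None,
    }


def canonicalize(purl: str) -> str:
    """Rewrite any accepted spelling of a pkg:platformio PURL into canonical form."""
    p = parse_purl(purl)
    return build_purl(p["namespace"], p["name"], p["version"], p["qualifiers"])


def purl_from_lib_dep(spec: str) -> str:
    """Turn a platformio.ini lib_deps entry such as 'me-no-dev/AsyncTCP@1.1.1'
    into a PURL. Ranges (^, ~, >=, ...) are refused: an SBOM must record the
    version that was actually resolved, not a constraint."""
    owner_name, _, version = spec.partition("@")
    owner, _, name = owner_name.partition("/")
    if version and not version[0].isdigit():
        raise ValueError(f"resolve the range {version!r} to an exact version first")
    return build_purl(owner, name, version or None)


if __name__ == "__main__":
    # Constructed inputs taken from the proposal's own examples.
    for raw in ("pkg:platformio/Adafruit/Adafruit_NeoPixel@1.12.0",
                "pkg:platformio/ME-NO-DEV/AsyncTCP@1.1.1"):
        print(raw, "->", canonicalize(raw))
    print(purl_from_lib_dep("me-no-dev/AsyncTCP@1.1.1"))
```

Splitting from the right on `#`, `?` and `@` in that order is what keeps an `@` or `/` inside a `repository_url` value from being taken for the version or namespace separator, which is why the parser does not simply `split("@")` from the left.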
Benefits for PlatformIO users
Security & Compliance
- Vulnerability tracking: Automatically identify known vulnerabilities in embedded dependencies
- SBOM generation: Create standardized SBOMs for regulatory compliance
- Supply chain security: Better visibility into the embedded software supply chain
Developer Experience
- Interoperability: Seamless integration with CI/CD pipelines and security tools
- Traceability: Unique, standardized identifiers for all PlatformIO packages
- Ecosystem integration: Better support from third-party tools and services
Enterprise Features
- Private registry support: Via the `repository_url` qualifier
- Audit trails: Standardized package identification for compliance audits
- License compliance: Better integration with license scanning tools
Implementation path
Phase 1: Specification
- PlatformIO team approves the concept
- Submit a PURL type proposal to https://github.com/package-url/purl-spec
- Create JSON definition file following the type definition schema
- Create test cases for validation
Phase 2: PlatformIO Integration
- Integrate PURL generation into PlatformIO CLI (`pio pkg` commands)
- Add PURL field to `library.json` manifest (optional, for display)
- Display PURL in the PlatformIO Registry web interface
- Add PURL to API responses
Phase 3: Ecosystem Integration
- Submit PlatformIO type to vulnerability databases (OSV, etc.)
- Create SBOM export feature (CycloneDX, SPDX formats)
- Document PURL usage for PlatformIO users
JSON Type Definition (Draft)
Below is a draft JSON definition file following the PURL type schema:
```json
{
  "$schema": "https://raw.githubusercontent.com/package-url/purl-spec/main/schemas/purl-type-schema.json",
  "type": "platformio",
  "description": "PlatformIO is a professional collaborative platform for embedded development. PlatformIO packages include libraries, development platforms, and tools for microcontroller and embedded systems development.",
  "homepage_url": "https://platformio.org/",
  "repository_url": "https://registry.platformio.org/",
  "documentation_url": "https://docs.platformio.org/",
  "namespace_definition": {
    "requirement": "required",
    "case_sensitive": false,
    "description": "The PlatformIO package owner or organization name."
  },
  "name_definition": {
    "case_sensitive": false,
    "description": "The PlatformIO package name."
  },
  "version_definition": {
    "requirement": "optional",
    "description": "The package version following semantic versioning."
  },
  "qualifiers_definition": [
    {
      "key": "platform",
      "description": "The target development platform (e.g., espressif32, ststm32, atmelavr)."
    },
    {
      "key": "framework",
      "description": "The target framework (e.g., arduino, espidf, stm32cube, zephyr)."
    },
    {
      "key": "repository_url",
      "description": "An alternative package registry URL for private or enterprise registries."
    }
  ],
  "examples": [
    "pkg:platformio/me-no-dev/asynctcp@1.1.1",
    "pkg:platformio/adafruit/adafruit_neopixel@1.12.0",
    "pkg:platformio/bblanchon/arduinojson@7.0.4",
    "pkg:platformio/espressif/arduino-esp32@3.0.0?platform=espressif32",
    "pkg:platformio/stm32duino/stm32freertos@10.3.2?framework=arduino&platform=ststm32"
  ]
}
```
Related ecosystems
Other embedded/hardware ecosystems that could benefit from similar PURL types:
| Ecosystem | Registry | Status |
|---|---|---|
| Arduino Library Manager | https://www.arduino.cc/reference/en/libraries/ | No PURL type |
| ESP-IDF Component Registry | https://components.espressif.com/ | No PURL type |
| Zephyr West | https://github.com/zephyrproject-rtos/zephyr | No PURL type |
| Mbed OS | https://os.mbed.com/ | No PURL type |
PlatformIO could lead the way for embedded systems PURL adoption.
References
PURL Specification
- ECMA-427 Package-URL Specification: https://ecma-international.org/publications-and-standards/standards/ecma-427/
- Ecma TC54: https://tc54.org/purl/
- PURL Specification Repository: https://github.com/package-url/purl-spec
- Existing PURL Types: https://github.com/package-url/purl-spec/tree/main/types
- How to propose a new PURL type: https://github.com/package-url/purl-spec/blob/main/purl-specification.md
PlatformIO Documentation
- PlatformIO Registry: https://registry.platformio.org/
- Library Management: https://docs.platformio.org/en/latest/librarymanager/index.html
- Creating Libraries: https://docs.platformio.org/en/latest/librarymanager/creating.html
- Package Specifications: https://docs.platformio.org/en/latest/core/userguide/pkg/
Related Standards
- CycloneDX SBOM: https://cyclonedx.org/
- SPDX: https://spdx.dev/
- OSV (Open Source Vulnerabilities): https://osv.dev/
Next Steps
If the PlatformIO team is interested in this feature, the next steps would be:
- Discuss and refine this proposal with the community
- Submit the PURL type proposal to https://github.com/package-url/purl-spec
- Implement PURL support in PlatformIO tooling
Feedback and suggestions for improving this proposal are welcome.
This proposal aims to improve software supply chain security for the embedded systems community.
I'm not affiliated with AboutCode.org nor PlatformIO.