fix(diff): detect upgrades for version-qualified purls #20

Open
dmchaledev wants to merge 1 commit into main from claude/magical-ptolemy-ziyluo

Conversation

@dmchaledev (Contributor)

Problem

diff() builds its component lookup map keyed on the raw purl:

const key = comp.purl ?? comp.name;

But a purl embeds the version (pkg:npm/lodash@4.17.21), and real-world SBOM generators (Syft, Trivy, cdxgen, …) almost always emit version-qualified purls. So the same package at two versions gets two different keys, and an upgrade is reported as a remove + add instead of an upgrade — defeating the tool's flagship "highlights upgraded dependencies" feature for the common case.

Reproduction (before)

old: lodash@4.17.20  →  new: lodash@4.17.21
added:    [ 'lodash@4.17.21' ]
removed:  [ 'lodash@4.17.20' ]
upgraded: []

The previous test even encoded this as "correct behavior", but it directly contradicts the README's promise.

Fix

Key components by a version-independent purl identity — strip the #subpath, ?qualifiers, and trailing @version, then fall back to the package name. (An npm scope like %40scope is percent-encoded, so a literal @ only ever separates the version.)

After

added:    []
removed:  []
upgraded: [ '4.17.20 -> 4.17.21' ]

Tests

  • Replaced the test that asserted the buggy add/remove behavior with one asserting proper upgrade detection.
  • Added coverage for purls carrying qualifiers/subpaths.
  • Added a guard that distinct packages are not falsely reported as upgrades.

All 31 tests pass; lint and typecheck clean.

🤖 Generated with Claude Code

https://claude.ai/code/session_01BPc7gpi66iTEvhzh9b3rNf
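The identity-stripping rule described in the Fix section, worked through as an added example. This is not the project's own code: `Component`, `DiffResult`, `diff` and the sample SBOM entries are assumed shapes and constructed input, not the tool's real API. It goes one step beyond the PR text in one respect: rather than relying on every generator percent-encoding npm scopes, it treats only an `@` that comes after the last `/` as the version separator, so a non-compliant `pkg:npm/@scope/name@1.0.0` still keys correctly. Subpath and qualifiers are stripped before the version so that a `/` or `@` inside them cannot shift the cut point.

```typescript
// Added example (not the project's own code): a version-independent purl
// identity and a minimal diff keyed on it. Component, DiffResult and diff
// are assumed shapes, not the tool's real API.

interface Component {
  name: string;
  version?: string;
  purl?: string;
}

interface DiffResult {
  added: string[];
  removed: string[];
  upgraded: string[];
}

// purl layout: pkg:type/namespace/name@version?qualifiers#subpath
// Strip subpath and qualifiers first (they may contain "/" or "@"), then
// the trailing version. Only an "@" after the last "/" can be the version
// separator; this also tolerates purls that leave an npm scope unencoded.
function purlIdentity(purl: string): string {
  let id = purl;
  const hash = id.indexOf("#");
  if (hash !== -1) id = id.slice(0, hash);
  const q = id.indexOf("?");
  if (q !== -1) id = id.slice(0, q);
  const at = id.lastIndexOf("@");
  if (at !== -1 && at > id.lastIndexOf("/")) id = id.slice(0, at);
  return id;
}

// Key a component by purl identity, falling back to its bare name.
function identityKey(c: Component): string {
  return c.purl ? purlIdentity(c.purl) : c.name;
}

function byIdentity(comps: Component[]): Map<string, Component> {
  const m = new Map<string, Component>();
  for (const c of comps) m.set(identityKey(c), c);
  return m;
}

function label(c: Component): string {
  return `${c.name}@${c.version ?? "?"}`;
}

function diff(oldComps: Component[], newComps: Component[]): DiffResult {
  const before = byIdentity(oldComps);
  const after = byIdentity(newComps);
  const out: DiffResult = { added: [], removed: [], upgraded: [] };
  before.forEach((o, key) => {
    const n = after.get(key);
    if (n === undefined) {
      out.removed.push(label(o));
    } else if (n.version !== o.version) {
      // Same identity, different version. Downgrades land here too, so the
      // string keeps both versions for the reader to compare.
      out.upgraded.push(`${o.name}: ${o.version ?? "?"} -> ${n.version ?? "?"}`);
    }
  });
  after.forEach((n, key) => {
    if (!before.has(key)) out.added.push(label(n));
  });
  return out;
}

// Constructed sample input mirroring the PR's reproduction, plus a removed
// package and a distinct package that must not be reported as an upgrade.
const sampleOld: Component[] = [
  { name: "lodash", version: "4.17.20", purl: "pkg:npm/lodash@4.17.20" },
  { name: "left-pad", version: "1.3.0", purl: "pkg:npm/left-pad@1.3.0" },
];
const sampleNew: Component[] = [
  { name: "lodash", version: "4.17.21", purl: "pkg:npm/lodash@4.17.21?vcs_url=git%2Bhttps://github.com/lodash/lodash.git" },
  { name: "lodash-es", version: "4.17.21", purl: "pkg:npm/lodash-es@4.17.21" },
];

function sampleDiff(): DiffResult {
  return diff(sampleOld, sampleNew);
}

console.log(JSON.stringify(sampleDiff(), null, 2));
```

Running it reports `lodash: 4.17.20 -> 4.17.21` as upgraded, `left-pad@1.3.0` as removed and `lodash-es@4.17.21` as added; `lodash` and `lodash-es` stay separate keys because their identities differ in the name, not just the version. If the upstream tool ever needs to handle a version string that itself contains `@`, the purl spec requires it to be percent-encoded, so the last-`@` rule still holds for compliant input.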


Generated by Claude Code

Component map keys were the raw purl, which embeds the version
(e.g. pkg:npm/lodash@4.17.21). Real-world SBOM generators (Syft,
Trivy, cdxgen) almost always emit version-qualified purls, so every
version got its own key and an upgrade was reported as a remove + add
instead of an upgrade — defeating the tool's flagship "upgraded
dependencies" feature.

Key components by a version-independent purl identity (subpath,
qualifiers, and @version stripped), falling back to the name. Add
tests covering qualified/subpath purls and guarding against false
upgrades between distinct packages.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BPc7gpi66iTEvhzh9b3rNf