Fix PURL parsing to prevent mismatch for scoped packages #1008
+7
−6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR fixes a bug where scoped npm packages (e.g., @netdata/charts) were incorrectly handled in license checking due to double-encoding of package URLs. The fix removes unnecessary encodeURI() call since PURLs from the Dependency Graph API are already properly formatted and parsePURL() handles decoding internally.
- Removed redundant
encodeURI()call that was double-encoding already-encoded package URLs - Updated
@types/jestdependency to latest patch version
Reviewed Changes
Copilot reviewed 2 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/licenses.ts | Removed encodeURI() wrapper to prevent double-encoding of package URLs when parsing |
| package.json | Updated @types/jest from 29.5.12 to 29.5.14 |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
dangoor
previously approved these changes
Nov 4, 2025
Contributor
dangoor
left a comment
dangoor
left a comment
There was a problem hiding this comment.
This makes sense! Thanks for the fix!
danielhardej
force-pushed
the
danielhardej-patch-20251023
branch
from
fb05a7c to
f620fd1
Compare
dangoor
previously approved these changes
Nov 7, 2025
Contributor
ahpook
reviewed
Nov 7, 2025
dangoor
approved these changes
Nov 7, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The issue was that
encodeURI(change.package_url)was encoding already encoded URLs. For example, for a package with PURLpkg:npm/@netdata/chartsafter encoding withencodeURI()would be:pkg:npm/%40netdata/charts.Removing this unnecessary encoding prevents the mismatch issue in #1006
The fix would be to modify line 177 in licenses.ts to remove the use of the
encodeURI()method. From what I understand, theparsePURL()function in purl.ts already handles URI decoding properly withdecodeURIComponent()and PURLs from the Dependency Graph API are (notionally) already properly formatted. The license exclusions list would contain the normal, unencoded package URLs and so the namespace comparison on line 186 of licenses.ts will no longer always returnfalse, thereby excluding scoped packages inallow-dependencies-licensesfrom the license check.AFAIK, this change should be safe because:
parsePURL()can handle both encoded and unencoded URLsdecodeURIComponent()is used to normalise the namespace and name.Closes: #1006