🚨 Shai-Hulud Strikes Again:834 Packages Compromised.Technical Analysis β†’
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

@socketregistry/packageurl-js

Package Overview
Dependencies
Maintainers
2
Versions
23
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@socketregistry/packageurl-js

Socket.dev optimized package override for packageurl-js

latest
Source
npmnpm
Version
1.3.5
Version published
Weekly downloads
2.5K
117.85%
Maintainers
2
Weekly downloads
Β 
Created
Source

@socketregistry/packageurl-js

Socket Badge CI - @socketregistry/packageurl-js

Follow @SocketSecurity Follow @socket.dev on Bluesky

TypeScript Package URL (purl) parser and builder. Drop-in replacement for packageurl-js with full type safety, zero dependencies, and spec compliance with the Package URL specification.

What is a PURL?

A Package URL (purl) standardizes how to identify software packages:

pkg:npm/lodash@4.17.21
pkg:pypi/requests@2.28.1
pkg:maven/org.springframework/spring-core@5.3.21

Format breakdown:

  pkg:type/namespace/name@version?qualifiers#subpath
  β”‚   β”‚    β”‚         β”‚    β”‚       β”‚          β”‚
  β”‚   β”‚    β”‚         β”‚    β”‚       β”‚          └─ Optional subpath
  β”‚   β”‚    β”‚         β”‚    β”‚       └──────────── Optional key=value pairs
  β”‚   β”‚    β”‚         β”‚    └──────────────────── Optional version
  β”‚   β”‚    β”‚         └───────────────────────── Required package name
  β”‚   β”‚    └─────────────────────────────────── Optional namespace/scope
  β”‚   └──────────────────────────────────────── Required package type
  └──────────────────────────────────────────── Scheme (always "pkg:")

Supports 35+ ecosystems: npm, pypi, maven, gem, cargo, nuget, composer, golang, docker, and more.

Installation

pnpm install @socketregistry/packageurl-js

Drop-in replacement via package override:

{
  "pnpm": {
    "overrides": {
      "packageurl-js": "npm:@socketregistry/packageurl-js@^1"
    }
  }
}

Requirements: Node >= 18.20.4

Usage

Parse purls:

import { PackageURL } from '@socketregistry/packageurl-js'

const purl = PackageURL.fromString('pkg:npm/lodash@4.17.21')
console.log(purl.name)      // 'lodash'
console.log(purl.version)   // '4.17.21'

Build purls:

import { PackageURLBuilder } from '@socketregistry/packageurl-js'

// npm packages
PackageURLBuilder.npm().name('lodash').version('4.17.21').build()
// -> 'pkg:npm/lodash@4.17.21'

// Python packages
PackageURLBuilder.pypi().name('requests').version('2.28.1').build()
// -> 'pkg:pypi/requests@2.28.1'

// Maven with namespace and qualifiers
PackageURLBuilder.maven()
  .namespace('org.springframework')
  .name('spring-core')
  .version('5.3.21')
  .qualifier('classifier', 'sources')
  .build()
// -> 'pkg:maven/org.springframework/spring-core@5.3.21?classifier=sources'

Constructor API:

import { PackageURL } from '@socketregistry/packageurl-js'

new PackageURL('npm', null, 'express', '4.18.2')
// -> 'pkg:npm/express@4.18.2'

// With namespace and subpath
new PackageURL('npm', '@babel', 'runtime', '7.18.6', null, 'helpers/typeof.js')
// -> 'pkg:npm/%40babel/runtime@7.18.6#helpers/typeof.js'

Convert to URLs:

import { UrlConverter } from '@socketregistry/packageurl-js'

UrlConverter.toRepositoryUrl(purl)
// -> 'https://github.com/lodash/lodash'

UrlConverter.toDownloadUrl(purl)
// -> 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz'

Use type-safe PURL types:

import { PURL_Type, EcosystemString } from '@socketregistry/packageurl-js'

// Type-safe enum values
console.log(PURL_Type.NPM)      // 'npm'
console.log(PURL_Type.PYPI)     // 'pypi'
console.log(PURL_Type.MAVEN)    // 'maven'

// Use in type annotations
function processPurl(type: EcosystemString) {
  // type is constrained to valid PURL type strings
}

Documentation

DocDescription
Getting StartedQuick setup guide for contributors
API ReferenceComplete API documentation
ExamplesCommon use cases and patterns
Builder PatternFluent builder guide

Development

pnpm install   # Install dependencies
pnpm build     # Build
pnpm test      # Test
pnpm check     # Lint + typecheck

Keywords

Socket.dev
package-overrides

FAQs

Package last updated on 02 Nov 2025

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

New React Server Components Vulnerabilities: DoS and Source Code Exposure

Security News

New React Server Components Vulnerabilities: DoS and Source Code Exposure

New DoS and source code exposure bugs in React Server Components and Next.js: what’s affected and how to update safely.

By Sarah GoodingΒ  - Β Dec 12, 2025