Each package manager, platform, type, or ecosystem has its own conventions and protocols to identify, locate, and provision software packages.
The package type is the component of a package URL that is used to capture
this information with a short string such as maven
, npm
, nuget
, gem
,
pypi
, etc.
These are known purl
package type definitions.
Known purl
type definitions are formalized here independent of the core
Package URL specification. See also a candidate list further down.
Definitions can also include types reserved for future use.
See also https://github.com/package-url/purl-spec and <PURL-SPECIFICATION.rst>`_ for the Package URL specification.
bitbucket
for Bitbucket-based packages:
The default repository is
https://bitbucket.org
The
namespace
is the user or organization. It is not case sensitive and must be lowercased.The
name
is the repository name. It is not case sensitive and must be lowercased.The
version
is a commit or tagExamples:
pkg:bitbucket/birkenfeld/pygments-main@244fd47e07d1014f0aed9c
cargo
for Rust:
The default repository is
https://crates.io/
The
name
is the repository name.The
version
is the package version.Examples:
pkg:cargo/rand@0.7.2 pkg:cargo/clap@2.33.0 pkg:cargo/structopt@0.3.11
composer
for Composer PHP packages:
The default repository is
https://packagist.org
The
namespace
is the vendor.Note: private, local packages may have no name. In this case you cannot create a
purl
for these.Examples:
pkg:composer/laravel/laravel@5.5.0
deb
for Debian, Debian derivatives, and Ubuntu packages:
There is no default package repository: this should be implied either from the
distro
qualifiers key or using a base url as arepository_url
qualifiers keyThe
namespace
is the "vendor" name such as "debian" or "ubuntu". It is not case sensitive and must be lowercased.The
name
is not case sensitive and must be lowercased.The
version
is the package version.arch
is the qualifiers key for a package architectureExamples:
pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie pkg:deb/debian/dpkg@1.19.0.4?arch=amd64&distro=stretch pkg:deb/ubuntu/dpkg@1.19.0.4?arch=amd64
docker
for Docker images
The default repository is
https://hub.docker.com
The
namespace
is the registry/user/organization if presentThe version should be the image id sha256 or a tag. Since tags can be moved, a sha256 image id is preferred.
Examples:
pkg:docker/cassandra@latest pkg:docker/smartentry/debian@dc437cc87d10 pkg:docker/customer/dockerimage@sha256%3A244fd47e07d10?repository_url=gcr.io
gem
for Rubygems:
The default repository is
https://rubygems.org
The
platform
qualifiers key is used to specify an alternative platform such asjava
for JRuby. The implied default isruby
for Ruby MRI.Examples:
pkg:gem/ruby-advisory-db-check@0.12.4 pkg:gem/jruby-launcher@1.1.2?platform=java
generic
for plain, generic packages that do not fit anywhere else such as
for "upstream-from-distro" packages. In particular this is handy for a plain
version control repository such as a bare git repo.
There is no default repository. A
download_url
andchecksum
may be provided in qualifiers or as separate attributes outside of apurl
for proper identification and location.When possible another or a new purl
type
should be used instead of using thegeneric
type and eventually contributed back to this specificationas for other
type
, thename
component is mandatory. In the worst case it can be a file or directory name.Examples (truncated for brevity):
pkg:generic/openssl@1.1.10g pkg:generic/openssl@1.1.10g?download_url=https://openssl.org/source/openssl-1.1.0g.tar.gz&checksum=sha256:de4d501267da pkg:generic/bitwarderl?vcs_url=https://git.fsfe.org/dxtr/bitwarderl@cc55108da32
github
for Github-based packages:
The default repository is
https://github.com
The
namespace
is the user or organization. It is not case sensitive and must be lowercased.The
name
is the repository name. It is not case sensitive and must be lowercased.The
version
is a commit or tagExamples:
pkg:github/package-url/purl-spec@244fd47e07d1004 pkg:github/package-url/purl-spec@244fd47e07d1004#everybody/loves/dogs
golang
for Go packages
There is no default package repository: this is implied in the namespace using the
go get
command conventionsThe
namespace
and name must be lowercased.The
subpath
is used to point to a subpath inside a packageThe
version
is often empty when a commit is not specified and should be the commit in most cases when available.Examples:
pkg:golang/github.com/gorilla/context@234fd47e07d1004f0aed9c pkg:golang/google.golang.org/genproto#googleapis/api/annotations pkg:golang/github.com/gorilla/context@234fd47e07d1004f0aed9c#api
hex
for Hex packages
The default repository is
https://repo.hex.pm
.The
namespace
is optional; it may be used to specify the organization for private packages on hex.pm. It is not case sensitive and must be lowercased.The
name
is not case sensitive and must be lowercased.Examples:
pkg:hex/jason@1.1.2 pkg:hex/acme/foo@2.3. pkg:hex/phoenix_html@2.13.3#priv/static/phoenix_html.js pkg:hex/bar@1.2.3?repository_url=https://myrepo.example.com
maven
for Maven JARs and related artifacts
The default repository is
https://repo.maven.apache.org/maven2
The group id is the
namespace
and the artifact id is thename
Known qualifiers keys are:
classifier
andtype
as defined in the POM documentation. Note that Maven uses a concept / coordinate called packaging which does not map directly 1:1 to a file extension. In this use case, we need to construct a link to one of many possible artifacts. Maven itself uses type in a dependency declaration when needed to disambiguate between them.Examples:
pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1 pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?type=pom pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?classifier=sources pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?type=zip&classifier=dist pkg:maven/net.sf.jacob-projec/jacob@1.14.3?classifier=x86&type=dll pkg:maven/net.sf.jacob-projec/jacob@1.14.3?classifier=x64&type=dll
npm
for Node NPM packages:
The default repository is
https://registry.npmjs.org
The
namespace
is used for the scope of a scoped NPM package.Per the package.json spec, new package "must not have uppercase letters in the name", therefore the must be lowercased.
Examples:
pkg:npm/foobar@12.3.1 pkg:npm/%40angular/animation@12.3.1 pkg:npm/mypackage@12.4.5?vcs_url=git://host.com/path/to/repo.git@4345abcd34343
nuget
for NuGet .NET packages:
The default repository is
https://www.nuget.org
There is no
namespace
per se even if the common convention is to use dot-separated package names where the first segment isnamespace
-like. TBD: should we split the first segment as a namespace?Examples:
pkg:nuget/EnterpriseLibrary.Common@6.0.1304
pypi
for Python packages:
The default repository is
https://pypi.python.org
PyPi treats
-
and_
as the same character and is not case sensitive. Therefore a Pypi packagename
must be lowercased and underscore_
replaced with a dash-
Examples:
pkg:pypi/django@1.11.1 pkg:pypi/django-allauth@12.23
rpm
for RPMs:
There is no default package repository: this should be implied either from the
distro
qualifiers key or using a repository base url asrepository_url
qualifiers keythe
namespace
is the vendor such as fedora or opensus It is not case sensitive and must be lowercased.the
name
is the RPM name and is case sensitive.the
version
is the combined version and release of an RPMepoch
(optional for RPMs) is a qualifier as it's not required for unique identification, but when the epoch exists we strongly encourage using itarch
is the qualifiers key for a package architectureExamples:
pkg:rpm/fedora/curl@7.50.3-1.fc25?arch=i386&distro=fedora-25 pkg:rpm/centerim@4.22.10-1.el6?arch=i686&epoch=1&distro=fedora-25
alpine
for Alpine Linux apk packages:apache
for Apache projects packages:android
for Android apk packages:arch
for Arch Linux packages:atom
for Atom packages:bower
for Bower JavaScript packages:brew
for Homebrew packages:buildroot
for Buildroot packagescarthage
for Cocoapods Cocoa packages:chef
for Chef packages:chocolatey
for Chocolatey packagesclojars
for Clojure packages:cocoapods
for Cocoapods iOS packages:conan
for Conan C/C++ packages:coreos
for CoreOS packages:cpan
for CPAN Perl packages:cran
for CRAN R packages:ctan
for CTAN TeX packages:crystal
for Crystal Shards packages:drupal
for Drupal packages:dtype
for DefinitelyTyped TypeScript type definitions:dub
for D packages:elm
for Elm packages:eclipse
for Eclipse projects packages:gitea
for Gitea-based packages:gitlab
for Gitlab-based packages:gradle
for Gradle pluginsguix
for Guix packages:hackage
for Haskell packages:haxe
for Haxe packages:helm
for Kubernetes packagesjulia
for Julia packages:lua
for LuaRocks packages:melpa
for Emacs packagesmeteor
for Meteor JavaScript packages:nim
for Nim packages:nix
for Nixos packages:opam
for OCaml packages:openwrt
for OpenWRT packages:osgi
for OSGi bundle packages:p2
for Eclipse p2 packages:pear
for Pear PHP packages:pecl
for PECL PHP packages:perl6
for Perl 6 module packages:platformio
for PlatformIO packages:ebuild
for Gentoo Linux portage packages:pub
for Dart packages:puppet
for Puppet Forge packages:sourceforge
for Sourceforge-based packages:sublime
for Sublime packages:swift
for Swift packages:terraform
for Terraform modulesvagrant
for Vagrant boxesvim
for Vim scripts packages:wordpress
for Wordpress packages:yocto
for Yocto recipe packages:
This document is licensed under the MIT license