Resolve Package URLs to canonical source, VCS, registry, and artifact hub repositories.

Project description

purl2repo

purl2repo resolves Package URLs (PURLs) to canonical repositories and, where possible, version-specific references. It is built for automation that needs a single answer together with the confidence, evidence, warnings, and candidate details behind it.

Repositories are not assumed to be GitHub projects. A result can point to source code, a VCS URL, a generic URL, or an artifact hub such as Hugging Face.

Features

  • Python API and purl2repo CLI.
  • Typed dataclass results with stable JSON serialization.
  • Evidence, warnings, confidence, and candidate scoring.
  • Repository URL validation when network is available.
  • Conservative release, tag, source, package, and revision links.
  • Structured metadata first, deps.dev third-party fallback second, bounded HTML fallback only when needed.

Supported PURL Types

Full metadata-backed resolution:

  • pkg:pypi
  • pkg:npm
  • pkg:cargo
  • pkg:maven
  • pkg:nuget
  • pkg:golang

Direct or explicit repository resolution:

  • pkg:github
  • pkg:bitbucket
  • pkg:generic
  • pkg:huggingface
  • pkg:mlflow

See docs/ecosystems.md for exact behavior by ecosystem and PURL type.

Installation

pip install purl2repo

Requires Python 3.11 or newer.

Quickstart

from purl2repo import resolve

result = resolve("pkg:pypi/requests@2.31.0")

print(result.repository_url)
print(result.repository_kind)
print(result.confidence)
print(result.evidence)

Reusable resolver:

from purl2repo import Resolver

with Resolver(timeout=15.0, use_cache=True) as resolver:
    results = list(
        resolver.resolve_many(
            [
                "pkg:pypi/requests@2.31.0",
                "pkg:npm/react@18.2.0",
                "pkg:huggingface/distilbert-base-uncased@043235d6088ecd3dd5fb5ca3592b6913fd516027",
            ]
        )
    )

    parallel_results = list(
        resolver.resolve_many(
            [
                "pkg:pypi/requests@2.31.0",
                "pkg:npm/react@18.2.0",
            ],
            max_workers=4,
        )
    )

CLI

purl2repo parse pkg:pypi/requests@2.31.0
purl2repo resolve pkg:pypi/requests@2.31.0
purl2repo resolve pkg:huggingface/distilbert-base-uncased@043235d6088ecd3dd5fb5ca3592b6913fd516027
purl2repo repo pkg:npm/react
purl2repo release pkg:cargo/rand@0.8.5
purl2repo supports
purl2repo version

JSON and trace output:

purl2repo resolve pkg:pypi/requests@2.31.0 --json --pretty
purl2repo resolve pkg:npm/react@18.2.0 --trace

See docs/cli.md for all commands, flags, and exit codes.

Output

resolve() returns a ResolutionResult.

The main fields are:

  • canonical_repository: full RepositoryRef with URL, kind, platform, host, namespace, name, confidence, and reasons.
  • repository_url: convenience URL for the canonical repository.
  • repository_kind: source_code, artifact_hub, vcs, generic, or another related repository class.
  • version_reference: verified or inferred version-specific link when available.
  • repository_validated and repository_validation_status: whether the selected repository URL was checked, skipped, inconclusive, or not applicable.
  • confidence, evidence, warnings, and repository_candidates.

See docs/api.md, docs/scoring.md, and docs/architecture.md for the full contract.
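A practitioner usually wants to act on a result rather than print it: compare the repository purl2repo resolved with the repository a package is expected to come from, and route anything unvalidated or carrying warnings to a human. The block below is an added example and is not part of purl2repo. canonical_repo_key normalises repository URLs in the spellings that occur on this page (https, git+https, scp-style git@host:org/repo, a trailing .git) so that two spellings of the same repository compare equal. triage reads only the ResolutionResult fields listed above (repository_url, repository_validated, repository_validation_status, warnings, confidence) through getattr, so it works against the real result object as well as the constructed StubResult used here. The confidence scale is defined in docs/scoring.md and is not assumed: the threshold is optional and applied only when the value is a plain number. Finding, StubResult, resolve_and_triage, and the allowlist in the demo are this example's own assumptions; the only library call is the top-level resolve() shown in the Quickstart.

```python
"""Gate purl2repo results against an expected-repository allowlist.

Added example, not part of purl2repo. Only resolve_and_triage touches the
real library (the top-level resolve() from the Quickstart) and imports it
lazily, so the helpers run offline. StubResult is a constructed stand-in
carrying the ResolutionResult field names documented in the README; it is
not the library's class.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Any
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    purl: str
    severity: str  # "block" (fail the pipeline) or "review" (needs a human)
    reason: str


@dataclass
class StubResult:
    """Constructed stand-in mirroring the documented field names (assumption)."""
    repository_url: str | None
    repository_validated: bool | None = None
    repository_validation_status: str | None = None
    warnings: list[str] = field(default_factory=list)
    confidence: float | None = None


# scp-style remotes: [user@]host:path; the lookahead excludes scheme:// forms
_SCP_LIKE = re.compile(r"^(?:[^@/:\s]+@)?(?P<host>[^/:\s]+):(?!//)(?P<path>.+)$")


def canonical_repo_key(url: str | None) -> str | None:
    """Reduce a repository URL to 'host/path' so spellings compare equal.

    Handles https://, ssh://, git+https://, git@host:org/repo.git, www.,
    userinfo, a trailing '.git', a trailing '/', and a '@commit' suffix on
    the path as used in vcs_url qualifiers. Host and path are lower-cased
    because GitHub and Bitbucket owner/repo names are case-insensitive; the
    key is for comparison only, never for fetching.
    """
    if not url:
        return None
    u = url.strip()
    for prefix in ("git+", "hg+", "svn+", "bzr+"):
        if u.lower().startswith(prefix):
            u = u[len(prefix):]
    if m := _SCP_LIKE.match(u):
        host, path = m.group("host"), m.group("path")
    else:
        parts = urlsplit(u if "://" in u else "//" + u)
        host, path = parts.netloc, parts.path
    host = host.rsplit("@", 1)[-1].lower().removeprefix("www.")
    path = path.partition("@")[0].strip("/")
    if path.lower().endswith(".git"):
        path = path[:-4]
    if not host or not path:
        return None
    return f"{host}/{path.lower()}"


def triage(purl: str, result: Any, expected_repo: str | None = None,
           min_confidence: float | None = None) -> list[Finding]:
    """Turn one resolution into findings; fields are read by name so any object with them works."""
    findings: list[Finding] = []
    url = getattr(result, "repository_url", None)
    if not url:
        return [Finding(purl, "block", "no canonical repository resolved")]
    if expected_repo is not None and canonical_repo_key(url) != canonical_repo_key(expected_repo):
        findings.append(Finding(purl, "block", f"resolved {url}, expected {expected_repo}"))
    if getattr(result, "repository_validated", None) is False:
        status = getattr(result, "repository_validation_status", None) or "unknown"
        findings.append(Finding(purl, "review", f"repository URL not validated ({status})"))
    warnings = [str(w) for w in (getattr(result, "warnings", None) or [])]
    if warnings:
        findings.append(Finding(purl, "review", "resolver warnings: " + "; ".join(warnings)))
    confidence = getattr(result, "confidence", None)
    # The scale lives in docs/scoring.md; compare only when the value is a plain number.
    numeric = isinstance(confidence, (int, float)) and not isinstance(confidence, bool)
    if min_confidence is not None and numeric and confidence < min_confidence:
        findings.append(Finding(purl, "review", f"confidence {confidence} below {min_confidence}"))
    return findings


def resolve_and_triage(expected: dict[str, str], min_confidence: float | None = None) -> list[Finding]:
    """Live run: needs network access and `pip install purl2repo`."""
    from purl2repo import resolve  # imported lazily so the offline helpers import without it
    findings: list[Finding] = []
    for purl, repo in expected.items():
        findings.extend(triage(purl, resolve(purl), expected_repo=repo, min_confidence=min_confidence))
    return findings


if __name__ == "__main__":
    # Constructed allowlist (assumption): where each package is expected to be developed.
    allowlist = {"pkg:pypi/requests@2.31.0": "https://github.com/psf/requests",
                 "pkg:npm/react@18.2.0": "git@github.com:facebook/react.git"}
    for finding in resolve_and_triage(allowlist):
        print(f"[{finding.severity}] {finding.purl}: {finding.reason}")
```

A repository mismatch is a hard block because it is exactly the signal a typosquat or hijacked package produces: the registry metadata points somewhere other than where the project is actually developed. Everything else is routed for review rather than failed, since a skipped validation or a warning is often benign but should not pass silently.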

Examples

Hugging Face resolves to Hugging Face as the canonical artifact hub, even when a PURL qualifier points elsewhere:

purl2repo resolve 'pkg:huggingface/microsoft/deberta-v3-base@559062ad13d311b87b2c455e67dcd5f1c8f65111?repository_url=https://hub-ci.huggingface.co'

Generic PURLs use explicit qualifiers:

purl2repo resolve 'pkg:generic/example@1.0.0?vcs_url=git+https://github.com/org/repo.git'

MLflow PURLs need an explicit registry or tracking endpoint:

purl2repo resolve 'pkg:mlflow/trafficsigns@10?repository_url=https://adb-5245952564735461.0.azuredatabricks.net/api/2.0/mlflow'

Versionless PURLs are valid:

purl2repo resolve pkg:pypi/requests
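The qualifier rules in these examples can be checked before any PURL reaches a resolver, which is useful when PURLs arrive from an SBOM or a ticket and malformed or under-specified ones should be rejected up front. The block below is an added example, not code from purl2repo: a stdlib-only PURL parser that follows the Package URL spec (strip the #subpath, then the ?qualifiers, and only then take the version from the last @, so an @commit inside a vcs_url qualifier is never mistaken for the version; percent-decode with unquote, since + is literal in PURLs), plus a helper that applies the rules this README states for huggingface, github, bitbucket, generic and mlflow PURLs. The names PackageURL, RepositoryHint, parse_purl and explicit_repository_hint, and the choice to return None for metadata-backed types such as pypi (those need a registry lookup, which this offline helper does not perform), are this example's own.

```python
"""Offline PURL parsing plus the qualifier rules this README describes.

Added example; it does not use or reproduce purl2repo's code. PackageURL,
RepositoryHint, parse_purl and explicit_repository_hint are this example's
own names.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass(frozen=True)
class PackageURL:
    type: str
    namespace: str | None
    name: str
    version: str | None
    qualifiers: dict[str, str] = field(default_factory=dict)
    subpath: str | None = None


def parse_purl(purl: str) -> PackageURL:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath per the PURL spec."""
    scheme, sep, rest = purl.strip().partition(":")
    if sep != ":" or scheme.lower() != "pkg":
        raise ValueError(f"not a Package URL (missing 'pkg:' scheme): {purl!r}")
    rest = rest.lstrip("/")  # the spec tolerates 'pkg://type/...'
    rest, _, raw_subpath = rest.partition("#")   # subpath first,
    rest, _, raw_query = rest.partition("?")     # then qualifiers,
    head, at, raw_version = rest.rpartition("@") # then the version from the LAST '@'
    path, version = (head, unquote(raw_version)) if at else (raw_version, None)

    segments = [seg for seg in path.split("/") if seg]
    if len(segments) < 2:
        raise ValueError(f"PURL needs at least a type and a name: {purl!r}")
    ptype = segments[0].lower()
    name = unquote(segments[-1])
    namespace = "/".join(unquote(seg) for seg in segments[1:-1]) or None
    if ptype == "pypi":  # spec: pypi names are case-insensitive and '_' equals '-'
        name = name.lower().replace("_", "-")

    qualifiers: dict[str, str] = {}
    for pair in filter(None, raw_query.split("&")):
        key, _, value = pair.partition("=")
        if value:  # keys are case-insensitive; '+' in a value is literal, so unquote, not unquote_plus
            qualifiers[key.lower()] = unquote(value)

    subpath = "/".join(
        unquote(seg) for seg in raw_subpath.split("/") if seg not in ("", ".", "..")
    ) or None
    return PackageURL(ptype, namespace, name, version, qualifiers, subpath)


@dataclass(frozen=True)
class RepositoryHint:
    url: str | None  # None: nothing can be said without a qualifier or a registry lookup
    source: str      # where the URL came from
    note: str = ""


def explicit_repository_hint(p: PackageURL) -> RepositoryHint:
    """Apply the README's rules for types that resolve directly or need explicit qualifiers."""
    q = p.qualifiers
    if p.type == "huggingface":
        # Hugging Face is always the canonical hub; a repository_url qualifier is recorded, not followed.
        path = f"{p.namespace}/{p.name}" if p.namespace else p.name
        note = f"ignored repository_url={q['repository_url']}" if "repository_url" in q else ""
        return RepositoryHint(f"https://huggingface.co/{path}", "default-hub", note)
    if p.type in ("github", "bitbucket"):
        if not p.namespace:
            return RepositoryHint(None, "missing", f"{p.type} PURL without an owner namespace")
        host = "github.com" if p.type == "github" else "bitbucket.org"
        return RepositoryHint(f"https://{host}/{p.namespace}/{p.name}", "purl-path")
    if p.type == "generic":
        if "vcs_url" in q:
            url = q["vcs_url"]
            for prefix in ("git+", "hg+", "svn+", "bzr+"):  # scheme prefix of a vcs_url
                if url.lower().startswith(prefix):
                    url = url[len(prefix):]
            base, at, ref = url.rpartition("@")
            if at and "/" not in ref:  # trailing '@commit', not 'user@host/...' userinfo
                url = base
            return RepositoryHint(url, "qualifier:vcs_url")
        if "download_url" in q:
            return RepositoryHint(q["download_url"], "qualifier:download_url")
        return RepositoryHint(None, "missing", "generic PURL without vcs_url or download_url qualifier")
    if p.type == "mlflow":
        if "repository_url" in q:
            return RepositoryHint(q["repository_url"], "qualifier:repository_url")
        return RepositoryHint(None, "missing", "mlflow PURL without repository_url qualifier")
    return RepositoryHint(None, "needs-metadata",
                          f"{p.type} is resolved from registry metadata, not from the PURL alone")


if __name__ == "__main__":
    for purl in (  # the README's own examples, plus one mlflow PURL missing its endpoint
        "pkg:huggingface/microsoft/deberta-v3-base@559062ad13d311b87b2c455e67dcd5f1c8f65111?repository_url=https://hub-ci.huggingface.co",
        "pkg:generic/example@1.0.0?vcs_url=git+https://github.com/org/repo.git",
        "pkg:mlflow/trafficsigns@10",
        "pkg:pypi/requests",
    ):
        print(purl, "->", explicit_repository_hint(parse_purl(purl)))
```

A hint with url None and source "missing" is the case to reject early: a generic or mlflow PURL without its qualifier cannot be resolved, and a resolver that guesses in that situation is a supply-chain risk, not a convenience.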

Development

python3.11 -m venv .venv
.venv/bin/python -m pip install -e ".[dev]"
.venv/bin/ruff check .
.venv/bin/ruff format --check .
.venv/bin/mypy
.venv/bin/pytest --cov=purl2repo --cov-report=term-missing --cov-fail-under=90

Live integration tests are separate:

.venv/bin/pytest tests/integration -m integration

See CONTRIBUTING.md and docs/development.md for contributor guidance.

License

Apache-2.0. See LICENSE.

Download files

Source Distribution

purl2repo-2.0.2.tar.gz (58.8 kB)

Built Distribution

purl2repo-2.0.2-py3-none-any.whl (48.9 kB)

File details

Details for the file purl2repo-2.0.2.tar.gz.

File metadata

  • Download URL: purl2repo-2.0.2.tar.gz
  • Size: 58.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for purl2repo-2.0.2.tar.gz
Algorithm Hash digest
SHA256 502ea49e11e6a2d95ef1c296524ea587caa37ea95b879c8be7c5976ba01024a4
MD5 9b8c2e8e2fa83d25ecd1a83123eb1ca4
BLAKE2b-256 64db8c54cfb042e1a0779bfa18011898d333e0dc34695deaab722d84453d54a1

Provenance

The following attestation bundles were made for purl2repo-2.0.2.tar.gz:

Publisher: publish-pypi.yml on tonylturner/purl2repo

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file purl2repo-2.0.2-py3-none-any.whl.

File metadata

  • Download URL: purl2repo-2.0.2-py3-none-any.whl
  • Size: 48.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for purl2repo-2.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 1f81ee16986d2d548be0cf97cca920d7035056bbe971fdacc4590f8ef1d1edad
MD5 e51d972e2c41274ff797480cd229de13
BLAKE2b-256 0e3210c1a06c93a3ac26b2e200c407c8e2f4e364e9ce47173c4eeef4115ba19b

Provenance

The following attestation bundles were made for purl2repo-2.0.2-py3-none-any.whl:

Publisher: publish-pypi.yml on tonylturner/purl2repo

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
