We take security vulnerabilities seriously. If you discover a security issue in PackageURLs.jl, please report it responsibly.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing the maintainers directly or using GitHub's private vulnerability reporting feature:

1. Go to the Security tab of the repository
2. Click "Report a vulnerability"
3. Fill out the vulnerability report form

Please include the following information in your report:

• Description: A clear description of the vulnerability
• Impact: What an attacker could achieve by exploiting this vulnerability
• Reproduction Steps: Step-by-step instructions to reproduce the issue
• Affected Versions: Which versions of PackageURLs.jl are affected
• Proof of Concept: Code or commands that demonstrate the vulnerability (if applicable)
• Suggested Fix: Your recommendations for fixing the issue (if any)

• Acknowledgment: We will acknowledge receipt of your report within 48 hours
• Initial Assessment: We will provide an initial assessment within 7 days
• Regular Updates: We will keep you informed of our progress
• Resolution: We aim to resolve critical vulnerabilities within 30 days
• Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)

PackageURLs.jl performs validation on all input strings:

• Scheme validation: Only pkg: scheme is accepted
• Type validation: Must start with a letter, contain only allowed characters
• Percent-encoding: Properly decodes percent-encoded characters
• Subpath sanitization: Removes .. path traversal attempts

• PackageURLs.jl is a parsing library and does not make network requests
• PackageURLs.jl does not execute any code from parsed PURL strings
• Type-specific validation is implemented for Julia, PyPI, and npm types only

1. Validate before use: Always validate PURLs from untrusted sources
2. Use tryparse for untrusted input: Returns nothing instead of throwing on invalid input
3. Don't interpolate into commands: Never use PURL components directly in shell commands without proper escaping

# Safe: Use tryparse for untrusted input
result = tryparse(PURL, untrusted_input)
if result === nothing
    # Handle invalid input
end

# Unsafe: Don't do this with untrusted input
# run(`some-command $(purl.name)`)  # Potential command injection

Security updates will be released as patch versions (e.g., 0.4.1, 0.4.2) and announced through:

• GitHub Security Advisories
• Release notes in CHANGELOG.md
• Julia General Registry update

PackageURLs.jl is a pure Julia package with minimal dependencies, reducing the attack surface from third-party code.

For security-related questions that are not vulnerabilities, please open a regular GitHub issue.