Description
When querying the BQ dataset to look up PyPI packages by purl we noticed that when the package name has a period character (.) in it the package would not be found.
This appears to be due to the documented name normalisation in deps.dev, and the purl being constructed from the normalised name. However, this purl with the name portion normalised does not match how other implementers have constructed purls.
For example, if we take the package jaraco.context and query the v3alpha API with a purl for the latest '6.0.2' version: curl 'https://api.deps.dev/v3alpha/purl/pkg%3Apypi%2Fjaraco.context%406.0.2'
We can see in the returned JSON (pasted below) that the name and purl are using the normalised name, replacing . with -, even though the API handled the query correctly.
{
  "version": {
    "versionKey": {
      "system": "PYPI",
      "name": "jaraco-context",
      "version": "6.0.2"
    },
    "purl": "pkg:pypi/jaraco-context@6.0.2",
    "publishedAt": "2025-12-24T19:21:34Z",
    "isDefault": true,
    "isDeprecated": false,
    "licenses": [
      "MIT"
    ],
    "licenseDetails": [
      {
        "license": "MIT",
        "spdx": "MIT"
      }
    ],
    "advisoryKeys": [],
    "links": [
      {
        "label": "SOURCE_REPO",
        "url": "https://github.com/jaraco/jaraco.context"
      }
    ],
    "slsaProvenances": [],
    "attestations": [],
    "registries": [
      "https://pypi.org/simple"
    ],
    "relatedProjects": [
      {
        "projectKey": {
          "id": "github.com/jaraco/jaraco.context"
        },
        "relationProvenance": "UNVERIFIED_METADATA",
        "relationType": "SOURCE_REPO"
      }
    ],
    "upstreamIdentifiers": [
      {
        "packageName": "jaraco_context",
        "versionString": "6.0.2",
        "source": "PYPI_RELEASE_FILENAME"
      },
      {
        "packageName": "jaraco.context",
        "versionString": "6.0.2",
        "source": "PYPI_METADATA_FILE"
      }
    ]
  }
}
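As an added illustration (not deps.dev code), the two name conventions side by side and a lookup that compares purls on the PEP 503-normalised name rather than the raw string, which is what makes the jaraco.context query above fail against a dataset storing jaraco-context. The purl-spec pypi rule (lowercase, `_` to `-`, `.` kept) is my reading of that spec; the dataset rows and helper names are constructed for the example.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

def pep503_normalize(name: str) -> str:
    """PEP 503: runs of '-', '_' and '.' collapse to one '-', lowercased.
    This is the rule deps.dev appears to apply to the purl name (jaraco.context -> jaraco-context)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def purl_spec_pypi_name(name: str) -> str:
    """purl-spec pypi type (as I read it): lowercase and replace '_' with '-'; '.' is kept.
    This yields pkg:pypi/jaraco.context@6.0.2, the form other implementers emit."""
    return name.lower().replace("_", "-")

def parse_pypi_purl(purl: str) -> tuple[str, str | None]:
    """Return (name, version) from a pkg:pypi/... purl; percent-encoding (as in the curl URL) is decoded first."""
    purl = unquote(purl)
    if not purl.startswith("pkg:pypi/"):
        raise ValueError(f"not a pypi purl: {purl}")
    rest = purl[len("pkg:pypi/"):]
    rest = rest.split("?", 1)[0].split("#", 1)[0]   # drop qualifiers and subpath
    name, _, version = rest.partition("@")
    return name, (version or None)

def purls_match(a: str, b: str) -> bool:
    """Same package if the PEP 503-normalised names agree; version must match exactly."""
    na, va = parse_pypi_purl(a)
    nb, vb = parse_pypi_purl(b)
    return pep503_normalize(na) == pep503_normalize(nb) and va == vb

# Constructed rows in the shape of a purl column that stores the normalised name.
SAMPLE_ROWS = [
    {"purl": "pkg:pypi/jaraco-context@6.0.2"},
    {"purl": "pkg:pypi/jaraco-context@6.0.1"},
    {"purl": "pkg:pypi/requests@2.32.3"},
]

def lookup(rows: list[dict], query_purl: str) -> list[dict]:
    """Rows referring to the same package and version as query_purl, whichever convention each side used."""
    return [r for r in rows if purls_match(r["purl"], query_purl)]

if __name__ == "__main__":
    q = "pkg%3Apypi%2Fjaraco.context%406.0.2"
    print("raw string match:", any(r["purl"] == unquote(q) for r in SAMPLE_ROWS))  # False
    print("normalised match:", lookup(SAMPLE_ROWS, q))
```

A dataset query can apply the same normalisation on both sides of the comparison instead of relying on whichever spelling the producer chose.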