Each package manager, platform, type, or ecosystem has its own conventions and protocols to identify, locate, and provision software packages.
The package type is the component of a package URL that is used to capture
this information with a short string such as maven
, npm
, nuget
, gem
,
pypi
, etc.
These are known purl
package type definitions.
Known purl
type definitions are formalized here independent of the core
Package URL specification. See also a candidate list further down.
Definitions can also include types reserved for future use.
See also https://github.com/package-url/purl-spec and PURL-SPECIFICATION.rst for the Package URL specification.
alpm
for Arch Linux and other users of the libalpm/pacman package manager.
There is no default package repository: this should be implied either from the
distro
qualifiers key or using a repository base url asrepository_url
qualifiers key.The
namespace
is the vendor such asarch
,arch32
,archarm
,manjaro
ormsys
. It is not case sensitive and must be lowercased.The
name
is the package name. It is not case sensitive and must be lowercased.The
version
is the version of the package as specified in [vercmp(8)](https://man.archlinux.org/man/vercmp.8#DESCRIPTION) as part of alpm.The
arch
is the qualifiers key for a package architecture.Examples:
pkg:alpm/arch/[email protected]?arch=x86_64 pkg:alpm/arch/[email protected]?arch=any pkg:alpm/arch/containers-common@1:0.47.4-4?arch=x86_64
apk
for APK-based packages:
There is no default package repository: this should be implied either from the
distro
qualifiers key or using a repository base url asrepository_url
qualifiers key.The
namespace
is the vendor such asalpine
oropenwrt
. It is not case sensitive and must be lowercased.The
name
is the package name. It is not case sensitive and must be lowercased.The
version
is a package version as expected by apk.The
arch
is the qualifiers key for a package architecture.Examples:
pkg:apk/alpine/[email protected]?arch=x86 pkg:apk/alpine/[email protected]?arch=x86
bitbucket
for Bitbucket-based packages:
The default repository is
https://bitbucket.org
.The
namespace
is the user or organization. It is not case sensitive and must be lowercased.The
name
is the repository name. It is not case sensitive and must be lowercased.The
version
is a commit or tag.Examples:
pkg:bitbucket/birkenfeld/pygments-main@244fd47e07d1014f0aed9c
bitnami
for Bitnami-based packages:
The default repository is
https://downloads.bitnami.com/files/stacksmith
.The
name
is the component name. It must be lowercased.The
version
is the full Bitnami package version, including version and revision.The
arch
is the qualifiers key for a package architecture. Available values:amd64
(default) andarm64
.The
distro
is the qualifiers key for the distribution associated to the package.Examples:
pkg:bitnami/wordpress?distro=debian-12 pkg:bitnami/[email protected]?distro=debian-12 pkg:bitnami/[email protected]?arch=arm64&distro=debian-12 pkg:bitnami/[email protected]?arch=arm64&distro=photon-4
cocoapods
for CocoaPods:
The default repository is
https://cdn.cocoapods.org/
.The
name
is the pod name and is case sensitive, cannot contain whitespace, a plus (+) character, or begin with a period (.).The
version
is the package version.The purl subpath is used to represent a pods subspec (if present).
Examples:
pkg:cocoapods/[email protected] pkg:cocoapods/[email protected] pkg:cocoapods/[email protected]#Twitter pkg:cocoapods/[email protected]#NSData+zlib
cargo
for Rust:
The default repository is
https://crates.io/
.The
name
is the repository name.The
version
is the package version.Examples:
pkg:cargo/[email protected] pkg:cargo/[email protected] pkg:cargo/[email protected]
composer
for Composer PHP packages:
The default repository is
https://packagist.org
.The
namespace
is the vendor.The
namespace
andname
are not case sensitive and must be lowercased.Note: private, local packages may have no name. In this case you cannot create a
purl
for these.Examples:
pkg:composer/laravel/[email protected]
conan
for Conan C/C++ packages. The purl is designed to closely resemble the Conan-native <package-name>/<package-version>@<user>/<channel> syntax for package references.
name
: The Conan<package-name>
.version
: The Conan<package-version>
.namespace
: The vendor of the package.- Qualifier
user
: The Conan<user>
. Only required if the Conan package was published with<user>
. - Qualifier
channel
: The Conan<channel>
. Only required if the Conan package was published with Conan<channel>
. - Qualifier
rrev
: The Conan recipe revision (optional). If omitted, the purl refers to the latest recipe revision available for the given version. - Qualifier
prev
: The Conan package revision (optional). If omitted, the purl refers to the latest package revision available for the given version and recipe revision. - Qualifier
repository_url
: The Conan repository where the package is available (optional). If omitted,https://center.conan.io
as default repository is assumed.
Additional qualifiers can be used to distinguish Conan packages with different settings or options, e.g. os=Linux
, build_type=Debug
or shared=True
.
If no additional qualifiers are used to distinguish Conan packages build with different settings or options, then the purl is ambiguous and it is up to the user to work out which package is being referred to (e.g. with context information).
Examples:
pkg:conan/[email protected] pkg:conan/openssl.org/[email protected]?user=bincrafters&channel=stable pkg:conan/openssl.org/[email protected]?arch=x86_64&build_type=Debug&compiler=Visual%20Studio&compiler.runtime=MDd&compiler.version=16&os=Windows&shared=True&rrev=93a82349c31917d2d674d22065c7a9ef9f380c8e&prev=b429db8a0e324114c25ec387bfd8281f330d7c5c
conda
for Conda packages:
The default repository is
https://repo.anaconda.com
.The
name
is the package name.The
version
is the package version.The qualifiers:
build
is the build string.channel
is the package stored location.subdir
is the associated platform.type
is the package type.Examples:
pkg:conda/[email protected]?build=py36h06a4308_0&channel=main&subdir=linux-64&type=tar.bz2
cpan
for CPAN Perl packages:
The default repository is
https://www.cpan.org/
.The
namespace
: - To refer to a CPAN distribution name, thenamespace
MUST be present. In this case, the namespace is the CPAN id of the author/publisher. It MUST be written uppercase, followed by the distribution name in thename
component. A distribution name MUST NOT contain the string::
. - To refer to a CPAN module, thenamespace
MUST be absent. The module name MAY contain zero or more::
strings, and the module name MUST NOT contain a-
The
name
is the module or distribution name and is case sensitive.The
version
is the module or distribution version.Optional qualifiers may include:
repository_url
: CPAN/MetaCPAN/BackPAN/DarkPAN repository base URL (default ishttps://www.cpan.org
)download_url
: URL of package or distributionvcs_url
: extra URL for a package version control systemext
: file extension (default istar.gz
)
Examples:
pkg:cpan/Perl::[email protected] pkg:cpan/DROLSKY/[email protected] pkg:cpan/[email protected] pkg:cpan/GDT/URI-PackageURL pkg:cpan/LWP::UserAgent pkg:cpan/OALDERS/[email protected] pkg:cpan/URI
cran
for CRAN R packages:
The default repository is
https://cran.r-project.org
.The
name
is the package name and is case sensitive, but there cannot be two packages on CRAN with the same name ignoring case.The
version
is the package version.Examples:
pkg:cran/[email protected] pkg:cran/[email protected] pkg:cran/[email protected]
deb
for Debian, Debian derivatives, and Ubuntu packages:
There is no default package repository: this should be implied either from the
distro
qualifiers key or using a base url as arepository_url
qualifiers key.The
namespace
is the "vendor" name such as "debian" or "ubuntu". It is not case sensitive and must be lowercased.The
name
is not case sensitive and must be lowercased.The
version
is the version of the binary (or source) package.arch
is the qualifiers key for a package architecture. The special valuearch=source
identifies a Debian source package that usually consists of a Debian Source control file (.dsc) and corresponding upstream and Debian sources. Thedpkg-query
command can print thename
andversion
of the corresponding source package of a binary package:dpkg-query -f '${source:Package} ${source:Version}' -W <binary package name>
Examples:
pkg:deb/debian/[email protected]?arch=i386&distro=jessie pkg:deb/debian/[email protected]?arch=amd64&distro=stretch pkg:deb/ubuntu/[email protected]?arch=amd64 pkg:deb/debian/attr@1:2.4.47-2?arch=source pkg:deb/debian/attr@1:2.4.47-2%2Bb1?arch=amd64
docker
for Docker images:
The default repository is
https://hub.docker.com
.The
namespace
is the registry/user/organization if present.The version should be the image id sha256 or a tag. Since tags can be moved, a sha256 image id is preferred.
Examples:
pkg:docker/cassandra@latest pkg:docker/smartentry/debian@dc437cc87d10 pkg:docker/customer/dockerimage@sha256%3A244fd47e07d10?repository_url=gcr.io
gem
for RubyGems:
The default repository is
https://rubygems.org
.The
platform
qualifiers key is used to specify an alternative platform. such asjava
for JRuby. The implied default isruby
for Ruby MRI.Examples:
pkg:gem/[email protected] pkg:gem/[email protected]?platform=java
generic
for plain, generic packages that do not fit anywhere else such as
for "upstream-from-distro" packages. In particular this is handy for a plain
version control repository such as a bare git repo.
There is no default repository. A
download_url
andchecksum
may be provided in qualifiers or as separate attributes outside of apurl
for proper identification and location.When possible another or a new purl
type
should be used instead of using thegeneric
type and eventually contributed back to this specification.as for other
type
, thename
component is mandatory. In the worst case it can be a file or directory name.Examples (truncated for brevity):
pkg:generic/[email protected] pkg:generic/[email protected]?download_url=https://openssl.org/source/openssl-1.1.0g.tar.gz&checksum=sha256:de4d501267da pkg:generic/bitwarderl?vcs_url=git%2Bhttps://git.fsfe.org/dxtr/bitwarderl%40cc55108da32
github
for GitHub-based packages:
The default repository is
https://github.com
.The
namespace
is the user or organization. It is not case sensitive and must be lowercased.The
name
is the repository name. It is not case sensitive and must be lowercased.The
version
is a commit or tag.Examples:
pkg:github/package-url/purl-spec@244fd47e07d1004 pkg:github/package-url/purl-spec@244fd47e07d1004#everybody/loves/dogs
golang
for Go packages:
There is no default package repository: this is implied in the namespace using the
go get
command conventions.The
namespace
and name must be lowercased.The
subpath
is used to point to a subpath inside a package.The
version
is often empty when a commit is not specified and should be the commit in most cases when available.Examples:
pkg:golang/github.com/gorilla/context@234fd47e07d1004f0aed9c pkg:golang/google.golang.org/genproto#googleapis/api/annotations pkg:golang/github.com/gorilla/context@234fd47e07d1004f0aed9c#api
hackage
for Haskell packages:
The default repository is https://hackage.haskell.org.
The version is package version.
The name is case sensitive and use kebab-case.
Examples:
pkg:hackage/[email protected] pkg:hackage/[email protected] pkg:hackage/[email protected]
hex
for Hex packages:
The default repository is
https://repo.hex.pm
.The
namespace
is optional; it may be used to specify the organization for private packages on hex.pm. It is not case sensitive and must be lowercased.The
name
is not case sensitive and must be lowercased.Examples:
pkg:hex/[email protected] pkg:hex/acme/[email protected]. pkg:hex/[email protected]#priv/static/phoenix_html.js pkg:hex/[email protected]?repository_url=https://myrepo.example.com
huggingface
for Hugging Face ML models
The default repository is
https://huggingface.co
.The
namespace
is the model repository username or organization, if present. It is case sensitive.The
name
is the model repository name. It is case sensitive.The
version
is the model revision Git commit hash. It is case insensitive and must be lowercased in the package URL.Examples:
pkg:huggingface/distilbert-base-uncased@043235d6088ecd3dd5fb5ca3592b6913fd516027 pkg:huggingface/microsoft/deberta-v3-base@559062ad13d311b87b2c455e67dcd5f1c8f65111?repository_url=https://hub-ci.huggingface.co
luarocks
for Lua packages installed with LuaRocks:
namespace
: The user manifest under which the package is registered. If not given, the root manifest is assumed. It is case insensitive, but lowercase is encouraged since namespaces are normalized to ASCII lowercase.name
: The LuaRocks package name. It is case insensitive, but lowercase is encouraged since package names are normalized to ASCII lowercase.version
: The full LuaRocks package version, including module version and rockspec revision. It is case sensitive, and lowercase must be used to avoid compatibility issues with older LuaRocks versions. The full version number is required to uniquely identify a version.- Qualifier
repository_url
: The LuaRocks rocks server to be used; useful in case a private server is used (optional). If omitted,https://luarocks.org
as default server is assumed.
Examples:
pkg:luarocks/[email protected] pkg:luarocks/hisham/[email protected] pkg:luarocks/username/[email protected]?repository_url=https://example.com/private_rocks_server/
maven
for Maven JARs and related artifacts:
The default
repository_url
ishttps://repo.maven.apache.org/maven2
.The group id is the
namespace
and the artifact id is thename
.Known qualifiers keys are:
classifier
andtype
as defined in the POM documentation. Note that Maven uses a concept / coordinate called packaging which does not map directly 1:1 to a file extension. In this use case, we need to construct a link to one of many possible artifacts. Maven itself uses type in a dependency declaration when needed to disambiguate between them.Examples:
pkg:maven/org.apache.xmlgraphics/[email protected] pkg:maven/org.apache.xmlgraphics/[email protected]?type=pom pkg:maven/org.apache.xmlgraphics/[email protected]?classifier=sources pkg:maven/org.apache.xmlgraphics/[email protected]?type=zip&classifier=dist pkg:maven/net.sf.jacob-projec/[email protected]?classifier=x86&type=dll pkg:maven/net.sf.jacob-projec/[email protected]?classifier=x64&type=dll pkg:maven/groovy/[email protected]?repository_url=https://maven.google.com
mlflow
for MLflow ML models (Azure ML, Databricks, etc.)
The repository is the MLflow tracking URI. There is no default. Examples:
- Azure ML:
https://<region>.api.azureml.ms/mlflow/v1.0/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.MachineLearningServices/workspaces/<workspace-name>
- Azure Databricks:
https://adb-<numbers>.<number>.azuredatabricks.net/api/2.0/mlflow
- AWS Databricks:
https://dbc-<alphanumeric>-<alphanumeric>.cloud.databricks.com/api/2.0/mlflow
- GCP Databricks:
https://<numbers>.<number>.gcp.databricks.com/api/2.0/mlflow
- Azure ML:
The
namespace
is empty.The
name
is the model name. Case sensitivity depends on the server implementation:- Azure ML: it is case sensitive and must be kept as-is in the package URL.
- Databricks: it is case insensitive and must be lowercased in the package URL.
The
version
is the model version.Known qualifiers keys are:
model_uuid
andrun_id
as defined in the MLflow documentation.Examples:
pkg:mlflow/creditfraud@3?repository_url=https://westus2.api.azureml.ms/mlflow/v1.0/subscriptions/a50f2011-fab8-4164-af23-c62881ef8c95/resourceGroups/TestResourceGroup/providers/Microsoft.MachineLearningServices/workspaces/TestWorkspace pkg:mlflow/trafficsigns@10?model_uuid=36233173b22f4c89b451f1228d700d49&run_id=410a3121-2709-4f88-98dd-dba0ef056b0a&repository_url=https://adb-5245952564735461.0.azuredatabricks.net/api/2.0/mlflow
npm
for Node NPM packages:
The default repository is
https://registry.npmjs.org
.The
namespace
is used for the scope of a scoped NPM package.Per the package.json spec, new package "must not have uppercase letters in the name", therefore the must be lowercased.
Examples:
pkg:npm/[email protected] pkg:npm/%40angular/[email protected] pkg:npm/[email protected]?vcs_url=git://host.com/path/to/repo.git%404345abcd34343
nuget
for NuGet .NET packages:
The default repository is
https://www.nuget.org
.There is no
namespace
per se even if the common convention is to use dot-separated package names where the first segment isnamespace
-like.Examples:
pkg:nuget/[email protected]
qpkg
for QNX packages:
There is no default package repository: this should be implied either from the
namespace
or using a repository base URL asrepository_url
qualifiers key.The
namespace
is the vendor of the package. It is not case sensitive and must be lowercased.Examples:
pkg:qpkg/blackberry/[email protected] pkg:qpkg/blackberry/[email protected]
oci
for all artifacts stored in registries that conform to the
OCI Distribution Specification,
including container images built by Docker and others:
There is no canonical package repository for OCI artifacts. Therefore
oci
purls must be registry agnostic by default. To specify the repository, provide arepository_url
value.OCI purls do not contain a
namespace
, although,repository_url
may contain a namespace as part of the physical location of the package.The
name
is not case sensitive and must be lowercased. The name is the last fragment of the repository name. For example if the repository name islibrary/debian
then thename
isdebian
.The
version
is thesha256:hex_encoded_lowercase_digest
of the artifact and is required to uniquely identify the artifact.Optional qualifiers may include:
arch
: key for a package architecture, when relevant.repository_url
: A repository URL where the artifact may be found, but not intended as the only location. This value is encouraged to identify a location the content may be fetched.tag
: artifact tag that may have been associated with the digest at the time.
Examples:
pkg:oci/debian@sha256%3A244fd47e07d10?repository_url=docker.io/library/debian&arch=amd64&tag=latest pkg:oci/debian@sha256%3A244fd47e07d10?repository_url=ghcr.io/debian&tag=bullseye pkg:oci/static@sha256%3A244fd47e07d10?repository_url=gcr.io/distroless/static&tag=latest pkg:oci/hello-wasm@sha256%3A244fd47e07d10?tag=v1
pub
for Dart and Flutter packages:
The default repository is
https://pub.dartlang.org
.Pub normalizes all package names to be lowercase and using underscores. The only allowed characters are [a-z0-9_].
More information on pub naming and versioning is available in the [pubspec documentation](https://dart.dev/tools/pub/pubspec)
Examples:
pkg:pub/[email protected] pkg:pub/[email protected]
pypi
for Python packages:
The default repository is
https://pypi.org
. (Previouslyhttps://pypi.python.org
.)PyPI treats
-
and_
as the same character and is not case sensitive. Therefore a PyPI packagename
must be lowercased and underscore_
replaced with a dash-
.The
file_name
qualifier selects a particular distribution file (case-sensitive). For naming convention, see the Python Packaging User Guide on source distributions, binary distributions, and platform compatibility tags.Examples:
pkg:pypi/[email protected] pkg:pypi/[email protected]?filename=Django-1.11.1.tar.gz pkg:pypi/[email protected]?filename=Django-1.11.1-py2.py3-none-any.whl pkg:pypi/[email protected]
rpm
for RPMs:
There is no default package repository: this should be implied either from the
distro
qualifiers key or using a repository base URL asrepository_url
qualifiers key.The
namespace
is the vendor such as Fedora or OpenSUSE. It is not case sensitive and must be lowercased.The
name
is the RPM name and is case sensitive.The
version
is the combined version and release of an RPM.epoch
(optional for RPMs) is a qualifier as it's not required for unique identification, but when the epoch exists we strongly encourage using it.arch
is the qualifiers key for a package architecture.Examples:
pkg:rpm/fedora/[email protected]?arch=i386&distro=fedora-25 pkg:rpm/[email protected]?arch=i686&epoch=1&distro=fedora-25
swid
for ISO-IEC 19770-2 Software Identification (SWID) tags:
- There is no default package repository.
- The
namespace
is the optional name and regid of the entity with a role of softwareCreator. If specified, name is required and is the first segment in the namespace. If regid is known, it must be specified as the second segment in the namespace. A maximum of two segments are supported. - The
name
is the name as defined in the SWID SoftwareIdentity element. - The
version
is the version as defined in the SWID SoftwareIdentity element. - The qualifier
tag_id
must not be empty and corresponds to the tagId as defined in the SWID SoftwareIdentity element. Per the SWID specification, GUIDs are recommended. If a GUID is used, it must be lowercase. If a GUID is not used, the tag_id qualifier is case aware but not case sensitive. - The qualifier
tag_version
is an optional integer and corresponds to the tagVersion as defined in the SWID SoftwareIdentity element. If not specified, defaults to 0. - The qualifier
patch
is optional and corresponds to the patch as defined in the SWID SoftwareIdentity element. If not specified, defaults to false. - The qualifier
tag_creator_name
is optional. If the tag creator is different from the software creator, the tag_creator_name qualifier should be specified. - The qualifier
tag_creator_regid
is optional. If the tag creator is different from the software creator, the tag_creator_regid qualifier should be specified.
Use of known qualifiers key/value pairs such as download_url
can be used to specify where the package was retrieved from.
Examples:
pkg:swid/Acme/example.com/[email protected]?tag_id=75b8c285-fa7b-485b-b199-4745e3004d0d pkg:swid/Fedora@29?tag_id=org.fedoraproject.Fedora-29 pkg:swid/Adobe+Systems+Incorporated/Adobe+InDesign@CC?tag_id=CreativeCloud-CS6-Win-GM-MUL
swift
for Swift packages:
There is no default package repository: this should be implied from
namespace
.The
namespace
is source host and user/organization and is required.The
name
is the repository name.The
version
is the package version and is required.Examples:
pkg:swift/github.com/Alamofire/[email protected] pkg:swift/github.com/RxSwiftCommunity/[email protected]
apache
for Apache projects packages:android
for Android apk packages:atom
for Atom packages:bower
for Bower JavaScript packages:brew
for Homebrew packages:buildroot
for Buildroot packagescarthage
for Cocoapods Cocoa packages:chef
for Chef packages:chocolatey
for Chocolatey packagesclojars
for Clojure packages:coreos
for CoreOS packages:ctan
for CTAN TeX packages:crystal
for Crystal Shards packages:drupal
for Drupal packages:dtype
for DefinitelyTyped TypeScript type definitions:dub
for D packages:elm
for Elm packages:eclipse
for Eclipse projects packages:gitea
for Gitea-based packages:gitlab
for GitLab-based packages:gradle
for Gradle pluginsguix
for Guix packages:haxe
for Haxe packages:helm
for Kubernetes packagesjulia
for Julia packages:melpa
for Emacs packagesmeteor
for Meteor JavaScript packages:nim
for Nim packages:nix
for Nixos packages:opam
for OCaml packages:openwrt
for OpenWRT packages:osgi
for OSGi bundle packages:p2
for Eclipse p2 packages:pear
for Pear PHP packages:pecl
for PECL PHP packages:perl6
for Perl 6 module packages:platformio
for PlatformIO packages:ebuild
for Gentoo Linux portage packages:puppet
for Puppet Forge packages:sourceforge
for Sourceforge-based packages:sublime
for Sublime packages:terraform
for Terraform modulesvagrant
for Vagrant boxesvim
for Vim scripts packages:wordpress
for Wordpress packages:yocto
for Yocto recipe packages:
This document is licensed under the MIT license.