Dependency Submission API doesn't allow arbitrary package URL types

[jamietanna]

Select Topic Area

Bug

Body

As noted in package-url/purl-spec#286, the GitHub's Dependency Submission API, which consumes pURL(s) appears to be rejecting pURLs with arbitrary types, which seems unexpected.

I've asked for clarification in package-url/purl-spec#286 for the spec's purposes, and also raising here for visibility.

I would expect that the API would allow augmenting with any package data, rather than requiring it just be "known" types.

As noted in package-url/purl-spec#286 (comment), the

(Aside: I believe that in the above case, a translation from pkg:mix -> pkg:hex would make sense)

However, there will still be package types that aren't "known" - for instance organisation-specific ones - and therefore restricting usage of them in the API is a little frustrating.

[queenofcorgis]

@h4md153v63n
We’ve clarified our stance on using generative AI tools like ChatGPT within our Community via this announcement. Please review the guidelines to ensure your post meets them as failure to adhere to those rules can result in action taken by our moderator team.  You can read our updated Code of Conduct and the announcement for more details. Thank you for helping us maintain an authentic and beneficial space for everyone.

[jamietanna]

This is now supported 👏🏽 https://github.blog/changelog/2025-04-03-dependency-graph-supports-all-purl-identified-package-ecosystems