feat: security hardening, primordials, VERS, URL-to-PURL, DX improvements (v1.4.0)

.config/esbuild.config.mjs

@@ -216,7 +216,7 @@ function createPathShorteningPlugin() {
 
 // Build configuration for CommonJS output
 export const buildConfig = {
-  entryPoints: [`${srcPath}/index.ts`],
+  entryPoints: [`${srcPath}/index.ts`, `${srcPath}/exists.ts`],
   outdir: distPath,
   outbase: srcPath,
   bundle: true,

CHANGELOG.md

@@ -4,6 +4,43 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.4.0](https://github.com/SocketDev/socket-packageurl-js/releases/tag/v1.4.0) - 2026-03-28
+
+### Added
+
+- **VERS parser**: First JavaScript implementation of the VERS (VErsion Range Specifier) companion spec to PURL. Supports parsing, serialization, and containment checking for semver-based schemes (npm, cargo, golang, gem, hex, pub, cran, swift)
+- **URL-to-PURL conversion**: `UrlConverter.fromUrl()` converts registry URLs to PackageURLs across 27 hostnames and 17 purl types (npm, pypi, maven, cargo, nuget, github, gitlab, bitbucket, docker, hex, pub, cocoapods, hackage, conda, cpan, luarocks, huggingface, swift, cran, vscode)
+- **`toSpec()` method**: Returns the package identity without the `pkg:type/` prefix (the npm "spec" equivalent)
+- **`isValid()` static method**: Quick validation without throwing
+- **`fromUrl()` static method**: Convenience wrapper for `UrlConverter.fromUrl()`
+- **Immutable copy methods**: `withVersion()`, `withNamespace()`, `withQualifier()`, `withQualifiers()`, `withSubpath()` return new instances
+- **PurlBuilder factories**: Added 18 new type factories (bitbucket, cocoapods, conan, conda, cran, deb, docker, github, gitlab, hackage, hex, huggingface, luarocks, oci, pub, rpm, swift, vscode-extension)
+- **Injection character detection**: `containsInjectionCharacters()` utility for shell metacharacter detection
+- **`vers` qualifier**: Added 6th standard qualifier per purl spec
+- **`./exists` entry point**: Registry existence checks available via `@socketregistry/packageurl-js/exists`
+
+### Changed
+
+- **Bundle size reduced 95%**: Core bundle is 178 KB (was 3.3 MB). Exists functions moved to separate entry point to avoid bundling HTTP dependencies
+- **Primordials module**: All 43 built-in references captured at module load time via `uncurryThis` pattern (mirrors Node.js internals). Zero raw prototype method calls remain
+- **Frozen constants**: Module-level Maps, Sets, regex patterns, and arrays are frozen
+- **Null prototype objects**: All user-facing object literals use `__proto__: null`
+- **Flyweight cache**: `fromString()` caches up to 1024 instances; `toString()` memoized
+- **Version lowercasing**: Added for oci, pypi, and vscode-extension per upstream spec
+
+### Fixed
+
+- **ReDoS prevention**: Consecutive `.*` groups collapsed in wildcard regex
+- **Null byte rejection**: All string components reject `\x00` to prevent truncation in C-based consumers
+- **VERS resource limits**: 1000 constraint maximum, MAX_SAFE_INTEGER validation
+- **vscode-extension validation**: Rejects illegal characters in namespace, name, version, and platform qualifier
+
+### Security
+
+- Prototype pollution resilience via primordials (captured String, Array, RegExp, Object, Reflect methods)
+- Global tampering protection verified (replacing `global.URL` after import has no effect)
+- Inline regex patterns hoisted to frozen module-scope constants
+
 ## [1.3.5](https://github.com/SocketDev/socket-packageurl-js/releases/tag/v1.3.5) - 2025-11-02
 
 ### Changed

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketregistry/packageurl-js",
-  "version": "1.3.5",
+  "version": "1.4.0",
   "packageManager": "pnpm@10.33.0",
   "license": "MIT",
   "description": "Socket.dev optimized package override for packageurl-js",
@@ -20,6 +20,10 @@
       "types": "./dist/index.d.ts",
       "default": "./dist/index.js"
     },
+    "./exists": {
+      "types": "./dist/exists.d.ts",
+      "default": "./dist/exists.js"
+    },
     "./data/npm/builtin-names.json": "./data/npm/builtin-names.json",
     "./data/npm/legacy-names.json": "./data/npm/legacy-names.json",
     "./package.json": "./package.json"
@@ -58,7 +62,7 @@
     "@babel/parser": "7.29.0",
     "@dotenvx/dotenvx": "1.52.0",
     "@oxlint/migrate": "1.51.0",
-    "@socketsecurity/lib": "5.11.3",
+    "@socketsecurity/lib": "5.11.4",
     "@socketsecurity/registry": "2.0.2",
     "@types/node": "24.9.2",
     "@types/picomatch": "4.0.2",