Encode "+" as "%2B" since "+" is a valid SemVer character.

[tiegz]

Currently this library is generating PURLs like pkg:golang/github.com/azure/azure-sdk-for-go@v56.3.0+incompatible.

The PURL spec says that versions should be a "percent-encoded string", and while the + character is fine to use while escaping for application/x-www-form-urlencoded content, the original RFC3986 spec for general URIs does not mention using + to escape .

I think it's preferable to escape + because downstream parsers of the URL will likely unescape the + as , resulting in invalid PURL versions as in pkg:golang/github.com/azure/azure-sdk-for-go@v56.3.0 incompatible.

There's a good analysis of this problem in package-url/purl-spec#261 as well.

[tiegz]

note that url.QueryEscape will encode +, but that method was replaced with PathEscape in #1

[tiegz]

before the fix in this PR, this test would fail as:

packageurl_test.go:389: expected pkg:type/name/space/name@versio%20n%2Bbeta?key=value#sub/path to parse as pkg:type/name/space/name@versio%20n%2Bbeta?key=value#sub/path but got pkg:type/name/space/name@versio%20n+beta?key=value#sub/path

[tiegz]

another example where not-escaping + is undesirable: "pkg:rpm/rhel/libstdc++@8.5.0-18.el8". Downstream Purl libraries will likely interpret that package name as "libstdc "

[RicardoAReyes]

Has the anchor community looked into merging this code?

[wagoodman]

I'll work on getting CI passing -- thanks for the fix! 🙌

[wagoodman]

Thanks for the fix!