Package-URL Project
Software ecosystems have evolved into highly interconnected networks of components, packages, and dependencies. Managing this complexity demands a robust, uniform mechanism to identify and track software packages (and their versions) across diverse ecosystems and tools.
The Package-URL project was developed to address this challenge by creating:
- PURL (Package-URL): a standard URL-based syntax to identify software packages, independent from their ecosystem or distribution channel, and
- VERS (VErsion Range Specifier): a standard URI-based syntax to define package version ranges, together with the version semantics (algorithm or procedure) used to interpret a version range notation.
PURL
PURL embeds critical software package metadata directly into its structure, enabling efficient and accurate package identification at scale. Each PURL type provides a standard way to identify, locate, and provision software packages according to the conventions and protocols for a package manager, platform, or ecosystem. This standardization ensures interoperability between tools and ecosystems, fostering greater collaboration and reducing ambiguity in software supply chain management.
Challenges addressed by PURL:
- Ambiguity in Package Identification: With diverse naming conventions across ecosystems, identifying software packages reliably has historically been a challenge. PURL eliminates this ambiguity by creating a universal identifier with a predictable structure.
- Cross-Ecosystem Interoperability: Developers, organizations, and tools often work across multiple ecosystems, each with its own package management systems. PURL harmonizes these differences, enabling seamless interoperability.
- Enhanced Traceability and Risk Management: In an era where supply chain security is critical, PURL provides the foundation for identifying and tracing packages to their origins, dependencies, and potential vulnerabilities.
- Tooling and Automation: By standardizing package identification, PURL simplifies tooling development, automation, and integration for tasks such as software composition analysis, vulnerability management, and license compliance.
See the PURL section of this website for details about:
- The PURL specification
- How to build, parse or test a PURL
- The current set of registered PURL types
PURL was approved by Ecma International as ECMA-427 in December 2025 and is on a fast track to become an ISO standard.
VERS
VERS provides a structured notation that defines software package version ranges and provides rules to resolve the content of a version range. Each VERS scheme provides a standard way to define and resolve a version range for a package manager, platform, or ecosystem. The construction and validation rules are designed such that a VERS is easy to read and understand by humans and straightforward to process by tools. This standardization ensures more accurate and consistent analysis of package version dependencies and the impact of known vulnerabilities or bugs on a software package.
Challenges addressed by VERS:
- Ambiguity of package dependencies: With diverse version range notations across ecosystems, accurately and consistently identifying software package dependencies is a long-standing problem. VERS eliminates this ambiguity by creating a universal version range notation with a predictable structure.
- Ambiguity of package versions affected by a vulnerability: With diverse version range notations across ecosystems, accurately and consistently identifying software package versions affected by a vulnerability or bug is extremely difficult. VERS eliminates this ambiguity by creating a universal version range notation with a predictable structure.
- Tooling and Automation: By standardizing version range analysis, VERS simplifies tooling development, automation, and integration for tasks such as software composition analysis and software vulnerability management.
See the VERS section of this website for details about:
- The VERS specification
- How to parse and validate a VERS
VERS will be submitted to Ecma as a new standard later in 2026.
PURL and VERS
The PURL and VERS specifications are synergistic in several ways, including:
- A VERS version-scheme can be defined for a PURL type.
- You can use the 'vers' qualifiers key in a PURL to identify a version range for a package.
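The second point above, as an added example (not code from the Package-URL project): a simplified Python parser that splits a PURL into its components and, when a 'vers' qualifier is present, breaks the embedded VERS into its constraints. The syntax details follow the PURL and VERS specifications rather than this page, the function names are hypothetical, and the sample package and range are constructed.

```python
from urllib.parse import unquote

COMPARATORS = ("!=", "<=", ">=", "<", ">", "=")  # two-character forms first


def parse_vers(vers):
    """Split 'vers:<scheme>/<c1>|<c2>' into (scheme, [(comparator, version), ...])."""
    prefix, _, rest = vers.partition(":")
    scheme, _, spec = rest.partition("/")
    if prefix != "vers" or not scheme or not spec:
        raise ValueError("not a VERS string: %r" % vers)
    constraints = []
    for item in (part.strip() for part in spec.split("|")):
        if item == "*":  # "*" matches every version
            constraints.append(("*", ""))
            continue
        op = next((c for c in COMPARATORS if item.startswith(c)), "")
        version = unquote(item[len(op):])
        if not version:
            raise ValueError("constraint without a version: %r" % item)
        constraints.append((op or "=", version))  # bare version means equality
    return scheme.lower(), constraints


def parse_purl(purl):
    """Simplified PURL parse; a 'vers' qualifier is also returned parsed as 'range'."""
    scheme, _, rest = purl.partition(":")
    if scheme.lower() != "pkg":
        raise ValueError("not a PURL: %r" % purl)
    rest, _, subpath = rest.partition("#")
    path, _, query = rest.partition("?")
    version = ""
    if "@" in path:
        path, _, version = path.rpartition("@")
    segments = [unquote(s) for s in path.strip("/").split("/") if s]
    if len(segments) < 2:
        raise ValueError("PURL needs a type and a name")
    pairs = (q.partition("=") for q in query.split("&") if q)
    qualifiers = {k.lower(): unquote(v) for k, _, v in pairs if v}
    # Per the PURL specification, 'vers' and the version component are exclusive.
    if "vers" in qualifiers and version:
        raise ValueError("'vers' qualifier and version component are mutually exclusive")
    return {
        "type": segments[0].lower(), "namespace": "/".join(segments[1:-1]),
        "name": segments[-1], "version": unquote(version),
        "qualifiers": qualifiers, "subpath": unquote(subpath).strip("/"),
        "range": parse_vers(qualifiers["vers"]) if "vers" in qualifiers else None,
    }


# Constructed sample: a hypothetical package with a constructed version range.
SAMPLE = "pkg:pypi/example-lib?vers=vers:pypi/%3E%3D1.11.0%7C%21%3D1.11.1%7C%3C2.0.0"
```

Rejecting a PURL that carries both a version and a 'vers' qualifier keeps a scanner from silently picking one of the two when matching packages against advisory ranges.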
Adopters
The Specifications and Tools that have adopted PURL or VERS (or both) are documented in the Getting Started section.
General Information
Community meetings
The PURL community has two recurring meetings where we discuss PURL and VERS:
- Community meetings biweekly on Wednesdays.
- TC54/TG2 meetings biweekly on Fridays.
See Upcoming Meetings at Package-URL | TC54 for details about the dates and times.
Releases
Release v1.0.0
The 1st edition of the PURL specification was approved by the Ecma General Assembly on 2025-12-10 and has been designated ECMA-427.
The first release (v1.0.0) of the purl-spec project followed on 2025-12-18.