fix: address decodeURIComponent errors

[jdalton]

PR to address #75.

I'm still noodling on normalization behavior of the constructor. We may be able to tweak it to how URLSearchParams does it (it must have some encoding detection).

Update:

After reviewing new URL(), and new URLSearchParams() we can avoid decodeURIComponent during normalization and only use it in parseString.

[matt-phylum]

I'm a little worried about this. If somebody writes pkg:generic/whatever#100% it will do what they want, but if somebody writes pkg:generic/whatever#100%/100%25, the subpath will be 100%/100%25 because the decoding error applies to the entire component.

Implementations are inconsistent.

• error: anchore/packageurl-go, package-url/packageurl-go, package-url/packageurl-java, package-url/packageurl-js (2.0.0), sonatype/package-url-java
• 100%/100%: althonos/packageurl.rs, giterlizzi/perl-URL-PackageURL, package-url/packageurl-dotnet, package-url/packageurl-php, package-url/packageurl-python, package-url/packageurl-swift, phylum-dev/purl
• 100%/100%25: maennchen/purl, package-url/packageurl-ruby, package-url/packageurl-js (this code)

It probably doesn't matter because it's an invalid PURL to begin with.

[jdalton]

@matt-phylum Thank you for digging into this. It is interesting.

new URL('pkg:generic/whatever#100%/100%25').toString()
// -> 'pkg:generic/whatever#100%/100%25'

While

PackageURL.fromString('pkg:generic/whatever#100%/100%25').toString()
-> 'pkg:generic/whatever#100%25/100%2525'

Updated PR to error:

PurlError: Invalid purl: unable to decode "subpath" component

[jdalton]

@steven-esser could you cut a patch release at your convenience 🙏

[steven-esser]

@jdalton Will do

[steven-esser]

@jdalton v2.0.1 published to npmjs: https://www.npmjs.com/package/packageurl-js/v/2.0.1

[jdalton]

Thank you @steven-esser 🕺