Currently only index projects use PURL as their canonical identifier in lockfile/env. But even they use unversioned PURL, so if multiple versions of the same project are present, dependency graph cannot be unambiguosly constructed from the information provided.
Non-index projects that contain publisher/name complying with our rules don't use PURL as their canonical identifier (unless they were added using this identifier). PURL results in much nicer paths for the environment, so it would be nice to use the PURL there. Lockfile cannot in general use PURLs as canonical identifiers in such cases, since it needs to preserve
lockfile<->.project.json mapping.
Currently only index projects use PURL as their canonical identifier in lockfile/env. But even they use unversioned PURL, so if multiple versions of the same project are present, dependency graph cannot be unambiguosly constructed from the information provided.
Non-index projects that contain publisher/name complying with our rules don't use PURL as their canonical identifier (unless they were added using this identifier). PURL results in much nicer paths for the environment, so it would be nice to use the PURL there. Lockfile cannot in general use PURLs as canonical identifiers in such cases, since it needs to preserve
lockfile<->
.project.jsonmapping.