Online / 5 & 6 February 2022


Package URL and Version range spec

Towards mostly universal dependency resolution


Package URLs are a compact way to identify software packages across multiple ecosystems. Together with the new "vers" Version Range Specifier, these two mini specs will offer a new way to create new, mostly universal dependency resolvers and installers, working across ecosystems.

Because no tech stack is an island running on a single programming language and in a single package ecosystem, we need a way to talk about packages across ecosystems: talk about their type, name, location, version and dependent version ranges. purl and vers are an attempt to solve this problem.

How to talk about packages, dependencies and vulnerabilities using a common language?

I will present Package URL, a way to reference packages across ecosystems which is emerging as a de-facto standard. And I will introduce a new, work-in-progress, mostly universal notation to express version ranges, to be used both in resolving package dependencies, as in "I require package foo, version 2.0 or later", and in referencing affected vulnerable package versions, as in "vulnerability CVE-123 affects package bar, version 3.1 and version 4.2 but not version 5".

These two will show a way to create new, mostly universal dependency resolvers and installers, working across ecosystems, and we will promote the rise of universal package management where one tool and one unified spec can rule them all.
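As an added illustration (my own code, not part of the talk or of the purl/vers projects), the following parses a Package URL into its parts and decides whether a concrete version falls inside a vers range, using the two examples from the abstract ("foo 2.0 or later", "bar 3.1 and 4.2 but not 5"). It assumes the purl layout `pkg:type/namespace/name@version?qualifiers#subpath`, the vers notation `vers:<scheme>/<constraint>|<constraint>...` with `>=`, `<=`, `>`, `<`, `=`, `!=` and `*`, and plain dotted-numeric versions; `npm` is used as a placeholder scheme.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> PackageURL:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a Package URL: " + purl)
    rest = purl[4:].lstrip("/").split("#", 1)[0].split("?", 1)[0]  # drop subpath and qualifiers
    path, _, version = rest.partition("@")
    parts = [unquote(p) for p in path.split("/") if p]
    ptype, *namespace, name = parts
    return PackageURL(ptype, "/".join(namespace) or None, name, unquote(version) or None)


Version = Tuple[int, ...]
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def parse_version(v: str) -> Version:
    # Assumption: dotted-numeric versions only; a real resolver would apply the scheme's own ordering.
    return tuple(int(x) for x in v.split("."))


def parse_vers(vers: str) -> Tuple[str, List[Tuple[str, Version]]]:
    """vers:<scheme>/<c1>|<c2>...; a bare version means equality, '*' means any version."""
    if not vers.startswith("vers:"):
        raise ValueError("not a vers range: " + vers)
    scheme, _, body = vers[5:].partition("/")
    if body == "*":
        return scheme, [("*", ())]
    constraints = []
    for c in body.split("|"):
        op = next((o for o in (">=", "<=", "!=", ">", "<", "=") if c.startswith(o)), "")
        constraints.append((op or "=", parse_version(c[len(op):])))
    return scheme, sorted(constraints, key=lambda t: t[1])  # sorted by version before pairing bounds


def contains(vers: str, version: str) -> bool:
    """True if version is in the range: '!=' excludes, '=' matches, then sorted bounds pair up."""
    _, cs = parse_vers(vers)
    if any(op == "*" for op, _ in cs):
        return True
    v = parse_version(version)
    if any(op == "!=" and v == ver for op, ver in cs):
        return False
    if any(op == "=" and v == ver for op, ver in cs):
        return True
    bounds = [(op, ver) for op, ver in cs if op in OPS]
    if not bounds:
        return False
    if bounds[0][0].startswith("<") and OPS[bounds[0][0]](v, bounds[0][1]):
        return True  # open lower side, e.g. vers:npm/<2.0
    if bounds[-1][0].startswith(">") and OPS[bounds[-1][0]](v, bounds[-1][1]):
        return True  # open upper side, e.g. vers:npm/>=2.0
    return any(lo_op.startswith(">") and hi_op.startswith("<") and OPS[lo_op](v, lo) and OPS[hi_op](v, hi)
               for (lo_op, lo), (hi_op, hi) in zip(bounds, bounds[1:]))


# Constructed ranges mirroring the abstract's two examples (npm is a placeholder scheme).
REQUIRES_FOO = "vers:npm/>=2.0"       # "I require package foo, version 2.0 or later"
CVE_AFFECTS_BAR = "vers:npm/3.1|4.2"  # "affects bar 3.1 and 4.2 but not 5"
```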

Speakers

Philippe Ombredanne
