Ideas for the CPAN Meta v3 Specification

By Robert Rothenberg on May 4, 2026 6:12 PM under Metadata

At the 2026 Perl Toolchain Summit Salve Nilsen and I proposed some ideas that we have been discussing on and off for the past several months for CPANSec, for a CPAN Meta v3 Specification.

Why does the specification need to be extended?

Version 2 of the CPAN Meta Spec (CPAN distributio n metadata specification) is does not allow the addition of new data, except using fields prefixed by "x_".

However, there is a need to include additional metadata about:

external dependencies (services, libraries, files, or environment variable)
embedded external libraries, e.g. zlib or bootstrap.
licensing
vulnerability reporting
parent-child relationships (e.g. forked project)
fixed vulnerabilities in this fork or in embedded libraries
code and documentation generated through automation or using LLMs
how and where to report security vulnerabilities
project funding and sponsorship
how the project is supported by the maintainers
enumeration of community health documents, e.g. SECURITY.md, GOVERNANCE.md and AI_POLICY.md

This is too much information to embed in existing META.json files, and some of this metadata exists in alternative formats, for example:

SBOM (Software Bill of Materials) files
Attestations
VEX files
Common Lifecycle Enumeration (CLE)
Project Description (DOAP) file
OSSF Security Insights File
REUSE

Note that most of this data is not necessary for installing CPAN modules. It exists mainly for documentation and auditing:

generating SBOMs for an application using its dependencies
auditing software for security vulnerabilities
auditing software for license compliance
displaying the external documentation for a module such as the security policy

Specification

The specification is simple:

All new metadata will be saved in the CPAN-META directory at the root of the distribution and software repository.
All files and subdirectories saved in that directory will have well-known names.

Currently there is automation-policy.json for the AI and Automation Policy metadaya, that I have worked with Nicolas Rochelemagne. This will be discussed in a separate blog post.
The metadata should never be added as "x_" keys to the META.yml or META.json files.
This metadata may be provided as a separate file from a distribution.

The proposed specification can be found at https://github.com/CPAN-Security/cpan-metadata-v3

To suggest addition or changes, please create an issue or pull request.

Tooling

There are not yet tools for handling the METAv3 specification.

The tools will need to minimise the workload for project maintainers.

Modules should be configurable, testable and installable without any tools that support this specification. However, metadata may be useful for tools that understand them, for example, to ensure external dependencies are met.

Thanks

Thanks to the organisers of the PTS for their hard work and hospitality, and to the sponsors who are keeping the Perl ecosystem growing:

The Perl and Raku Foundation,
Grant Street Group,
Geizhals Preisvergleich,
Vienna.pm,
SUSE,
Trans-Formed Media LLC, - Ctrl O,
Simplelists,
Harald Joerg,
Michele Beltrame (Sigmafin),
Laurent Boivin.

9 comments

Tagged as:

auditing, cpansec, metadata, perl toolchain summit, security

9 Comments

Ron Savage | May 5, 2026 12:25 AM | Reply

I'm adding some notes from this post to my Perl.Wiki.html (https://savage.net.au/), & I have a few comments:
(1) I hope the new spec expands all acronyms as I do in my wiki.
(2) Specifically I searched for Common Lifecycle Enumeration (CLE) on Wikipedia but could not find anything. Is it the same as:
SDLC:
- Systems Development Life Cycle
- https://en.wikipedia.org/wiki/Systems_development_life_cycle

Ron Savage | May 5, 2026 12:55 AM | Reply

(3) What is OSS? It's not on Wikipedia, but FOSS is. Are they the same?

Ron Savage | May 5, 2026 1:07 AM | Reply

Oops. I meant OSSF.

lichtkind | May 5, 2026 2:16 PM | Reply

All fine, but what I need most in Metacpan is a navigation by topic/content.

Ron Savage | May 6, 2026 1:28 AM | Reply

Hi lichtkind
Actually that's what I deliver with my Perl.Wiki. I invented 200 topics into which I classify (currently) 4859 modules....
See my Wiki Haven.

lichtkind | May 6, 2026 8:39 AM | Reply

What a task, I have to take it into my link list. But I saw no topic 'Graphics'. And some sorting flags (by latest release, stars, etc) would be nice.

Ron Savage | May 7, 2026 5:01 AM | Reply

Firstly, in TiddlyWikis topic names are CamelCase, otherwise as [[RSS]] (displayed as RSS).

The graphs topic in the MainMenu is called Graphs, and it links to ChartingAndPlotting.

Ron Savage | May 7, 2026 5:10 AM | Reply

If I even automate the transfer of details from https://metacpan.org/recent to Perl.Wiki, then release dates & authorship might be included.

Stars...Hmmm. Maybe, but they are quite subjective. And anyway, a recent module which is brilliant would have no stars.
Eg: Geo::Leaflet.

Sorting flags...Hmmm.

john napiorkowski | May 11, 2026 5:38 PM | Reply

Seems like a lot of fields, what makes the proposer of this think that open source devs working on their spare time is going to spend precious free hours of this time on some of these things? We can’t even get CPAN authors to digitally sign distributions, which would actually be useful and that been around at least 20 years.

I would say you have to build a case that devs need to spend the time on this. From a look over a good amount of this is being driven by that EU rule that not all of us are acknowledging as valid. Just on that alone I’m personally dubious.

Name

Email Address

URL

Remember personal info?

Comments (You may use HTML tags for style)

About Robert Rothenberg

I was born on the Moon but kidnapped by astronauts and raised in the suburbs of Grumman. Eventually, I drifted along the Gulf Stream to Northern Europe.

More info »

Robert Rothenberg