diff --git a/plugins/llm-security/knowledge/typosquat-allowlist.json b/plugins/llm-security/knowledge/typosquat-allowlist.json
index 65c6401..3560fcd 100644
--- a/plugins/llm-security/knowledge/typosquat-allowlist.json
+++ b/plugins/llm-security/knowledge/typosquat-allowlist.json
@@ -1,5 +1,5 @@
 {
- "_comment": "Known legitimate packages that trigger false positive typosquatting alerts due to short names or Levenshtein proximity to top packages. Normalized: lowercase, hyphens.",
+ "_comment": "Known legitimate packages that trigger false positive typosquatting alerts due to short names or Levenshtein proximity to top packages. Normalized: lowercase, hyphens. Extended in v7.0.0 with short-named legit packages observed flagged against top-200 (knip vs knex, oxlint vs eslint, tsx vs nx, etc.).",
 "npm": [
 "ms",
 "acorn",
@@ -20,7 +20,29 @@
 "keyv",
 "punycode",
 "escalade",
- "fdir"
+ "fdir",
+ "knip",
+ "oxlint",
+ "tsx",
+ "nx",
+ "rimraf",
+ "glob",
+ "tar",
+ "zod",
+ "ky",
+ "ow",
+ "esm",
+ "ip",
+ "qs",
+ "url",
+ "prettier",
+ "vitest",
+ "vite",
+ "rollup",
+ "swc",
+ "turbo",
+ "bun",
+ "deno"
 ],
 "pypi": [
 "six",
@@ -30,6 +52,11 @@
 "idna",
 "attrs",
 "boto",
- "jedi"
+ "jedi",
+ "uv",
+ "ruff",
+ "rich",
+ "typer",
+ "anyio"
 ]
 }
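Review bot: The `_comment` in the first hunk does not say how the entries are matched, and the second and third hunks add two- and three-letter names (`nx`, `ky`, `ow`, `ip`, `qs`, `uv`, `tsx`) plus names that are themselves top packages (`url`, `glob`, `tar`, `esm`); if the consumer does anything looser than an exact comparison after normalization (prefix, substring, or a Levenshtein radius around each allowlisted name), these entries would silence alerts for exactly the neighbours a typosquat detector exists to catch. The file should state the contract so a later change to the matcher is checked against it, e.g. `"_comment": "Exact-match allowlist, compared after normalization (lowercase, hyphens). An entry suppresses the alert only for the identical name, never for names near it."` — I cannot see the matcher from this diff, so confirm that is what it implements. The version-specific history now appended to `_comment` ("Extended in v7.0.0 ...") will drift as entries are added; keeping it in the changelog and leaving `_comment` to the invariant would be clearer, and a per-entry reason (which top package each name collided with) would make future pruning of the list reviewable.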