From 4c982dfb88234dab5a83f528b9523b9a28c8bfa9 Mon Sep 17 00:00:00 2001
From: Kjell Tore Guttormsen
Date: Sun, 19 Apr 2026 22:03:46 +0200
Subject: [PATCH] =?UTF-8?q?feat(llm-security):=20v7.0.0=20commit=204=20?= =?UTF-8?q?=E2=80=94=20typosquat=20allowlist=20for=20short=20legit=20names?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hyperframes scan flagged knip vs knex, oxlint vs eslint, tsx vs nx, rimraf vs trim as HIGH typosquats. All four are legitimate top-1000 npm packages; short names just happen to be within Levenshtein ≤2 of other top packages. These shouldn't generate HIGH severity on a clean install. Added to npm allowlist: knip, oxlint, tsx, nx, rimraf, glob, tar, zod, ky, ow, esm, ip, qs, url, prettier, vitest, vite, rollup, swc, turbo, bun, deno. Added to pypi allowlist: uv, ruff, rich, typer, anyio. Dep-auditor normalization (lowercase + [_.-] → -) already applied at load time. dep.test.mjs: 11/11 still green — lodsah→lodash detection preserved.

Co-Authored-By: Claude Opus 4.7
---
 .../knowledge/typosquat-allowlist.json | 33 +++++++++++++++++--
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/plugins/llm-security/knowledge/typosquat-allowlist.json b/plugins/llm-security/knowledge/typosquat-allowlist.json
index 65c6401..3560fcd 100644
--- a/plugins/llm-security/knowledge/typosquat-allowlist.json
+++ b/plugins/llm-security/knowledge/typosquat-allowlist.json
@@ -1,5 +1,5 @@
 {
- "_comment": "Known legitimate packages that trigger false positive typosquatting alerts due to short names or Levenshtein proximity to top packages. Normalized: lowercase, hyphens.",
+ "_comment": "Known legitimate packages that trigger false positive typosquatting alerts due to short names or Levenshtein proximity to top packages. Normalized: lowercase, hyphens. Extended in v7.0.0 with short-named legit packages observed flagged against top-200 (knip vs knex, oxlint vs eslint, tsx vs nx, etc.).",
 "npm": [
 "ms",
 "acorn",
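Review bot: The rewritten `_comment` still omits the one fact a future editor of this list most needs: whether an entry suppresses the alert only when the normalized installed name equals the entry exactly, or whenever a scanned name is near it. The commit body implies exact match (the lodsah→lodash regression test is reported still green), so the comment should pin that contract, e.g. append `Entries match the normalized installed name exactly; they never widen the tolerance around a top package.` If the auditor's lookup were instead proximity-based, an entry such as `vite` would also silence alerts for names close to it, which is the opposite of what this file is for. The matching rule itself lives in the auditor, not in this hunk.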
@@ -20,7 +20,29 @@
 "keyv",
 "punycode",
 "escalade",
- "fdir"
+ "fdir",
+ "knip",
+ "oxlint",
+ "tsx",
+ "nx",
+ "rimraf",
+ "glob",
+ "tar",
+ "zod",
+ "ky",
+ "ow",
+ "esm",
+ "ip",
+ "qs",
+ "url",
+ "prettier",
+ "vitest",
+ "vite",
+ "rollup",
+ "swc",
+ "turbo",
+ "bun",
+ "deno"
 ],
 "pypi": [
 "six",
@@ -30,6 +52,11 @@
 "idna",
 "attrs",
 "boto",
- "jedi"
+ "jedi",
+ "uv",
+ "ruff",
+ "rich",
+ "typer",
+ "anyio"
 ]
}
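Review bot: None of the 22 npm entries added here, nor the 5 pypi entries in the next hunk, records which collision justified it; the commit body cites only knip/knex, oxlint/eslint, tsx/nx and rimraf/trim, while `prettier`, `vitest`, `vite`, `rollup`, `zod`, `glob` and `tar` were added without an observed false positive and are themselves well-known typosquat targets. A bare-name list is only safe if the auditor compares it exactly against the normalized installed name, which the still-passing lodsah→lodash test suggests but this file cannot show. Consider keying each entry by the pair that was observed, e.g. `"knip": ["knex"]`, so every suppression carries its own justification and can be re-checked when the top-package list changes. At minimum, a reviewer should be able to verify each name against the registry before it is trusted as "known legitimate".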