feat(llm-security): v7.0.0 commit 4 — typosquat allowlist for short legit names
Hyperframes scan flagged knip vs knex, oxlint vs eslint, tsx vs nx, rimraf vs trim as HIGH typosquats. All four are legitimate top-1000 npm packages; short names just happen to be within Levenshtein ≤2 of other top packages. These shouldn't generate HIGH severity on a clean install. Added to npm allowlist: knip, oxlint, tsx, nx, rimraf, glob, tar, zod, ky, ow, esm, ip, qs, url, prettier, vitest, vite, rollup, swc, turbo, bun, deno. Added to pypi allowlist: uv, ruff, rich, typer, anyio. Dep-auditor normalization (lowercase + [_.-] → -) already applied at load time. dep.test.mjs: 11/11 still green — lodsah→lodash detection preserved. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Kjell Tore Guttormsen
parent
a9e377570c
commit
4c982dfb88
1 changed files with 30 additions and 3 deletions
|
|
@ -1,5 +1,5 @@
|
||||||
{
|
{
|
||||||
"_comment": "Known legitimate packages that trigger false positive typosquatting alerts due to short names or Levenshtein proximity to top packages. Normalized: lowercase, hyphens.",
|
"_comment": "Known legitimate packages that trigger false positive typosquatting alerts due to short names or Levenshtein proximity to top packages. Normalized: lowercase, hyphens. Extended in v7.0.0 with short-named legit packages observed flagged against top-200 (knip vs knex, oxlint vs eslint, tsx vs nx, etc.).",
|
||||||
"npm": [
|
"npm": [
|
||||||
"ms",
|
"ms",
|
||||||
"acorn",
|
"acorn",
|
||||||
|
|
@ -20,7 +20,29 @@
|
||||||
"keyv",
|
"keyv",
|
||||||
"punycode",
|
"punycode",
|
||||||
"escalade",
|
"escalade",
|
||||||
"fdir"
|
"fdir",
|
||||||
|
"knip",
|
||||||
|
"oxlint",
|
||||||
|
"tsx",
|
||||||
|
"nx",
|
||||||
|
"rimraf",
|
||||||
|
"glob",
|
||||||
|
"tar",
|
||||||
|
"zod",
|
||||||
|
"ky",
|
||||||
|
"ow",
|
||||||
|
"esm",
|
||||||
|
"ip",
|
||||||
|
"qs",
|
||||||
|
"url",
|
||||||
|
"prettier",
|
||||||
|
"vitest",
|
||||||
|
"vite",
|
||||||
|
"rollup",
|
||||||
|
"swc",
|
||||||
|
"turbo",
|
||||||
|
"bun",
|
||||||
|
"deno"
|
||||||
],
|
],
|
||||||
"pypi": [
|
"pypi": [
|
||||||
"six",
|
"six",
|
||||||
|
|
@ -30,6 +52,11 @@
|
||||||
"idna",
|
"idna",
|
||||||
"attrs",
|
"attrs",
|
||||||
"boto",
|
"boto",
|
||||||
"jedi"
|
"jedi",
|
||||||
|
"uv",
|
||||||
|
"ruff",
|
||||||
|
"rich",
|
||||||
|
"typer",
|
||||||
|
"anyio"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue