{ "_comment": "Known legitimate packages that trigger false positive typosquatting alerts due to short names or Levenshtein proximity to top packages. Normalized: lowercase, hyphens. Extended in v7.0.0 with short-named legit packages observed flagged against top-200 (knip vs knex, oxlint vs eslint, tsx vs nx, etc.). v7.3.0 adds npm_official_scopes — list of scopes whose scoped packages should NOT trigger E13 scope-hopping advisory. Kept in sync with NPM_OFFICIAL_SCOPES in scanners/lib/supply-chain-data.mjs (doc-consistency drift-guard).", "npm": [ "ms", "acorn", "levn", "lie", "jsesc", "jiti", "bidi-js", "@babel/core", "preact", "esbuild", "tslib", "nanoid", "picocolors", "lru-cache", "deep-is", "flat-cache", "keyv", "punycode", "escalade", "fdir", "knip", "oxlint", "tsx", "nx", "rimraf", "glob", "tar", "zod", "ky", "ow", "esm", "ip", "qs", "url", "prettier", "vitest", "vite", "rollup", "swc", "turbo", "bun", "deno" ], "pypi": [ "six", "pip", "pytz", "toml", "idna", "attrs", "boto", "jedi", "uv", "ruff", "rich", "typer", "anyio" ], "npm_official_scopes": [ "@types", "@reduxjs", "@nestjs", "@angular", "@nrwl", "@modelcontextprotocol", "@babel", "@testing-library", "@aws-sdk", "@azure", "@google-cloud", "@vue", "@svelte", "@nuxt", "@sveltejs", "@vitejs", "@playwright", "@storybook", "@radix-ui", "@reach", "@emotion", "@mui" ] }