Hyperframes scan flagged knip vs knex, oxlint vs eslint, tsx vs nx, rimraf vs trim as HIGH typosquats. All four are legitimate top-1000 npm packages; short names just happen to be within Levenshtein ≤2 of other top packages. These shouldn't generate HIGH severity on a clean install. Added to npm allowlist: knip, oxlint, tsx, nx, rimraf, glob, tar, zod, ky, ow, esm, ip, qs, url, prettier, vitest, vite, rollup, swc, turbo, bun, deno. Added to pypi allowlist: uv, ruff, rich, typer, anyio. Dep-auditor normalization (lowercase + [_.-] → -) already applied at load time. dep.test.mjs: 11/11 still green — lodsah→lodash detection preserved. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
62 lines
1 KiB
JSON
62 lines
1 KiB
JSON
{
|
|
"_comment": "Known legitimate packages that trigger false positive typosquatting alerts due to short names or Levenshtein proximity to top packages. Normalized: lowercase, hyphens. Extended in v7.0.0 with short-named legit packages observed flagged against top-200 (knip vs knex, oxlint vs eslint, tsx vs nx, etc.).",
|
|
"npm": [
|
|
"ms",
|
|
"acorn",
|
|
"levn",
|
|
"lie",
|
|
"jsesc",
|
|
"jiti",
|
|
"bidi-js",
|
|
"@babel/core",
|
|
"preact",
|
|
"esbuild",
|
|
"tslib",
|
|
"nanoid",
|
|
"picocolors",
|
|
"lru-cache",
|
|
"deep-is",
|
|
"flat-cache",
|
|
"keyv",
|
|
"punycode",
|
|
"escalade",
|
|
"fdir",
|
|
"knip",
|
|
"oxlint",
|
|
"tsx",
|
|
"nx",
|
|
"rimraf",
|
|
"glob",
|
|
"tar",
|
|
"zod",
|
|
"ky",
|
|
"ow",
|
|
"esm",
|
|
"ip",
|
|
"qs",
|
|
"url",
|
|
"prettier",
|
|
"vitest",
|
|
"vite",
|
|
"rollup",
|
|
"swc",
|
|
"turbo",
|
|
"bun",
|
|
"deno"
|
|
],
|
|
"pypi": [
|
|
"six",
|
|
"pip",
|
|
"pytz",
|
|
"toml",
|
|
"idna",
|
|
"attrs",
|
|
"boto",
|
|
"jedi",
|
|
"uv",
|
|
"ruff",
|
|
"rich",
|
|
"typer",
|
|
"anyio"
|
|
]
|
|
}
|