
I haven't thought this through at all, but are you aware of any package repositories that do something like Levenshtein distance between package names, maybe combined with a heuristic on common mistyped characters, to not allow typosquatting?



Yes, they do that in Dart's pub [1].

They also have the concept of verified publishers [2], which is pretty neat (similar to Maven Central), and keep track of a score for each package (e.g. https://pub.dev/packages/darq/score) including up-to-date dependencies and the result of static analysis.

Dart is doing a lot of things right.

[1] https://pub.dev/

[2] https://dart.dev/tools/pub/publishing#verified-publisher


Are there any tools that can scan my dependencies and point out names that are typos of older or more popular packages?

Something like: you said "times", did you mean the older and more popular package "time"?
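As an added example (not code from any commenter or from any package repository), here is a small defensive checker of the kind the first and last comments describe: a weighted Levenshtein distance that charges less for substitutions between adjacent QWERTY keys, run over a constructed dependency list against a constructed list of popular package names. The adjacency table, the threshold and the sample names are assumptions.

```python
# Added example, not from the thread. Flags dependency names that are a short
# edit away from a popular package name, with keyboard-adjacent substitutions
# counted as cheaper (a typical "fat finger" typo).

# Approximate QWERTY layout (constructed). Rows are treated as aligned columns,
# which is close enough for a heuristic.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

def _neighbours():
    """Map each key to the set of keys physically next to it."""
    adj = {}
    for r, row in enumerate(QWERTY_ROWS):
        for c, ch in enumerate(row):
            near = set()
            for dr in (-1, 0, 1):
                rr = r + dr
                if 0 <= rr < len(QWERTY_ROWS):
                    for dc in (-1, 0, 1):
                        cc = c + dc
                        if (dr or dc) and 0 <= cc < len(QWERTY_ROWS[rr]):
                            near.add(QWERTY_ROWS[rr][cc])
            adj[ch] = near
    return adj

NEIGHBOURS = _neighbours()

def weighted_levenshtein(a, b, adjacent_cost=0.5):
    """Edit distance; substituting a key for a QWERTY neighbour costs adjacent_cost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            if ca == cb:
                sub = prev[j - 1]
            elif cb in NEIGHBOURS.get(ca, ()):
                sub = prev[j - 1] + adjacent_cost
            else:
                sub = prev[j - 1] + 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, sub))
        prev = cur
    return prev[-1]

def suspicious_dependencies(deps, popular, threshold=1.0):
    """Return (dep, popular_name, distance) for deps close to, but not equal to, a popular name."""
    return [(dep, name, weighted_levenshtein(dep, name))
            for dep in deps for name in popular
            if dep != name and weighted_levenshtein(dep, name) <= threshold]

# Constructed sample data: a "popular packages" list and a manifest to check.
POPULAR = ["time", "requests", "lodash"]
DEPS = ["times", "requewts", "lodash", "numpy"]

if __name__ == "__main__":
    for dep, name, d in suspicious_dependencies(DEPS, POPULAR):
        print(f'you said "{dep}", did you mean "{name}"? (distance {d})')
```

A real tool would rank the popular list by download count or age, as the comment suggests, and would also need to handle separators (`-` vs `_`) and Unicode confusables, which plain edit distance does not catch.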
