Hacker News new | ask | show | jobs
by typicalbender 1676 days ago
I haven't thought this through at all but are you aware of any package repositories that do something like levenshtein distance between package names maybe combined with a heuristic on common mistyped characters to not allow typosquatting?
2 comments
brabel 1676 days ago
Yes, they do that in Dart's pub [1].

They also have the concept of verified publishers[2], which is pretty neat (similar to Maven Central), and keep track of a score for each package (e.g. https://pub.dev/packages/darq/score) including up-to-date dependencies and result of static analysis.

Dart is doing a lot of things right.

[1] https://pub.dev/

[2] https://dart.dev/tools/pub/publishing#verified-publisher

link
Buttons840 1676 days ago
Are there any tools that can scan my dependencies and point out names that are typos of older or more popular packages?

Something like: you said "times", did you mean the older and more popular package "time"?

link