Does it protect against typosquatting?
renedekat opened this issue · 2 comments
renedekat commented
Will the --secure option protect against this: http://incolumitas.com/2016/06/08/typosquatting-package-managers/
siddharthkp commented
@renedekat, Yes, in --secure mode, as auto-install only attempts to install packages that have > 10k installs in the last month, it tries to ignore all the fake libraries.
I am using this as a proxy for trusted packages.
For example: express has 6,820,817 downloads in the last month, while expres has 728 downloads in the last month. The second one will be ignored by auto-install.
Suggestions for making this better are welcome 😄
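The popularity check described in the comment above, written out as an added example (this is not auto-install's own code). It assumes the shape of the npm downloads endpoint `https://api.npmjs.org/downloads/point/last-month/<package>` is `{ downloads, start, end, package }`, and the two sample responses below are constructed from the figures quoted in the thread rather than fetched live, so the script runs offline. A package that is missing from the table is treated as having zero downloads, so an unknown or freshly registered name fails the check rather than slipping through.

```javascript
// Added example, not auto-install's own code: gate an install on the
// "downloads in the last month" figure used above as a proxy for trust.
// The threshold mirrors the > 10k rule from the comment; the responses are constructed.

const MIN_MONTHLY_DOWNLOADS = 10000;

// Constructed stand-ins for responses from
// https://api.npmjs.org/downloads/point/last-month/<package>
// (response shape assumed: { downloads, start, end, package }).
const SAMPLE_RESPONSES = {
  express: { downloads: 6820817, start: "2016-05-09", end: "2016-06-07", package: "express" },
  expres:  { downloads: 728,     start: "2016-05-09", end: "2016-06-07", package: "expres" },
};

// Offline fetcher: looks the package up in the constructed table.
// A real implementation would fetch the URL above and parse the JSON body.
function lookupDownloads(name) {
  const record = SAMPLE_RESPONSES[name];
  return record === undefined ? null : record; // null = no evidence of popularity
}

// Decide whether one package clears the popularity bar. Returns a decision
// object so the caller can log the reason instead of only a boolean.
function shouldInstall(name, fetcher = lookupDownloads, threshold = MIN_MONTHLY_DOWNLOADS) {
  const record = fetcher(name);
  // Missing record or malformed count counts as zero downloads (fail closed).
  const downloads = record && Number.isInteger(record.downloads) ? record.downloads : 0;
  const allowed = downloads > threshold;
  return {
    package: name,
    downloads,
    allowed,
    reason: allowed
      ? `${downloads} downloads last month exceeds ${threshold}`
      : `${downloads} downloads last month does not exceed ${threshold}; skipped as a possible typosquat`,
  };
}

// Reduce a list of required module names (e.g. gathered from require() calls)
// to the ones that would be installed in --secure mode.
function filterInstallable(names, fetcher = lookupDownloads, threshold = MIN_MONTHLY_DOWNLOADS) {
  return names
    .map((n) => shouldInstall(n, fetcher, threshold))
    .filter((d) => d.allowed)
    .map((d) => d.package);
}

// Stand-alone demo over the constructed data.
for (const name of ["express", "expres", "exprss"]) {
  const d = shouldInstall(name);
  console.log(`${d.allowed ? "install" : "skip   "} ${d.package}: ${d.reason}`);
}

if (typeof module !== "undefined") {
  module.exports = { shouldInstall, filterInstallable, lookupDownloads, MIN_MONTHLY_DOWNLOADS };
}
```

The threshold is a single knob: raising it in the last `shouldInstall` call below shows that even a genuinely popular package is skipped when the bar is set above its count, which is the trade-off the comment's "proxy for trusted packages" implies.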
siddharthkp commented
Added this to FAQ in README.md