
Dependency Typo Issues


What are they?

Dependency Typos, also known as Typosquats, are packages published to public package registries that closely resemble legitimate packages in both name and appearance (description, links, etc.).

Often these packages have a slight variation in their name that can lead to inadvertent installation, and they usually preserve the original package's functionality, so it is not immediately obvious that the wrong package was installed. These packages are not always malicious, however: a flagged package may simply be an older version of the package, a package that has been renamed, or an unrelated package that happens to have a similar name.

How does it affect my code?

If the package is malicious, it can expose your code and your users to a range of threats, including remote code execution, unauthorized data access, compromised systems, and more.

What can I do about it?

To address a Typo issue, SOOS recommends confirming through a manual review whether the package really is a typosquat.

If it does appear to be malicious, remove the package immediately and investigate whether a security breach occurred.

Please also report the package to the package registry.

If you determine that the issue is not a typo and the package is the intended one, remove the Typo issue from your issue list by following the Creating Issue Suppressions & Attestations workflow.
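As an added illustration of the kind of first-pass check that can prioritise the manual review described above (example code, not SOOS's own tooling), the script below normalises the package names declared in a requirements file and flags any name that is within a small edit distance of an approved package but does not match it exactly. The allowlist and the requirements content are constructed for the example.

```python
import re

# Constructed allowlist of packages the team has already reviewed and approved.
APPROVED = {"requests", "urllib3", "python-dateutil", "pyyaml"}

# Constructed requirements.txt: two lookalike names plus two spelling variants.
REQUIREMENTS = """\
requests==2.31.0
reqeusts==2.31.0
urlib3>=1.26
python_dateutil==2.8.2
PyYAML==6.0
"""

def normalize(name: str) -> str:
    """PEP 503 canonical form: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def declared_names(requirements: str) -> list[str]:
    """Package names from requirements lines; comments and blanks are skipped."""
    return re.findall(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirements, re.M)

def find_lookalikes(requirements: str, approved: set[str], max_distance: int = 2) -> list[tuple[str, str, int]]:
    """(declared, resembles, distance) for names near, but not equal to, an approved name."""
    canon = {normalize(p) for p in approved}
    findings = []
    for raw in declared_names(requirements):
        name = normalize(raw)
        if name in canon:  # exact match after normalisation: a spelling variant, not a typo
            continue
        best = min(canon, key=lambda p: levenshtein(name, p))
        dist = levenshtein(name, best)
        if dist <= max_distance:
            findings.append((raw, best, dist))
    return findings

if __name__ == "__main__":
    for raw, best, dist in find_lookalikes(REQUIREMENTS, APPROVED):
        print(f"review: {raw!r} resembles {best!r} (edit distance {dist})")
```

A hit only means the name deserves the manual review; the approved list must itself be maintained, and a genuinely renamed or similarly named package is resolved through the suppression workflow rather than by tuning the distance threshold.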