
Dependency Typo Issues

What are they?

Dependency typos, also known as typosquats, are packages published to public package registries that closely resemble legitimate packages in name and appearance (description, links, etc.). Often these packages have a slight change in their name that can lead to inadvertent installation, and usually they preserve the original package's functionality, so it is not immediately obvious that the wrong package was installed. These packages are not always malicious: they may simply be an older version of the package, a package that has been renamed, or just a similarly named package.

How does it affect my code?

If the package is malicious, it can expose your code and your users to various vulnerabilities, including remote code execution, data access, compromised systems, and more.

What can I do about it?

To address a typo issue, SOOS recommends confirming through a manual review whether the package is in fact a typo. If it does appear to be malicious, remove the package immediately and investigate whether a security breach occurred. Please also report the package to the package registry. If you determine that the issue is not a typo and it is the intended package, remove the typo issue from your issue list by following the Creating Issue Suppressions & Attestations workflow.
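The kind of check a manual review starts from, as an added example that is not SOOS's own code: each declared dependency is compared with a constructed allow-list of legitimate names, and near misses (one or two edits away, including swapped adjacent characters) are flagged for review while exact matches pass. The allow-list, sample manifest and distance threshold are assumptions chosen for the example.

```python
"""Flag dependency names that look like typosquats of well-known packages.
Added example, not SOOS code: each declared dependency is compared with a small
constructed allow-list using Damerau-Levenshtein distance (optimal string alignment)."""
import re

# Constructed allow-list; a real review would use the registry's popular-package
# list or an internal approved-packages list instead.
KNOWN_PACKAGES = {"requests", "urllib3", "python-dateutil", "cryptography", "numpy"}

def normalize(name: str) -> str:
    """PEP 503-style normalization: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def damerau_levenshtein(a: str, b: str) -> int:
    """Edits needed to turn a into b: insert, delete, substitute or swap adjacent chars."""
    # Row 0 / column 0 hold the distance from the empty prefix.
    d = [[i + j if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def find_typo_candidates(dependencies, known=KNOWN_PACKAGES, max_distance=2):
    """Return {declared_name: closest_known_name} for near misses that need manual
    review. Exact matches after normalization are the legitimate package and are skipped."""
    normalized_known = {normalize(k): k for k in known}
    flagged = {}
    for dep in dependencies:
        n = normalize(dep)
        if n in normalized_known:
            continue
        best = min(normalized_known, key=lambda k: damerau_levenshtein(n, k))
        if damerau_levenshtein(n, best) <= max_distance:
            flagged[dep] = normalized_known[best]
    return flagged

# Constructed sample manifest: two exact matches, two near misses, one unrelated name.
SAMPLE_DEPENDENCIES = ["requests", "reqeusts", "urlib3", "numpy", "flask"]

if __name__ == "__main__":
    for dep, target in find_typo_candidates(SAMPLE_DEPENDENCIES).items():
        print(f"REVIEW: {dep!r} resembles legitimate package {target!r}")
```

A flagged name is only a candidate: the page's manual review (is it a rename, an older version, or something malicious?) still decides what to do with it.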