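// 核心要点
// 维护核心包白名单与受信作用域;对新名称执行距离与正则检测。阈值策略:距离过近或包含可疑模式即阻断;支持人工复核通道。
// (translation: Key points — keep an allowlist of core packages and trusted scopes; run an edit-distance
//  check and a regex check on every new name. Threshold policy: block when the distance is too small or a
//  suspicious pattern matches; provide a manual review channel.)

// 实现示例
// (translation: Implementation example)

/**
 * Trusted package names. `allowInstall` consults this set with an exact, case-sensitive
 * lookup; `suspicious` compares the *normalized* form of a candidate against the
 * normalized form of every entry, so adding a name here also widens the blocked
 * neighbourhood around it.
 */
const allowNames = new Set<string>(['react', 'vue', 'lodash', 'express', '@example/core'])

/**
 * Canonical form of a package name for comparison purposes.
 *
 * NFKC folds compatibility characters (e.g. fullwidth letters such as "ｒｅａｃｔ") onto
 * their ASCII counterparts *before* case folding, so such lookalikes cannot evade the
 * distance check by scoring a large edit distance while rendering identically. The
 * separators `-`, `_` and `.` are then dropped because typosquats commonly toggle them
 * ("lo-dash" vs "lodash").
 *
 * @param n raw package name
 * @returns lowercase, NFKC-normalized name with `-`, `_` and `.` removed
 */
function normalize(n: string): string {
  return n.normalize('NFKC').toLowerCase().replace(/[-_.]+/g, '')
}

/**
 * Levenshtein edit distance (insert / delete / substitute, unit cost) between two strings,
 * compared per UTF-16 code unit.
 *
 * Uses a single rolling row of the DP table, O(|a|) memory and O(|a|·|b|) time.
 * The `?? 0` fallbacks never fire (every index is within bounds by construction);
 * they exist only so the function type-checks under `noUncheckedIndexedAccess`.
 *
 * @param a first string
 * @param b second string
 * @returns minimum number of single-character edits turning `a` into `b`
 */
function levenshtein(a: string, b: string): number {
  // An empty side costs exactly one insertion per remaining character.
  if (a.length === 0) return b.length
  if (b.length === 0) return a.length
  // row[i] holds distance(a[0..i), b[0..j)) for the j currently being processed.
  const row: number[] = Array.from({ length: a.length + 1 }, (_, i) => i)
  for (let j = 1; j <= b.length; j++) {
    // Value of row[i - 1] from the previous column, i.e. the diagonal cell.
    let diagonal = row[0] ?? 0
    row[0] = j
    for (let i = 1; i <= a.length; i++) {
      const above = row[i] ?? 0
      const left = row[i - 1] ?? 0
      const cost = a.charCodeAt(i - 1) === b.charCodeAt(j - 1) ? 0 : 1
      row[i] = Math.min(above + 1, left + 1, diagonal + cost)
      diagonal = above
    }
  }
  return row[a.length] ?? 0
}

/**
 * Heuristic lookalike detector.
 *
 * A name is suspicious when its normalized form is within `threshold` edits of any
 * normalized allowlisted name, or when it matches the pattern "allowlist prefix +
 * letters + trailing digits" (e.g. "react1"). Note that an exact allowlisted name scores
 * distance 0 and is therefore reported as suspicious by this function alone;
 * `allowInstall` checks exact membership first.
 *
 * A fixed threshold is aggressive for short trusted names: with the default of 2,
 * anything within two edits of "vue" is flagged, which is why the policy pairs this
 * check with a manual review channel rather than treating a hit as final.
 *
 * @param name candidate package name (raw)
 * @param threshold maximum edit distance that still counts as "too close"
 * @returns true when the name should be blocked pending review
 */
function suspicious(name: string, threshold: number): boolean {
  const candidate = normalize(name)
  for (const trusted of allowNames) {
    if (levenshtein(candidate, normalize(trusted)) <= threshold) return true
  }
  return /^(?:re|ve|lo|ex)[a-z]{2,}\d+$/.test(candidate)
}

/**
 * Install gate: decides whether a dependency name may be introduced.
 *
 * Only an exact, case-sensitive allowlist hit bypasses the lookalike check; variants such
 * as "lo-dash" or "React" deliberately fall through to `suspicious` (where they normalize
 * to distance 0) and are blocked. Empty or whitespace-only names are rejected outright —
 * they are never a valid install target and the gate defaults to deny.
 *
 * @param name candidate package name
 * @param threshold edit-distance threshold forwarded to `suspicious` (default 2)
 * @returns true when the install may proceed without review
 */
function allowInstall(name: string, threshold = 2): boolean {
  if (name.trim().length === 0) return false
  if (allowNames.has(name)) return true
  return !suspicious(name, threshold)
}

// 审计与CI门禁
// 对新引入依赖执行检测;命中阻断并输出相似目标与证据。对可疑项启用人工审批与到期例外;产线默认拒绝未审批项。
// (translation: Audit and CI gate — run the check on every newly introduced dependency; on a hit, block
//  and report the similar target plus the evidence. Suspicious items go to manual approval with expiring
//  exceptions; production rejects unapproved items by default.)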
