Conversation


@sdn4z sdn4z commented Oct 30, 2025

This PR distinguishes between normal packages and packages with a namespace. For the latter, the behaviour has been extended so that we check only the namespace for a typo, and if there is a possible one, we require the package name to be identical to the legit one.

For example:

  • trusted package -> @aws/sdk
  • not a typo -> @awz/zdk (namespace could be a typo, but package name does not match trusted one)
  • typo -> @awz/sdk (namespace could be a typo, package name matches trusted one)

This will help reduce the number of false positives and assumes that if someone is impersonating a package, they'll mimic the namespace but keep the package identical.

refs #97

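The rule described in the PR text, as an added example that is not code from the PR or the project's code base. The trusted list is a constructed sample, the edit-distance threshold (two edits) is an assumption, and the class and function names (`NpmName`, `levenshtein`, `is_possible_typo`) are illustrative, not the project's API:

```python
# Added example, not code from the PR or the project. The trusted list, the
# edit-distance threshold and all names below are assumptions for illustration.
from __future__ import annotations

from dataclasses import dataclass


def levenshtein(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute each cost 1)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass(frozen=True)
class NpmName:
    """An npm package name split into its optional scope and its bare name."""

    namespace: str | None  # "@aws" for "@aws/sdk", None for unscoped packages
    name: str

    @classmethod
    def parse(cls, raw: str) -> "NpmName":
        # Invalid names raise instead of being silently skipped, so a bad entry
        # in the trusted source data surfaces immediately.
        if raw.startswith("@"):
            namespace, sep, name = raw.partition("/")
            if not sep or len(namespace) < 2 or not name or "/" in name:
                raise ValueError(f"invalid scoped npm package name: {raw!r}")
            return cls(namespace, name)
        if not raw or "/" in raw:
            raise ValueError(f"invalid npm package name: {raw!r}")
        return cls(None, raw)


MAX_DISTANCE = 2  # assumption: up to two edits still "looks like" the trusted name

# Constructed sample of trusted packages, not a real allow-list.
TRUSTED = ("@aws/sdk", "@angular/core", "lodash", "express")


def is_possible_typo(candidate: str, trusted=TRUSTED, max_distance: int = MAX_DISTANCE) -> bool:
    """Return True if `candidate` looks like a typosquat of a trusted package.

    Unscoped candidates are compared against unscoped trusted names with a
    plain edit-distance check. Scoped candidates follow the PR's rule: only
    the namespace may be a near-miss, and the bare name must match exactly.
    """
    cand = NpmName.parse(candidate)
    good = [NpmName.parse(t) for t in trusted]
    if cand in good:
        return False  # the legitimate package itself
    for t in good:
        if cand.namespace is None and t.namespace is None:
            if levenshtein(cand.name, t.name) <= max_distance:
                return True
        elif cand.namespace is not None and t.namespace is not None:
            if cand.name == t.name and levenshtein(cand.namespace, t.namespace) <= max_distance:
                return True
    return False


if __name__ == "__main__":
    for pkg in ("@aws/sdk", "@awz/zdk", "@awz/sdk", "@aws/other", "lodahs", "expres"):
        print(f"{pkg:12} -> {'typo' if is_possible_typo(pkg) else 'ok'}")
```

With the sample list, `@aws/sdk` is the legitimate package, `@awz/zdk` is not flagged because the bare name differs, and `@awz/sdk` is flagged because the namespace is one edit away while the bare name matches. A different package in the trusted scope (`@aws/other`) is not flagged either, since an exact namespace is not a typo. Scoped and unscoped names are never compared to each other, and malformed names raise `ValueError` rather than being dropped.
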

sdn4z commented Oct 30, 2025

/lgtm review


@github-actions github-actions bot left a comment


🦉 lgtm Review

Score: Needs a Lot of Work 🚨

🔍 Summary

This PR introduces a solid architectural refactoring, using a TrustedPackagesProtocol to support different package ecosystems like PyPI and npm. This makes the system more extensible.

However, there are three critical correctness bugs that must be fixed before merging:

  1. The TrustedNpmPackageManager.__contains__ method is implemented incorrectly and will fail for namespaced packages.
  2. The top_npm_reference.py file is missing an import re, which will cause a runtime NameError.
  3. Invalid npm package names are silently ignored, which is inconsistent with the PyPI implementation and could hide issues in the trusted source data.

I've also included suggestions to improve performance in NormalizedPackages and to add unit tests for the new npm-specific logic. Given the critical issues, the PR needs significant work.

More information
  • Id: e2d96ad3e5a840a7b8f7c79a0755a0e6
  • Model: gemini-2.5-pro
  • Created at: 2025-10-30T11:16:19.720185+00:00
Usage summary
  • Request count: 2
  • Request tokens: 83,337
  • Response tokens: 19,093
  • Total tokens: 102,430

See the 📚 lgtm-ai repository for more information about lgtm.

@github-actions github-actions bot added feature and removed feature labels Oct 30, 2025
@sdn4z sdn4z marked this pull request as ready for review October 30, 2025 11:41
@sdn4z sdn4z requested a review from scastlara as a code owner October 30, 2025 11:41
@sdn4z sdn4z changed the title feat: treat namespaces as a special case when checking typos feat: treat namespaces as a special case when checking for typos Oct 31, 2025

@scastlara scastlara left a comment


Nice!

@sdn4z sdn4z enabled auto-merge (squash) November 3, 2025 08:27
@github-actions github-actions bot added feature and removed feature labels Nov 3, 2025
@sdn4z sdn4z merged commit de2376c into elementsinteractive:main Nov 3, 2025
12 checks passed
@sdn4z sdn4z deleted the ns branch November 3, 2025 08:28