vis add
Add packages with typosquat detection and security scanning
Add packages using the detected package manager. Before installing, vis runs a typosquat check against a curated blocklist of known malicious package names, followed by an optional Socket.dev security scan.
Usage
```
vis add <packages...> [options]
```

Examples

```bash
vis add react react-dom            # Add packages
vis add -D typescript @types/react # Add as dev dependencies
vis add react --filter app         # Add to specific workspace package
vis add -g typescript              # Add globally (uses npm)
vis add lodash -w                  # Add to workspace root
vis add lodash --no-socket-check   # Add without Socket.dev check
vis add lodash --no-typosquat-check # Skip typosquat name check
```

Options
| Option | Alias | Default | Description |
|---|---|---|---|
| --save-dev | -D | false | Add as dev dependency |
| --exact | -E | false | Save exact version |
| --save-peer | -P | false | Add as peer dependency |
| --save-optional | -O | false | Add as optional dependency |
| --global | -g | false | Install globally (uses npm) |
| --workspace-root | -w | false | Add to workspace root |
| --workspace | | false | Use workspace protocol (pnpm) |
| --filter | -F | | Filter by workspace package name |
| --no-typosquat-check | | false | Skip typosquat name check before adding |
| --no-socket-check | | false | Skip Socket.dev security check before adding |
How It Works
```mermaid
flowchart TD
    A["vis add <packages>"] --> B{Typosquat check\nenabled?}
    B -- no --> E
    B -- yes --> C["Check names against\nblocklist & heuristics"]
    C --> D{Typosquat\ndetected?}
    D -- no --> E{Socket.dev\ncheck enabled?}
    D -- yes --> P["Show warning:\n'Did you mean X?'"]
    P --> Q{User choice}
    Q -- "S (suggested)" --> R["Replace with correct\npackage name"]
    R --> E
    Q -- "y (keep original)" --> E
    Q -- "N (abort)" --> Z["Exit with code 1"]
    E -- no --> G
    E -- yes --> F["Fetch security\nreports from Socket.dev"]
    F --> H{Score below\nthreshold?}
    H -- no --> G["Detect package manager\n(pnpm, npm, yarn, bun)"]
    H -- yes --> I{User\nconfirms?}
    I -- yes --> G
    I -- no --> Z
    G --> J["Run native\nadd command"]
    J --> K["Done"]
```

Typosquat Detection
When you run vis add, the package names are checked against a curated blocklist of known typosquats for popular packages (react, express, lodash, axios, etc.). The detection uses two methods:
- Blocklist lookup -- Direct match against data/typosquats.json, a curated list of known typosquat names that exist on npm.
- Heuristic detection -- Generates variants using common attack patterns (character omission, transposition, duplication, homoglyph substitution, separator swaps) and checks if your input matches any variant of a known package.
Example
```
$ vis add axois
warn: Possible typosquat detected:
warn: ⚠ axois — did you mean axios? (known typosquat)
Use suggested package instead? [S]uggested / [y]es, keep original / [N]o, abort (default: N)
```

Choosing S replaces axois with axios and continues the add, preserving any version specifier you provided (e.g., axois@^1.0 becomes axios@^1.0).
In non-interactive mode (CI, piped stdin), typosquat detection always aborts to prevent automated installation of malicious packages.
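The following is an added example, not vis's own source: a minimal version of the heuristic described above (omission, transposition, duplication, homoglyph substitution, separator swaps) run against a small constructed list of known package names, plus the name replacement that keeps the version specifier and the non-interactive abort rule. The `KNOWN` list, the `HOMOGLYPHS` map and the function names are assumptions made for this illustration; vis reads its blocklist from data/typosquats.json and prompts the user instead of taking an `answer` argument.

```javascript
// Constructed list of well-known package names; vis uses a curated blocklist
// plus the heuristics below, this list only stands in for it.
const KNOWN = ['react', 'react-dom', 'express', 'lodash', 'axios'];

// Small homoglyph map (assumption): visually confusable character substitutions.
const HOMOGLYPHS = { l: ['1', 'i'], i: ['l', '1'], o: ['0'], s: ['5'], e: ['3'] };
const SEPARATORS = ['-', '_', '.'];

// Generate the single-edit variants an attacker commonly registers for `name`.
function variants(name) {
  const out = new Set();
  for (let i = 0; i < name.length; i++) {
    out.add(name.slice(0, i) + name.slice(i + 1));                 // omission
    out.add(name.slice(0, i) + name[i] + name.slice(i));            // duplication
    if (i + 1 < name.length) {                                      // transposition
      out.add(name.slice(0, i) + name[i + 1] + name[i] + name.slice(i + 2));
    }
    for (const h of HOMOGLYPHS[name[i]] || []) {                    // homoglyph
      out.add(name.slice(0, i) + h + name.slice(i + 1));
    }
    if (SEPARATORS.includes(name[i])) {                             // separator swap
      for (const s of SEPARATORS) {
        if (s !== name[i]) out.add(name.slice(0, i) + s + name.slice(i + 1));
      }
    }
  }
  out.delete(name); // duplication/transposition can regenerate the original
  return out;
}

// Split 'name@range' (or '@scope/name@range') into its two parts; the leading
// '@' of a scoped package is not a version separator.
function splitSpec(spec) {
  const at = spec.indexOf('@', spec.startsWith('@') ? 1 : 0);
  return at === -1
    ? { name: spec, range: '' }
    : { name: spec.slice(0, at), range: spec.slice(at) };
}

// Return { input, suggestion } when `spec` names a variant of a known package,
// null when the name is itself known or looks like nothing we track.
function checkTyposquat(spec) {
  const { name } = splitSpec(spec);
  if (KNOWN.includes(name)) return null;
  for (const known of KNOWN) {
    if (variants(known).has(name)) return { input: name, suggestion: known };
  }
  return null;
}

// Swap the package name but keep whatever version specifier the user typed.
function replaceName(spec, suggestion) {
  return suggestion + splitSpec(spec).range;
}

// Model the prompt flow: S = use suggestion, y = keep original, anything else
// aborts. Without a TTY there is no one to ask, so a detection always aborts.
function resolve(spec, interactive, answer = 'N') {
  const hit = checkTyposquat(spec);
  if (!hit) return { action: 'add', spec };
  if (!interactive) return { action: 'abort', reason: 'typosquat detected in non-interactive mode' };
  switch (answer.toLowerCase()) {
    case 's': return { action: 'add', spec: replaceName(spec, hit.suggestion) };
    case 'y': return { action: 'add', spec };
    default:  return { action: 'abort', reason: 'user declined' };
  }
}

module.exports = { variants, splitSpec, checkTyposquat, replaceName, resolve };
```

Running `resolve('axois@^1.0', true, 'S')` yields `axios@^1.0`, matching the transcript above, while `resolve('axois', false)` aborts without consulting the user. The lookup is deliberately one edit deep: generating every variant of each known name and matching by set membership keeps false positives low, and anything the heuristic misses is expected to be caught by the curated blocklist.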
Socket.dev Security Check
When Socket.dev is configured (via vis.config.ts), each package is scored across multiple dimensions (license, maintenance, quality, supply chain, vulnerability). Packages scoring below the minimum threshold (default: 40%) require explicit confirmation.
See vis init to configure Socket.dev integration.