Security News
NVD Quietly Sweeps 100K+ CVEs Into a “Deferred” Black Hole
NVD now marks all pre-2018 CVEs as "Deferred," signaling it will no longer enrich older vulnerabilities, further eroding trust in its data.
By Sarah Gooding - Apr 04, 2025
New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
- Maintainers
- 1
typos
Source code spell checker
Finds and corrects spelling mistakes among source code:
- Fast enough to run on monorepos
- Low false positives so you can run on PRs
Dual-licensed under MIT or Apache 2.0
Documentation
- Installation
- Getting Started
- Reference
- FAQ
- Comparison with other spell checkers
- Projects using typos
- Benchmarks
- Design
- Contribute
- CHANGELOG
Install
Download a pre-built binary (installable via gh-install).
Or use rust to install:
$ cargo install typos-cli
Or use Homebrew to install:
$ brew install typos-cli
Or use Conda to install:
$ conda install typos
Or use Pacman to install:
$ sudo pacman -S typos
Getting Started
Most commonly, you'll either want to see what typos are available with
$ typos
Or have them fixed
$ typos --write-changes
$ typos -w
If there is any ambiguity (multiple possible corrections), typos will just report it to the user and move on.
False Positives
Sometimes, what looks like a typo is intentional, like with people's names, acronyms, or localized content.
To mark a word or an identifier (grouping of words) as valid, add it to your _typos.toml by declaring itself as the valid spelling:
[default]
extend-ignore-identifiers-re = [
# *sigh* this just isn't worth the cost of fixing
"AttributeID.*Supress.*",
]
[default.extend-identifiers]
# *sigh* this just isn't worth the cost of fixing
AttributeIDSupressMenu = "AttributeIDSupressMenu"
[default.extend-words]
# Don't correct the surname "Teh"
teh = "teh"
For more ways to ignore or extend the dictionary with examples, see the config reference.
For cases like localized content, you can disable spell checking of file contents while still checking the file name:
[type.po]
extend-glob = ["*.po"]
check-file = false
(run typos --type-list to see configured file types)
If you need some more flexibility, you can completely exclude some files from consideration:
[files]
extend-exclude = ["localized/*.po"]
Integrations
- GitHub Actions
- pre-commit
- 🐊Putout Processor
- Visual Studio Code
- typos-lsp (Language Server Protocol server)
Custom
typos provides several building blocks for custom native integrations
-reads fromstdin,--write-changeswill be written tostdout--diffto provide a diff--format jsonto get jsonlines with exit code 0 on no errors, code 2 on typos, anything else is an error.
Examples:
$ # Read file from stdin, write corrected version to stdout
$ typos - --write-changes
$ # Creates a diff of what would change
$ typos dir/file --diff
$ # Fully programmatic control
$ typos dir/file --format json
Debugging
You can see what the effective config looks like by running
$ typos --dump-config -
You can then see how typos is processing your project with
$ typos --files
$ typos --identifiers
$ typos --words
If you need to dig in more, you can enable debug logging with -v
FAQ
Why was ... not corrected?
Does the file show up in typos --files?
If not, check your config with typos --dump-config -.
The [files] table controls how we walk files.
If you are using files.extend-exclude,
are you running into #593?
If you are using files.ignore-vcs = true,
is the file in your .gitignore but git tracks it anyways?
Prefer allowing the file explicitly (see #909).
Does the identifier show up in typos --identifiers or the word show up in typos --words?
If not, it might be subject to one of typos' heuristics for
detecting non-words (like hashes) or
unambiguous words (like words after a \ escape).
If it is showing up, likely typos doesn't know about it yet.
typos maintains a list of known typo corrections to keep the false positive
count low so it can safely run unassisted.
This is in contrast to most spell checking UIs people use where there is a known list of valid words. In this case, the spell checker tries to guess your intent by finding the closest-looking word. It then has a gauge for when a word isn't close enough and assumes you know best. The user has the opportunity to verify these corrections and explicitly allow or reject them.
For more on the trade offs of these approaches, see Design.
- To correct it locally, see also our False Positives documentation.
- To contribute your correction, see Contribute
Keywords
FAQs
Source Code Spelling Correction
We found that typos demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
Security News
Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads
Lazarus-linked threat actors expand their npm malware campaign with new RAT loaders, hex obfuscation, and over 5,600 downloads across 11 packages.
By Kirill Boychenko - Apr 04, 2025
Security News
Safari 18.4 Ships 3 New JavaScript Features from the TC39 Pipeline
Safari 18.4 adds support for Iterator Helpers and two other TC39 JavaScript features, bringing full cross-browser coverage to key parts of the ECMAScript spec.
By Sarah Gooding - Apr 03, 2025