# `NPM.Security.ExoticDeps`
[🔗](https://github.com/elixir-volt/npm_ex/blob/v0.7.4/lib/npm/security/exotic_deps.ex#L1)

Detects and blocks exotic dependency specs in published package metadata.

Registry packages can declare dependencies that resolve from outside the
configured registry, such as Git repositories, direct tarball URLs, local
files, or GitHub shorthand specs. Those sources bypass the normal registry
integrity and metadata flow and have been used by supply-chain malware to
trigger hidden build steps through transitive `optionalDependencies`.

`npm_ex` blocks these transitive specs by default. Direct project dependencies
are still controlled by the root manifest; this module protects against a
package from the registry unexpectedly introducing an external source deeper
in the dependency graph.
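As an added illustration of the distinction this module draws (example code written for this page, not `npm_ex`'s own implementation), the classifier below treats anything that is not a semver range, dist-tag or `npm:` alias as exotic and walks the dependency maps of one version document. The module name, prefix list and regexes are assumptions, and it returns an error tuple where the real `validate!/3` raises.

```elixir
# Added example, not npm_ex's own code: module name, prefix list and regexes are assumptions.
defmodule ExoticSpecExample do
  # Spec prefixes that resolve outside the registry (git, hosted-git shorthand, local paths/links).
  @exotic_prefixes ~w(git: git+ssh: git+https: git+http: git+file:
                      github: gitlab: bitbucket: gist: file: link:)
  @dep_fields ~w(dependencies optionalDependencies peerDependencies)

  # Registry specs: semver ranges ("^1.2.0", ">=1 <2", "1.x", "*"), dist-tags
  # ("latest") and "npm:" aliases, which still resolve through the registry.
  def exotic?(spec) when is_binary(spec) do
    cond do
      String.starts_with?(spec, "npm:") -> false
      Enum.any?(@exotic_prefixes, &String.starts_with?(spec, &1)) -> true
      # scp-style git remote, e.g. git@github.com:user/repo.git
      Regex.match?(~r{^git@}, spec) -> true
      # direct tarball URL
      Regex.match?(~r{^https?://}, spec) -> true
      # bare GitHub shorthand user/repo[#ref]
      Regex.match?(~r{^[\w.-]+/[\w.-]+(#.*)?$}, spec) -> true
      true -> false
    end
  end

  # A non-string spec is malformed; refuse it rather than guess.
  def exotic?(_spec), do: true

  # Returns :ok, or {:error, "name@version", [{field, dep, spec}, ...]} listing
  # every exotic spec found. (The module's validate!/3 raises instead.)
  def validate(name, version, meta) when is_map(meta) do
    offenders =
      for field <- @dep_fields,
          {dep, spec} <- Map.get(meta, field, %{}),
          exotic?(spec),
          do: {field, dep, spec}

    case offenders do
      [] -> :ok
      list -> {:error, "#{name}@#{version}", list}
    end
  end
end

# Constructed sample: a registry package whose optionalDependencies pull from git.
meta = %{
  "dependencies" => %{"lodash" => "^4.17.21", "debug" => "npm:debug@^4"},
  "optionalDependencies" => %{"helper" => "git+https://example.invalid/x.git"}
}

ExoticSpecExample.validate("some-pkg", "1.0.0", meta)
```

Only the `optionalDependencies` entry is reported; the `npm:` alias and the caret range both stay within the registry flow.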

# `exotic?`

```elixir
@spec exotic?(term()) :: boolean()
```

# `validate!`

```elixir
@spec validate!(String.t(), String.t(), map()) :: :ok
```

# `validate_direct!`

```elixir
@spec validate_direct!(String.t(), term()) :: :ok
```

Validate a direct project dependency against the exotic dependency allowlist.

---

*Consult [api-reference.md](api-reference.md) for complete listing*
