Please allow publishing unscoped npm package zerct

[kriptoburak]

🏷️ Discussion Type

Question

Body

I am requesting review/approval to publish the unscoped npm package name zerct.

I tried to publish zerct@0.1.0, but npm rejected it with:

403 Forbidden - PUT https://registry.npmjs.org/zerct - Package name too similar
to existing package react; try renaming your package to '@burakbayir/zerct' and
publishing with 'npm publish --access=public' instead

This appears to be a false positive. Zerct is our brand for a Rust backend hosting platform and is not related to React.

Project details:

Product: Zerct
Website: https://zerct.com
App domain: https://zerct.app
GitHub organization: https://github.com/Zerct
Public package repository: https://github.com/Zerct/zerct
npm org/scope: @Zerct
X profile: https://x.com/zerctcloud
Requested unscoped package: zerct
Already published fallback: @zerct/zerct
npm owner: burakbayir

The package is a CLI for deploying Rust backends to Zerct. The intended command is:

npx zerct deploy

The package metadata and source are public, the package does not depend on React, and the name is not meant to confuse users about React.

Could npm review and allow the unscoped package name zerct for this brand?

[hzijad]

The npm registry uses an automated typosquatting protection algorithm that calculates the "Levenshtein distance" (character similarity) between new packages and highly popular ones.

Because zerct is only two letters off from react (and shares the exact same string length and vowel placement), the automated gatekeeper immediately flags it as a high-risk typosquatting target to protect users from malicious lookalikes. It's an annoying false positive, but it's purely algorithmic.

Since this is a public community forum and nobody here has the admin rights to manually override the registry's naming filters, you’ll need to open an official dispute ticket with the npm support staff to get the name whitelisted.

Here is the quickest way to get a human to review it:
-Head over to the official npm Support Portal.
-Select "Open a Support Ticket".
-Set the issue type to "Package Name Dispute / Typosquatting False Positive" (or general registry support).
-Paste the exact details you provided here. Explicitly highlight:
-Your Brand Identity: Point to zerct.com, zerct.app, and your official GitHub Org (github.com/Zerct).
-The Use Case: Explain it's a dedicated CLI for a Rust backend hosting platform, intended to be used as npx zerct deploy, and contains zero React dependencies.
-Good Faith Fallback: Mention that you've already published @zerct/zerct to prove ownership and lack of malicious intent.

Good luck and hope this helps!

[kailashv2]

This is likely an automated anti-typosquatting check rather than a judgment that your package is related to React.

Names can be flagged based on similarity to highly downloaded packages, and zerct may be close enough to react for the registry to treat it as potentially confusing even if the projects are unrelated.

Since you've already:

• Established a public brand (zerct.com, GitHub org, etc.)
• Published a scoped fallback package (@zerct/zerct)
• Shown a legitimate use case (npx zerct deploy)

you've already done most of the right things.

For now, continuing with @zerct/zerct keeps users unblocked while waiting for clarification from npm staff/community maintainers on whether there is a process for reviewing false positives. It would also help if anyone here has successfully resolved a similar package-name flag to share their experience.

[Lopesnextgen]

Hey Burak,

This looks like a reasonable case for manual review

The block is probably coming from npm’s anti-typosquatting / package-name similarity checks, not from anything specific in your package contents.

zerct and react are both short five-character names, and they share enough shape that an automated similarity filter may flag it conservatively. That makes sense as a general registry safety measure, especially around a package as high-impact as react, but this also looks like the kind of case where manual review is appropriate.

From the details you shared, there are several good signals that this is a legitimate brand/package rather than an attempt to confuse users:

• Zerct appears to be an existing product/brand
• you have matching domains: zerct.com and zerct.app
• you have a matching GitHub organization: github.com/Zerct
• the source repository is public
• the npm scoped fallback already exists as @zerct/zerct
• the package is a CLI for deploying Rust backends, not a React-related package
• the intended command, npx zerct deploy, is clear and brand-specific

I would expect npm support to be the right place for this, because GitHub Community probably cannot directly approve or reserve an npm package name.

What I would include in the request

I’d send npm support the same context, plus:

• exact npm error output
• npm username: burakbayir
• requested package name: zerct
• currently published fallback: @zerct/zerct
• public repository link
• package README link
• package metadata / package.json
• confirmation that the package has no relationship to React
• confirmation that the name is not intended to reference or imitate React
• proof that Zerct is an active product/brand

The key point is that this is not a dispute over an already-owned package name. It is a false positive from the similarity filter on a currently unpublished unscoped name.

Suggested wording

npm’s package name guidelines say unscoped names should not be spelled similarly to another package or confuse users about authorship. In this case, I understand why the automated check flagged it, but I don’t think actual user confusion is likely because the package, brand, repository, domains, scope, and use case are all consistently tied to Zerct.

Useful docs:

• https://docs.npmjs.com/package-name-guidelines/
• https://docs.npmjs.com/policies/disputes/
• https://docs.npmjs.com/creating-and-publishing-scoped-public-packages/