jb-asi
commented
1 month ago Also, really love this extension. Congratulations on its success!
Open jb-asi opened 1 month ago
jb-asi
commented
1 month ago Also, really love this extension. Congratulations on its success!
kevinramharak
commented
1 month ago Hi, thanks for reporting this. FYI, I'm not the extension author; I'm just an enthusiast who contributes a little bit.
Looking into this for a few minutes I found this article: https://medium.com/@amitassaraf/3-6-uncovering-design-flaws-in-the-visual-studio-code-marketplace-ea1d8e8b0171 This explains why extensiontotal marks it as a medium-level threat. Although I agree with their assessment about lacking verification on the VS Code extension marketplace, this warning (in my understanding) will appear on any extension where the listed homepage/repository is pointing to a domain they have not verified ownership of.
As this is the actual repo and homepage of the ts-pretty-errors extension, in this case the warning is just exactly what it is: a warning. Using an actual verified domain as the homepage for the extension seems like a bit much just to get rid of a warning on a third-party site.
I think they point out a very valid flaw, I hope the VS Code team takes it seriously and works to improve this attack vector. But it also reads like an advertisement for extensiontool as a product. So do keep that in mind.
Describe the bug A third-party-extension security rater (similar to Snyk) has given this repo's VS Code Extension a "medium" threat level due to:
Link here.
Expected behavior Please consider if it would be simple and convenient to become "verified" as a publisher. If so, perhaps it may be something you would be willing to do. Or not!
Original error [Not applicable]
Screenshots [Not applicable]