pretty-ts-errors

Unverified VS Code Publisher

Open jb-asi opened this issue 1 year ago • 5 comments

Describe the bug
A third-party extension security rater (similar to Snyk) has given this repo's VS Code Extension a "medium" threat level due to:

Publisher didn't verify their listed domain ownership. Publisher verification is a good practice to ensure the publisher is who they say they are. Yet, VS Code publisher verification process is not rigorous enough.

Link here.

Expected behavior
Please consider if it would be simple and convenient to become "verified" as a publisher. If so, perhaps it may be something you would be willing to do. Or not!

Original error
[Not applicable]

Screenshots
[Not applicable]

jb-asi avatar Sep 18 '24 13:09 jb-asi

Also, really love this extension. Congratulations on its success!

jb-asi avatar Sep 18 '24 13:09 jb-asi

Hi, thanks for reporting this. FYI, I'm not the extension author; I'm just an enthusiast who contributes a little bit.

Looking into this for a few minutes I found this article: https://medium.com/@amitassaraf/3-6-uncovering-design-flaws-in-the-visual-studio-code-marketplace-ea1d8e8b0171. This explains why extensiontotal marks it as a medium-level threat. Although I agree with their assessment about lacking verification on the VS Code extension marketplace, this warning (in my understanding) will appear on any extension where the listed homepage/repository is pointing to a domain they have not verified ownership of.

As this is the actual repo and homepage of the ts-pretty-errors extension, in this case the warning is just exactly what it is: a warning. Using an actual verified domain as the homepage for the extension seems like a bit much just to get rid of a warning on a third-party site.

I think they point out a very valid flaw, and I hope the VS Code team takes it seriously and works to improve this attack vector. But it also reads like an advertisement for extensiontotal as a product, so do keep that in mind.

kevinramharak avatar Sep 18 '24 16:09 kevinramharak

Thank you @jb-asi and @kevinramharak. Actually, I've been waiting for approval from Microsoft for a very long time. I fulfilled the requirements but still no comment from their side.

If anyone can help speed things up, it will be really appreciated.

yoavbls avatar Nov 23 '24 19:11 yoavbls

Closing this issue as stale for now. The instructions to become a verified publisher can be found here: https://code.visualstudio.com/api/working-with-extensions/publishing-extension#verify-a-publisher. It is not that interesting as it only verifies that you control a certain domain. Not really relevant for this project, besides that the badge looks fancy.

kevinramharak avatar Oct 12 '25 16:10 kevinramharak

I tried to apply publisher verification again:

[Image: screenshot attached]

I hope to get a response about it this time in a few days. @kevinramharak I would like to keep this issue open to keep tracking it, at least for a few days.

yoavbls avatar Oct 15 '25 22:10 yoavbls

I have seen multiple issues of requests not going through, like https://github.com/microsoft/vscode-discussions/discussions/2899 and https://github.com/microsoft/vsmarketplace/issues/1486. I don't think it's a priority, but for support we can try and reach out at https://github.com/microsoft/vsmarketplace/issues.

kevinramharak avatar Nov 19 '25 08:11 kevinramharak