Hacker News
Leaked Tokens in VSCode Extensions (waritschlager.de)
43 points by phil294 on May 28, 2022 | hide | past | favorite | 6 comments



I think this just comes down to sloppy programming. As a software engineer you will always have the opportunity to do something stupid or insecure, unless we force all our tools to nanny us. Frankly I suspect such tools would cause more problems than they are worth. That said I wouldn't scoff at a solution that makes this less likely without getting in your way. I think the key a lot of the time is rather than blaming the tool, we should make sure we understand how the tool works.


> This command [`vsce package`] includes all files in the current directory

Why does it do this? Is it trying to include code or some other assets?

Is this normal outside of C/C++ (or similar) build systems? Tools like cmake, premake, scons, etc. tend to expect you to tell the tool what to do. e.g. which files you want to compile.


If you need some sort of "compilation" (e.g. TS->JS, Webpack), you need to run that before the packaging command yourself. A VSCode extension mostly consists of a single package.json file with a "main" field pointing to some .js file. As far as I understand, vsce does not parse or handle anything, it just checks some metadata and includes the entire folder. This is also why extensions often ship with several files that are not required at runtime.

As to why - since extensions can do anything they want including running bundled binaries, there is no way for the IDE to know which files may or may not be relevant. That doesn't justify going with an include-by-default strategy though, an allow-list would be much better.

Is this normal in the JS ecosystem? Not really I'd say. NPM packages for example have a "files" property where you specify what to include, and I feel like the general trend is towards a saner approach of modules and imports anyway.


That field is optional in npm, and vsce claims to be using npm as a base for its package structure.


Interesting. I think this is only a problem because npm made the "files" attribute optional.

To be honest, I can't see why you would ever want an include-by-default approach to package building instead of explicit inclusion.


Yikes.



