
Extension removed due to security incident in NPM package "event-stream" #33

Closed
cstuder opened this issue Nov 27, 2018 · 10 comments

@cstuder

cstuder commented Nov 27, 2018

FYI: The NPM package "event-stream" has been compromised. This led Microsoft to unlist and forcibly de-install the affected extensions.

tomoki1207.pdf is affected as well.

I got a popup this morning which informed me about the de-installation. According to Microsoft, you'll have to fix the dependency and publish a new version for it to re-appear in the Marketplace.

@Jiab77

Jiab77 commented Nov 27, 2018

@cstuder Just got the same popup a few minutes ago and you finally gave me the explanation! Thanks a lot!

@auchenberg

Hi,

Kenneth here from the VS Code team.

Your extension is affected by https://code.visualstudio.com/blogs/2018/11/26/event-stream, and we have blocked your extension.

In order to enable your extension again the workflow is:

  1. Fix the extension, submit an update to the marketplace
  2. Send mail to [email protected] and [email protected] and notify us.
  3. We will verify that the extension is okay
  4. Our marketplace will publish the extension again and we'll remove the extension from the blocklist

/k

@CwjXFH

CwjXFH commented Nov 28, 2018

I was affected not by bitcoin but by my inability to view PDF documents in vscode 😂.

@xaduha

xaduha commented Nov 28, 2018

I'm not that bothered by the vulnerability, but I am bothered by the fact that MS uninstalled it without my permission. Does anyone know whether there is a setting to prevent that?

@tomoki1207 (Owner)

@cstuder Thanks a lot for information!

@ALL
I just updated for recovery.
Please just a moment.

@Jiab77

Jiab77 commented Nov 28, 2018

I'm not that bothered by the vulnerability, but I am bothered by the fact that MS uninstalled it without my permission. Does anyone know whether there is a setting to prevent that?

Got the same... It would be better to just pop up the notification and let us decide what to do instead of force-removing the extension and just giving us a notification saying "we have removed the extension, please reload". WTF??? Where is our right to take decisions?? @auchenberg

@cstuder (Author)

cstuder commented Nov 28, 2018

I am very bothered by vulnerabilities and feel better knowing somebody is watching my back.

You can disable extensions auto updates with the settings extensions.autoCheckUpdates and extensions.autoUpdate. I don't know if that would help in this case.

And if you don't trust Microsoft at all, you can use VSCodium as an alternate release of VS Code.

We get into off-topic territory though, maybe post your opinion on microsoft/vscode#63837 .

@xaduha

xaduha commented Nov 28, 2018

You can disable extensions auto updates with the settings extensions.autoCheckUpdates and extensions.autoUpdate. I don't know if that would help in this case.

I tried it, doesn't work. I have it in a docker container, so I can reset it to a state that still has the extension, but it still gets deleted every time. And without Internet connection it doesn't even start.

@Jiab77

Jiab77 commented Nov 29, 2018

@cstuder:

I am very bothered by vulnerabilities and feel better knowing somebody is watching my back.

You can disable extensions auto updates with the settings extensions.autoCheckUpdates and extensions.autoUpdate. I don't know if that would help in this case.

And if you don't trust Microsoft at all, you can use VSCodium as an alternate release of VS Code.

We get into off-topic territory though, maybe post your opinion on Microsoft/vscode#63837 .

Well, not so much off-topic. I have the same concerns, so I don't want to disable autoUpdate; I was just referring to the message from @auchenberg, which announced that Microsoft decided to tag the extension as malicious and so remove it without asking the user first.

Notification is required for sure, but different tagging (it is still tagged as malicious in the VS Code extension search) and different behaviour would be better.

@tomoki1207 thanks for your great work, just waiting on Microsoft to unlock your extension. 👍

@tomoki1207 (Owner)

tomoki1207 commented Nov 30, 2018

It seems to be republished.
Thanks.
