vscode NPM package is causing a diff security issue #75732

@queeniema

Description

Issue Type: Bug

GitHub reported a security vulnerability related to the diff NPM package in my VS Code extension's package-lock.json.

[Screenshot: Screen Shot 2019-06-18 at 5 49 45 PM]

In my VS Code extension's package.json, I've added a dependency for vscode:

"devDependencies": {
  ...
  "vscode": "^1.1.34",
  ...
}

When I run npm ls diff to see what packages are using diff, I see this:

[Screenshot: Screen Shot 2019-06-18 at 5 49 23 PM]

And I see this reflected in my package-lock.json:

"vscode": {
  "version": "1.1.34",
  "resolved": "https://registry.npmjs.org/vscode/-/vscode-1.1.34.tgz",
  "integrity": "sha512-GuT3tCT2N5Qp26VG4C+iGmWMgg/MuqtY5G5TSOT3U/X6pgjM9LFulJEeqpyf6gdzpI4VyU3ZN/lWPo54UFPuQg==",
  "dev": true,
  "requires": {
    "glob": "^7.1.2",
    "mocha": "^4.0.1",
    "request": "^2.88.0",
    "semver": "^5.4.1",
    "source-map-support": "^0.5.0",
    "url-parse": "^1.4.4",
    "vscode-test": "^0.4.1"
  },
  "dependencies": {
    ...
    "diff": {
      "version": "3.3.1",
      "resolved": "https://registry.npmjs.org/diff/-/diff-3.3.1.tgz",
      "integrity": "sha512-MKPHZDMB0o6yHyDryUOScqZibp914ksXwAMYMTHj6KO8UeKsRYNJD3oNCKjTqZon+V488P7N/HzXF8t7ZR95ww==",
      "dev": true
    },
    ...
  }
}

VS Code version: Code 1.35.1 (c7d83e5, 2019-06-12T14:29:22.216Z)
OS version: Darwin x64 18.6.0

System Info

CPUs: Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz (8 x 2500)
GPU Status:
  2d_canvas: enabled
  checker_imaging: disabled_off
  flash_3d: enabled
  flash_stage3d: enabled
  flash_stage3d_baseline: enabled
  gpu_compositing: enabled
  multiple_raster_threads: enabled_on
  native_gpu_memory_buffers: enabled
  rasterization: enabled
  surface_synchronization: enabled_on
  video_decode: enabled
  webgl: enabled
  webgl2: enabled
Load (avg): 3, 3, 3
Memory (System): 16.00GB (0.11GB free)
Process Argv:
Screen Reader: no
VM: 0%

Extensions (15)

Extension (author, truncated) Version
vscode-css-formatter (aes) 1.0.1
npm-intellisense (chr) 1.3.0
path-intellisense (chr) 1.4.2
bracket-pair-colorizer (Coe) 1.0.61
vscode-eslint (dba) 1.9.0
gitlens (eam) 9.8.2
vscode-npm-script (eg2) 0.3.7
auto-rename-tag (for) 0.1.0
beautify (Hoo) 1.5.0
ibm-streams (IBM) 0.5.0
vscode-duplicate (mrm) 1.2.1
java (red) 0.46.0
change-case (wma) 1.0.0
JavaScriptSnippets (xab) 1.7.2
ReactSnippets (xab) 2.3.0
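As an added example (not code from the issue, the reporter or the vscode package), the script below walks a lockfileVersion 1 package-lock.json like the fragment quoted above and reports every path by which a package such as diff is resolved, its version, and whether the copy is dev-only. The lockfile is constructed for illustration, and the fixed version the checks compare against is a parameter to be taken from the advisory GitHub shows.

```javascript
// Constructed lockfile; only the nested vscode -> diff@3.3.1 entry mirrors the issue.
const lockfile = {
  lockfileVersion: 1,
  dependencies: {
    diff: { version: "4.0.1", dev: true }, // constructed hoisted copy
    "report-lib": { // constructed runtime (non-dev) dependency
      version: "1.0.0",
      requires: { diff: "^3.0.0" },
      dependencies: { diff: { version: "3.3.1" } },
    },
    vscode: {
      version: "1.1.34",
      dev: true,
      requires: { mocha: "^4.0.1", "vscode-test": "^0.4.1" },
      dependencies: { diff: { version: "3.3.1", dev: true } },
    },
  },
};

// Recursively collect every resolved copy of `name` with its nesting path.
function findPackage(lock, name) {
  const hits = [];
  (function walk(deps, path) {
    for (const [pkg, meta] of Object.entries(deps || {})) {
      const here = [...path, `${pkg}@${meta.version}`];
      if (pkg === name) {
        hits.push({ path: here.join(" > "), version: meta.version, dev: meta.dev === true });
      }
      walk(meta.dependencies, here); // lockfile v1 nests per-package copies
    }
  })(lock.dependencies, []);
  return hits;
}
// Numeric major.minor.patch comparison (prerelease tags are not handled).
function semverLess(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}
// Copies older than `fixed`, the fixed version taken from the advisory.
function vulnerableCopies(lock, name, fixed) {
  return findPackage(lock, name).filter((h) => semverLess(h.version, fixed));
}
// Of those, the copies that ship with the extension (not "dev": true).
function shippedVulnerableCopies(lock, name, fixed) {
  return vulnerableCopies(lock, name, fixed).filter((h) => !h.dev);
}
```

Entries marked "dev": true in a v1 lockfile are reachable only through devDependencies, which a published extension does not ship. Dev-only hits still matter for the build machine, but they are a different risk from a copy bundled into the extension itself.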

Labels: engineering (VS Code - Build / issue tracking / etc.)
