fix(vscode): claim a free display name and fix the Marketplace README links#814
Merged
Merged
Conversation
… links
`vsce publish` failed a third time:
This extension display name is taken. Please try a different one.
The Marketplace reserves `displayName` across all publishers, exactly as it
reserves `name`. `Apollon` is held by the abandoned `tumaet.apollon-vscode`
listing. `Apollon - TUM` is the display name the `aet-tum.apollon-extension`
listing already carries, so the update keeps it -- and it matches the sibling
`aet-tum.iris-thaumantias` ("Artemis - TUM").
While auditing the listing, both relative links in the Marketplace README were
found to 404. vsce rewrites relative README links against the repository root
and ignores `repository.directory` (microsoft/vscode-vsce#980), so an extension
in a subdirectory ships links one level too high, silently, with no warning:
./README.dev.md -> .../blob/HEAD/README.dev.md 404
../LICENSE -> .../blob/HEAD/../LICENSE 404
`--baseContentUrl` fixes the first. It cannot fix the second: vsce keeps `../`
verbatim and GitHub does not normalize `..` in a blob path. The link now points
at `./LICENSE.txt`, which exists in the extension root and ships in the VSIX.
The base URLs live in `package:vsix` and the release workflow packages through
that script, so there is one definition rather than two that can drift.
The README's diagram list said "SFC"; the shipped label is "Sequential function
chart". All 13 now match the labels in `src/shared/diagramTypes.ts`.
Verified against the artifact vsce actually produces: id
`aet-tum.apollon-extension`, displayName `Apollon - TUM`, v5.1.1, icon present
(256x256 PNG), LICENSE.txt present, no src/ and no sourcemaps, and every URL in
the packaged readme.md returns 200 (npmjs.com returns 403 to curl -- Cloudflare
bot mitigation; the registry API returns 200 for the package). `pnpm run
package:vsix` was executed with vsce resolved from PATH, the way the runner
does it.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claudia-Anthropica
approved these changes
Jul 9, 2026
Claudia-Anthropica
left a comment
Collaborator
There was a problem hiding this comment.
@FelixTJDietrich Looks good. The Marketplace identity and README link handling are consistent, and the checks are green.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Third server-side rejection, third distinct rule:
Rather than fix it and find out about rule #4 next run, I put three principal engineers on it — one researching the Marketplace's documented validation surface, one auditing the artifact vsce actually produces, one red-teaming the result.
The blocker
The Marketplace reserves
displayNameacross all publishers, exactly as it reservesname:The rule went live 2023-02-01 (vscode-discussions#433) — which is why 29 duplicate display names I sampled from the gallery are all pre-2023 grandfathering.
Apollonis held by the abandonedtumaet.apollon-vscode.Apollon - TUMis the display name ouraet-tum.apollon-extensionlisting already carries, so the update keeps it, and it matches its siblingaet-tum.iris-thaumantias→Artemis - TUM.The defect nobody would have reported
While auditing the listing, both relative links in the Marketplace README were found to 404 silently. vsce rewrites relative README links against the repository root and ignores
repository.directory(vscode-vsce#980, open), so an extension in a subdirectory ships links one level too high — with zero warnings at package time.Measured with
curlagainst the URLs inside the actual VSIX:[README.dev.md](./README.dev.md).../blob/HEAD/README.dev.md[LICENSE](../LICENSE).../blob/HEAD/../LICENSE--baseContentUrlfixes the first. It cannot fix the second: vsce keeps../verbatim and GitHub does not normalize..in a blob path, so it stays broken even with a correct base. That link now points at./LICENSE.txt, which exists in the extension root and already ships inside the VSIX.The base URLs are declared once, in
package:vsix, and the release workflow packages through that script instead of callingvsceitself — the same duplication that produced the wrong extension ID two PRs ago.Also corrected
The README advertised
SFC; the shipped label isSequential function chart. All 13 diagram types now matchsrc/shared/diagramTypes.tsexactly.Verified against the artifact that will actually be uploaded
Not the source tree — the VSIX:
aet-tum.apollon-extensionApollon - TUM5.1.1(listing is at 1.0.0)media/icon.png, present, 256×256 PNG (the live listing currently has no icon asset at all)src/, sourcemapsreadme.mdThe one non-200 is
npmjs.com→403, which is Cloudflare bot mitigation againstcurl;registry.npmjs.orgreturns200for the package.I also executed the changed CI packaging path locally rather than reasoning about it: installed
vsceinto a temp prefix, put it onPATH, and ranpnpm run package:vsixfromvscode-extension/— packages cleanly, glob matches exactly one VSIX.Red team confirmed via vsce v3.9.1
src/publish.tsthat--packagePathreads the manifest from inside the VSIX, never from disk — which is what makes the publish job's.nvmrc-only sparse checkout safe, and means the base-URL flags can't disagree with what ships.lint,typecheck,format:checkclean; 44/44 tests pass.Shipping
Merging is still inert —
versionis unchanged, so #808's push guard correctly skips. Publish with Actions → Release VS Code Extension → Run workflow onmain,dry_run: false.Residual risk, stated honestly
vsce packageperforms only local validation;name/displayNameuniqueness is enforced only at the server on publish, and there is no documented dry-run. Every rule I could find a trusted source for is now satisfied, and the two identity fields are values this listing already holds — the strongest guarantee available short of publishing. Unverified by any trusted source: whether a reserved-name list exists, and anydescriptionlength cap.Unrelated and still open:
OVSX_PATunset (Open VSX skipped by design), and thevscode-marketplaceenvironment has no protection rules.🤖 Generated with Claude Code