
Unverified VS Code Publisher #123

Open
jb-asi opened this issue Sep 18, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@jb-asi

jb-asi commented Sep 18, 2024

Describe the bug
A third-party-extension security rater (similar to Snyk) has given this repo's VS Code Extension a "medium" threat level due to:

Publisher didn't verify their listed domain ownership. Publisher verification is a good practice to ensure the publisher is who they say they are. Yet, VS Code publisher verification process is not rigorous enough.

Link here.

Expected behavior
Please consider if it would be simple and convenient to become "verified" as a publisher. If so, perhaps it may be something you would be willing to do. Or not!

Original error
[Not applicable]

Screenshots
[Not applicable]

@jb-asi jb-asi added the bug Something isn't working label Sep 18, 2024
@jb-asi
Author

jb-asi commented Sep 18, 2024

Also, really love this extension. Congratulations on its success!

@kevinramharak
Contributor

Hi, thanks for reporting this. FYI, I'm not the extension author; I'm just an enthusiast who contributes a little bit.

Looking into this for a few minutes I found this article: https://medium.com/@amitassaraf/3-6-uncovering-design-flaws-in-the-visual-studio-code-marketplace-ea1d8e8b0171
This explains why extensiontotal marks it as a medium-level threat. Although I agree with their assessment about lacking verification on the VS Code extension marketplace, this warning (in my understanding) will appear on any extension where the listed homepage/repository is pointing to a domain they have not verified ownership of.

As this is the actual repo and homepage of the ts-pretty-errors extension, in this case the warning is just exactly what it is: a warning. Using an actual verified domain as the homepage for the extension seems like a bit much just to get rid of a warning on a third-party site.

I think they point out a very valid flaw, I hope the VS Code team takes it seriously and works to improve this attack vector.
But it also reads like an advertisement for extensiontotal as a product. So do keep that in mind.
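The check kevinramharak describes (the warning fires whenever the extension's listed homepage or repository is on a domain the publisher has not verified) is easy to reproduce locally, which is useful when triaging such findings across many extensions. The script below is an added illustration, not code from this project or from any marketplace scanner; the metadata record is constructed, and the field names (`verified_domain`, `homepage`, `repository`) are assumptions rather than the marketplace's real schema.

```python
from urllib.parse import urlparse

# Constructed sample record, shaped like what a scanner would collect for one
# extension. Field names are assumptions for this example, not the marketplace API.
SAMPLE_EXTENSION = {
    "name": "ts-pretty-errors",
    "verified_domain": None,            # publisher has not verified any domain
    "homepage": "https://github.com/example-publisher/ts-pretty-errors",
    "repository": "https://github.com/example-publisher/ts-pretty-errors",
}


def _host(url: str) -> str:
    """Return the lowercased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def host_matches_domain(host: str, domain: str) -> bool:
    """True when host equals domain or is a subdomain of it (docs.example.org ~ example.org)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def unverified_links(ext: dict) -> list[str]:
    """Return the link fields whose host is not covered by the publisher's verified domain.

    A publisher with no verified domain gets every link flagged, which is why
    extensions hosted on github.com (a domain no small publisher can verify)
    always trip this kind of warning.
    """
    domain = ext.get("verified_domain")
    flagged = []
    for field in ("homepage", "repository"):
        url = ext.get(field)
        if not url:
            continue
        if domain is None or not host_matches_domain(_host(url), domain):
            flagged.append(field)
    return flagged


def rate(ext: dict) -> str:
    """Map the link check onto the coarse severity the issue describes."""
    return "medium" if unverified_links(ext) else "ok"


if __name__ == "__main__":
    print(SAMPLE_EXTENSION["name"], "->", rate(SAMPLE_EXTENSION), unverified_links(SAMPLE_EXTENSION))
```

Running it on the constructed record flags both links, matching the "medium" rating in the report; swapping in a `verified_domain` that covers the homepage host (or a homepage under that domain) drops the rating to "ok", which shows that the finding is about where the links point, not about anything in the extension itself.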
