Security notice for Apollo VS Code

11/28/18

A security vulnerability affecting Apollo VS Code requires your attention
James Baxley III

tl;dr: A widely reported npm supply-chain compromise affected event-stream, a dependency of a dependency of the Apollo VS Code plugin. The editor extension (along with 38 others) was removed from the VS Code Marketplace. These extensions were also uninstalled for users and flagged as "malicious" within VS Code. We locked our extension to a safe version of the dependency and worked with the VS Code team to republish the Apollo package, which is now safely back on the marketplace for download.

Timeline of events

Monday November 26
We determined that the vscode npm package that we use to build the Apollo VS Code editor extension was installing event-stream. We locked our versions down to a previous safe version and uploaded a release to the VS Code Marketplace.

Tuesday November 27
We received reports of the editor extension being removed from the marketplace and flagged as malicious. Our team reached out to the VS Code team to ask what was happening and why we had been flagged.
The prior night, the VS Code team had removed 38 extensions that depended on vscode or other related projects that brought the compromised package into their builds. After receiving our message on Tuesday, they responded to our team letting us know they were reviewing our new build.

Wednesday November 28
The VS Code team let us know that our changes were sufficient and that the Apollo VS Code extension had been published back onto the marketplace.

Next steps
Due to the way VS Code extensions are installed, there is only a small chance that the compromised package would have had any impact; even so, it is worth checking your machine to make sure that version of the package is not present. Lauren Elizabeth Tan put together a great tweet thread of steps to take:
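As an added example that is not part of the original notice or of Apollo's tooling, the following POSIX shell script performs the basic check described above: it walks a directory tree such as ~/.vscode/extensions or a project checkout, lists every installed copy of event-stream and of flatmap-stream (the dependency event-stream pulled in), and fails if any copy matches a flagged version. It assumes the usual node_modules/<name>/package.json layout; the default BAD_VERSIONS values are the versions publicly reported for this incident, not something stated in the notice, and can be overridden from the environment. The make_sample_tree function builds a constructed node_modules tree purely so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the Apollo notice or its authors: scan a directory
# tree (e.g. ~/.vscode/extensions or a project checkout) for installed copies
# of event-stream and of flatmap-stream, the dependency it pulled in, and fail
# if any copy matches a version listed in BAD_VERSIONS.
#
# Assumptions: packages live in the usual node_modules/<name>/package.json
# layout, and the default BAD_VERSIONS (the versions publicly reported for
# this incident) are not taken from the notice itself; override as needed.

BAD_VERSIONS="${BAD_VERSIONS:-event-stream@3.3.6 flatmap-stream@0.1.1}"

# Print one line per match: "<name>@<version> <path-to-package.json>".
# The name comes from the directory; the version is the first "version" key
# in package.json, which is top-level in anything npm has published.
list_stream_packages() {
  find "$1" -type f \( -path '*/node_modules/event-stream/package.json' \
                      -o -path '*/node_modules/flatmap-stream/package.json' \) 2>/dev/null |
  while IFS= read -r pkg; do
    name=$(basename "$(dirname "$pkg")")
    version=$(grep -o '"version"[[:space:]]*:[[:space:]]*"[^"]*"' "$pkg" |
              head -n1 | sed 's/.*"\([^"]*\)"$/\1/')
    printf '%s@%s %s\n' "$name" "${version:-unknown}" "$pkg"
  done
}

# Print every copy found and return 1 if any matches BAD_VERSIONS, else 0.
check_tree() {
  listing=$(list_stream_packages "$1")
  if [ -z "$listing" ]; then
    printf 'no event-stream or flatmap-stream under %s\n' "$1"
    return 0
  fi
  printf '%s\n' "$listing"
  rc=0
  for bad in $BAD_VERSIONS; do
    # Exact match on the "<name>@<version>" field, so 3.3.6 does not match 3.3.60.
    if printf '%s\n' "$listing" | awk -v b="$bad" '$1 == b { f = 1 } END { exit !f }'; then
      printf 'FLAGGED: %s is installed\n' "$bad"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample input for a dry run (not real extension data): one
# extension carrying the flagged versions, another on an older event-stream.
# Prints the temporary directory it created.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/ext-a/node_modules/event-stream/node_modules/flatmap-stream" \
           "$dir/ext-b/node_modules/event-stream"
  printf '{"name":"event-stream","version":"3.3.6"}\n' \
    > "$dir/ext-a/node_modules/event-stream/package.json"
  printf '{"name":"flatmap-stream","version":"0.1.1"}\n' \
    > "$dir/ext-a/node_modules/event-stream/node_modules/flatmap-stream/package.json"
  printf '{"name":"event-stream","version":"3.3.4"}\n' \
    > "$dir/ext-b/node_modules/event-stream/package.json"
  printf '%s\n' "$dir"
}

# Usage: sh check-event-stream.sh ~/.vscode/extensions
# Exit status 1 means a flagged version is present somewhere under that path.
if [ $# -gt 0 ]; then
  check_tree "$1"
fi
```

Run it against each directory that holds Node packages on the machine (the VS Code extensions directory, global npm modules, project checkouts); the exit status is what to script on, the listing is what to read. Note that it only inspects what is on disk, so a package that was installed and later removed will not show up, and a copy vendored under a different directory name would need the find patterns extended.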