vscode: endless loop while updating extension

@joaomoreno

The problem seems to be how vscode is handling the api results from the marketplace

When version lens is not installed the json results from https://marketplace.visualstudio.com/_apis/public/gallery/extensionquery shows

v1.0.0 and flags=verified (screenshots from fiddler)

Once version lens is installed then the json shows v1.0.4 with flags=none

This is when I see

In the marketplace

After publishing the extension since v1.0.0 I see this error (screenshot from 2 days ago):

The error popup says this:

The extension ‘vscode-versionlens’ from ‘pflannery’ contains an entry which is unsafe for extraction.

I get a log file emailed to me and that shows the same high level message.

To add I have’nt actually included anything unsafe, in fact since v1.0.0 I’ve reduced the amount of production node_modules to less than half the file size.

There are 0 security issues reported by npm audit and github, so god knows what marketplace is falling over on.

When running vscode/vsce it packages and publishes to marketplace with no errors.

I emailed marketplace support 2 days ago and I’m just waiting to get more information about what the problem is.

The short term workaround is to install manually from the generated releases -> https://github.com/vscode-contrib/vscode-versionlens/releases

The issue is also being tracked at https://github.com/vscode-contrib/vscode-versionlens/issues/211

@isidorn , I see the fix in 667142d is to filter the extensions provided by the Marketplace to prevent getting unvalidated extensions. It’s a great mitigation, but consider this: servers have bugs, so can you really trust them? If the Marketplace starts sending unvalidated extension versions again we will be in the same situation. I recommend an additional fix, that will make the client resilient to server bugs. For example, if an auto-update fails, don’t try again for X minutes.

//cc @fiveisprime , @xavierdecoster

I’m thinking this has something to do with #98375, which was mitigated last night. I’ll reach out to the marketplace team.

Over at https://github.com/IBM-Blockchain/blockchain-vscode-extension, we published a new version of our extension earlier and all seems to be working now. @pflannery

@Jakeeyturner sounds good.

I see there have been changes since your first failure which makes me wonder if any of those changes got around the validation issue on marketplace or its actually fixed on their side.

I want to push another update but I’ve already accumulated over 18+ million installs thanks to this bug so I really dont want to push until I know:

1. it’s fixed or why its failing; and
2. vscode has released a loop fix

We initially released v1.0.29 on Thursday which was when we first saw the update loop problem.

Tried again with v1.0.30, which had a small change, on Friday quite quickly after everything was reported to be working fine here - https://status.dev.azure.com/_event/189079011 I suspect we did it too soon and that there was a backlog or something.

Then tried v1.0.31 (same as v1.0.30, minus a change to our changelog) which worked earlier.

Analysis

The valid version available for installing this extension is 1.0.0 and it seems Marketplace also has a non validated version 1.0.4 of this extension.

VS Code is not excluding non validated extensions while querying market place for latest versions but excluding while installing. Hence an update to 1.0.4 is seen always but while trying to install, it installs 1.0.0 version and this is going in auto update loop.

Removing the candidate tag as there is a new valid version of Version Lens extension is published and available in Marketplace which fixes existing clients.

Over at https://github.com/IBM-Blockchain/blockchain-vscode-extension, we published a new version of our extension earlier and all seems to be working now. @pflannery

I am sorry that I do not know about how validation is being done.

CCing @fiveisprime @joaomoreno

This issue is causing fan in MacPro spin at highest rate