ci: excessive security hardening (supply chain + static analysis + docs) (#336)

* ci: add supply chain security (Trivy, Cosign, SBOM, dependency-review)
## Background
SLSA Level 3 provenance was already in place, but the release pipeline
lacked VSIX signing, SBOM generation, and PR-level dependency checks.
## Changes
- publish.yml: Add Trivy fs scan (CRITICAL/HIGH gate before publish)
- publish.yml: Add Cosign keyless VSIX signing (.bundle artifact)
- publish.yml: Add Syft CycloneDX SBOM generation + attestation
- publish.yml: Attach sbom-cyclonedx.json and .vsix.bundle to Release
- ci.yml: Add dependency-review-action (license + CVE check on PRs)
- README.md: Add Supply Chain Security verification instructions
All new Actions are SHA-pinned with Harden-Runner coverage.
Cosign signing and SBOM attestation are soft-fail (warn on failure).

🖥️ IDE: [Cursor](https://cursor.sh)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6

* ci: add Semgrep SAST and Socket.dev firewall to security checks
## Background
CodeQL was the only SAST engine. A single engine has detection blind
spots that complementary tools can cover.
## Changes
- security.yml: Add Semgrep job (p/typescript, p/security-audit, p/secrets)
- security.yml: Add Socket.dev firewall job (npm supply chain risk on PRs)
- ci.yml: Migrate dependency-review from deny-licenses to allow-licenses
- .github/dependency-review-config.yml: New config with MIT-compatible allowlist
All new Actions are SHA-pinned with Harden-Runner coverage.
Socket.dev requires GitHub App installation (Free tier).

🖥️ IDE: [Cursor](https://cursor.sh)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6

* docs(git-id-switcher): add STRIDE threat model, Webview CSP policy, and OpenVEX declaration
## Background
Security documentation existed only as implicit knowledge in code
comments. Threat model, capability boundaries, and vulnerability
impact assessment were not formalized.
## Changes
- docs/THREAT_MODEL.md: STRIDE-based threat model (S2/T3/R1/I2/D3/E3)
  with existing mitigation mapping and residual risk assessment
- docs/ARCHITECTURE.md: Add Webview CSP policy (nonce-based, future use)
  and Extension Capabilities table (granted + explicitly denied)
- .vex/vex.json: OpenVEX declaration (zero production dependencies,
  devDependency CVEs do not affect end users)
- .github/dependency-review-config.yml: Allow Semgrep and Socket.dev
  actions (CI-only, unknown license resolved)

🖥️ IDE: [Cursor](https://cursor.sh)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6

* ci: add anti-impersonation measures (fingerprint, URL validation, typosquat reporting)
## Background
VS Code Marketplace typosquatting is a growing threat. Users need
a way to verify they have the authentic extension.
## Changes
- README.md: Add Extension Fingerprint section (Publisher ID,
  Extension ID, Marketplace/Open VSX URLs)
- ci.yml: Add package.json URL validation step (repository.url
  and homepage must match expected values)
- SECURITY.md: Add typosquat reporting procedure with verification
  checklist (Cosign, SLSA, publisher, extension ID)
- docs/THREAT_MODEL.md: Promote S3 (Impersonation) from unmitigated
  to Spoofing section with existing mitigations mapped

🖥️ IDE: [Cursor](https://cursor.sh)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6

* chore: release v0.16.20
## Background
Supply chain security hardening, static analysis, threat model,
and anti-impersonation measures were added across steps 1-3.5.
## Changes
- CHANGELOG.md: Add 0.16.20 entry (Security + Documentation)
- package.json: Bump version 0.16.19 → 0.16.20

🖥️ IDE: [Cursor](https://cursor.sh)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: nullvariant

.github/dependency-review-config.yml

@@ -0,0 +1,30 @@
+# Dependency Review configuration
+# https://github.com/actions/dependency-review-action
+#
+# Uses allow-list approach (recommended over deny-list).
+# Only explicitly permitted licenses pass the check.
+
+fail-on-severity: moderate
+
+# SPDX license identifiers compatible with MIT
+allow-licenses:
+  - '0BSD'
+  - 'Apache-2.0'
+  - 'BlueOak-1.0.0'
+  - 'BSD-2-Clause'
+  - 'BSD-3-Clause'
+  - 'CC0-1.0'
+  - 'CC-BY-3.0'
+  - 'CC-BY-4.0'
+  - 'ISC'
+  - 'MIT'
+  - 'PSF-2.0'
+  - 'Python-2.0'
+  - 'Unlicense'
+
+# GitHub Actions with undetectable licenses
+# These are CI-only tools (not bundled in VSIX), so license compatibility
+# with the extension's MIT license is not a concern.
+allow-dependencies-licenses:
+  - 'pkg:githubactions/semgrep/semgrep-action'
+  - 'pkg:githubactions/SocketDev/action'

.github/workflows/ci.yml

@@ -70,6 +70,28 @@ jobs:
         shell: bash
         run: ls -la extensions/git-id-switcher/*.vsix
 
+      - name: Verify package.json URLs (anti-impersonation)
+        shell: bash
+        run: |
+          cd extensions/git-id-switcher
+          REPO_URL=$(node -e "console.log(require('./package.json').repository.url)")
+          HOMEPAGE=$(node -e "console.log(require('./package.json').homepage)")
+
+          EXPECTED_REPO="https://github.com/nullvariant/nullvariant-vscode-extensions"
+          EXPECTED_HOME_PREFIX="https://github.com/nullvariant/nullvariant-vscode-extensions"
+
+          if [ "$REPO_URL" != "$EXPECTED_REPO" ]; then
+            echo "::error::repository.url mismatch: expected '$EXPECTED_REPO', got '$REPO_URL'"
+            exit 1
+          fi
+
+          if [[ "$HOMEPAGE" != "$EXPECTED_HOME_PREFIX"* ]]; then
+            echo "::error::homepage does not start with '$EXPECTED_HOME_PREFIX': got '$HOMEPAGE'"
+            exit 1
+          fi
+
+          echo "package.json URLs verified"
+
   e2e:
     name: E2E Tests (${{ matrix.os }})
     strategy:
@@ -113,3 +135,27 @@ jobs:
         if: runner.os != 'Linux'
         run: npm run test:e2e
         working-directory: extensions/git-id-switcher
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    # Only run on pull requests (requires base/head comparison)
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+        with:
+          config-file: './.github/dependency-review-config.yml'
+          comment-summary-in-pr: always

.github/workflows/publish.yml

@@ -50,6 +50,61 @@ jobs:
         id: version
         run: echo "version=${GITHUB_REF#refs/tags/git-id-switcher-v}" >> $GITHUB_OUTPUT
 
+      # Supply Chain Security: Trivy VSIX scan (post-package, pre-publish)
+      # Scans the packaged VSIX for known CVEs before any publishing step
+      - name: Scan VSIX with Trivy
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        with:
+          scan-type: 'fs'
+          scan-ref: 'extensions/git-id-switcher'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+
+      # Supply Chain Security: Cosign keyless signing for VSIX
+      # Uses GitHub OIDC token (no secret key management required)
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+
+      - name: Sign VSIX with Cosign (keyless)
+        id: cosign-sign
+        continue-on-error: true
+        run: |
+          VSIX_FILE="extensions/git-id-switcher/git-id-switcher-${{ steps.version.outputs.version }}.vsix"
+          VSIX_BASENAME=$(basename "$VSIX_FILE")
+
+          cosign sign-blob "$VSIX_FILE" \
+            --yes \
+            --bundle "extensions/git-id-switcher/${VSIX_BASENAME}.bundle"
+
+          echo "vsix_file=$VSIX_FILE" >> $GITHUB_OUTPUT
+          echo "bundle_file=extensions/git-id-switcher/${VSIX_BASENAME}.bundle" >> $GITHUB_OUTPUT
+
+      - name: Warn if Cosign signing failed
+        if: steps.cosign-sign.outcome == 'failure'
+        run: echo "::warning::Cosign VSIX signing failed. The VSIX will be published without a Cosign signature."
+
+      # Supply Chain Security: SBOM generation (CycloneDX via Syft)
+      - name: Generate SBOM (CycloneDX)
+        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
+        with:
+          path: extensions/git-id-switcher
+          artifact-name: sbom-cyclonedx.json
+          output-file: extensions/git-id-switcher/sbom-cyclonedx.json
+          format: cyclonedx-json
+
+      # Supply Chain Security: SBOM attestation (signed with GitHub Attestation API)
+      - name: Attest SBOM
+        id: sbom-attest
+        continue-on-error: true
+        uses: actions/attest-sbom@07e74fc4e78d1aad915e867f9a094073a9f71527 # v4.0.0
+        with:
+          subject-path: extensions/git-id-switcher/*.vsix
+          sbom-path: extensions/git-id-switcher/sbom-cyclonedx.json
+
+      - name: Warn if SBOM attestation failed
+        if: steps.sbom-attest.outcome == 'failure'
+        run: echo "::warning::SBOM attestation failed. The SBOM will be included in the release without attestation."
+
       # SLSA Provenance: Generate attestation via GitHub Attestation API
       # This creates verifiable build provenance for supply chain security
       - name: Generate SLSA Provenance attestation
@@ -91,6 +146,8 @@ jobs:
           files: |
             extensions/git-id-switcher/*.vsix
             extensions/git-id-switcher/*.intoto.jsonl
+            extensions/git-id-switcher/sbom-cyclonedx.json
+            extensions/git-id-switcher/*.vsix.bundle
           generate_release_notes: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/security.yml

@@ -172,6 +172,55 @@ jobs:
         with:
           category: "/language:typescript"
 
+  semgrep:
+    name: Semgrep SAST
+    runs-on: ubuntu-latest
+    # Skip forked PRs (no SARIF upload permission)
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Run Semgrep
+        uses: semgrep/semgrep-action@713efdd345f3035192eaa63f56867b88e63e4e5d # v1
+        with:
+          config: >-
+            p/typescript
+            p/security-audit
+            p/secrets
+
+  socket-security:
+    name: Socket.dev Security
+    runs-on: ubuntu-latest
+    # Only run on pull requests (analyzes dependency changes)
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Socket Security Review
+        uses: SocketDev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1
+        with:
+          mode: firewall
+
   scorecard:
     name: OpenSSF Scorecard
     runs-on: ubuntu-latest

README.md

@@ -176,6 +176,56 @@ git push origin git-id-switcher-v1.0.0
 
 The [publish workflow](.github/workflows/publish.yml) will automatically build and publish the extension to VS Code Marketplace and Open VSX.
 
+## Supply Chain Security
+
+Every release includes cryptographic verification artifacts:
+
+| Artifact              | Description                         |
+| --------------------- | ----------------------------------- |
+| `*.vsix`              | The extension package               |
+| `*.vsix.intoto.jsonl` | SLSA Level 3 build provenance       |
+| `*.vsix.bundle`       | Cosign keyless signature (Sigstore) |
+| `sbom-cyclonedx.json` | CycloneDX SBOM with attestation     |
+
+### Verify VSIX signature (Cosign)
+
+```bash
+# Download the VSIX and its .bundle from the GitHub Release, then:
+cosign verify-blob git-id-switcher-<version>.vsix \
+  --bundle git-id-switcher-<version>.vsix.bundle \
+  --certificate-identity-regexp="https://github.com/nullvariant/nullvariant-vscode-extensions/" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
+```
+
+### Verify SLSA provenance (GitHub CLI)
+
+```bash
+gh attestation verify git-id-switcher-<version>.vsix \
+  --repo nullvariant/nullvariant-vscode-extensions
+```
+
+### Verify SBOM attestation (GitHub CLI)
+
+```bash
+gh attestation verify git-id-switcher-<version>.vsix \
+  --repo nullvariant/nullvariant-vscode-extensions \
+  --predicate-type https://cyclonedx.org/bom
+```
+
+## Extension Fingerprint
+
+Use this information to verify you have the authentic Git ID Switcher extension:
+
+| Field        | Value                                                                             |
+| ------------ | --------------------------------------------------------------------------------- |
+| Publisher    | `nullvariant`                                                                     |
+| Extension ID | `nullvariant.git-id-switcher`                                                     |
+| Repository   | `https://github.com/nullvariant/nullvariant-vscode-extensions`                    |
+| Marketplace  | `https://marketplace.visualstudio.com/items?itemName=nullvariant.git-id-switcher` |
+| Open VSX     | `https://open-vsx.org/extension/nullvariant/git-id-switcher`                      |
+
+If you find an extension with a similar name from a different publisher, please report it (see [SECURITY.md](SECURITY.md#reporting-typosquatting)).
+
 ## License
 
 MIT

SECURITY.md

@@ -27,6 +27,25 @@ If you discover a security vulnerability, please report it by:
 
 **Please do NOT open a public issue for security vulnerabilities.**
 
+## Reporting Typosquatting
+
+If you find a VS Code extension with a similar name to **Git ID Switcher** from a different publisher, it may be a typosquat attempt. Please report it:
+
+1. **Report to us** via [GitHub Security Advisory](https://github.com/nullvariant/nullvariant-vscode-extensions/security/advisories/new) or email `security@nullvariant.com`
+2. **Report to the marketplace**:
+   - VS Code Marketplace: Use the "Report" button on the extension page, or email `vscext@microsoft.com`
+   - Open VSX: File an issue at [open-vsx/publish-extensions](https://github.com/open-vsx/publish-extensions/issues)
+
+### How to Verify Authenticity
+
+| Check            | Expected Value                                                                      |
+| ---------------- | ----------------------------------------------------------------------------------- |
+| Publisher        | `nullvariant`                                                                       |
+| Extension ID     | `nullvariant.git-id-switcher`                                                       |
+| Repository URL   | `https://github.com/nullvariant/nullvariant-vscode-extensions`                      |
+| VSIX signature   | Verifiable via `cosign verify-blob` (see [README](README.md#supply-chain-security)) |
+| Build provenance | Verifiable via `gh attestation verify` (SLSA Level 3)                               |
+
 ## Security Measures
 
 This repository contains VS Code extensions with the following security measures:
@@ -68,26 +87,26 @@ This section documents all secrets used in CI/CD workflows.
 
 ### Repository Secrets
 
-| Name | Purpose | Used In | Rotation | Sensitivity |
-| ---- | ------- | ------- | -------- | ----------- |
-| RELEASE_PAT | Tag push to trigger publish workflow | auto-tag.yml | 90 days | High |
-| VSCE_PAT | VS Code Marketplace publishing | publish.yml, unpublish.yml | Annual | High |
-| OVSX_PAT | Open VSX publishing | publish.yml, unpublish.yml | Annual | High |
-| SONAR_TOKEN | SonarCloud code analysis | sonarcloud.yml | As needed | Medium |
-| CLOUDFLARE_API_TOKEN | Cloudflare Pages/R2 deployment | deploy-docs.yml, publish.yml | Annual | High |
-| CLOUDFLARE_ACCOUNT_ID | Cloudflare account identifier (public) | deploy-docs.yml, publish.yml | Never | Low (public ID) |
-| SLACK_WEBHOOK | Bot monitoring alerts | bot-monitoring.yml | As needed | Medium |
+| Name                  | Purpose                                | Used In                      | Rotation  | Sensitivity     |
+| --------------------- | -------------------------------------- | ---------------------------- | --------- | --------------- |
+| RELEASE_PAT           | Tag push to trigger publish workflow   | auto-tag.yml                 | 90 days   | High            |
+| VSCE_PAT              | VS Code Marketplace publishing         | publish.yml, unpublish.yml   | Annual    | High            |
+| OVSX_PAT              | Open VSX publishing                    | publish.yml, unpublish.yml   | Annual    | High            |
+| SONAR_TOKEN           | SonarCloud code analysis               | sonarcloud.yml               | As needed | Medium          |
+| CLOUDFLARE_API_TOKEN  | Cloudflare Pages/R2 deployment         | deploy-docs.yml, publish.yml | Annual    | High            |
+| CLOUDFLARE_ACCOUNT_ID | Cloudflare account identifier (public) | deploy-docs.yml, publish.yml | Never     | Low (public ID) |
+| SLACK_WEBHOOK         | Bot monitoring alerts                  | bot-monitoring.yml           | As needed | Medium          |
 
 ### GitHub App Secrets (6 bots × 2 secrets each)
 
-| Bot | Secrets | Used In |
-| --- | ------- | ------- |
+| Bot     | Secrets                                     | Used In         |
+| ------- | ------------------------------------------- | --------------- |
 | Justice | JUSTICE_BOT_APP_ID, JUSTICE_BOT_PRIVATE_KEY | justice-bot.yml |
-| Luna | LUNA_BOT_APP_ID, LUNA_BOT_PRIVATE_KEY | luna-bot.yml |
-| Slow | SLOW_BOT_APP_ID, SLOW_BOT_PRIVATE_KEY | slow-bot.yml |
-| Blaze | BLAZE_BOT_APP_ID, BLAZE_BOT_PRIVATE_KEY | blaze-bot.yml |
-| Ciel | CIEL_BOT_APP_ID, CIEL_BOT_PRIVATE_KEY | ciel-bot.yml |
-| Mimi | MIMI_BOT_APP_ID, MIMI_BOT_PRIVATE_KEY | mimi-bot.yml |
+| Luna    | LUNA_BOT_APP_ID, LUNA_BOT_PRIVATE_KEY       | luna-bot.yml    |
+| Slow    | SLOW_BOT_APP_ID, SLOW_BOT_PRIVATE_KEY       | slow-bot.yml    |
+| Blaze   | BLAZE_BOT_APP_ID, BLAZE_BOT_PRIVATE_KEY     | blaze-bot.yml   |
+| Ciel    | CIEL_BOT_APP_ID, CIEL_BOT_PRIVATE_KEY       | ciel-bot.yml    |
+| Mimi    | MIMI_BOT_APP_ID, MIMI_BOT_PRIVATE_KEY       | mimi-bot.yml    |
 
 **Security Notes for GitHub Apps**:
 
@@ -114,15 +133,15 @@ Marketplace publishing secrets (VSCE_PAT, OVSX_PAT) are protected by the `produc
 
 ### Provider Links
 
-| Secret | Provider | Management URL | Expiration |
-| ------ | -------- | -------------- | ---------- |
-| RELEASE_PAT | GitHub | [GitHub Fine-grained PAT](https://github.com/settings/tokens?type=beta) | 2026-04-17 |
-| VSCE_PAT | Azure DevOps | [Azure DevOps Tokens](https://dev.azure.com/nullvariant/_usersSettings/tokens) | 2027-01-08 |
-| OVSX_PAT | Open VSX | [Open VSX Tokens](https://open-vsx.org/user-settings/tokens) | No expiration |
-| CLOUDFLARE_API_TOKEN | Cloudflare | [Cloudflare API Tokens](https://dash.cloudflare.com/profile/api-tokens) | No expiration |
-| SONAR_TOKEN | SonarCloud | [SonarCloud Security](https://sonarcloud.io/account/security) | No expiration |
-| GitHub App Keys | GitHub | [GitHub Apps](https://github.com/settings/apps) | No expiration |
-| SLACK_WEBHOOK | Slack | [Slack Apps](https://api.slack.com/apps) | No expiration |
+| Secret               | Provider     | Management URL                                                                 | Expiration    |
+| -------------------- | ------------ | ------------------------------------------------------------------------------ | ------------- |
+| RELEASE_PAT          | GitHub       | [GitHub Fine-grained PAT](https://github.com/settings/tokens?type=beta)        | 2026-04-17    |
+| VSCE_PAT             | Azure DevOps | [Azure DevOps Tokens](https://dev.azure.com/nullvariant/_usersSettings/tokens) | 2027-01-08    |
+| OVSX_PAT             | Open VSX     | [Open VSX Tokens](https://open-vsx.org/user-settings/tokens)                   | No expiration |
+| CLOUDFLARE_API_TOKEN | Cloudflare   | [Cloudflare API Tokens](https://dash.cloudflare.com/profile/api-tokens)        | No expiration |
+| SONAR_TOKEN          | SonarCloud   | [SonarCloud Security](https://sonarcloud.io/account/security)                  | No expiration |
+| GitHub App Keys      | GitHub       | [GitHub Apps](https://github.com/settings/apps)                                | No expiration |
+| SLACK_WEBHOOK        | Slack        | [Slack Apps](https://api.slack.com/apps)                                       | No expiration |
 
 **Token Details**:
 

extensions/git-id-switcher/.vex/vex.json

@@ -0,0 +1,28 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://github.com/nullvariant/nullvariant-vscode-extensions/extensions/git-id-switcher/.vex/vex.json",
+  "author": "Null;Variant <null@nullvariant.com>",
+  "timestamp": "2026-03-15T12:00:00Z",
+  "version": 1,
+  "tooling": "manual",
+  "statements": [
+    {
+      "vulnerability": {
+        "@id": "https://github.com/nullvariant/nullvariant-vscode-extensions/extensions/git-id-switcher/.vex/vex.json#no-prod-deps",
+        "name": "no-production-dependencies",
+        "description": "This extension has zero production dependencies. All npm packages in package.json are devDependencies used only during development and CI. The published VSIX contains only compiled JavaScript with no third-party code bundled."
+      },
+      "products": [
+        {
+          "@id": "pkg:npm/git-id-switcher",
+          "identifiers": {
+            "purl": "pkg:npm/git-id-switcher"
+          }
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "All dependencies are devDependencies. No third-party code is included in the published VSIX package. CVEs in devDependencies do not affect end users."
+    }
+  ]
+}