Hi Jack, thanks for building this extension — it's one of the more useful Claude Code usage trackers out there.
I was doing a routine security review before installing, and noticed that the published `.vsix` on the VS Code Marketplace contains a compiled file `out/ccusageIntegration.js` that doesn't have a corresponding TypeScript source file in this repo.
That file imports `child_process` and uses `spawn` to execute commands (`ccusage`, `bunx ccusage`, `npx ccusage`, and a hardcoded local path `/Users/jack/Workspace/ccusage/src/index.ts`). None of the other modules in the package import it, so it appears to be dead code — looks like it may have been compiled locally and accidentally included when packaging.
A couple of minor things I also noticed:
- `.claude/settings.local.json` (your local dev settings) is included in the `.vsix` — you may want to add it to `.vscodeignore`
- The `npx ccusage` fallback could be a latent supply chain concern if that package name were ever squatted on npm
Suggested fixes:
- Add the source file to the repo, or remove the compiled output before packaging
- Add `out/ccusageIntegration.js` and `.claude/` to `.vscodeignore` if they're not needed
- Republish a clean `.vsix` build
Happy to help if any of this is unclear. Just flagging it so users can verify that the published package matches the source. Cheers!
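The review steps in the report above can be automated. This is an added example, not part of the original issue or the extension's code: it assumes the usual `tsc` layout where `out/<name>.js` is built from `src/<name>.ts`, and the function names, the `extension.js` entry and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Matches require("child_process") or `from "child_process"` (also node:child_process).
CHILD_PROCESS = re.compile(r"""(?:require\(\s*|from\s+)['"](?:node:)?child_process['"]""")
# Paths the report says should not ship; adjust per project.
UNWANTED_PREFIXES = (".claude/",)


def audit_vsix(vsix_bytes, repo_files, out_dir="out", src_dir="src"):
    """Compare a .vsix payload against the repo's file list (assumed out/ <- src/ mapping)."""
    repo = set(repo_files)
    findings = {"no_source": [], "spawns_processes": [], "unwanted": []}
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        for name in zf.namelist():
            # Extension files live under "extension/" inside the archive.
            if not name.startswith("extension/") or name.endswith("/"):
                continue
            rel = PurePosixPath(name[len("extension/"):])
            if str(rel).startswith(UNWANTED_PREFIXES):
                findings["unwanted"].append(str(rel))
            if rel.suffix != ".js" or rel.parts[0] != out_dir:
                continue
            source = PurePosixPath(src_dir, *rel.parts[1:]).with_suffix(".ts")
            if str(source) not in repo:
                findings["no_source"].append(str(rel))
            if CHILD_PROCESS.search(zf.read(name).decode("utf-8", "replace")):
                findings["spawns_processes"].append(str(rel))
    return findings


def build_sample_vsix():
    """Constructed sample archive mirroring the layout described in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension.vsixmanifest", "<PackageManifest/>")
        zf.writestr("extension/out/extension.js", 'const vscode = require("vscode");')
        zf.writestr("extension/out/ccusageIntegration.js",
                    'const { spawn } = require("child_process");')
        zf.writestr("extension/.claude/settings.local.json", "{}")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_vsix(build_sample_vsix(), ["src/extension.ts", "package.json"]))
```

A compiled file that appears in both `no_source` and `spawns_processes` is the combination the report flags; bundled or minified output would need a different source-mapping check.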