{"id":5347148,"name":"github.com/coder/code-marketplace","ecosystem":"go","description":"","homepage":"https://github.com/coder/code-marketplace","licenses":"AGPL-3.0","normalized_licenses":["AGPL-3.0"],"repository_url":"https://github.com/coder/code-marketplace","keywords_array":[],"namespace":"github.com/coder","versions_count":5,"first_release_published_at":"2022-09-12T20:33:42.000Z","latest_release_published_at":"2023-05-30T17:07:52.000Z","latest_release_number":"v1.2.2","last_synced_at":"2026-04-07T15:12:16.422Z","created_at":"2022-10-18T03:01:16.632Z","updated_at":"2026-04-08T12:11:40.193Z","registry_url":"https://pkg.go.dev/github.com/coder/code-marketplace","install_command":"go get github.com/coder/code-marketplace","documentation_url":"https://pkg.go.dev/github.com/coder/code-marketplace#section-documentation","metadata":{},"repo_metadata":{"id":61627574,"uuid":"535759652","full_name":"coder/code-marketplace","owner":"coder","description":"Open source extension marketplace for VS 
Code.","archived":false,"fork":false,"pushed_at":"2025-09-10T19:44:20.000Z","size":8040,"stargazers_count":303,"open_issues_count":14,"forks_count":35,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-09-16T12:51:16.628Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/coder.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-09-12T16:40:20.000Z","updated_at":"2025-09-16T07:56:46.000Z","dependencies_parsed_at":"2024-11-07T00:08:22.110Z","dependency_job_id":"1f700a70-50f7-4d23-8dc5-cd7a823485ef","html_url":"https://github.com/coder/code-marketplace","commit_stats":{"total_commits":116,"total_committers":9,"mean_commits":12.88888888888889,"dds":"0.22413793103448276","last_synced_commit":"3e808a63c6894102d1c6d879e54344225aa96efe"},"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/coder/code-marketplace","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/manifests","owner_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/owners/coder","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275828265,"owners_count":25536080,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-18T02:00:09.552Z","response_time":77,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"coder","name":"Coder","uuid":"95932066","kind":"organization","description":"Coder provisions cloud development environments via Terraform, supporting Linux, macOS, Windows, X86, ARM, Kubernetes and 
more.","email":"contact@coder.com","website":"https://coder.com","location":null,"twitter":"coderhq","company":null,"icon_url":"https://avatars.githubusercontent.com/u/95932066?v=4","repositories_count":174,"last_synced_at":"2025-09-16T12:25:22.078Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/coder","funding_links":[],"total_stars":104016,"followers":1863,"following":0,"created_at":"2022-11-14T06:34:20.539Z","updated_at":"2025-09-16T12:25:22.078Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/coder","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/coder/repositories"},"tags":[{"name":"v2.4.0","sha":"43294f96a285a077228d04a40464535f8cf1c83a","kind":"tag","published_at":"2025-09-04T20:36:54.000Z","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/v2.4.0","html_url":"https://github.com/coder/code-marketplace/releases/tag/v2.4.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/coder/code-marketplace@v2.4.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.4.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.4.0/manifests"},{"name":"v2.3.1","sha":"ce3a083bb9f080884d2182dd53711f94d32990da","kind":"tag","published_at":"2025-03-07T00:24:18.000Z","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/v2.3.1","html_url":"https://github.com/coder/code-marketplace/releases/tag/v2.3.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/coder/code-marketplace@v2.3.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.3.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.3.1/manifests"},{"name":"v2.3.0","sha":"f8791bb4aba9bf1fe2a16454a6437859ae0a32e0","kind":"tag","published_at":"2024-12-20T21:19
:31.000Z","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/v2.3.0","html_url":"https://github.com/coder/code-marketplace/releases/tag/v2.3.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/coder/code-marketplace@v2.3.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.3.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.3.0/manifests"},{"name":"v2.2.1","sha":"5da059cb11d5501a8e06f3821a5a062e88569d90","kind":"tag","published_at":"2024-08-14T20:04:04.000Z","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/v2.2.1","html_url":"https://github.com/coder/code-marketplace/releases/tag/v2.2.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/coder/code-marketplace@v2.2.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.2.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.2.1/manifests"},{"name":"v2.2.0","sha":"c5afa311bdae287f6da7c1e2817cbee5616dc587","kind":"tag","published_at":"2024-07-17T20:27:04.000Z","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/v2.2.0","html_url":"https://github.com/coder/code-marketplace/releases/tag/v2.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/coder/code-marketplace@v2.2.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.2.0/manifests"},{"name":"v2.1.0","sha":"6fb4e72e7578916e279835f94214182dcaf11d77","kind":"tag","published_at":"2023-12-21T22:00:59.000Z","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/v2.1.0","html_url":"https://github.com/coder/code-marketplace/releas
es/tag/v2.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/coder/code-marketplace@v2.1.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.1.0/manifests"},{"name":"v2.0.1","sha":"4bef2c57cf68db5b5b30e0cde014d962996b203b","kind":"tag","published_at":"2023-12-08T17:29:36.000Z","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/v2.0.1","html_url":"https://github.com/coder/code-marketplace/releases/tag/v2.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/coder/code-marketplace@v2.0.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.0.1/manifests"},{"name":"v2.0.0","sha":"1008fa2796fe32b5496f949d8436e0c00e0ebaff","kind":"tag","published_at":"2023-10-11T22:08:09.000Z","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/v2.0.0","html_url":"https://github.com/coder/code-marketplace/releases/tag/v2.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/coder/code-marketplace@v2.0.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v2.0.0/manifests"},{"name":"v1.2.2","sha":"e1d0cdc980904c3b7c4d1dee950209883007e580","kind":"tag","published_at":"2023-05-30T17:13:08.000Z","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/v1.2.2","html_url":"https://github.com/coder/code-marketplace/releases/tag/v1.2.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/coder/code-marketplace@v1.2.2","tag_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v1.2.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v1.2.2/manifests"},{"name":"v1.2.1","sha":"ae3034c8792ea8adae585395d81f1173ff1cef2f","kind":"tag","published_at":"2022-10-31T15:44:02.000Z","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/v1.2.1","html_url":"https://github.com/coder/code-marketplace/releases/tag/v1.2.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/coder/code-marketplace@v1.2.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v1.2.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v1.2.1/manifests"},{"name":"v1.2.0","sha":"46f0cd743e6a588017564c279a02b1e9d4325686","kind":"tag","published_at":"2022-10-14T19:38:04.000Z","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/v1.2.0","html_url":"https://github.com/coder/code-marketplace/releases/tag/v1.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/coder/code-marketplace@v1.2.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v1.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v1.2.0/manifests"},{"name":"v1.1.0","sha":"49e78bb4ffb7fa23dc696de556109d0c7fb44641","kind":"tag","published_at":"2022-10-03T21:36:32.000Z","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/v1.1.0","html_url":"https://github.com/coder/code-marketplace/releases/tag/v1.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/coder/code-marketplace@v1.1.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v1.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/
coder%2Fcode-marketplace/tags/v1.1.0/manifests"},{"name":"test","sha":"7fd715e008bc52385595c095e5ee52cb89043f32","kind":"tag","published_at":"2022-10-03T21:04:38.000Z","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/test","html_url":"https://github.com/coder/code-marketplace/releases/tag/test","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/coder/code-marketplace@test","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/test","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/test/manifests"},{"name":"v1.0.0","sha":"ebb8f38197d1d30396cf6cc2eadab3c68ce5f5bb","kind":"tag","published_at":"2022-09-12T20:36:03.000Z","download_url":"https://codeload.github.com/coder/code-marketplace/tar.gz/v1.0.0","html_url":"https://github.com/coder/code-marketplace/releases/tag/v1.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/coder/code-marketplace@v1.0.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v1.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/tags/v1.0.0/manifests"}]},"repo_metadata_updated_at":"2025-10-19T02:41:11.586Z","dependent_packages_count":0,"downloads":null,"downloads_period":null,"dependent_repos_count":0,"rankings":{"downloads":null,"dependent_repos_count":9.345852080216646,"dependent_packages_count":6.999148183520997,"stargazers_count":null,"forks_count":null,"average":8.172500131868823},"purl":"pkg:golang/github.com/coder/code-marketplace","advisories":[{"uuid":"GSA_kwCzR0hTQS04eDlyLWh2d2ctYzU1aM4ABUup","url":"https://github.com/advisories/GHSA-8x9r-hvwg-c55h","title":"Code Extension Marketplace: Zip Slip Path Traversal","description":"# Zip Slip Path Traversal in coder/code-marketplace\n\n## Summary\n\nA Zip Slip (CWE-22) vulnerability in `coder/code-marketplace` ≤ 
v2.4.1 allowed a malicious VSIX file to write arbitrary files outside the extension directory. `ExtractZip` passed raw zip entry names to a callback that wrote files via `filepath.Join` with no boundary check; `filepath.Join` resolved `..` components but did not prevent the result from escaping the base path.\n\n\n## Root Cause\n\n`ExtractZip` passed the raw, attacker-controlled `zf.Name` to a caller-supplied callback:\n\n```go\nreturn false, fn(zf.Name, zr)  // zf.Name not sanitized\n```\n\n`AddExtension` constructed the output path with `filepath.Join` and no boundary check:\n\n```go\npath := filepath.Join(dir, name)              // zip loop\npath := filepath.Join(dir, file.RelativePath) // extra files loop\n```\n\n`filepath.Join` applies `filepath.Clean` to its result, which resolved `..` lexically but did not confine the result to `dir`:\n\n```\nfilepath.Join(\"/srv/ext/pub/1.0\", \"../../../../etc/cron.d/evil\")\n  → \"/etc/cron.d/evil\"\n```\n\n## Attack Scenario\n\nAn authenticated user (any upload-capable role) would submit a VSIX containing path-traversal entries.\n\nOn extraction, files would land at attacker-chosen paths writable by the marketplace process, enabling persistence (cron/init injection), SSH key injection, `ld.so.preload` hijacking, or binary overwrite depending on process privileges.\n\n## Fix\n\nAddressed in https://github.com/coder/code-marketplace/releases/tag/v2.4.2\n\n## Recognition\nCoder would like to thank [Kandlaguduru Vamsi](https://www.linkedin.com/in/vamsi-k-5419632a9/) for responsibly disclosing this issue in accordance with 
https://coder.com/security/policy","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-04-04T06:26:02.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.7,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","references":["https://github.com/coder/code-marketplace/security/advisories/GHSA-8x9r-hvwg-c55h","https://github.com/coder/code-marketplace/commit/988440dee05fceef8400ed725badc604dbf90792","https://github.com/coder/code-marketplace/releases/tag/v2.4.2","https://nvd.nist.gov/vuln/detail/CVE-2026-35454","https://github.com/advisories/GHSA-8x9r-hvwg-c55h"],"source_kind":"github","identifiers":["GHSA-8x9r-hvwg-c55h","CVE-2026-35454"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-04-04T07:00:10.185Z","updated_at":"2026-04-08T11:00:13.122Z","epss_percentage":0.00063,"epss_percentile":0.19425,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04eDlyLWh2d2ctYzU1aM4ABUup","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS04eDlyLWh2d2ctYzU1aM4ABUup","packages":[{"ecosystem":"go","package_name":"github.com/coder/code-marketplace","versions":[{"first_patched_version":"1.2.3-0.20260402184705-988440dee05f","vulnerable_version_range":"\u003c 
1.2.3-0.20260402184705-988440dee05f"}],"purl":"pkg:go/github.com%2Fcoder%2Fcode-marketplace"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04eDlyLWh2d2ctYzU1aM4ABUup/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/go/github.com/coder/code-marketplace","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/go/github.com/coder/code-marketplace","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/go/github.com/coder/code-marketplace/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2025-09-12T08:33:39.099Z","issues_count":40,"pull_requests_count":107,"avg_time_to_close_issue":5047360.75,"avg_time_to_close_pull_request":2036810.4444444445,"issues_closed_count":20,"pull_requests_closed_count":90,"pull_request_authors_count":13,"issue_authors_count":28,"avg_comments_per_issue":1.15,"avg_comments_per_pull_request":0.6635514018691588,"merged_pull_requests_count":71,"bot_issues_count":2,"bot_pull_requests_count":72,"past_year_issues_count":16,"past_year_pull_requests_count":60,"past_year_avg_time_to_close_issue":141880.8,"past_year_avg_time_to_close_pull_request":2662076.2954545454,"past_year_issues_closed_count":5,"past_year_pull_requests_closed_count":44,"past_year_pull_request_authors_count":5,"past_year_issue_authors_count":13,"past_year_avg_comments_per_issue":0.375,"past_year_avg_comments_per_pull_request":0.6333333333333333,"past_year_bot_issues_count":1,"past_year_bot_pull_requests_count":38,"past_year_merged_pull_requests_count":38,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/coder%2Fcode-marketplace/issues","maintainers":[{"login":"Emyrk","count":13,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/Emyrk"},{"login":"code-asher","count":6,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/code-asher"},{"login"
:"bpmct","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/bpmct"}],"active_maintainers":[{"login":"Emyrk","count":13,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/Emyrk"},{"login":"code-asher","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/code-asher"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fcoder%2Fcode-marketplace/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fcoder%2Fcode-marketplace/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fcoder%2Fcode-marketplace/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fcoder%2Fcode-marketplace/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fcoder%2Fcode-marketplace/codemeta","maintainers":[]}