[codex] Resolve VS Code extension entrypoints #57
LGTM — straightforward Node-style entrypoint fallback for manifest main/browser, with good test coverage.
Extended reasoning...
Overview
This PR adds Node.js-style entrypoint resolution to findManifestReferenceWarnings in src/scanner/vsix.ts. When the manifest main or browser reference doesn't exactly match an archive file, it now tries appending .js/.json/.node and /index.{js,json,node} — matching what VS Code itself does via Node's require. Three new test cases cover extensionless, directory-index, and the skipped-exact-preserves-warning corner case.
Security risks
None. manifestReferenceCandidates builds candidate strings from ref.path, which has already been validated by normalizeManifestReference → normalizeZipEntryPath (rejects traversal, absolute paths, backslashes, drive letters, NUL). Resolution does only in-memory files.has(candidate) lookups against the already-extracted map — no filesystem access, no shelling out, no archive re-read. The new code only affects whether warnings are emitted; it does not change what gets extracted.
Level of scrutiny
Low. This is a warning-accuracy fix in scanner code, not a security boundary. The previous behavior emitted false-positive ARCHIVE_REFERENCED_FILE_MISSING warnings for legitimate extensions that omit the .js suffix in their manifest main (real ESLint sample cited in the PR description). The PR even preserves the stricter behavior — ARCHIVE_REFERENCED_FILE_SKIPPED for the exact path still wins over fallback resolution, as exercised by the third new test.
Other factors
The bug-hunting system found no issues, the diff is mechanical, and validation steps (format, vitest, typecheck, build, real-world sample) are all documented in the description.
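The resolution order and the skipped-path precedence described in the review above, as an added TypeScript example (not the PR's code). The function names, the `UNSAFE_REFERENCE` code, the sample file list and the handling of a leading `./` are assumptions made for illustration.

```typescript
// Added example: names and the UNSAFE_REFERENCE code are hypothetical.
type Verdict =
  | { status: "resolved"; path: string }
  | { status: "warning"; code: string };

const SUFFIXES = [".js", ".json", ".node"];

// Constructed sample: entry names of an already-extracted archive.
const SAMPLE_FILES = ["package.json", "dist/extension.js", "lib/index.js"];

// Reject references that could point outside the archive root.
function isSafeRelativePath(ref: string): boolean {
  if (ref.length === 0 || ref.indexOf("\0") !== -1) return false;
  if (ref.indexOf("\\") !== -1 || ref.charAt(0) === "/") return false;
  if (/^[A-Za-z]:/.test(ref)) return false;
  return ref.split("/").indexOf("..") === -1;
}

// Fallbacks tried after the exact path: file suffixes, then index files.
function entrypointCandidates(exact: string): string[] {
  const out: string[] = [];
  for (const s of SUFFIXES) out.push(exact + s);
  for (const s of SUFFIXES) out.push(exact + "/index" + s);
  return out;
}

function checkEntrypoint(ref: string, extracted: string[], skipped: string[]): Verdict {
  if (!isSafeRelativePath(ref)) return { status: "warning", code: "UNSAFE_REFERENCE" };
  const exact = ref.replace(/^\.\//, ""); // assumption: a leading "./" is dropped
  // A skipped exact path keeps its warning; fallbacks must not mask it.
  if (skipped.indexOf(exact) !== -1) {
    return { status: "warning", code: "ARCHIVE_REFERENCED_FILE_SKIPPED" };
  }
  if (extracted.indexOf(exact) !== -1) return { status: "resolved", path: exact };
  for (const candidate of entrypointCandidates(exact)) {
    // Pure in-memory membership test; nothing touches the filesystem.
    if (extracted.indexOf(candidate) !== -1) return { status: "resolved", path: candidate };
  }
  return { status: "warning", code: "ARCHIVE_REFERENCED_FILE_MISSING" };
}
```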
Summary:
Validation: