---
title: "Open VSX: 300 Million Downloads and New Supply-Chain Protections"
date: 2026-04-08
description: "Open VSX scales to hundreds of millions of downloads per month and introduces pre-publication verification and multi-region operation."
tags: [Developer Tools, Supply Chain Security, Open Source, Ecosystem]
cover: /img/blog/open-vsx-registry-300-million-downloads-supply-chain-sicherheit-cover.jpg
---

Extension registries have gone from peripheral components to critical infrastructure. In early March 2026 the Open VSX registry reported more than **300 million downloads per month**, peak loads of over **50 million requests per day**, and an ecosystem with **thousands of publishers** and **tens of thousands of extensions**.

## What changes in registry operations

With this growth, registry mechanisms that were previously known mostly from package managers are being operationalized:

- **Pre-publication verification** to detect **namespace impersonation**, **spoofing**, and suspicious uploads
- Checks for **exposed credentials** and recurring **malicious patterns**
- **Quarantine & review** for flagged packages before publication
- **Responsible rate limiting** and traffic management for automated load spikes
- Build-out of a **hybrid multi-region architecture** with encrypted data and backups

![Diagram: Publish → Verify → Distribute](/img/blog/open-vsx-registry-300-million-downloads-supply-chain-sicherheit-diagram.svg)

## Implications for CI/CD and enterprise governance

Once IDE extensions are part of production development processes, classic supply-chain controls become relevant:

- **Allowlists** for publishers and extension IDs
- **Mirroring** into internal registries for reproducible builds
- **Signatures, SBOMs, and malware scanning** as a gate before rollout
- **Audit logs** for installations and automatic updates

A typical pattern is a CI stage that inspects a `.vsix` artifact before the release process:

```yaml
name: extension-verify
on: [workflow_dispatch]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # the .vsix is expected in the repository workspace
      - name: Unpack VSIX archive
        # a .vsix is a ZIP archive; scan its contents rather than the surrounding workspace
        run: |
          unzip -l extension.vsix | head -n 50
          unzip -q extension.vsix -d vsix-contents
      - name: Scan unpacked extension
        # gitleaks and trivy are assumed to be available on the runner (e.g. installed in a prior step)
        run: |
          gitleaks detect --no-git --source vsix-contents
          trivy fs --exit-code 1 --severity HIGH,CRITICAL vsix-contents
```

## Why this matters

With the rise of cloud-based IDEs and agentic developer workflows, extension distribution becomes a central point of attack and failure. The combination of **publication checks**, **scalable infrastructure**, and **operationalized security processes** reduces risk without giving up the open character of the ecosystem.