[{"data":1,"prerenderedAt":297},["ShallowReactive",2],{"blog-post-blog_en-open-vsx-registry-300-million-downloads-supply-chain-sicherheit":3},{"id":4,"title":5,"body":6,"cover":281,"date":282,"description":283,"draft":284,"extension":285,"meta":286,"navigation":287,"path":288,"seo":289,"stem":290,"tags":291,"__hash__":296},"blog_en\u002Fen\u002Fblog\u002Fopen-vsx-registry-300-million-downloads-supply-chain-sicherheit.md","Open VSX: 300 Million Downloads and New Supply-Chain Protections",{"type":7,"value":8,"toc":276},"minimark",[9,30,35,38,85,92,96,99,125,133,254,258,272],[10,11,12,13,17,18,21,22,25,26,29],"p",{},"Extension registries have shifted from background services to critical infrastructure. In early March 2026, the Open VSX Registry reported more than ",[14,15,16],"strong",{},"300 million downloads per month",", peak traffic above ",[14,19,20],{},"50 million requests per day",", and an ecosystem with ",[14,23,24],{},"thousands of publishers"," and ",[14,27,28],{},"tens of thousands of extensions",".",[31,32,34],"h2",{"id":33},"what-changes-in-registry-operations","What Changes in Registry Operations",[10,36,37],{},"At this scale, registry capabilities resemble practices from mature package ecosystems:",[39,40,41,56,66,72,78],"ul",{},[42,43,44,47,48,51,52,55],"li",{},[14,45,46],{},"Pre-publication verification"," to detect ",[14,49,50],{},"namespace impersonation",", ",[14,53,54],{},"spoofing",", and suspicious uploads",[42,57,58,59,62,63],{},"Checks for ",[14,60,61],{},"exposed credentials"," and recurring ",[14,64,65],{},"malicious patterns",[42,67,68,71],{},[14,69,70],{},"Quarantine & review"," for flagged packages before publication",[42,73,74,77],{},[14,75,76],{},"Responsible rate limiting"," and traffic management for automated spikes",[42,79,80,81,84],{},"A move toward ",[14,82,83],{},"hybrid multi-region architecture"," with encrypted data and backups",[10,86,87],{},[88,89],"img",{"alt":90,"src":91},"Diagram: Publish → Verify → Distribute","\u002Fimg\u002Fblog\u002Fopen-vsx-registry-300-million-downloads-supply-chain-sicherheit-diagram.svg",[31,93,95],{"id":94},"implications-for-cicd-and-enterprise-governance","Implications for CI\u002FCD and Enterprise Governance",[10,97,98],{},"When IDE extensions become part of production development workflows, standard supply-chain controls apply:",[39,100,101,107,113,119],{},[42,102,103,106],{},[14,104,105],{},"Allowlists"," for publishers and extension IDs",[42,108,109,112],{},[14,110,111],{},"Mirroring"," into internal registries for reproducible builds",[42,114,115,118],{},[14,116,117],{},"Signatures, SBOMs, and malware scanning"," as gates before rollout",[42,120,121,124],{},[14,122,123],{},"Audit logs"," for installs and automated updates",[10,126,127,128,132],{},"A common pattern is a CI stage that validates a ",[129,130,131],"code",{},".vsix"," artifact before it is promoted:",[134,135,140],"pre",{"className":136,"code":137,"language":138,"meta":139,"style":139},"language-yaml shiki shiki-themes github-light github-dark","name: extension-verify\non: [workflow_dispatch]\njobs:\n  verify:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Scan VSIX archive\n        run: |\n          unzip -l extension.vsix | head -n 50\n          gitleaks detect --no-git --source .\n          trivy fs --severity HIGH,CRITICAL .\n","yaml","",[129,141,142,159,175,184,192,203,211,224,236,242,248],{"__ignoreMap":139},[143,144,147,151,155],"span",{"class":145,"line":146},"line",1,[143,148,150],{"class":149},"s9eBZ","name",[143,152,154],{"class":153},"sVt8B",": ",[143,156,158],{"class":157},"sZZnC","extension-verify\n",[143,160,162,166,169,172],{"class":145,"line":161},2,[143,163,165],{"class":164},"sj4cs","on",[143,167,168],{"class":153},": [",[143,170,171],{"class":157},"workflow_dispatch",[143,173,174],{"class":153},"]\n",[143,176,178,181],{"class":145,"line":177},3,[143,179,180],{"class":149},"jobs",[143,182,183],{"class":153},":\n",[143,185,187,190],{"class":145,"line":186},4,[143,188,189],{"class":149},"  verify",[143,191,183],{"class":153},[143,193,195,198,200],{"class":145,"line":194},5,[143,196,197],{"class":149},"    runs-on",[143,199,154],{"class":153},[143,201,202],{"class":157},"ubuntu-latest\n",[143,204,206,209],{"class":145,"line":205},6,[143,207,208],{"class":149},"    steps",[143,210,183],{"class":153},[143,212,214,217,219,221],{"class":145,"line":213},7,[143,215,216],{"class":153},"      - ",[143,218,150],{"class":149},[143,220,154],{"class":153},[143,222,223],{"class":157},"Scan VSIX archive\n",[143,225,227,230,232],{"class":145,"line":226},8,[143,228,229],{"class":149},"        run",[143,231,154],{"class":153},[143,233,235],{"class":234},"szBVR","|\n",[143,237,239],{"class":145,"line":238},9,[143,240,241],{"class":157},"          unzip -l extension.vsix | head -n 50\n",[143,243,245],{"class":145,"line":244},10,[143,246,247],{"class":157},"          gitleaks detect --no-git --source .\n",[143,249,251],{"class":145,"line":250},11,[143,252,253],{"class":157},"          trivy fs --severity HIGH,CRITICAL .\n",[31,255,257],{"id":256},"why-this-matters","Why This Matters",[10,259,260,261,51,264,267,268,271],{},"With the rise of cloud IDEs and agentic development workflows, extension distribution becomes a central attack and failure domain. Combining ",[14,262,263],{},"publication-time checks",[14,265,266],{},"scalable infrastructure",", and ",[14,269,270],{},"operational security processes"," reduces risk while keeping the ecosystem vendor-neutral and open.",[273,274,275],"style",{},"html pre.shiki code .s9eBZ, html code.shiki .s9eBZ{--shiki-default:#22863A;--shiki-dark:#85E89D}html pre.shiki code .sVt8B, html code.shiki .sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .szBVR, html code.shiki .szBVR{--shiki-default:#D73A49;--shiki-dark:#F97583}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":139,"searchDepth":161,"depth":161,"links":277},[278,279,280],{"id":33,"depth":161,"text":34},{"id":94,"depth":161,"text":95},{"id":256,"depth":161,"text":257},"\u002Fimg\u002Fblog\u002Fopen-vsx-registry-300-million-downloads-supply-chain-sicherheit-cover.jpg","2026-04-08","Open VSX scales to hundreds of millions of monthly downloads and introduces pre-publication verification and multi-region operations.",false,"md",{},true,"\u002Fen\u002Fblog\u002Fopen-vsx-registry-300-million-downloads-supply-chain-sicherheit",{"title":5,"description":283},"en\u002Fblog\u002Fopen-vsx-registry-300-million-downloads-supply-chain-sicherheit",[292,293,294,295],"Developer Tools","Supply Chain Security","Open Source","Ecosystem","6I3_GD4bvBpyw2ePjtCb_ng-GzTuxnQW2qInKGr5DAk",1775680578305]