VDB for VS Code
Flags slopsquatting, known CVEs, and registry risk in your dependency files
as you edit them — a thin client over the VDB API.
When you open or save a supported dependency file, the extension extracts every
dependency, asks POST /v1/ai/check-packages to score them, and draws the
verdict inline.
What it catches
- 🧠 Slopsquatting / hallucinated packages — names an LLM invented that don't
exist on any registry. Attackers routinely squat these, so an AI-suggested
import can pull in malware. VDB flags them as errors and helps you find the
real name.
- 🛡️ Known CVEs & CISA KEV — version-specific advisories, with the highest
known-safe version offered as a one-click upgrade.
- 🆕 Freshly-registered typosquats — an optional live npm / PyPI / crates /
Go registry probe catches malicious packages published too recently to be in
any CVE feed.
- 📌 Unpinned dependencies — flags deps with no concrete version, where only
the name (not version-specific CVEs) can be checked.
Everything runs inline as you type. Only package names and versions are sent
to VDB — never your source code. Works with no account (50 free checks per
IP); add a key for unmetered use.
Supported files
- npm — package.json, package-lock.json, npm-shrinkwrap.json, yarn.lock, pnpm-lock.yaml
- PyPI — requirements*.txt
- Cargo — Cargo.toml, Cargo.lock
- Go — go.mod
- SBOM — CycloneDX / SPDX (*.cdx.json, *.spdx.json, bom.json, sbom.json)
Lockfiles and SBOMs are read-only: findings are shown but no hand-edit quick
fixes are offered (you regenerate them, you don't patch them by hand). Run
VDB: Scan all dependency files in workspace for a project-wide sweep.
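As an added illustration (not the extension's own parser), the following extracts the name/version pairs a scan would send from two constructed sample manifests and marks the entries that have no concrete version, which is the "unpinned" case described above:

```typescript
// Added illustration, not the extension's own parser: pulls the name/version
// pairs a scan would send to VDB out of two constructed sample manifests and
// marks entries with no concrete version (the "unpinned" case above).
export interface Dep { ecosystem: "npm" | "pypi"; name: string; version: string | null; }

// Only an exact x.y.z (optional pre-release/build suffix) counts as concrete;
// ranges such as ^4.18.2, >=2.0 or * cannot be checked for version-specific CVEs.
const EXACT = /^v?\d+(\.\d+){0,2}([-+][0-9A-Za-z.]+)?$/;

export function isPinned(version: string | null): boolean {
  return version !== null && EXACT.test(version.trim());
}

// requirements.txt: one requirement per line; only "==" gives a concrete version.
export function parseRequirements(text: string): Dep[] {
  const deps: Dep[] = [];
  for (const raw of text.split("\n")) {
    const line = (raw.split("#")[0] ?? "").trim();      // strip comments
    if (!line || line.startsWith("-")) continue;         // skip blanks and -r/-e options
    const m = /^([A-Za-z0-9_.\-]+)(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;,]*)/.exec(line);
    if (!m) continue;
    const ver = m[4];
    deps.push({ ecosystem: "pypi", name: (m[1] ?? "").toLowerCase(),
                version: m[3] === "==" && ver ? ver : null });
  }
  return deps;
}

// package.json: dependencies + devDependencies; caret/tilde/range specs are not concrete.
export function parsePackageJson(text: string): Dep[] {
  const pkg = JSON.parse(text) as Record<string, Record<string, string> | undefined>;
  const deps: Dep[] = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] ?? {})) {
      deps.push({ ecosystem: "npm", name, version: isPinned(spec) ? spec : null });
    }
  }
  return deps;
}

// Names with no concrete version: only existence/reputation can be checked, not CVEs.
export function unpinnedNames(deps: Dep[]): string[] {
  return deps.filter(d => !isPinned(d.version)).map(d => d.name);
}

// Constructed sample files (not from any real project).
export const SAMPLE_REQUIREMENTS = "requests==2.31.0\nflask>=2.0  # range, not a pin\nnumpy\n-r base.txt\n";
export const SAMPLE_PACKAGE_JSON =
  '{"dependencies":{"lodash":"4.17.20","express":"^4.18.2"},"devDependencies":{"typescript":"*"}}';
```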
| VDB risk | Editor surface | Meaning |
|---|---|---|
| not_found | Error (red) | Name doesn't exist on the registry — likely hallucinated |
| high | Error (red) | KEV / high-severity CVE, or strong supply-chain signal |
| medium | Warning (yellow) | Known vulnerability worth reviewing |
| unknown | Info (blue) | VDB couldn't verify — proceed with caution |
| unpinned | Info (blue) | No concrete version sent — only the name was checked, not CVEs |
| low / none | — (no marker) | Looks fine |
The status bar summarises the file (VDB ⛔ 2 ⚠ 1) and clicking it opens the
Problems panel.
Quick fixes (💡) follow VDB's decision policy and edit the manifest for you:
- high / medium with a known fix → Update name to safe version (bumps the
version in place, pulling the highest fixed_in from the advisories)
- high / medium with no patch → no code edit. VDB flags the risk but can't
pick a replacement package for you — that's a human decision — so it only
offers Search ecosystem for alternatives (a registry search, not a VDB
recommendation) plus the advisory.
- not_found (hallucinated / slopsquatted name) → Find the correct name for
'name' (searches the registry and replaces it with the one you pick) and
Remove 'name' (deletes the line; fixes the dangling JSON comma when it
was the last entry)
- unpinned (no concrete version) → Pin name to latest version (resolves
the latest release from the registry on click and writes it in, so the next
scan can actually check that version for CVEs)
- Open advisory as a secondary action
The boundary is deliberate: a deterministic fix (bump to a published safe
version, delete a non-existent package) is auto-applied; a judgement call
(which alternative library to adopt) is left to you.
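The decision policy above, written out as an added example that is not the extension's own code; the verdict shape (risk plus a fixed_in list and optional advisory URL) is assumed here:

```typescript
// Added illustration of the quick-fix policy above, not the extension's own code: maps a
// VDB verdict (risk + fixed_in list; shapes assumed here) to a marker and quick-fix labels.
export type Risk = "not_found" | "high" | "medium" | "unknown" | "unpinned" | "low" | "none";
export type Marker = "error" | "warning" | "info" | "none";
export interface Verdict { name: string; risk: Risk; fixedIn?: string[]; advisoryUrl?: string; }
export interface Decision { marker: Marker; fixes: string[]; }

// Dotted-version comparison (x.y.z); a plain release sorts above any pre-release of it.
export function compareVersions(a: string, b: string): number {
  const parse = (v: string) => {
    const parts = v.replace(/^v/, "").split("-");
    return { nums: (parts[0] ?? "").split(".").map(n => parseInt(n, 10) || 0), pre: parts[1] ?? "" };
  };
  const x = parse(a), y = parse(b);
  for (let i = 0; i < Math.max(x.nums.length, y.nums.length); i++) {
    const d = (x.nums[i] ?? 0) - (y.nums[i] ?? 0);
    if (d !== 0) return d;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === "") return 1;
  if (y.pre === "") return -1;
  return x.pre < y.pre ? -1 : 1;
}
// Highest fixed_in across all advisories, or null when none of them carries a patch.
export function highestFixedIn(fixedIn: string[] = []): string | null {
  return fixedIn.length ? fixedIn.reduce((best, v) => (compareVersions(v, best) > 0 ? v : best)) : null;
}

export function decide(v: Verdict): Decision {
  const advisory = v.advisoryUrl ? ["Open advisory"] : [];
  switch (v.risk) {
    case "not_found":   // hallucinated / slopsquatted name: no version to bump
      return { marker: "error", fixes: [`Find the correct name for '${v.name}'`, `Remove '${v.name}'`] };
    case "high":
    case "medium": {
      const safe = highestFixedIn(v.fixedIn);
      // Deterministic bump only when a published safe version exists; otherwise just a
      // registry search, because choosing a replacement library is left to the user.
      const fixes = safe ? [`Update ${v.name} to ${safe}`] : ["Search ecosystem for alternatives"];
      return { marker: v.risk === "high" ? "error" : "warning", fixes: [...fixes, ...advisory] };
    }
    case "unpinned":    // pin first so the next scan can check that version for CVEs
      return { marker: "info", fixes: [`Pin ${v.name} to latest version`] };
    case "unknown":
      return { marker: "info", fixes: advisory };
    default:
      return { marker: "none", fixes: [] };
  }
}
```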
Auth
The extension works with no key — VDB allows 50 free check-packages calls
per IP. When the trial runs out you're prompted to add a key via
VDB: Set API key (stored in VS Code SecretStorage, never in settings).
The extension sends only dependency names and versions — never your source.
Settings
| Setting | Default | Description |
|---|---|---|
| vdb.apiUrl | https://vdb.ai.kr | API origin. Use http://localhost:8080 for local development. |
| vdb.scanOnSave | true | Re-scan on save. |
| vdb.scanOnOpen | true | Scan on open. |
| vdb.probeRegistry | true | Real-time registry probe (catches fresh squats). |
| vdb.flagUnpinned | true | Info marker on deps with no concrete version. |
Commands
- VDB: Scan current dependency file
- VDB: Scan all dependency files in workspace
- VDB: Check a single package (pkg:npm/lodash@4.17.20)
- VDB: Set API key / VDB: Clear stored API key
Develop
```sh
cd vscode-extension
npm install
npm run compile # or: npm run watch
# press F5 in VS Code to launch an Extension Development Host
```
Publish
```sh
npm run package # builds vdb-vscode-<version>.vsix
npm run publish:vsce # VS Code Marketplace (needs VSCE_PAT)
npm run publish:ovsx # Open VSX (needs OVSX_PAT, covers Cursor/VSCodium)
```
release.yml.example is a ready-to-use GitHub Actions workflow — move it to
.github/workflows/ and add VSCE_PAT / OVSX_PAT secrets to publish on a
vscode-v* tag. Set a real publisher in package.json before the first
publish.
License
The extension is licensed under Apache-2.0 (see LICENSE / NOTICE) — the
code is open so you can verify it only sends package names and versions. The VDB
service, API, and the "VDB" name/logos remain proprietary; the license covers
this client code only.
Roadmap
Covers npm, PyPI, Cargo, Go across manifests, lockfiles, and SBOMs, with a
workspace-wide scan. Next: SBOM XML/tag-value, more ecosystems (Maven, NuGet,
RubyGems), and inline annotations for transitive-only advisories.