科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion.
Google Took Down My Chrome Extension for Using Lodash

286 points, by namukang, about 4 years ago

19 comments

gkoberger, about 4 years ago
(EDIT: The extension is back up!)

I used to work on Mozilla's Add-ons store, and god I hate the reviews. Mozilla used to do them manually. I WORKED there, and wasn't able to get unblocked (for an extension used by almost everyone at Mozilla) because I was using jQuery... which was started by a guy who ALSO worked at Mozilla. So I feel ya completely.

The only thing I'll say is... Extensions have a scary level of access (they're basically almost as easy to use as a website, but with unlimited powers such as recording every site you visit and stealing passwords), and the average user will never understand that. The source code is hidden and updates are pushed to users silently, so a compromised GitHub account could result in a huge hack of everyone's everything. They're far more dangerous than a malicious iPhone app in Apple's app store.

Luckily, this seems automated, and it seems like they'll fix it. Especially if it gets traction here.
jbackus, about 4 years ago
Having your business beholden to any app store is a bit scary, but Google's Chrome Web Store is probably the most precarious. As far as I can tell, almost every negative action taken against you is done in an automated fashion, with basically no human recourse beyond knowing someone on the inside or hoping for a negative PR cycle.

At least with the mobile app stores, a good review process with some human recourse is baked into the incentives of the platform, since lots of money is involved.

With the Chrome Web Store, you get the feeling it is just there because Google capitulated in the past, acknowledging that browser extensions are necessary to be a mainstream browser. Beyond that, it seems to be moderated with two goals: reduce overhead cost and mitigate any security threats.

The result is the complaints you hear from every extension developer:

* Google arbitrarily blocks a decent % of updates, because of automated flagging

* Google removes extensions with basically no recourse, often for unclear reasons

* Google itself (if I remember correctly) even recommends using a Google account separate from your personal/work email, since often these automated suspensions take down the account connected to it too

Don't get me wrong, browser extensions have a lot of power and that's often an issue (malware, browser history collection, phishing, etc). Still, building an extension for Chrome involves the constant reminder that you are under the thumb of a big monolithic organization that is indifferent to you.
yaseer, about 4 years ago
We have been in this position ourselves. I really do empathise and live with the same fear.

The removal process ought not to be automated, unless it's a serious violation that can be detected algorithmically with high confidence.

The algorithms detecting violations are clearly buggy as hell. Our takedown also made little sense, and we had to resort to support, which is itself a nightmare. There are numerous similar stories a Google search away.

Extensions are growing to be a fundamental part of the browsing experience. Google ought to invest more into improving the ecosystem.

Scaling the human review process should protect both users and developers.
koyote, about 4 years ago
These static analysis tools are just not good enough to rely on in a completely automated way, and I guess Google is just not willing to spend the money on having flagged apps go through a manual check before being removed.

We use one of those static analysis tools to find 'threats' as a sort of audit gatekeeper before release. Any issues found have to be addressed either by code changes or by comments. I'd estimate around 95% of the issues found are false positives.

Examples include flagging the 'Random' class (C#) for not being cryptographically secure. This is true of course, but that does not mean that there aren't a plethora of valid use cases for using such a class.

Then there's obviously all the cases where the tool is just not clever enough to follow the program flow.
sdfhbdf, about 4 years ago
It's an unfortunate accident, but I'll write down why I think it's good.

> having countless hours of work be obliterated by an automated system without manual review (presumably) is terrifying

The code in question was "obfuscated" to an automated system. Yeah, they're unicode escape strings for a utility library, but a lot of usages of binary/unicode escape strings in code are considered to be some malicious obfuscation.

What they did is smart. They have their analyzer set to fire on obfuscated code. They direct it to you. If you're a perpetrator you'll say oh noes they got me; if you're innocent, you'll request manual review, contact support or escalate in some other way, and they get their manual review from you actually.

I would guess that their false-positive rate for this static analysis has to be low. There aren't many legitimate use cases for these escape strings.

The solution they could consider is, after this alert is fired, to check whether the file in question matches a checksum of some recent lodash releases. But in the end "using lodash" is not an excuse; as a developer you're also responsible for the dependencies you bundle with your extension, so you should be mindful of what code, malicious or not, is in there.
michaelhoffman, about 4 years ago
Whatever this web site is doing to break the page down key is extremely annoying.
Klwohu, about 4 years ago
One thing people have to remember: you exist on Google's platform at their whim.
hughes, about 4 years ago
Does lodash support tree-shaking if you only import the utilities you require? Sounds like you probably don&#x27;t need the obscure math Unicode bits.
throwawaysea, about 4 years ago
We need alternatives to these arbitrarily managed stores and other walled gardens. This isn't the first time either Google or Mozilla took down extensions they disagree with:

https://reclaimthenet.org/firefox-rejects-free-speech-bans-free-speech-commenting-plugin-dissenter-from-its-extensions-gallery/

https://reclaimthenet.org/google-chrome-web-store-bans-dissenter-extension/
richardwhiuk, about 4 years ago
Minification is obfuscation. I'm not sure how this is controversial.
gnicholas, about 4 years ago
I’ve run a business with two Chrome extensions for nearly a decade. The review process has gotten increasingly bizarre lately, and very slow in the last month or so. I have a very minor update to an extension that we’ve been trying to release since last month. I’ve reached out to contacts at Google, and they’re trying to expedite, but I don’t know how anyone without an inside connection would get things done. AFAICT, there isn’t even a veneer of customer support for the devs who have built up this ecosystem.
dozzman, about 4 years ago
This was at near the top of the front page around half an hour ago and now it has disappeared... What happened? Is this being filtered for some reason?
skinkestek, about 4 years ago
More generally, I want more levels of access for apps and extensions.

In particular: why do we assume that all apps and extensions should have unrestricted access to the internet? Why is that not a privilege like "read and write contacts" in mobile apps or "read all tabs" in extensions?
StopHammoTime, about 4 years ago
I actually think the whole thing was totally reasonable, along with the few hours it took them to get back to you.

My only qualm would be that instead of removing your extension entirely, maybe it would be better to say "App is currently being reviewed and will be made available soon."
ddtaylor, about 4 years ago
Another HN story where the solution is to yell loudly into the virtual sky and hope that someone "important" enough escalates the problem through completely non-standard channels that "normal" people don't have access to.

It's getting old.

(To be clear, not hating on this guy, his extension, post, etc. Just the status quo of how these problems are "solved".)
dkthehuman, about 4 years ago
Author here. Thank you HN for helping me get my extension back up! <3

Wish it didn't require getting on the front page to find a timely resolution on these sorts of issues, but it's heartening to see that the community is so supportive whenever something like this pops up.
hit8run, about 4 years ago
You can say what you want but Apple has a point in heavily limiting extensions and forcing adblockers to use content block APIs they provide.
bellyfullofbac, about 4 years ago
Ironic that the company which makes the most used software on the entire planet (their search engine) can't read code and was spooked by some Unicode escape codes...
ehwhyreally, about 4 years ago
Or you could just use the lodash source and compile it using your own compiler, like rollup, and remove the uglification.

Or just not use lodash. Most of their helpers are easily done these days.