Leaked Tokens in VSCode Extensions

I think this just comes down the sloppy programming. As a software engineer you will always have the opportunity to do something stupid or insecure, unless we force all our tools to nanny us. Frankly I suspect such tools would cause more problems then they are worth. That said I wouldn't scoff at a solution that makes this less likely without getting in your way. I think the key a lot of the time is rather than blaming thr tool, we should make sure we understand how the tool works.

&gt; This command [`vsce package`] <i>includes all files in the current directory</i><p>Why does it do this? Is it trying to include code or some other assets?<p>Is this normal outside of C&#x2F;C++ (or similar) build systems? Tools like cmake, premake, scons, etc. tend to expect you to tell the tool what to do. e.g. which files you want to compile.

Interesting. I think this is only a problem because npm made the &quot;files&quot; attribute optional.<p>To be honest, I can&#x27;t see why you would ever want an include by default approach to package building not explicit inclusion.

Yikes.