Possible supply chain issue new published version

[danieldspx]

Description

A new version of GitLens was published on the VS Code Marketplace, but it does not appear in the GitHub releases.

At the same time, GitLens was indirectly pulling in @ctrl/tinycolor, which recently had issues. This suggests the publisher may have been affected when updating/using the extension(?).

Can you confirm if the Marketplace release is legitimate and why it’s missing from GitHub?

More info:
https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
https://krebsonsecurity.com/2025/09/self-replicating-worm-hits-180-software-packages/
https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised

GitLens Version

17.4.1

VS Code Version

No response

Git Version

No response

Logs, Screenshots, Screen Captures, etc

No response

[danieldspx]

I will close this as it can be a false alarm. Sorry about the noise just wanted to ensure.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.