Summary
A bundle of small packaging / manifest / data-hygiene findings noticed while reviewing the source. None are blockers, but cleaning them up should reduce the published .vsix size by ~50% and tighten the manifest.
1. vitest is in runtime dependencies (should be devDependencies)
packages/vscode-extension/package.json:
  "dependencies": {
    "vitest": "^4.0.4"
  }
vitest is a test runner — it doesn't belong in runtime deps. Although vsce package --no-dependencies keeps the node_modules out of the VSIX, the declared dependency is still misleading.
2. Test code shipped in the published VSIX
The .vsix for 0.6.2 contains two large test files that are never used at runtime:
extension/out/extension.cjs 415 512 bytes
extension/out/test/scopes.test.cjs 410 928 bytes ← test code
extension/out/test/completion.test.cjs 410 002 bytes ← test code
i.e. ~820 KB of dead bytes shipped to every user. Suggested fixes (either is enough):
- Restrict tsup entry points in tsup.config.mjs to src/extension.ts only.
- Add a .vscodeignore (currently missing) with at minimum out/test/**.
3. Stray console.log in production
packages/vscode-extension/src/extension.ts:117:
  provideCompletionItems(document, position) {
    console.log(position); // ← debug log
    return scopeCompletion(document, position);
  },
Fires on every completion trigger (typing / or .). Should be removed.
4. Missing capabilities.untrustedWorkspaces declaration
packages/vscode-extension/package.json has no capabilities.untrustedWorkspaces block. For modern VS Code (>= 1.57) it's good practice to declare it explicitly. The extension is safe to run in untrusted workspaces (it only reads editor text and registers a remote MCP server), so:
  "capabilities": {
    "untrustedWorkspaces": {
      "supported": true,
      "description": "Reads editor text for OAuth scope linting and registers a remote MCP server. No workspace content is executed."
    }
  }
5. http:// (non-HTTPS) documentation links in the bundled API data
Eight entries in the generated src/apis.ts use plain HTTP. They render as clickable markdown links in the hover tooltip:
http://code.google.com/apis/analytics/docs/mgmt/home.html (x3)
http://code.google.com/apis/calendar/v3/
http://developers.google.com/chrome/policy
http://cloud.google.com/developer-connect/docs/overview
http://cloud.google.com/iam/docs/workload-identity-federation (x2)
These come from Google's Discovery service responses verbatim. HSTS preload (for *.google.com) means modern browsers auto-upgrade them in practice, but the data is cleaner if scripts/fetch-apis.ts normalises http:// → https:// before serializing.
  function normalizeDocLink(url?: string): string | undefined {
    return url?.replace(/^http:\/\//, "https://");
  }
Happy to split these into separate PRs (or one combined PR) if any of the above are accepted.
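
A stricter take on the normalisation proposed in item 5, as an added example that is not part of the original issue or the project's code: it upgrades only hosts on an allowlist, matches the scheme case-insensitively, and reports any plain-HTTP link it leaves alone so the generator can warn or fail. The `Json` shape, the `documentationLink` key, the allowlist and the sample data are assumptions made for illustration.

```typescript
// Added example. Json shape, SAMPLE data and the "documentationLink" key are assumptions.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
interface Report { upgraded: number; leftAsHttp: string[] }

// Assumption: hosts under these suffixes are known to serve HTTPS.
const HTTPS_SUFFIXES = [".google.com"];

// Returns the https:// form of a plain-HTTP link, or null when the input is
// not http:// or is not safe to rewrite (userinfo, odd port, unknown host).
function upgradeDocLink(url: string): string | null {
  const m = /^http:\/\/([^\/?#]*)(.*)$/i.exec(url.trim());
  if (!m) return null;
  const authority = (m[1] || "").toLowerCase();
  if (authority.indexOf("@") !== -1) return null;
  const parts = authority.split(":");
  const host = parts[0] || "";
  if (parts.length > 2 || (parts.length === 2 && parts[1] !== "80")) return null;
  const known = HTTPS_SUFFIXES.some((s) => host === s.slice(1) || host.slice(-s.length) === s);
  return known ? "https://" + host + (m[2] || "") : null;
}

// Rewrites every plain-HTTP string in a JSON-like tree and records the ones
// left alone, so the generator can warn or fail instead of shipping them.
function normalizeLinks(value: Json, report: Report): Json {
  if (typeof value === "string") {
    if (!/^http:\/\//i.test(value.trim())) return value;
    const fixed = upgradeDocLink(value);
    if (fixed === null) { report.leftAsHttp.push(value); return value; }
    report.upgraded += 1;
    return fixed;
  }
  if (Array.isArray(value)) return value.map((v) => normalizeLinks(v, report));
  if (value !== null && typeof value === "object") {
    const out: { [key: string]: Json } = {};
    for (const k of Object.keys(value)) out[k] = normalizeLinks(value[k] as Json, report);
    return out;
  }
  return value;
}

// Constructed sample input; the first URL is one of those listed in the issue.
const SAMPLE: Json = [
  { name: "calendar", documentationLink: "http://code.google.com/apis/calendar/v3/" },
  { name: "internal", documentationLink: "http://docs.example.test:8080/api" },
  { name: "drive", documentationLink: "https://developers.google.com/drive/" },
];
const sampleReport: Report = { upgraded: 0, leftAsHttp: [] };
console.log(JSON.stringify(normalizeLinks(SAMPLE, sampleReport)), sampleReport);
```

Suffix matching on the parsed host, rather than a substring test on the whole URL, is what keeps a lookalike such as `google.com.evil.test` from being treated as a Google host.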