Unpublish a specific version
shinnn opened this issue Β· 67 comments
It would be useful if extension authors can unpublish only a single version from Marketplace.
Use case: an author noticed the latest version of their extension includes a serious bug, but cannot find its cause soon. Currently, end users download the broken version until the author fix the bug and publish a new version. If the feature described above is implemented, the author can unpublish the latest one soon and set about bug fix without hurrying.
cc @modigrv
The real solution is is to revert the code changes that caused the issue and release a new bugfix version with those bits.
The rule is always move forward.
I think a problem here is accidentally publishing a newer version (e.g. publishing a preview release to a stable extension channel).
If that happens, the versioning scheme is now irreversibly broken and there's nothing extension maintainers can do. Even if we republish the older version afterward, it's not the "latest" version of the package published.
At that point we're forced to break our versioning scheme (which is already constrained by the fact that the marketplace is on semver v1 and npm only accepts semver v2 -- leaving package maintainers with 3 version slots), which is at best very confusing to users.
Naturally everyone tries to take care to make sure that something like this doesn't come to pass, but in software bugs occur, mistakes happen, people are expected to "move fast and break things".
And I'm not saying we should be able to delete published versions, but other package repositories have the ability to delist a specific version so that it is no longer available. Examples:
Just want to register this scenario. Happy to open a new issue if need be.
Thoughts, @viradhamMS @pkuma-msft?
@rjmholt I am from the Marketplace team. That's a valid feedback, however we don't get many requests around this. You can always reach to the Marketplace support alias and we will be happy to consider your requests. If we see more and more asks around it we'll consider adding some functionality around it.
I just ran into the exact situation @rjmholt described, I accidentally released a version of the extension with a much higher version and Iβd love the ability to unpublish that so that I can continue with the original versioning scheme.
I would be happy to unpublish specific versions too.
We are doing beta releases, and we would like to unpublish previous beta versions that are not usable anymore anyway.
We could republish, but we would lose comments, number of installs etc.
+1, hit this today.
We released a new major version for a new feature, hit a problem and "rolled back" by republishing an older version.
So now everyone's getting a major version update with no new feature, which seems at least confusing.
I've forwarded the request to the Marketplace team
If an extension is accidentally published with a minimum required VS Code version that is too low to work, you cannot really fix this anymore.
If you publish a new version of it with an higher required VS Code version, old VS Code versions will ignore it and still use the old buggy extension version.
Without being able to delete certain releases, this cannot be fixed.
I publish a version with a Icon that has copyright and I need to remove it. Luckly no one installed it, but if they had, what would I do?
@AllanOricil I think you can just unpublish your entire extension. Then, you can upload your new version without the infringing icon.
But is there a way to push messages to users to Uninstall it and also remove the folder from ".vscode/extensions"?
I was looking for something like that to update the changelog, is that possible?
The lack of this feature can be a huge problem.
This bug microsoft/vscode-vsce#494 lead to my extension being broken for no obvious reason and being unable to unpublish it led to quite a few experiments. Having to reproduce the same environment as on travis doesn't help either.
This is an important feature we need.
This is an important feature we needοΌ
This is an important feature we need.
Could have used this just now, I accidentally published with a bad vscode engine version that relies on a new context key for keybindings. This means I cannot go back and unpublish that - older clients will always receive the "broken version" from now on.
vote for feature!
+1
π +1
This is a feature we need! I ran into the exact same issie @rjmholt described. I'm a beginner and accidentally published a version with the wrong version name. This feature will help many like me!
+1
+1
This is in our (Marketplace team) backlog; we are planning to start working on it soon
This is in our (Marketplace team) backlog; we are planning to start working on it soon
looking forward to this
I need this feature fast
the thing is that i am using svelte for webview in my extension when using in dev mode it was completely fine but when i published it the sidebar shows but not its contents
the thing is that i am using svelte for webview in my extension when using in dev mode it was completely fine but when i published it the sidebar shows but not its contents
Do you need a help unpublishing an extension now? Contact vsmarketplace@microsoft.com for now
I want to unpublish a version not the whole Extension!
I want to unpublish a version not the whole Extension!
Share the details to vsmarketplace@microsoft.com, I will get someone to help you :)
This doesn't seem possible right now, given the Marketplace API.
This just yields 400:
await api.deleteExtension(publisher, name, options.version);Similar to microsoft/vscode-vsce#616
Right now we do not have backend support to delete the particular version of an extension;
you will need to contact vsmarketplace@microsoft.com
We have this issue on our back log btw :)
The rule is always move forward.
That's your rule but not necessarily another person's rule, please allow an unpublish.
This is a total pain to deal with in an emergency.
This is something we are actively working on. I understand there are scenarios whereas an extension author, we need to unpublish an extension version.
I apricate the patience, but for please contact support for this issue
Even if allowing the most recent version to get unpublished probably would work out for many authors
my dumb ass needs this because i just published version vv1.0.1 and now i look even dumber than before.
DONE Published bobmagicii.dashyeah vv1.0.1.
it a dev platform not twitter come on guys let us manage ourselves. just look how many times i edited this comment here on github. that needs to be universal across all your properties/products.
granted the most superior choice would be dropping marketplace and having vscode use github packages XD
+1
+1
The comment emoji feature has been around for 6 full years. Just give the original issue a π emoji reaction.
You may see 30 participants but there are probably hundred(s) of subscribers you're notifying with it. Microsoft does not count your +1 comments - nobody does.
It's possible the π can count, but the +1 comment is just not useful. A bot or human can't count it. All it does is bump the feature request above recent bugs (arguably bad)
The comment emoji feature has been around for 6 full years. Just give the original issue a π emoji reaction.
You may see 30 participants but there are probably hundred(s) of subscribers you're notifying with it. Microsoft does not count your +1 comments - nobody does.
Personally, I don't mind getting this notification that I'm not the only one with this issue. And continues to worry. Do you really think microsoft counts emoji under the original issue?
-1 for sndstoom. its not about the damn +1 count, its about "wow this issue has a million replies and we still havent addressed it"
All it does is bump the feature request above recent bugs (arguably bad)
Bumping it above other more recent bugs is entirely the point.
Hey, this can open up security issues if secrets are left in previous versions. This sounds super crucial.
Hey, this can open up security issues if secrets are left in previous versions. This sounds super crucial.
When secrets get committed one should consider it no longer secret and thus rotate it.
Removing packages is not fail safe here due to people having pulled in the packages or systems having cached it.
It thus provides a false sense of security.
Not allowing yanking of specific version is a security risk for reasons that vsmarketplace team never thought about.
Imagine that at some point a malicious user publishes version 2147483647.2147483647.2147483647, which happens to be the maximum version number supported by marketplace. That means that they will be forced to unpublished/remove their entire extension and publish it under a different "ID". That is another problem by itself as that extension might be listed as a dependency by 100 other extensions.
I guess that their solution for this is the same I heard before, file a support ticket and our database admin with fix it an manual SQL query. I had a case where I needed that myself.
Ok to mark that as a security issue now?
Since default vsce publish takes everything in the folder and uploads it, I just accidentally publish a version that includes my .env file with secrets in it. And I have no way to delete that version.
Seriously, how is deleting a published version still in the backlog for over 5 years now?
Since default
vsce publishtakes everything in the folder and uploads it, I just accidentally publish a version that includes my .env file with secrets in it. And I have no way to delete that version.Seriously, how is deleting a published version still in the backlog for over 5 years now?
The best thing to do is probably delete the extension and publish it again. Always remember to check what is included running vsce ls. To ignore files use the file .vscodeignore.
+1 for this feature.
+1 for this feature.
+1 for this feature
I think a problem here is accidentally publishing a newer version (e.g. publishing a preview release to a stable extension channel).
Exactly describes what just happened to me. I've used an older version of HaaLeo/publish-vscode-extension which does not yet support the pre-release flag and thus happily published my pre-release as a stable release to the marketplace.
Having fun times here creating another fake stable release to fix the issue by bumping just the version number
I think a problem here is accidentally publishing a newer version (e.g. publishing a preview release to a stable extension channel).
I just ran into that too π , unrelated but it's strange that it's a cli arg that defines that and not something in the package.json next to your version...
I think a problem here is accidentally publishing a newer version (e.g. publishing a preview release to a stable extension channel).
Exactly describes what just happened to me. I've used an older version of
HaaLeo/publish-vscode-extensionwhich does not yet support the pre-release flag and thus happily published my pre-release as a stable release to the marketplace.Having fun times here creating another fake stable release to fix the issue by bumping just the version number
I found out afterwards that everything would have worked in the first place because it does not matter whether you set the pre-release flag or not if the extension has already been bundled.
The fact that the VSCode backend (namely https://marketplace.visualstudio.com/manage/publishers/<publisher>/extensions/<extension>/hub?_a=manageExtension) and the VSCode Marketplace when opened in the browser do not distinguish at all between pre-releases and non-pre-releases added to the confusion. In particular, I thought I've published a stable instead of a pre-release and then had to bump all version numbers to fix this issue even though the VSIX's extension.vsixmanifest file would have correctly specified that it's a pre-release.
Just an fiy:
So I published a release by mistake (while the extension only used prereleases until then), I then unpublished it (which removed the extension and all past versions all together π
)
Upon republishing a pre-release It seems like there are two distinct items now in the extensions list (the marketplace does show the right info)
So now there are two extension with the same name and ID. Not sure how to debug that properly or if will just get garbage collected at some point?
Read the whole issue and i can provide two experiences that are new and critical to us:
- a. Happened now twice that we introduced a security issue (happens to the best of us) that were introduced, realized, and then fixed after a very short time (one in about 9h and one in 2h)
- b. Happened now trice (today is one of them) where we released a version that broke either a functionality for all users somehow or for a very specific functionality (e.g. only MacOS users on ARM64)
No matter how fast we are fixing these issues, we still have to wait for the CI to give the OK and then the CD to give the OK. And no matter how long that is, it is far too long when you know that version X to Y are affected and could be just deleted. This is what we do with the JetBrains marketplace btw and with the artifacts that we control ourselves. The only exception is the VS Code marketplace. Which is in my opinion very cool to work with, except for this single feature that is missing.
This missing feature is especially annoying since we are releasing right to the user with every merge. That is usually really cool, but in the 5 cases above, it wasn't. We adapted our CI to catch those cases, but as you all surely know all to well, bugs happen and we might need to remove a published version once again. Removing the whole extension is not an option and pushing a new version isn't either for the reasons i stated.
Why do you call it manage extensions when there is nothing to change?
vsce unpublish 2.0.0
This will delete ALL published versions! Please type '2.0' to confirm: no
O.o
Any news on this?
We need the ability to unpublish versions, the same way NPM allows it.
Its still an issue....? its been 6 years.....
Any updateοΌ
I would like to unpublish a version as well. Has there been any update on how to do this?
It looks like the API used by vsce (extension publishing tool) has a method to delete the extension. Unfortunately, it didn't work in naive way, it failed with error code 400.
Read more here: microsoft/vscode-vsce#909
P.S. @seaniyer is it possible that someone from your team takes a look at it? If this command works, then this problem is essentially solved, and marketplace support team won't need to delete extension versions manually. 400 points out to the fact that it's implemented but doesn't work for some reason.
Unpublishing a specific version is currently not supported for VS Marketplace.
@xavierdecoster any thoughts regarding that API ?
@seaniyer That's actually the main reason for my investigation. If there's an easy way to support it via the official API, then this problem could be solved for a lot of folks. The 400 error code points out that it's implemented but doesn't work due to some misconfiguration of the API.
@kesane-msft since you wrote that you need more people asking about this feature. How many do you need? There are now about 100 likes on the issue.
We just hit again a bug where we would like to unpublish a version. We can for all platforms except for VSC see
#235 (comment) for some description on why that is useful to everyone.
Hi folks,
Solution proposal for unpublish version & Request for feedback
VS Marketplace team is looking to invest in this popular feature request in the coming months. I would like to kick things off by sharing an initial draft of Unpublish specific version - Solution proposal PR for everyoneβs input. The document also has a summary of problem scenarios as we understand them so far. I would like to make sure the proposal is starting off in the right direction and no important problem scenarios are missed. Please review and comment in the PR. Thanks for your contributions!