"We just had an outdated sanity.io dependency used since 2016 to show release notes from sanity headless CMS, that was the only issue they found."
"That dependency has been there since 2016 and passed every check since then, now it looks compromised but NO ONE from Microsoft reached us to remove it. They just pulled down everything causing issues to millions of users, and causing a loop in vscode (yep, it's their fault)"
If the dependency has been compromised then extensions that use that dependency and ship compromised code are also compromised. Its a transitive property if it ships bad code.
With that in mind Microsoft yoinking the extension from the market place and user devices seems reasonable. But what was the "loop" they mention?
obviously there are people who downloaded it multiple times
Its been around and on enough different platforms that most people who use it would have lost count of how many times they have downloaded it.
I currently have it installed on 4 android devices (my phone, my tablet, my sons tablet, google TV dongle), 3 windows devices (personal PC, loungeroom PC, work PC), and 1 Xbox. That's 8 installs in current use but if you factor in a history of device replacement and software updates I would easily account for hundreds of downloads.
Edit: its great to see the games they highlight with the cover illustrations. They cover a variety of genres and all look like quality games with interesting design choices.
I understand proprietary licenses and the business models they support, I also understand open source licenses and the business models they support.
If they they published paid binaries and free source code I would support them (morally), or if they published free binaries and free source code and ran a patreon I would support them (morally).
But to fork GPL code and hold the derived source ransom? Not cool.
Well that's not ideal.