This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 19%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDC%3C/text%3E%3C/svg%3E)
Hi Team,
I created a VS Code extension and properly configured the required metadata in the package.json file, including:
However, when I try to upload the .vsix file to the Visual Studio Marketplace, I receive the following error:
“Upload Error: Your extension has suspicious content. Please fix your extension metadata, or contact support if you need assistance.”
I have already tried updating and modifying the metadata multiple times based on the error message, but the issue still persists and I am unable to publish the extension.
Also, I am not currently using the Personal Access Token (PAT) method in Azure DevOps, so I would like to know whether I may be missing any required setup or doing something incorrectly during the publishing process.
Could you please review this issue and guide me on what needs to be corrected?
Thank you for your support.
Thanks, CyberscanAI
A family of Microsoft suites of integrated development tools for building applications for Windows, the web, mobile devices and many other platforms. Miscellaneous topics that do not fit into specific categories.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Hi Team,
The error "Your extension has suspicious content" generally appears when the validation system in VS Marketplace detects any missing or unsafe data in the metadata of the extension or its packaging.
One of the issues found during the inspection of the package.json file is that the activationEvents property is left blank:
"activationEvents": []
Instead, you can set a valid activationEvent like:
"activationEvents": [
"onCommand:extension.start"
]
Following are some other things to keep in mind:
Ensure that all the links such as homepage, repository, bugs.url are active and available publicly.
The GitHub repository should be public.
Eliminate all unnecessary/minimized files in the .vsix packaging.
To publish using the established Visual Studio Code Extensions (VSCE) procedure you can utilize an Azure DevOps Personal Access Token (PAT) as follows:
Recommended Commands:
vsce login
vsce package
vsce publish
The problem here is likely due to issues with your metadata meeting validation criteria or security checks of the Marketplace which could prevent your extension from functioning correctly, however, if you’ve correctly updated and installed your activation events and republished via the approved VSCE and Azure DevOps PAT process, this should resolve the problem.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 65%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Hi @Dev Cyberscope ,
It looks like the Marketplace scanner is flagging something in your VSIX as “suspicious content.” Usually this comes down to either a mismatch or invalid fields in your extension’s manifest (package.json / source.extension.vsixmanifest) or extra files bundled into the VSIX that aren’t allowed.
You can try below steps
Only these top‐level properties are allowed in a VS Code extension manifest:
Remove or exclude anything else (for example, don’t bundle scripts, devDependencies, dependencies or arbitrary config files into the VSIX). If you’re using vsce to package, you can add a .vscodeignore to filter out node_modules, .git folders, build scripts, etc.
npm install -g vsce
vsce package
Once your VSIX only contains the allowed manifest and your publisher ID is correct, the “suspicious content” error should clear and your extension will pass the built-in virus/metadata scan.
@Pravallika KV
I have followed all the steps mentioned in both the official documentation and your suggestions, but nothing seems to work.
axios to call a custom API. I need to include node_modules because when I add it to .vscodeignore, the custom API calls stop working. So I kept node_modules included so that team members can test the extension locally in their own VS Code.1.116.0 while the engine version declared in my extension is 1.110.0. Only these top‐level properties are allowed in a VS Code extension manifest:![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 16%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJC%3C/text%3E%3C/svg%3E)
One thing that stands out is the inclusion of the full node_modules directory inside the VSIX. Even if it’s needed for local testing, Marketplace scanners can flag bundled dependencies—especially large dependency trees or packages that make external API/network calls as suspicious content.
Since you’re using axios only, you may want to try bundling the extension instead of shipping raw node_modules. Tools like esbuild or webpack can package the required code into a smaller output and avoid including unnecessary files that trigger Marketplace validation.
Also, the issue is probably not related to your VS Code engine version mismatch (1.116 vs 1.110). That usually doesn’t cause the “suspicious content” flag by itself.
A few things I would specifically verify:
No secrets/API keys accidentally included in the VSIX
No executable/binary files bundled
Public/reachable repository + homepage URLs
Proper activationEvents (not empty)
Packaging only production dependencies
At this point, inspecting the generated .vsix contents carefully is probably more important than editing metadata again.
@Dev Cyberscope Following up to see if the above provided information was helpful. If you have any further queries do let us know.
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
Hi @Dev Cyberscope ,
This doesn't appear to be a metadata or PAT-related issue. The Marketplace is likely flagging the VSIX because it includes the node_modules folder directly, which is often detected as “suspicious content” by the security scanner.
Try below steps:
node_modules from the VSIX packagedist/extension.js)main entry in package.json to point to it:"main": "./dist/extension.js"
The issue with Axios occurs because the current setup depends on runtime resolution via node_modules. Once you move to bundling, Axios (and its dependencies) will be included in the final bundle automatically.
Hope this helps!
If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know.
@Dev Cyberscope Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer =>Yes, and upvote it. If you have any further queries do let us know.