This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 19%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDC%3C/text%3E%3C/svg%3E)
Hi Team,
I created a VS Code extension and properly configured the required metadata in the package.json file, including:
However, when I try to upload the .vsix file to the Visual Studio Marketplace, I receive the following error:
“Upload Error: Your extension has suspicious content. Please fix your extension metadata, or contact support if you need assistance.”
I have already tried updating and modifying the metadata multiple times based on the error message, but the issue still persists and I am unable to publish the extension.
Also, I am not currently using the Personal Access Token (PAT) method in Azure DevOps, so I would like to know whether I may be missing any required setup or doing something incorrectly during the publishing process.
Could you please review this issue and guide me on what needs to be corrected?
Thank you for your support.
Thanks, CyberscanAI
A family of Microsoft suites of integrated development tools for building applications for Windows, the web, mobile devices and many other platforms. Miscellaneous topics that do not fit into specific categories.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 65%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Hi @Dev Cyberscope ,
It looks like the Marketplace scanner is flagging something in your VSIX as “suspicious content.” Usually this comes down to either a mismatch or invalid fields in your extension’s manifest (package.json / source.extension.vsixmanifest) or extra files bundled into the VSIX that aren’t allowed.
You can try below steps
Only these top‐level properties are allowed in a VS Code extension manifest:
Remove or exclude anything else (for example, don’t bundle scripts, devDependencies, dependencies or arbitrary config files into the VSIX). If you’re using vsce to package, you can add a .vscodeignore to filter out node_modules, .git folders, build scripts, etc.
npm install -g vsce
vsce package
Once your VSIX only contains the allowed manifest and your publisher ID is correct, the “suspicious content” error should clear and your extension will pass the built-in virus/metadata scan.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Hi Team,
The error "Your extension has suspicious content" generally appears when the validation system in VS Marketplace detects any missing or unsafe data in the metadata of the extension or its packaging.
One of the issues found during the inspection of the package.json file is that the activationEvents property is left blank:
"activationEvents": []
Instead, you can set a valid activationEvent like:
"activationEvents": [
"onCommand:extension.start"
]
Following are some other things to keep in mind:
Ensure that all the links such as homepage, repository, bugs.url are active and available publicly.
The GitHub repository should be public.
Eliminate all unnecessary/minimized files in the .vsix packaging.
To publish using the established Visual Studio Code Extensions (VSCE) procedure you can utilize an Azure DevOps Personal Access Token (PAT) as follows:
Recommended Commands:
vsce login
vsce package
vsce publish
The problem here is likely due to issues with your metadata meeting validation criteria or security checks of the Marketplace which could prevent your extension from functioning correctly, however, if you’ve correctly updated and installed your activation events and republished via the approved VSCE and Azure DevOps PAT process, this should resolve the problem.