Keytar Migration Plan

Issue #5345 resolved
Tyler Leonhardt created an issue

Hello 👋 I'm Tyler from the VS Code team. I'm opening this issue because you use the keytar shim that VS Code provides.

Keytar is officially archived and not being maintained... In an effort to promote good security practices by not depending on an archived piece of software for storing secrets, we are working on a plan to remove this shim from VS Code. We want to communicate this to you, so we minimize the disruption due to this change, hence this issue. I know this isn't the best news... we had a fair amount of work to remove our dependency on keytar as well, but we believe this is the right thing to do to ensure extensions are using secure APIs.

There are a couple of options for you to consider:

  • (recommended) Use the SecretStorage API that VS Code provides on the ExtensionContext. This API is cross-platform and will work on all platforms that VS Code supports. It is also maintained by the VS Code team and will continue to be maintained and has been a part of the VS Code API for years at this point.
  • (not recommended) You can bundle the keytar module with your extension. Keep in mind that keytar is a native node module which means that you will need to publish a platform specific extension for each platform you want to support.

Timeline

The current plan is to remove this shim from VS Code Insiders in early September which means that October 2023's stable release will be the first release without the shim.

Questions?

If you have any questions, please feel free to ask them here. I will do my best to answer them as quickly as possible. Your cooperation is greatly appreciated. ❤️

Comments (9)

  1. Tyler Leonhardt reporter

    👋 quick question, did the fix that went in migrate users from keytar over to Secret Storage? I asked because we have telemetry that tracks the importing of keytar and after the release mentioned we didn't see a drop in that telemetry. We are using this telemetry to decide when to actually remove keytar. I'm guessing you all still import keytar at activation but just don't use it until the user hits the migration path? Is that correct?

    If it's easy for you to import keytar lazily that would help me out, but if it's too much work no worries. I'll just keep a note to check in on your migration.

  2. Naveen Kumar

    Hi @Tyler Leonhardt, yes the fix migrates users from keytar over to Secret Storage. And yes, we still import keytar and use it to migrate users over to Secret Storage.

  3. Tyler Leonhardt reporter

    As long as you are importing keytar only when you need to run the migration, we are ok.

  4. Naveen Kumar

    Hey, sorry for the delay in response. Actually we import keytar at activation and we use it when we need to migrate the users from keytar to SecretStorage.

  5. Tyler Leonhardt reporter

    When we remove keytar from VS Code, the import will fail because the package is no longer available. This will throw an error so you may need to wrap that import in a try/catch.

    I have removed keytar from VS Code on Tuesday. The first VS Code Insiders version that no longer has keytar will be released today. The first VS Code stable that no longer has keytar will be released early next month.

  6. Naveen Kumar

    Okay, got it. You have removed keytar in Version: 1.83.0-insider of VS Code Insiders. Am I right?
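
An added example (not from the issue thread or the extension's own code) of the lazy import requested in the comments above, wrapped in the suggested try/catch: keytar is loaded only inside the migration path, and a flag stops later activations from importing it at all. `SERVICE`, `ACCOUNT`, `MIGRATED_FLAG` and the function names are hypothetical; `secrets` and `globalState` stand for the extension's `context.secrets` and `context.globalState`.

```javascript
// Added example: lazy, failure-tolerant keytar -> SecretStorage migration.
const SERVICE = 'my-extension';          // hypothetical keytar service name
const ACCOUNT = 'api-token';             // hypothetical keytar account / secret key
const MIGRATED_FLAG = 'keytarMigrated';  // hypothetical globalState key

// The import lives in a function so nothing touches keytar at activation.
function loadKeytar() {
  return require('keytar'); // throws once VS Code no longer ships the shim
}

// Call from activate(): migrateFromKeytar(context.secrets, context.globalState)
async function migrateFromKeytar(secrets, globalState, load = loadKeytar) {
  // Already migrated: return before keytar is ever imported.
  if (globalState.get(MIGRATED_FLAG)) return 'already-migrated';

  let legacy;
  try {
    const keytar = load();
    legacy = await keytar.getPassword(SERVICE, ACCOUNT); // null if no entry
    if (legacy) {
      await secrets.store(ACCOUNT, legacy);
      // Remove the old copy so the secret lives in one store only.
      await keytar.deletePassword(SERVICE, ACCOUNT);
    }
  } catch (err) {
    // Import or keychain read failed. Leave the flag unset and carry on;
    // the extension falls back to asking the user to sign in again.
    return 'keytar-unavailable';
  }

  await globalState.update(MIGRATED_FLAG, true);
  return legacy ? 'migrated' : 'nothing-to-migrate';
}
```

The flag is written only after the secret has been stored and the keytar entry deleted, so a failure part-way through is retried on the next activation instead of losing the credential.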
