Gathering detailed insights and metrics for @vscode/codicons
Gathering detailed insights and metrics for @vscode/codicons
Installations
npm install @vscode/codiconsDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Node Version
18.19.1
NPM Version
10.2.4
Releases
24
Languages
3
Handlebars
JavaScript
Dockerfile
Handlebars (70.5%)
JavaScript (25.31%)
Dockerfile (4.2%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
CC-BY-4.0 License
978 Stars
534 Commits
197 Forks
21 Watchers
21 Branches
73 Contributors
Updated on Jul 09, 2025
Maintainers
21
Package Meta Information
Latest Version
0.0.36
Package Id
@vscode/codicons@0.0.36
Unpacked Size
1.16 MB
Size
448.13 kB
File Count
500
NPM Version
10.2.4
Node Version
18.19.1
Published on
May 09, 2024
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dev Dependencies
6
Codicons
This tool takes the Visual Studio Code icons and converts them into an icon font using fantasticon.
Install
You can use the npm package and install into your project via:
npm i @vscode/codicons
Note: We've deprecated vscode-codicons in favor of @vscode/codicons
If you're building a VS Code extension, see this webview extension sample on how to integrate.
Building Locally
All icons are stored under src > icons. The mappings of the class names and unicode characters are stored in src/template/mapping.json as well as the default styles under src/template/styles.hbs.
Install dependencies
After cloning this repo, install dependencies by running:
npm install
Build
npm run build
Output will be exported to a dist folder.
Update packages
You can run npm outdated to see if there are any package updates. To update packages, run:
npm update
Add icons
Export your icons (svg) to the src/icons folder and add an entry into src/template/mapping.json with a new codepoint key (this gets converted into a unicode key) and run the the build command. The build command will also remove any subfolders in the icons folder to keep the folder structure consistent.
Next, update the codicons file on the vscode repository, ensuring that the unicode characters are the same (you can reference the css file).
Using CSS Classes
If you're building a VS Code extension, see this webview extension sample on how to integrate.
When needing to reference an icon in the Visual Studio Code source code via CSS classes, simply create a dom element/container that contains codicon and the icon name like:
1<div class='codicon codicon-add'></div>
It's recommended to use a single dom element for each icon and not to add children elements to it.
Using SVG Sprites
When needing to use the codicon.svg sprite file, you can reference icons using the following method:
1<svg> 2 <use xlink:href="codicon.svg#add" /> 3</svg>
Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Legal Notices
Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this repository under the Creative Commons Attribution 4.0 International Public License, see the LICENSE file, and grant you a license to any code in the repository under the MIT License, see the LICENSE-CODE file.
Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653.
Privacy information can be found at https://privacy.microsoft.com/en-us/
Microsoft and any contributors reserve all other rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel or otherwise.
No vulnerabilities found.
Reason
30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Reason
all changesets reviewed
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Creative Commons Attribution 4.0 International: LICENSE:0
Reason
no binaries found in the repo
Reason
SAST tool is run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Info: all commits (30) are checked with a SAST tool
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:28
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:29
- Warn: no topLevel permission defined: .github/workflows/build.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/gh-pages.yml:10
- Warn: no topLevel permission defined: .github/workflows/release.yml:1
- Info: no jobLevel write permissions found
Reason
Project has not signed or included provenance with any releases.
Details
- Warn: release artifact 0.0.36 not signed: https://api.github.com/repos/microsoft/vscode-codicons/releases/154983267
- Warn: release artifact 0.0.36 does not have provenance: https://api.github.com/repos/microsoft/vscode-codicons/releases/154983267
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/build.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/build.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/build.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/gh-pages.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/gh-pages.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/gh-pages.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/gh-pages.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/gh-pages.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/gh-pages.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/gh-pages.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/gh-pages.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/gh-pages.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/gh-pages.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/gh-pages.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/gh-pages.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/vscode-codicons/release.yml/main?enable=pin
- Warn: containerImage not pinned by hash: .devcontainer/Dockerfile:8: pin your Docker image by updating mcr.microsoft.com/vscode/devcontainers/javascript-node:0-10 to mcr.microsoft.com/vscode/devcontainers/javascript-node:0-10@sha256:8513bfe9b3167001f68cdf4c18db8430bda5b8bc261bb2d38a3535e9bc55c8a9
- Warn: npmCommand not pinned by hash: .github/workflows/build.yml:24
- Warn: npmCommand not pinned by hash: .github/workflows/gh-pages.yml:34
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:27
- Info: 0 out of 17 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 containerImage dependencies pinned
- Info: 0 out of 3 npmCommand dependencies pinned
Reason
23 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
- Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
- Warn: Project is vulnerable to: GHSA-rp65-9cf3-cjxr
- Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-cchq-frgv-rjh5
- Warn: Project is vulnerable to: GHSA-g644-9gfx-q4q4
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
Score
5.6
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More