Microsoft wants to make it easier for software developers using Visual Studio Team Services (VSTS) Integrated Development Environment to keep track of their coding projects with a new batch of dashboard updates.
Currently in beta, the updates include options to quickly switch between dashboards, set new permissions and bookmark frequently accessed dashboards. They are also expected to hit the next major release of Microsoft’s source code management product, Team Foundation Server (TFS), according to Microsoft senior program manager Francisco Garcia-Ascanio.
Responding to user demand, Microsoft has updated the dashboard picker with two new options, Mine and All, that help developers stay better organized. Selecting Mine shows the dashboards belonging to a user’s team, along with favorites. As expected, the All option displays all the dashboards associated with a project.
Also new is the ability to set team permissions on individual dashboards that govern whether users can create, edit and delete dashboards. Administrators can also set global permissions that affect all the dashboards used by a team.
“By going to the Dashboard settings, under Project Settings for a team, a team administrator can set permissions for their team dashboards,” explained Garcia-Ascanio in a July 18 announcement. “Whichever permissions are set here, the team’s dashboards will inherit.”
A new interface, called Dashboard Directory Pages, allows users to search for dashboards and bookmark, or “favorite,” the results. Other enhancements to the VSTS dashboard experience include full screen mode support, streamlined dashboard editing tools and dashboard descriptions for improved searching.
Plugging the ESLint Breach
Meanwhile, Microsoft has acted on a security incident involving third-party code that could potentially place VSTS data at risk.
Rajesh Ramamurthy, senior program manager of VSTS at Microsoft, announced on July 18 that the software maker had revoked the tokens for a set of VSTS users who were at risk of having their credentials exposed by two popular ESLint NPM (Node Package Manager) packages. ESLint is an open-source code analysis, or linting, utility for JavaScript.
Recently, malicious code was detected in the ESLint scope analysis library (eslint-scope version 3.7.2) and configuration package (eslint-config-eslint version 5.0.2) that could be used to steal credentials. In a security advisory, ESLint stated that “an attacker compromised the npm account of an ESLint maintainer and published malicious versions” of the packages on July 12.
Once the packages were downloaded and installed, the contents of .npmrc configuration files, which often contain access tokens, were sent to the attacker. Highlighting the dangers posed by password reuse and failing to adopt safe password management practices, the ESLint team noted that the password of the hacked maintainer account had been used on other sites and that the account did not have two-factor authentication enabled.
Microsoft is reaching out to the developers that were affected by the move. Users who find that their credentials no longer work as a result of the ESLint breach will need to recreate them. Finally, the company plans to deploy new APIs that will allow administrators to revoke user-created Personal Access Tokens (PAT) and JSON Web Tokens (JWT), Ramamurthy said.
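A defender-side check for the incident described above, as an added example that is not code from Microsoft or the ESLint project: it scans a parsed package-lock.json for the two malicious versions named in the advisory. The function name and the sample lockfile are constructed for illustration.

```javascript
// Malicious versions named in the ESLint advisory quoted in the article.
const COMPROMISED = {
  'eslint-scope': '3.7.2',
  'eslint-config-eslint': '5.0.2',
};

// Returns [{ name, version, path }] for each compromised entry in a parsed
// package-lock.json. Handles the nested "dependencies" tree (lockfileVersion 1)
// and the flat "packages" map (lockfileVersion 2 and 3).
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, path) => {
    if (Object.prototype.hasOwnProperty.call(COMPROMISED, name) &&
        COMPROMISED[name] === version) {
      hits.push({ name, version, path });
    }
  };

  // lockfileVersion 2/3: keys are install paths such as
  // "node_modules/eslint/node_modules/eslint-scope".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project or workspace entry
    check(path.slice(idx + 'node_modules/'.length), meta.version, path);
  }

  // lockfileVersion 1: walk the nested tree so transitive copies are found.
  // Skipped when "packages" exists, to avoid reporting the same copy twice.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, [...trail, name].join(' > '));
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not from a real project): one transitive
// malicious copy and one unaffected neighbouring version.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    eslint: {
      version: '4.19.1',
      dependencies: { 'eslint-scope': { version: '3.7.2' } },
    },
    'eslint-config-eslint': { version: '5.0.1' },
  },
};

console.log(findCompromised(sampleLock));
```

A hit means the malicious install code may have run on that machine, so any tokens stored in its .npmrc should be treated as exposed and recreated.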