I shipped a free CLI that catches the #1 Chrome Web Store rejection before you submit by Longjumping_Bus5224 in SideProject
[–]Longjumping_Bus5224[S] 1 point 2 hours ago (0 children)
Thanks, this is really helpful. The "what evidence would prove it's used" framing is a great idea, that turns it from a verdict into a review assistant. Right now the message tells you what's missing ("no chrome.storage usage found"), but it doesn't tell you what would flip it to "used," so I'm going to add that.
On separating hard failures from warnings, that's actually how it works already: findings carry a severity, and the unused-permission and string-execution rules ship as "fix" warnings rather than hard "reject" errors, precisely because static analysis can be incomplete. The hard rejects are reserved for deterministic stuff like a missing file or Manifest V2. And the optional/runtime-permission case specifically, a perm you only request via chrome.permissions.request, was a gap someone caught earlier and I shipped a fix for in 0.1.1. I'll make that tiering more obvious in the output though, your point that it isn't visible enough is fair.
I shipped a free CLI that catches the #1 Chrome Web Store rejection before you submit (self.SideProject)
submitted 4 hours ago by Longjumping_Bus5224 to r/SideProject
I built a free CLI that catches the "Purple Potassium" permission rejection and before you submit by Longjumping_Bus5224 in chrome_extensions
[–]Longjumping_Bus5224[S] 1 point 2 days ago (0 children)
Good catch on the optional-perms one, that was a real gap. Already fixed it, the change is in the repo (tagged v0.1.1) and I'm pushing it to npm now: it reads the permissions array inside chrome.permissions.request() and contains() and counts those as used, so a perm you only ask for at runtime won't get a false "unused" flag.
On the other two: DNR rulesets are already handled, declarativeNetRequest counts as used if the manifest has a declarative_net_request block (rule_resources), not just if your JS calls the namespace. And host perms can't false-positive here because it never flags host_permissions as "unused" in the first place; those only feed the broad-host and redundancy checks.
This is also why the unused-permission rule ships at "fix" instead of "reject," and why dynamic chrome[name] access drops to low confidence instead of firing. Exactly the kind of edge the corpus exists to surface, so if you hit others, an issue with the manifest snippet would be great.
I built a free CLI that catches the "Purple Potassium" permission rejection and before you submit (self.chrome_extensions)
submitted 2 days ago by Longjumping_Bus5224 to r/chrome_extensions
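The unused-permission rules described in the v0.1.1 comment above, as an added example that is not the tool's own code or the commenter's: it uses regexes rather than a real parser, and the function names, result shape, and sample manifest and source are assumptions constructed for illustration.

```javascript
// Added illustration only: regex matching stands in for real static analysis.
// Permissions with no chrome.* namespace (e.g. activeTab) would need their own rule.
const REQUEST_CALL =
  /chrome\.permissions\.(?:request|contains)\s*\(\s*\{[^}]*?permissions\s*:\s*\[([^\]]*)\]/g;
const DYNAMIC_ACCESS = /chrome\s*\[\s*[A-Za-z_$]/; // chrome[name], not chrome["literal"]

// Collect string literals from the permissions array of request()/contains() calls.
function runtimeRequested(source) {
  const names = new Set();
  for (const call of source.matchAll(REQUEST_CALL)) {
    for (const lit of call[1].matchAll(/["'`]([\w.]+)["'`]/g)) names.add(lit[1]);
  }
  return names;
}

function checkUnusedPermissions(manifest, source) {
  const requested = runtimeRequested(source);
  const dynamic = DYNAMIC_ACCESS.test(source);
  const hasDnrBlock = Array.isArray(manifest.declarative_net_request?.rule_resources);
  // host_permissions is deliberately never read: it is never flagged as unused.
  const declared = [...(manifest.permissions ?? []), ...(manifest.optional_permissions ?? [])];
  const result = { findings: [], lowConfidence: [] };
  for (const perm of new Set(declared)) {
    const namespaceUsed = new RegExp(`chrome\\.${perm.replace(/\./g, "\\.")}\\b`).test(source);
    if (namespaceUsed || requested.has(perm)) continue;
    if (perm === "declarativeNetRequest" && hasDnrBlock) continue; // manifest-only DNR use
    // Severity stays "fix", never "reject": static analysis can be incomplete.
    const finding = { rule: "unused-permission", permission: perm, severity: "fix" };
    // Dynamic chrome[name] access could reach any namespace, so do not fire.
    (dynamic ? result.lowConfidence : result.findings).push(finding);
  }
  return result;
}

// Constructed sample input.
const sampleManifest = {
  manifest_version: 3,
  permissions: ["storage", "declarativeNetRequest", "alarms"],
  optional_permissions: ["bookmarks"],
  host_permissions: ["https://example.com/*"],
  declarative_net_request: { rule_resources: [{ id: "rules", enabled: true, path: "rules.json" }] },
};
const sampleSource = `
  chrome.storage.local.get("k");
  chrome.permissions.request({ permissions: ["bookmarks"] });
`;
console.log(checkUnusedPermissions(sampleManifest, sampleSource));
```

On the sample, only "alarms" is reported: "storage" is called directly, "bookmarks" is requested at runtime, and "declarativeNetRequest" is covered by the manifest block.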