Recently, a malicious VS Code extension caused GitHub itself to be hacked. Currently, many different actions cause VS Code to auto-update extensions, such as:
- The application being launched
- The extensions panel being opened
This is scary, because it means that a malicious extension update will immediately compromise all installed systems without warning. Currently, the only alternative is to disable automatic extension updates entirely, which is not a positive user experience (manually updating tens of extensions is tedious).
It would be excellent if there were options to allow users to:
- Control how often VS Code checks for extension updates (e.g. once per week)
- Control how old a new extension version must be before it is considered for update (e.g. only updating an extension once the new version has been released for 1 week)
On a large scale, this would significantly reduce the scope of the damage caused by a compromised extension, meaning that far fewer VS Code instances would have auto-updated to the malicious version before it was noticed and yanked, even if automatic extension updates were enabled for all users.
These options would be similar to features offered in package managers such as uv's `tool.uv.exclude-newer` option, or pnpm's `minimumReleaseAge`.
Of course, this is not a substitute for proper security features such as those mentioned in #52116, but it is certainly faster to implement, and wouldn't involve breaking changes for extension authors.
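To make the two proposed options concrete, here is an added example (not VS Code's code, and not from the uv or pnpm projects) of the policy they describe: a check interval that throttles how often the marketplace is queried, and a minimum release age that keeps a just-published version from being installed until it has been public long enough to be noticed and yanked. The `UpdatePolicy` fields, the function names and the release list are all constructed for the illustration.

```typescript
// Added example: a "minimum release age" + "check interval" update policy for
// extension releases. Setting names, helpers and sample data are hypothetical.

interface Release {
  version: string;     // dotted numeric version, e.g. "1.3.1"
  publishedAt: string; // ISO-8601 publish time as reported by the marketplace
}

interface UpdatePolicy {
  minimumReleaseAgeDays: number; // hypothetical setting: how old a release must be
  checkIntervalDays: number;     // hypothetical setting: how often to check at all
}

const DAY_MS = 86_400_000;

// Compare two dotted numeric versions; missing components count as 0.
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when enough time has passed since the last update check (or none was ever made).
function updateCheckDue(lastCheck: string | null, now: string, policy: UpdatePolicy): boolean {
  if (lastCheck === null) return true;
  return Date.parse(now) - Date.parse(lastCheck) >= policy.checkIntervalDays * DAY_MS;
}

// Pick the newest release that is both newer than the installed version and at
// least minimumReleaseAgeDays old at `now`. Returns null when nothing qualifies,
// so a version pushed hours ago is never auto-installed, whatever its number.
function selectUpdate(
  installed: string,
  releases: Release[],
  now: string,
  policy: UpdatePolicy,
): Release | null {
  const cutoff = Date.parse(now) - policy.minimumReleaseAgeDays * DAY_MS;
  const eligible = releases.filter(
    (r) => compareVersions(r.version, installed) > 0 && Date.parse(r.publishedAt) <= cutoff,
  );
  if (eligible.length === 0) return null;
  return eligible.reduce((best, r) => (compareVersions(r.version, best.version) > 0 ? r : best));
}

// Constructed sample: 1.4.0 appeared two days before `NOW`; 1.3.1 is a month old.
const SAMPLE_RELEASES: Release[] = [
  { version: "1.2.0", publishedAt: "2024-01-01T00:00:00Z" },
  { version: "1.3.1", publishedAt: "2024-02-01T00:00:00Z" },
  { version: "1.4.0", publishedAt: "2024-02-28T00:00:00Z" },
];
const NOW = "2024-03-01T00:00:00Z";
const POLICY: UpdatePolicy = { minimumReleaseAgeDays: 7, checkIntervalDays: 7 };

const choice = selectUpdate("1.2.0", SAMPLE_RELEASES, NOW, POLICY);
console.log(choice ? `eligible update: ${choice.version}` : "no eligible update");
```

With the 7-day policy the sample picks 1.3.1 rather than the two-day-old 1.4.0, and an installation already on 1.3.1 gets nothing until 1.4.0 has aged past the cutoff. The same filtering is what uv's `exclude-newer` and pnpm's `minimumReleaseAge` apply to package indexes; here it is applied to extension releases instead.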