New Safety Mechanism for Extension Updates
Microsoft has announced a security enhancement for Visual Studio Code that introduces a mandatory two-hour waiting period before extensions are automatically updated to a newer version. The change, rolling out with VS Code 1.123, aims to reduce the risk of supply chain attacks in which a malicious update is pushed to millions of developers before anyone detects it. When automatic updates are enabled, the editor now waits 120 minutes after a new extension version is published before installing it, giving the community and security researchers time to identify and flag a problematic release. Users can still apply an update immediately by clicking the 'Update' button, and the extension details view shows the reason an update is pending along with the time at which the automatic update is scheduled.
Ecosystem-Wide Trend Towards Installation Delays
The two-hour delay does not apply to extensions from trusted publishers, including Microsoft, GitHub, and OpenAI, which will continue to update without delay. The feature follows similar controls recently added to package managers such as npm, pnpm, Yarn, and Bun, where a minimum age for newly published packages has become a standard defense against supply chain threats. RubyGems likewise added an opt-in cooldown to Bundler 4.0.13 that delays installation of newly published gem versions. These measures respond to a significant rise in software supply chain incidents targeting developer ecosystems, in which attackers publish malicious versions that spread widely before registry maintainers can take them down.
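To make the mechanism concrete, here is an added example of a minimum-age update gate in Python. It is not VS Code's own code or any package manager's implementation; it models the behaviour the two sections above describe (a 120-minute hold, an immediate manual 'Update' override, a trusted-publisher exemption, and a scheduled time for the pending update) and generalises it slightly in the way the npm-style gates do, by resolving to the newest release that has already aged past the window rather than simply refusing to update. The publisher identifiers, the version tuples and the sample releases are assumptions constructed for the example.

```python
"""Minimum-age gate for automatic updates, modelled on the VS Code delay."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

Version = tuple[int, int, int]

MIN_AGE = timedelta(minutes=120)  # the 120-minute wait described in the article
# Assumed publisher IDs for the example; the real exemption list is VS Code's.
TRUSTED_PUBLISHERS = frozenset({"ms-vscode", "github", "openai"})


@dataclass(frozen=True, order=True)
class Release:
    version: Version          # semver as a tuple so releases compare numerically
    published_at: datetime    # registry publish time (timezone-aware)


@dataclass(frozen=True)
class Decision:
    install: Version                    # version the auto-updater would install now
    pending: Optional[Version]          # newest release still held back, if any
    scheduled_at: Optional[datetime]    # when the next held-back release ages in


def plan_auto_update(publisher: str, installed: Version, releases: list[Release],
                     now: datetime, *, manual: bool = False,
                     min_age: timedelta = MIN_AGE,
                     trusted: frozenset = TRUSTED_PUBLISHERS) -> Decision:
    newer = [r for r in releases if r.version > installed]   # never downgrade
    if not newer:
        return Decision(installed, None, None)
    newest = max(newer)
    # A manual "Update" click, or a trusted publisher, skips the cooldown entirely.
    if manual or publisher in trusted:
        return Decision(newest.version, None, None)
    # Otherwise only releases that have been public for at least min_age qualify.
    # A publish time in the future (clock skew) yields a negative age and is held.
    aged = [r for r in newer if now - r.published_at >= min_age]
    install = max(aged).version if aged else installed
    held = [r for r in newer if r.version > install]
    if not held:
        return Decision(install, None, None)
    # The next automatic update fires when the oldest held-back release ages in.
    next_eligible = min(r.published_at for r in held) + min_age
    return Decision(install, newest.version, next_eligible)


# Constructed sample data (not real releases): a three-day-old version, one that
# cleared the window 30 minutes ago, and one published only 30 minutes ago.
NOW = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RELEASES = [
    Release((1, 2, 0), NOW - timedelta(days=3)),
    Release((1, 3, 0), NOW - timedelta(minutes=150)),
    Release((1, 4, 0), NOW - timedelta(minutes=30)),
]

if __name__ == "__main__":
    for pub in ("acme", "github"):
        d = plan_auto_update(pub, (1, 2, 0), SAMPLE_RELEASES, NOW)
        print(pub, d.install, d.pending, d.scheduled_at)
```

Run stand-alone, the untrusted publisher "acme" resolves to 1.3.0 with 1.4.0 pending and a scheduled time 90 minutes out, while the trusted "github" publisher jumps straight to 1.4.0. The age check uses `>=` so a release exactly at the boundary is eligible, and the "never downgrade" filter means a held-back newest release leaves the installed version in place rather than rolling back to an older aged one.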
Source: The Hacker News
