RE: https://hachyderm.io/@ChrisShort/116606591908387955

If you want onto Microsoft's internal network, CORPNET, publish or own an existing VSCode extension.

The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.

Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.

VSCode is an absolute security shittip as a result.

@GossiTheDog especially bad in light of rejecting the requests for cooldowns in the past https://github.com/microsoft/vscode/issues/79689
[Feature Request] Fine grained control on extension auto updates · Issue #79689 · microsoft/vscode

BACKGROUND When an extension is updated, I am notified in the sidebar. I always check the changelog before clicking "update". Too often I will waste time by updating to a newer version, which is bug...
