VS Code Adds 2-Hour Extension Auto-Update Delay to Mitigate Supply Chain Risks
Visual Studio Code now delays automatic extension updates by two hours, introducing a crucial buffer to combat software supply chain attacks.

Microsoft has implemented a new security measure in Visual Studio Code (VS Code) that introduces a two-hour delay before automatically updating extensions. This change, available in VS Code version 1.123, is designed to provide a critical buffer period, allowing for earlier detection of potentially malicious or compromised extensions before they are deployed to a wide user base.
The new default behavior targets a common supply chain attack pattern: a publisher's account or release pipeline is compromised, a malicious version is pushed to the marketplace, and automatic updates deliver it to every installed copy within minutes. Holding automatic updates for two hours gives the marketplace, the publisher, and the community a window in which to notice and pull a malicious or broken release before it reaches most developers and their projects.
While the automatic update process now includes this delay, users can still update any extension immediately by clicking the "Update" button; doing so bypasses the buffer, so a manual update of a release that is only minutes old gets no protection from it. For extensions with a pending update, VS Code shows the reason for the delay and the time at which the automatic update is scheduled, so the user can see what is being held and why.
Notably, the two-hour delay does not apply to extensions from publishers VS Code treats as trusted, namely Microsoft, GitHub, and OpenAI; updates from these publishers are still applied immediately. This is a tiered model keyed on publisher trust rather than on the content of the update, so the exemption rests on those publishers' own release pipelines staying uncompromised.
This initiative by Microsoft follows similar controls in several package managers. RubyGems recently introduced an opt-in cooldown in Bundler 4.0.13 that lets developers configure a delay before newly published gem versions are installed. Bun and pnpm expose a `minimumReleaseAge` setting, Yarn an `npmMinimalAgeGate` setting, and npm a comparable control; the tools do not all express the age in the same unit, so check the unit each one expects before setting a value.
The surge in software supply chain incidents has underscored the need for such defensive measures. Attackers increasingly target open-source ecosystems to infiltrate developer systems and distribute malware to downstream users. A time-based gate shrinks the window during which a freshly published malicious package can spread before registry maintainers identify and remove it. It is a buffer rather than a detection mechanism: it only helps if the bad release is caught and pulled within the cooldown, and it holds legitimate fixes for the same period.
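To make the gate concrete, here is an added example (not code from VS Code, Bundler, or any of the package managers named above) of the minimum-release-age logic the preceding paragraphs describe. It takes registry-style metadata mapping each version to its ISO 8601 publish time (the shape npm-style registries expose under their `time` field), a reference clock, and a cooldown, and decides which version an auto-updater may install, which version is waiting and until when, and how a manual update and a trusted-publisher exemption bypass the gate. The extension, versions, and timestamps are constructed for this example.

```javascript
// Added example of a minimum-release-age gate; not VS Code's or any
// package manager's implementation. Metadata shape: version -> ISO 8601
// publish timestamp, as npm-style registries expose under "time".

// Two hours, matching the VS Code default described in the article.
const DEFAULT_COOLDOWN_MS = 2 * 60 * 60 * 1000;

// Constructed sample metadata for a hypothetical extension. 1.5.0 was
// pushed 15 minutes before the reference clock used below.
const SAMPLE_TIMES = {
  "1.4.0": "2025-01-10T09:00:00Z",
  "1.4.1": "2025-01-14T10:15:00Z",
  "1.5.0": "2025-01-14T11:45:00Z",
};

// Numeric comparison of dotted versions; enough for MAJOR.MINOR.PATCH
// (a real updater would use a full semver parser with pre-release rules).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Age of `version` in milliseconds at `now`; NaN if the timestamp is unparsable.
function ageMs(times, version, now) {
  return now.getTime() - Date.parse(times[version]);
}

// Newest version whose publish time is at least `cooldownMs` in the past.
// `trusted` models the publisher exemption: trusted publishers skip the gate.
// Returns null when no version is old enough, so the caller installs nothing
// rather than falling back to an arbitrary version.
function selectAutoUpdate(times, now, cooldownMs = DEFAULT_COOLDOWN_MS, { trusted = false } = {}) {
  const newestFirst = Object.keys(times).sort(compareVersions).reverse();
  for (const v of newestFirst) {
    const age = ageMs(times, v, now);
    if (Number.isNaN(age)) continue; // skip entries with broken metadata
    if (trusted || age >= cooldownMs) return v;
  }
  return null;
}

// What the UI would report for a held update: which version is waiting,
// why, and when its cooldown expires. Returns null if nothing is gated.
function pendingUpdate(times, now, cooldownMs = DEFAULT_COOLDOWN_MS) {
  const newest = Object.keys(times).sort(compareVersions).pop();
  const age = ageMs(times, newest, now);
  if (Number.isNaN(age) || age >= cooldownMs) return null;
  return {
    version: newest,
    reason: `published ${Math.round(age / 60000)} min ago; cooldown is ${cooldownMs / 60000} min`,
    availableAt: new Date(Date.parse(times[newest]) + cooldownMs).toISOString(),
  };
}

// A manual "Update" click: the user explicitly accepts the newest version,
// so the gate is not consulted at all.
function manualUpdate(times) {
  return Object.keys(times).sort(compareVersions).pop();
}

// Stand-alone demonstration against the constructed sample.
const NOW = new Date("2025-01-14T12:00:00Z");
console.log(selectAutoUpdate(SAMPLE_TIMES, NOW));                                          // "1.4.0"
console.log(selectAutoUpdate(SAMPLE_TIMES, NOW, DEFAULT_COOLDOWN_MS, { trusted: true }));  // "1.5.0"
console.log(pendingUpdate(SAMPLE_TIMES, NOW));                                             // 1.5.0 held until 13:45Z
console.log(manualUpdate(SAMPLE_TIMES));                                                   // "1.5.0"
```

At the reference clock, both 1.4.1 (105 minutes old) and 1.5.0 (15 minutes old) are inside the two-hour window, so the auto-updater stays on 1.4.0 and reports 1.5.0 as pending until 13:45Z; a trusted publisher or a manual click gets 1.5.0 at once. The example also shows the trade-off in practice: if 1.4.1 had been an urgent fix, it would be held just as long as a malicious 1.5.0 would.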
This proactive approach by VS Code and other development tools is crucial in building a more resilient software development lifecycle. As the reliance on third-party code and extensions grows, safeguarding the integrity of the supply chain becomes paramount to protecting developers and the software they create from evolving threats.