Microsoft is taking a significant step to bolster security in its Visual Studio Code (VS Code) environment by implementing a two-hour delay on automatic updates of extensions. This new measure aims to mitigate risks associated with software supply chain attacks.
The newly introduced delay will ensure that updates for VS Code extensions are automatically applied two hours after their release. Microsoft states that this precaution adds a crucial layer of security, helping to prevent the installation of compromised or problematic versions.
How the Delay Affects Extension Updates
Available with VS Code version 1.123, the update delay feature allows users to manually update extensions at any time via the ‘Update’ button. Additionally, the details view will provide users with information on pending updates and the scheduled automatic update time.
Importantly, this update delay does not affect extensions from trusted publishers, including Microsoft, GitHub, and OpenAI. Extensions from these sources will continue to receive immediate updates, maintaining their regular update schedule.
Comparison with Other Development Tools
This move by Microsoft follows a similar path taken by RubyGems, which recently introduced an optional cooldown feature in Bundler 4.0.13, allowing developers to set a delay for installing new gem versions. This feature aims to reduce the risk of exposure to malicious versions.
Other development tools have also adopted similar strategies. For instance, Bun, npm, pnpm, and Yarn have all implemented controls to delay installations of new package versions. These measures collectively aim to curb the spread of malicious software within developer ecosystems.
Why These Measures Matter
The introduction of these update delays comes amid a rise in software supply chain attacks that target development environments to distribute malware. By enforcing a waiting period before new package versions can be installed, developers have a better chance to identify and mitigate potential threats before they cause widespread harm.
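As an added example, not code from VS Code, Bundler, npm, pnpm, Yarn or Bun, the Python script below shows the cooldown rule that both the comparison section and the paragraph above describe: a release becomes installable only once it has been published for at least the configured delay, and the newest release that has cleared the delay is the one selected. The registry metadata is a constructed fragment shaped like the npm registry's "time" map (version to ISO 8601 publish timestamp); the package versions and dates are invented for the example, and the `trusted_publisher` switch is an assumption modelling the VS Code exemption for trusted publishers.

```python
"""Version cooldown selection, modelled on the install-delay controls described
in the article (added example; not code from any of the tools named there).

The metadata below is a constructed fragment shaped like the npm registry's
"time" map (version -> ISO 8601 publish timestamp). Package and dates are
made up for the example.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: a hypothetical package with four releases. The "created"
# and "modified" keys appear in real npm packuments and are not versions.
SAMPLE_TIME_MAP = {
    "created": "2024-01-01T00:00:00.000Z",
    "modified": "2024-03-10T09:30:00.000Z",
    "1.0.0": "2024-01-01T00:00:00.000Z",
    "1.1.0": "2024-02-15T12:00:00.000Z",
    "1.1.1": "2024-03-10T08:45:00.000Z",  # 45 minutes before NOW
    "1.2.0": "2024-03-10T09:30:00.000Z",  # published exactly at NOW
}

# Fixed "current time" so the example is deterministic.
NOW = datetime(2024, 3, 10, 9, 30, tzinfo=timezone.utc)

# The two-hour delay the article describes for VS Code extension updates.
TWO_HOURS = timedelta(hours=2)


def parse_version(key):
    """Return (major, minor, patch) for plain x.y.z keys, None for anything else
    (metadata keys, pre-release tags) so those entries are skipped."""
    parts = key.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def parse_timestamp(value):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def eligible_versions(time_map, now, cooldown):
    """Versions published at least `cooldown` before `now`, oldest first.

    A version whose publish time lies in the future (clock skew, or a tampered
    timestamp) is never eligible, because it cannot satisfy the cutoff."""
    cutoff = now - cooldown
    eligible = []
    for key, stamp in time_map.items():
        version = parse_version(key)
        if version is None:
            continue
        published = parse_timestamp(stamp)
        if published <= cutoff:
            eligible.append((version, key, published))
    return sorted(eligible)


def select_version(time_map, now, cooldown, trusted_publisher=False):
    """Newest version that has cleared the cooldown, or None if none has.

    `trusted_publisher=True` models the VS Code exemption (an assumption for
    this example): the delay is skipped and the newest release is chosen."""
    if trusted_publisher:
        cooldown = timedelta(0)
    candidates = eligible_versions(time_map, now, cooldown)
    if not candidates:
        return None
    return candidates[-1][1]


def eligible_at(time_map, version, cooldown):
    """When `version` becomes installable: its publish time plus the cooldown.
    This is the 'scheduled automatic update time' a details view could show."""
    return parse_timestamp(time_map[version]) + cooldown


if __name__ == "__main__":
    print("with 2h cooldown:", select_version(SAMPLE_TIME_MAP, NOW, TWO_HOURS))
    print("trusted publisher:",
          select_version(SAMPLE_TIME_MAP, NOW, TWO_HOURS, trusted_publisher=True))
    for v in ("1.1.1", "1.2.0"):
        when = eligible_at(SAMPLE_TIME_MAP, v, TWO_HOURS)
        print(f"{v} becomes installable at {when.isoformat()}")
```

With the two-hour delay the script picks 1.1.0, because 1.1.1 and 1.2.0 are both younger than two hours; with the trusted-publisher switch it picks 1.2.0 immediately. A `None` result means no release has cleared the delay yet, which a client should treat as "keep what is installed" rather than falling back to the newest version, since that fallback would silently defeat the cooldown.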
These protective steps are essential in maintaining the integrity of developer tools and ensuring that malicious software does not compromise downstream users. With these changes, Microsoft and other tech giants are demonstrating a proactive approach to safeguarding their ecosystems against evolving security threats.
