
VS Code adds 2-hour delay for extension updates to combat supply chain threats


The Hacker News reports that Microsoft is implementing a two-hour delay for automatic updates of Visual Studio Code (VS Code) extensions to enhance protection against software supply chain attacks. This new measure aims to provide an additional buffer against potentially compromised or problematic releases.

Starting with VS Code version 1.123, extensions will undergo a two-hour waiting period after publication before being automatically updated, provided automatic updates are enabled. Users retain the ability to manually update extensions immediately. This delay does not apply to extensions from trusted publishers like Microsoft, GitHub, and OpenAI, which will continue to update instantly. This initiative follows similar moves by package managers such as RubyGems, Bun, npm, pnpm, and Yarn, which have introduced cooldown periods or minimum release age settings.

These changes are a direct response to a rise in software supply chain attacks across various ecosystems, where malicious packages are used to compromise developer systems and distribute malware to end-users. The delay aims to reduce the window of exposure for newly published malicious versions before they can be identified and removed.
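As an added illustration (not code from VS Code, Microsoft, or any of the package managers named above): a minimal auto-update selector that applies the two-hour minimum release age and the trusted-publisher exemption described in the article. The publisher identifiers, sample versions and timestamps are constructed, and treating the publisher name as a lowercase id is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Publishers the article says are exempt from the delay (lowercase ids are an assumption).
TRUSTED_PUBLISHERS = frozenset({"microsoft", "github", "openai"})
MIN_RELEASE_AGE = timedelta(hours=2)
NO_DELAY = timedelta(0)  # models the manual "update now" path, which skips the cooldown


@dataclass(frozen=True)
class Release:
    publisher: str
    version: str
    published_at: datetime  # timezone-aware timestamp from the registry metadata


def version_key(version: str) -> tuple:
    """Order versions numerically (1.10.0 > 1.9.0), not lexically."""
    return tuple(int(part) for part in version.split("."))


def select_auto_update(releases, installed, now, min_age=MIN_RELEASE_AGE, trusted=TRUSTED_PUBLISHERS):
    """Return the newest release the auto-updater may install, or None to stay put.

    A release is eligible when its publisher is trusted or it has been public for
    at least `min_age`. A version pulled from the registry during its cooldown is
    simply absent from `releases`, so it is never chosen.
    """
    eligible = [
        r for r in releases
        if version_key(r.version) > version_key(installed)
        and (r.publisher in trusted or now - r.published_at >= min_age)
    ]
    if not eligible:
        return None
    return max(eligible, key=lambda r: version_key(r.version)).version


# Constructed sample data: one release still inside the two-hour window.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Release("example-publisher", "1.0.0", NOW - timedelta(days=3)),
    Release("example-publisher", "1.1.0", NOW - timedelta(hours=5)),
    Release("example-publisher", "1.2.0", NOW - timedelta(minutes=30)),  # too new
]
TRUSTED_SAMPLE = [Release("microsoft", r.version, r.published_at) for r in SAMPLE]

if __name__ == "__main__":
    print(select_auto_update(SAMPLE, "1.0.0", NOW))            # 1.1.0: 1.2.0 is held back
    print(select_auto_update(SAMPLE, "1.1.0", NOW))            # None: wait out the cooldown
    print(select_auto_update(SAMPLE, "1.1.0", NOW, NO_DELAY))  # 1.2.0: manual update
    print(select_auto_update(TRUSTED_SAMPLE, "1.1.0", NOW))    # 1.2.0: trusted publisher exempt
```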

Source: The Hacker News
