Issue #113  (VS Code Extension Security)06/19/24

Advertisement
Workshop: Frontend Issues with Backend Solutions

Frontend issues are often triggered by backend problems. Join us as we discuss common sources for poor web vitals and how to use Tracing to connect issues through your stack at the code-level.

Workshop: Frontend Issues with Backend Solutions

Once in a while there always seems to be some talk about how insecure VS Code extensions are and how easy it is for extension developers to secretly push malware to users. Last week I featured an article on this subject and there's another one linked below that summarizes some of these problems.

For example, you might install an extension but eventually the ownership may change or the owner becomes malicious. A subsequent update may push something to your system that's harmful or invades your privacy.

One way you can minimize the chances of this happening is by turning off automatic updates on extensions. Search for the word "update" in your settings and you'll notice the top three results are related to extension updates and VS Code updates in general.
 
Disabling auto updates for VS Code extensions

If you're concerned about all updates, you can disable all update checks by unchecking the setting "Auto Check Updates". That might be overkill, so instead you can change the "Auto Update" setting to a value of "none", which allows you to manually update your extensions.

Once this is changed, you can still allow specific extensions to auto-update if you trust them. Go to your installed extensions, then click the extension you want to 'trust', and you'll notice there's now an empty check box you can tick that tells VS Code that you want to update this extension automatically.
 
Auto Updating a Single VS Code Extension

You can use the little cog icon to choose "Auto Update All (From Publisher)" which will allow this specific extension to be automatically updated.

And one last thing I'll mention here is a quote from the VS Code docs on the topic of extension security, where they answer the question Can I trust extensions from the Marketplace?
 
"The Marketplace runs a virus scan on each extension package that's published to ensure its safety. The virus scan is run for each new extension and for each extension update. Until the scan is all clear, the extension won't be published in the Marketplace for public usage."

There's more info on that page about the potential for 'name squatting' and a few other points. So it does seem that, for the most part, Microsoft is doing what they can to ensure the safety of the extensions.
 
Now on to this week's hand-picked links!
 

VS Code Tools
Pythagora (GPT Pilot) — Official VS Code extension for Pythagora, a GPT-based tool that brings a full AI developer right into your favorite editor.

Bread Jam — A VS Code extension that makes your code variables easier to distinguish with different render patterns, to enhance readability.

Workshop: Frontend Issues with Backend Solutions — Frontend issues are often triggered by backend problems. Join us as we discuss common sources for poor web vitals and how to use Tracing to connect issues through your stack at the code-level.   Sponsor 

VSJournal — A VS Code extension that lets you create journal entries and notes in VS Code, which you can sync to a remote repository.


VS Code Theme of the Week
Blue Light — A simple light theme that mainly features various blues in the UI and has decent contrast in the syntax highlighting.

Blue Light Theme for VS Code

If you like light themes, this is probably one you'll enjoy. Pictured above is the standard theme but it also has a newer version with italics and some subtle changes to the syntax colors.

VS Code Articles & Videos
Using WebAssembly for Extension Development – Part Two — Second part of the series from the VS Code blog on using WebAssembly for extension development.

📺 VS Code Tips – How to Solve All Your CSS Problems Instantly — Evidently Zoran did not post this on April 1st, but it's a bit of an older short that humorously points out the 'exclude' feature in File Explorer in VS Code.

The Morning Paper for Tech — Want a byte-sized version of Hacker News that takes just a few minutes to read? Try TLDR's free daily newsletter. It covers the most interesting tech, startup, and programming stories in just 5 minutes. No sports and no politics.  Sponsor 

Visual Studio Code Extensions are Much Less Secure than Browser Extensions or Even npm Packages — This covers some of the recent points that have been made elsewhere, but the overall problem outlined is pretty much the same as what's been discussed before.
 

Best of the Rest
calcul.io — An online math playground that makes learning and solving math problems enjoyable and includes comprehensive functionality and is mobile friendly.

MarsCode — A cloud-based IDE that includes a powerful AI assistant, doesn't require configuration, and offers extensions that support over 100 languages and mainstream IDEs.

Pop Quiz: What’s the Body’s Most Abundant Protein? — The answer: Collagen. NativePath's Certified Grass-Fed Collagen Powder is made from grass-fed, pasture-raised cows and contains 18 grams of protein per suggested serving. Start incorporating it daily to support skin elasticity, joint health, bone strength, and muscle growth and maintenance.  Sponsor 

strudel — A live coding platform, or REPL, that lets you write dynamic music pieces in the browser.

Suggestions?
If you have any link suggestions, including a tool, article, or other resources related to VS Code or another IDE, send it via DM on X: @LouisLazaris or just hit reply on this email.

That's it for this issue.

Happy VS Coding!
Louis
VSCode.Email
@LouisLazaris
Copyright © VSCode.Email. All rights reserved.

Not affiliated with Microsoft, Visual Studio Code, or any of its trademarks.