VS Code 1.123 Adds Two-Hour Extension Update Delay to Limit Supply Chain Attacks

VS Code 1.123 adds a two-hour delay before auto-updating extensions to newly published versions, creating a revocation window against supply chain attacks. The delay does not apply to trusted publishers such as Microsoft, GitHub, and OpenAI. Similar cooldown mechanisms have now spread across pip, RubyGems, npm, pnpm, Yarn, and Bun.
By Steef-Jan Wiggers
The rising frequency and impact of software supply chain attacks call for proactive defences in the development tools most people use every day.
VS Code's change, alongside the equivalent cooldowns in other package managers, indicates a broader industry response to supply chain compromise, one that affects both developer workflows and application security practice.
A default two-hour delay on extension updates in VS Code, and similar cooldowns in major package managers, creates a window in which a malicious release can be detected and withdrawn before auto-updating users receive it. The delay does not stop a compromised release on its own: it only helps if the release is noticed and revoked inside the window, and updates from the exempted trusted publishers are not delayed at all.
- Developers
- Application Security Teams
- Software Supply Chain Security Vendors
- End Users of Software
- Malicious Actors
- Attackers targeting Software Supply Chains
Reduced immediate exposure of auto-updating users to newly published malicious versions across a wide range of development ecosystems.
Greater responsibility on publishers and registries to monitor fresh releases and revoke compromised ones quickly, since the window only protects users if someone acts within it.
Room for automated detection and incident response tooling that treats the delay as the critical window for intervention, for example by scanning newly published versions before they become eligible for installation.
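The cooldown and revocation window described above, as an added example: this Python is not code from VS Code, InfoQ, or any of the package managers named on this page. It models an installer that refuses any version published less than two hours ago, bypasses the rule for an allowlisted publisher, and shows what happens when a compromised release is withdrawn inside the window versus left in place. The metadata shape follows the npm registry's public `time` map (version to ISO-8601 publish timestamp); the sample packument, its `publisher` field and the trusted-publisher set are constructed for illustration and are assumptions, not registry data.

```python
"""Minimum-release-age ("cooldown") version selection with a revocation window.

Added example, not VS Code's, InfoQ's, or any package manager's own code.
The packument shape follows the npm registry's public "time" map
(version -> ISO-8601 publish timestamp); the sample data, the "publisher"
field and the trusted-publisher allowlist are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(hours=2)  # the two-hour cooldown from the article

# Constructed scenario: the maintainer account was compromised and used to
# push 2.0.1 thirty minutes before NOW. Nothing here is real registry data.
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_PACKUMENT = {
    "name": "example-widget",
    "publisher": "example-org",  # assumed field; real packuments carry maintainers instead
    "dist-tags": {"latest": "2.0.1"},
    "time": {
        "created": "2025-01-05T08:00:00Z",
        "modified": "2026-03-10T11:30:00Z",
        "1.4.0": "2026-03-01T10:00:00Z",
        "2.0.0": "2026-03-10T09:00:00Z",  # 3 h old: eligible
        "2.0.1": "2026-03-10T11:30:00Z",  # 30 min old: still inside the cooldown
    },
}

# Constructed allowlist modelling the trusted-publisher exemption.
TRUSTED_PUBLISHERS = frozenset({"microsoft", "github", "openai"})

NON_VERSION_KEYS = ("created", "modified")


def _parse_version(v):
    """Order plain X.Y.Z versions; pre-release tags are out of scope here."""
    return tuple(int(part) for part in v.split("."))


def _publish_times(packument):
    """Map version -> timezone-aware publish datetime, skipping non-version keys."""
    times = {}
    for key, stamp in packument["time"].items():
        if key in NON_VERSION_KEYS:
            continue
        times[key] = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return times


def select_version(packument, now, min_age=MIN_AGE, trusted=TRUSTED_PUBLISHERS):
    """Pick the newest version that has been public for at least min_age.

    Returns (version, reason). Versions younger than min_age are ignored, so a
    release that is withdrawn inside the window is never chosen. Trusted
    publishers bypass the cooldown, as the VS Code policy does.
    """
    latest = packument["dist-tags"]["latest"]
    if packument.get("publisher", "").lower() in trusted:
        return latest, "trusted publisher, cooldown skipped"
    eligible = [v for v, t in _publish_times(packument).items() if now - t >= min_age]
    if not eligible:
        return None, "no version old enough yet; update deferred"
    chosen = max(eligible, key=_parse_version)
    if chosen == latest:
        return chosen, "latest"
    return chosen, f"{latest} is inside the {min_age} cooldown"


def unpublish(packument, version):
    """Model a registry revocation: the version vanishes and dist-tags move back."""
    time_map = {k: v for k, v in packument["time"].items() if k != version}
    pruned = {**packument, "time": time_map, "dist-tags": dict(packument["dist-tags"])}
    if pruned["dist-tags"]["latest"] == version:
        remaining = [k for k in time_map if k not in NON_VERSION_KEYS]
        pruned["dist-tags"]["latest"] = max(remaining, key=_parse_version)
    return pruned


if __name__ == "__main__":
    # Inside the window: the compromised 2.0.1 is skipped, 2.0.0 is installed.
    print(select_version(SAMPLE_PACKUMENT, NOW))
    # Revoked inside the window: two hours later 2.0.1 no longer exists.
    print(select_version(unpublish(SAMPLE_PACKUMENT, "2.0.1"), NOW + MIN_AGE))
    # Not revoked: the cooldown only delayed exposure, it did not prevent it.
    print(select_version(SAMPLE_PACKUMENT, NOW + MIN_AGE))
```

The third call in the usage block is the caveat that matters in practice: if nobody revokes the release within the window, the installer picks it up as soon as it turns two hours old, so the delay buys time for detection rather than providing protection by itself. The trusted-publisher branch mirrors the exemption the article describes and is the part of the policy a reviewer should weigh most carefully, since a compromised trusted account gets no window at all.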
Read at InfoQ