Don't mark the folder as trusted when you open in VsCode. The number of other hooks that may exist is going to be hard to track down (especially because each addon may add their own).
This may only provide a flalse sense of security. Afaik, there is no way to disable workspace settings taking priority over user settings, so a malious repo can easily override them and reenable automatic tasks.
On macOS systems, this results in the execution of a background shell command that uses nohup bash -c in combination with curl -s to retrieve a JavaScript payload remotely
Unrestricted outbound connections, specially from curl/wget/bash
I think that's a bit ungenerous: there is a push and pull between security and seamless user experience and it's never obvious where the line should be set. You really only figure out which way to move it after someone complains.
I'm not sure about the other ones, but I know that helix supports language servers by default and it does not have a workspace trust system like vscode, so LSPs can automatically execute code when you enter a directory
rcxdude|1 month ago
StingyJelly|1 month ago
Tyriar|1 month ago
So a malicious repo can easily override it... if you say you trust it.
gus_|1 month ago
Muromec|1 month ago
tclancy|1 month ago
exitb|1 month ago
ecshafer|1 month ago
2. Install Vim / Emacs / Sublime / Helix
3. ????
4. Profit
__jonas|1 month ago
I'm not sure about the other ones, but I know that helix supports language servers by default and it does not have a workspace trust system like vscode, so LSPs can automatically execute code when you enter a directory
https://github.com/helix-editor/helix/issues/9514#issuecomme...
So uninstalling VSCode would be a bit of a step back in that case
dude250711|1 month ago