top | item 47113609

(no title)

Is Microsoft ever going to implement proper VS Code plugin sandboxing? There are so many good extensions I would like to use, but I hate the security implications of loading yet more unvetted code for a nice-to-have.

Then again, I see that the top buzz in the industry is about Claws and letting LLMs run loose with only a handshake agreement to be safe, and I already know the answer.

discuss

StrangeSound|7 days ago

And it's only getting worse with the waves of vibe-coders.

I actually wrote about this recently after poking around a popular extension that Antigravity users were installing. It's wild what people are doing with your credentials, and you'd have no idea! https://opista.com/posts/blind-trust-in-vs-code-extensions

dawnerd|7 days ago

I got in an argument with someone the other day that said their vibe coded app was more secure than something hand written because the ai “knows all exploits”.

We’re cooked.

MantisShrimp90|7 days ago

The only real answer is something like web assembly and that would be a major breaking change for them.

This is why allot run dev containers but agreed this really should be top priority but instead is probably in the "maybe if we have a major security incident" bucket of concerns as these things often are

pjmlp|6 days ago

This is already supported for a while and is the way to have those Rust and C++ processes run in the Web IDE version on Github and Azure DevOps.

disintegrator|6 days ago

This is in part why I've been developing inside a VM for the last 2 years. Interestingly, VS Code has nice support for installing and running extensions on the remote. Only themes live on the host.

benatkin|7 days ago

Doesn't seem like it. It will be stuck in a security theater situation, just like Chrome extensions. Not an upgrade from the old highly powerful firefox extensions or those of the Atom text editor.

socalgal2|6 days ago

which other text editors implement sandboxing?

bandrami|6 days ago

emacs can but for some reason by default only does it with themes

frehu|7 days ago

There's no malware in it currently, but I understand your concerns - I could be lying, go rogue later, or just get my access stolen.

One option is to vet a version yourself and disable auto-update, but that's not really feasible to spend time on for most people.

3eb7988a1663|7 days ago

Sorry, no sleight intended against you, just a general concern as more and more cool utilities keep getting built into the platform.

frehu|7 days ago

[deleted]