microsoft / pylance-release

Documentation and issues for Pylance
Creative Commons Attribution 4.0 International

Setting "python.analysis.nodeExecutable" requires a manual confirmation? #6047

Open pcasdf opened 1 week ago

pcasdf commented 1 week ago

Is there any way to change this behavior?

[Screenshot 2024-06-21 at 1 31 26 PM]

With python.analysis.nodeExecutable overridden, our devs often get this prompt. It doesn't always appear, but it also doesn't only appear once. I've had to confirm multiple times. Is there any way to get this to auto-accept? If we're specifying the python.analysis.nodeExecutable value ourselves, I don't understand why users have to additionally manually confirm this with a click. I think this is a bad experience, since in our workspace, there are a bunch of other notifications that appear and this one can be easy to miss.

rchiodo commented 3 days ago

It should be a bug that you have to answer multiple times. The answer to this question is stored in a global memento on the user's machine (using this VS Code API: https://code.visualstudio.com/api/references/vscode-api#Memento).

We ask, though, to ensure that you aren't running an executable that isn't protected.

Are you changing the path? The answer to the question is keyed off of the path. If there's no key, it would ask again.

pcasdf commented 3 days ago

I see. I found some other threads about the thinking behind the confirmation. I dislike that behavior, but it doesn't sound like there's any plan to change that. Although, I still think there should at least be a config to let us disable that explicitly.

I don't know what could be changing our path. Is that memento stored somewhere in .vscode-server? There's definitely a bug here, but it doesn't occur every time. Happens both on our remote machines and locally. I'll try to assess what might be triggering this to pop up again since I don't have a solid repro now.

rchiodo commented 3 days ago

It should pop up on every new machine (or remote machine). So if it popped up for you locally and then you connect to a remote, it would pop up again. The memento is stored on the machine AFAIK.

We were told to ask by the security team at Microsoft. It's a potential attack vector if you set this node executable to a path that's writable by multiple users. You might not be using the node you thought you were. It does seem like overkill to me too though. You explicitly typed it in as it can't be set in a workspace settings.json.
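An added example, not part of the thread and not Pylance's own logic: a POSIX-only Python check for the risk described above, reporting whether the file set as `python.analysis.nodeExecutable`, or any directory above it, can be modified by users other than the current user or root. The names `shared_write_findings` and `demo`, the trusted-uid default, and the sample directory layout are assumptions made for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def shared_write_findings(executable, trusted_uids=(0,)):
    """List (path, reason) for the executable and every ancestor directory
    that someone other than the current user or root could modify."""
    trusted = set(trusted_uids) | {os.getuid()}
    target = Path(executable).resolve(strict=True)  # check the real file, not a symlink
    findings = []
    for p in (target, *target.parents):
        st = p.stat()
        if st.st_uid not in trusted:
            findings.append((str(p), f"owned by untrusted uid {st.st_uid}"))
        # In a sticky directory (e.g. /tmp) only an entry's owner can rename or
        # delete it, so the write bits alone do not let others swap the child.
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
            continue
        if st.st_mode & stat.S_IWOTH:
            findings.append((str(p), "world-writable"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((str(p), f"group-writable (gid {st.st_gid})"))
    return findings


def demo():
    """Constructed sample: a placeholder 'node' file in a private directory,
    then the same directory opened to all users. Returns flagged paths."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "tools"
        bin_dir.mkdir()
        node = bin_dir / "node"       # placeholder file, not a real Node.js binary
        node.write_text("#!/bin/sh\n")
        os.chmod(node, 0o755)
        os.chmod(bin_dir, 0o755)
        private = {p for p, _ in shared_write_findings(node)}
        os.chmod(bin_dir, 0o777)      # now any local user can replace 'node'
        shared = {p for p, _ in shared_write_findings(node)}
        return str(bin_dir.resolve()), str(node.resolve()), private, shared


if __name__ == "__main__":
    bin_dir, node, private, shared = demo()
    print("private dir flagged:", bin_dir in private)
    print("shared dir flagged: ", bin_dir in shared)
```

A group-writable finding is only a problem when the group has members other than the intended user, so review those entries against the group's membership.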

pcasdf commented 3 days ago

Big agree. Just to confirm, it does happen to me on the same machine, i.e. it happens to me locally multiple times without me consciously changing my path, and it happens on my remote machine multiple times. I believe there's a good chance that it's due to something I'm doing on my end unconsciously, like having to re-install the extension after removing the .vscode-server directory or something similar. Feel free to close this out, thank you for your insight!