search

microsoft / vscode

Visual Studio Code
https://code.visualstudio.com
MIT License
164.49k stars 29.37k forks source link

Better handle first-time opening of workspaces with explicit typescript.tsdk specified #91674

Closed IanKemp closed 4 years ago

IanKemp commented 4 years ago

See #26046 for context.

The reason why VS Code does not implicitly use the workspace TS version is claimed to be for security reasons: if you clone a repo that has a malicious TS version in its node_modules, the current behaviour prevents that code from being run implicitly.

This is a nonsensical argument because it assumes that nothing should be done implicitly when the user performs an explicit action - if we follow said argument to its conclusion, then nothing should happen when you open a VS Code workspace, or when you press the power button on your computer. An explicit user action always has implicit elements.

A more convincing argument is likely "Microsoft doesn't want to get sued/have its name in the news because an idiot cloned a malicious repo and it stole all his bitcoins" or "we don't want script kiddies making a plethora of repos with hacked TS versions in them to try and catfish unwary devs".

Regardless, the current behaviour of having to explicitly select the workspace TS version the first time you open a workspace is both irritating and barely a step above just implicitly using that version. After all, there is no "hey this could pwn your machine are you sure?" prompt when you actually select the workspace version.

A global setting "preferWorkspaceTypeScriptVersion" would essentially cover this scenario. By default it's false which means do the current behaviour. If a user sets it to true (implicit action, therefore safe!) then the workspace TS version is always used.

If that's not suitable (because a user could copy someone else's global VS Code config with "preferWorkspaceTypeScriptVersion" = true and then they would not explicitly assent to running the TS code they downloaded, oh the humanity!) then the least-effort best-experience way of making this better is to simply add a Yes/No dialog that pops up the first time opening a workspace with typescript.tsdk specified, that asks the user if they want to use the workspace TS version (with appropriate "you could get pwned and Microsoft won't be held responsible" warnings), or the VS Code builtin version.

mjbvz commented 4 years ago

No need to make it so complicated. The reason we don't load the workspace tsdk automatically without prompting is simple: opening a folder/file should never be able to automatically run code from that workspace. That's seems like a reasonable goal

Having said that, this is a duplicate of #65546