Visual Studio Code now waits two hours before auto-updating extensions. Microsoft added the delay in version 1.123 as a security measure against supply chain attacks, giving the community time to spot malicious updates before they spread to millions of developers' machines.
Here's why this matters. VS Code has become the dominant code editor, with over 70% market share among professional developers. When a popular extension updates, that update can reach millions of machines within hours. If that update contains malicious code—whether from a compromised maintainer account or a deliberate attack—it can compromise countless development environments before anyone notices.
The two-hour delay creates a window for detection. Security researchers, automated scanning tools, and eagle-eyed users can spot suspicious changes before they propagate everywhere. Extension maintainers can pull updates that break things before the damage spreads. It's not foolproof, but it's a meaningful speed bump.
From a technical perspective, this is straightforward. Instead of immediately downloading new extension versions when auto-update is enabled, VS Code waits 120 minutes. Users can still manually update immediately using the Update button. The delay only affects automatic updates.
Interestingly, extensions from trusted publishers—Microsoft, GitHub, and OpenAI—bypass the delay entirely. Their updates install immediately, which is either reasonable (these are established organizations with security teams) or concerning (it creates a two-tier security model where some publishers are assumed safe).
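As an added illustration (not code from the article or from VS Code itself), the following Python models the auto-update policy described above: the 120-minute delay, the trusted-publisher bypass, the manual-update bypass, and the case where auto-update is disabled. The publisher identifiers and release timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Delay the article describes: 120 minutes for non-trusted publishers.
UPDATE_DELAY = timedelta(minutes=120)
# Publishers the article says bypass the delay. These ID strings are constructed
# for the example; the real marketplace publisher IDs may differ.
TRUSTED_PUBLISHERS = frozenset({"microsoft", "github", "openai"})

@dataclass(frozen=True)
class ExtensionRelease:
    extension_id: str       # "<publisher>.<name>", the form `code --list-extensions` prints
    version: str
    published_at: datetime  # marketplace publish time, UTC

    @property
    def publisher(self) -> str:
        return self.extension_id.split(".", 1)[0].lower()

def auto_update_decision(release, now, auto_update_enabled=True, manual=False):
    """Return (installs_now, eligible_at). Manual updates always install; with
    auto-update disabled nothing installs; trusted publishers skip the delay;
    every other release waits until it is 120 minutes old."""
    if manual:
        return True, now
    if not auto_update_enabled:
        return False, None
    if release.publisher in TRUSTED_PUBLISHERS:
        return True, release.published_at
    eligible_at = release.published_at + UPDATE_DELAY
    return now >= eligible_at, eligible_at

def pending_updates(releases, now, auto_update_enabled=True):
    """Split releases into those auto-update installs now and those it defers."""
    installed, deferred = [], []
    for r in releases:
        ok, eligible_at = auto_update_decision(r, now, auto_update_enabled)
        (installed if ok else deferred).append((r, eligible_at))
    return installed, deferred

# Constructed sample data, not real marketplace releases.
NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    ExtensionRelease("microsoft.sample-ext", "1.2.0", NOW - timedelta(minutes=5)),
    ExtensionRelease("acme.linter", "3.0.1", NOW - timedelta(minutes=30)),
    ExtensionRelease("acme.formatter", "0.9.0", NOW - timedelta(minutes=125)),
]
```

With the sample above, the trusted release and the 125-minute-old release install immediately, while the 30-minute-old release is deferred for another 90 minutes.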
This approach mirrors similar protections in package ecosystems. npm, Yarn, pnpm, and Bundler have all added configurable delays or confirmation prompts before installing dependencies. The pattern is clear: the developer community is taking supply chain security more seriously after several high-profile attacks.
The context here is important. Supply chain attacks work because of trust relationships. Developers trust extension authors, so they install extensions without scrutiny. Extension authors trust their own infrastructure, which might be compromised. A single compromised maintainer account can potentially compromise thousands of organizations.
We've seen this happen. The event-stream npm package was hijacked to steal cryptocurrency wallet credentials. The SolarWinds attack injected malicious code into a widely-used enterprise tool. The threat model is real, not theoretical.
Developer reactions have been mixed. Some appreciate the security-first approach. Others find the delay annoying, especially for extensions they maintain themselves and want to test immediately. The ability to manually update addresses the latter concern, at least.
What's notable is that this is opt-out security. The delay applies by default. Users who want immediate updates can disable auto-update entirely, but most users will get the protection without thinking about it. That's good security design—the safe path should be the default path.
The effectiveness of this measure depends on the community's ability to actually spot malicious updates within that two-hour window. A sophisticated attacker could craft code that evades automated scanning and doesn't trigger obvious red flags. The delay buys time, but it's not a comprehensive defense.
Microsoft could go further. They could require code signing for extensions, implement more aggressive automated scanning, or create a community-driven extension review process. Each option has trade-offs between security and ecosystem openness.
The technology is impressive—VS Code's extension ecosystem is genuinely powerful. The question is whether a two-hour delay provides meaningful security or just security theater. Based on the attacks we've seen, I lean toward meaningful. It's not enough by itself, but it's a useful layer in defense-in-depth.
For developers, this is a good reminder to think about your extension trust model. Do you auto-install updates? Do you review what permissions extensions request? Do you know what code is running in your editor? Most developers don't, which is exactly why this delay exists.
