VS Code Adds 2-Hour Extension Auto-Update Delay to Limit Supply Chain Attacks
Summary
Microsoft is implementing a two-hour delay for automatic VS Code extension updates to mitigate software supply chain risks. This change aims to provide an additional security buffer by allowing time for potential issues in new extension versions to be identified before they are automatically applied.
IFF Assessment
This is good news for defenders as it introduces a proactive security measure to reduce the impact of compromised extensions in the software supply chain.
Defender Context
Developers and security teams should be aware of this change in VS Code's update mechanism. While intended to improve security, it might delay the deployment of legitimate extension updates. Defenders should monitor for any potential side effects and ensure their own development workflows account for this new delay.