Microsoft said Visual Studio Code will wait two hours before automatically updating extensions for the editor, a change in VS Code 1.123 aimed at reducing supply chain risk. The delay does not apply to extensions from trusted publishers such as Microsoft, GitHub and OpenAI.
KEY FACTS
- Delay window: Automatic extension updates now wait two hours after publication.
- User control: Users can still install updates immediately with the Update button.
- Trusted publishers: Extensions from Microsoft, GitHub and OpenAI update right away.
- Related move: RubyGems added an opt-in cooldown for Bundler 4.0.13.
In a product update notice from Microsoft, the company said the delay gives users an extra layer of protection against problematic or potentially compromised releases. The details view for pending extensions now shows why an update has not yet been applied and when it will occur.
The feature is available in VS Code 1.123. Microsoft said the two-hour hold does not apply when automatic updates are enabled for trusted publishers, where new versions continue to install immediately.
The disclosure said the change follows a broader trend across package managers and registries that have added time-based release controls. It cited Bundler 4.0.13, along with recent minimum-age features in Bun, npm, pnpm and Yarn.
Those controls are meant to reduce the time a malicious package version can spread before registry maintainers detect and remove it. The report said supply chain incidents have increased across software ecosystems and have targeted developer systems and downstream users.
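A sketch of the cooldown decision described above, added here as an illustration and not VS Code's or any package manager's own code. The function and type names, the publisher "example-publisher" and the release data are constructed; installing the newest release that has already aged past the window while a newer one is held is an assumption modelled on minimum-age resolution, not something Microsoft's notice states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(hours=2)                 # delay window stated in the article
TRUSTED = {"microsoft", "github", "openai"}   # publishers the article lists as exempt


@dataclass(frozen=True)
class Release:
    version: tuple        # e.g. (1, 2, 0); tuples compare in version order
    published: datetime   # timezone-aware publication time


def plan_auto_update(publisher, installed, releases, now, manual=False):
    """Return (install_now, pending_version, pending_eligible_at)."""
    newer = sorted((r for r in releases if r.version > installed),
                   key=lambda r: r.version)
    if not newer:
        return None, None, None
    latest = newer[-1]
    # Manual updates and trusted publishers skip the delay entirely.
    if manual or publisher.lower() in TRUSTED:
        return latest.version, None, None
    # Assumption: fall back to the newest release that has aged past the window.
    aged = [r for r in newer if now - r.published >= COOLDOWN]
    install = aged[-1].version if aged else None
    if install == latest.version:
        return install, None, None
    # Newest release is still cooling down: report what is held and until when.
    return install, latest.version, latest.published + COOLDOWN


# Constructed sample data: a hypothetical publisher with two releases.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Release((1, 1, 0), NOW - timedelta(hours=5)),
    Release((1, 2, 0), NOW - timedelta(minutes=30)),
]

if __name__ == "__main__":
    install, held, when = plan_auto_update("example-publisher", (1, 0, 0), SAMPLE, NOW)
    print("install now:", install, "| held:", held, "| eligible at:", when)
```

The third return value corresponds to the "when it will occur" information the pending-update details view is said to show.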
WHY IT MATTERS
The change adds a short buffer that can slow the spread of a bad extension version without blocking manual installs. It also shows how software tools are increasingly using release delays to limit supply chain exposure.

