Microsoft has announced that Visual Studio Code (VS Code) will apply a two-hour delay before extensions for the integrated development environment (IDE) are updated automatically to a newer version in an attempt to tackle software supply chain threats.
“When automatic updates are enabled, new versions are auto-updated two hours after they are published, adding an extra layer of protection against problematic or potentially compromised releases,” Microsoft said.
The new feature is available starting in VS Code 1.123.
The tech giant noted that users still have the option to update any extension immediately at any point in time by using the “Update” button. When extensions have pending updates, a reason for why they haven’t been updated yet will be available in the details view, along with when the automatic update will take place.
That said, this two-hour delay does not apply to extensions from trusted publishers such as Microsoft, GitHub, and OpenAI, it added. Extensions from such publishers will continue to be updated immediately.
The development comes days after RubyGems added an opt-in cooldown feature to Bundler 4.0.13 that delays installation of newly published gem versions for a pre-defined period.
Specifically, the feature allows developers to configure Bundler to introduce a time-based install delay with an aim to reduce potential exposure arising from newly published malicious versions.
Over the past year, similar installation controls have also been added to Bun, pnpm, npm, and Yarn:
- Bun – minimumReleaseAge (Bun 1.3+)
- npm – min-release-age (npm v11.10.0+)
- pnpm – minimumReleaseAge (pnpm 10.16+)
- Yarn – npmMinimalAgeGate (Yarn Berry 4.10.0+)
These changes arrive against the backdrop of a surge in software supply chain incidents targeting various ecosystems to breach developer systems and propagate malware to downstream users.
By enforcing a minimum age threshold before a particular package version can be installed, the defensive control narrows the window during which a malicious release can spread before it is flagged and taken down by the registry maintainers.
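As an added illustration, not code from Microsoft or from any of the package managers named above, the gate that each of these controls implements: given the publish timestamps a registry returns for a package and a minimum age, pick the newest version that is old enough and report which newer releases were held back and for how long. The package metadata, timestamps and version scheme are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed "time" map as an npm-style registry returns it for a package:
# version -> publish timestamp, plus a non-version "modified" key that real
# metadata also carries and that the gate must skip. Not a real package.
SAMPLE_TIME_MAP = {
    "modified": "2025-03-12T07:55:00Z",
    "1.2.0": "2025-03-01T10:00:00Z",
    "1.2.1": "2025-03-10T08:30:00Z",
    "1.3.0": "2025-03-12T07:55:00Z",   # newest, published minutes ago
}

def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _is_version(key: str) -> bool:
    # Simplification: plain dotted numeric versions only (no pre-release tags).
    return key.replace(".", "").isdigit()

def _version_key(v: str):
    return tuple(int(p) for p in v.split("."))

def select_version(time_map, min_age_hours, now_iso):
    """Apply a minimum release age to a package's version list.

    Returns (chosen, held): chosen is the newest version whose age is at least
    min_age_hours (None if nothing is old enough yet); held lists every version
    newer than chosen that was held back, as (version, seconds_until_eligible).
    """
    now = _parse(now_iso)
    min_age = timedelta(hours=min_age_hours)
    eligible, held = [], []
    for version, published in time_map.items():
        if not _is_version(version):
            continue
        age = now - _parse(published)
        if age >= min_age:
            eligible.append(version)
        else:
            held.append((version, int((min_age - age).total_seconds())))
    chosen = max(eligible, key=_version_key) if eligible else None
    if chosen is not None:
        held = [h for h in held if _version_key(h[0]) > _version_key(chosen)]
    return chosen, sorted(held, key=lambda h: _version_key(h[0]))

if __name__ == "__main__":
    chosen, held = select_version(SAMPLE_TIME_MAP, 24, "2025-03-12T08:00:00Z")
    print("install:", chosen)
    for version, wait in held:
        print(f"held back: {version} (eligible in {wait // 60} minutes)")
```

With a 24-hour gate the script installs 1.2.1 and reports 1.3.0 as held back; with the gate set to zero hours it installs 1.3.0, which is the behaviour the delay is meant to avoid.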
