Comment by jhancock
17 days ago
In VS Code settings search for "tasks" you will find "Task: Allow Automatic Tasks"...turn it off.
Anything else that should be locked down?
17 days ago
In VS Code settings search for "tasks" you will find "Task: Allow Automatic Tasks"...turn it off.
Anything else that should be locked down?
Don't mark the folder as trusted when you open in VsCode. The number of other hooks that may exist is going to be hard to track down (especially because each addon may add their own).
This may only provide a flalse sense of security. Afaik, there is no way to disable workspace settings taking priority over user settings, so a malious repo can easily override them and reenable automatic tasks.
Various settings are `restricted` in the codebase to only use them when the workspace is trusted. `allowAutomaticTasks` is one such setting: https://github.com/microsoft/vscode/blob/f7730c409e14af94d75...
So a malicious repo can easily override it... if you say you trust it.
Unrestricted outbound connections, specially from curl/wget/bash
Sounds like autorun on usb drives all over again. They cant learn
I think that's a bit ungenerous: there is a push and pull between security and seamless user experience and it's never obvious where the line should be set. You really only figure out which way to move it after someone complains.
Even if you lock everything now, what if the thing autoupdates with new helpful "features". You can't patch bad development culture.
1. Uninstall VSCode
2. Install Vim / Emacs / Sublime / Helix
3. ????
4. Profit
> Helix
I'm not sure about the other ones, but I know that helix supports language servers by default and it does not have a workspace trust system like vscode, so LSPs can automatically execute code when you enter a directory
https://github.com/helix-editor/helix/issues/9514#issuecomme...
So uninstalling VSCode would be a bit of a step back in that case
Yes, uninstall the whole thing. It's just a Chromium covered with a bunch of JavaScript.