Comment by jasode

reply to multiple comments :

mjdv : > it wasn't clear to me that just opening and trusting a directory

andy_ppp : >obviously I wasn’t explicit enough in explaining I’m talking about code execution simply by opening a directory.

Understandably, there's a disconnect in the mental model of what "opening a folder" can mean in VSCode.

In 99% of other software, folders and directories are purely navigation and/or organization and then you must go the extra step of clicking on a particular file (e.g. ".exe", ".py", ".sh") to do something dangerous.

Furthermore, in classic Visual Studio, solutions+projects are files such as ".sln" and ".vcsproj" or a "CMakeLists.txt" file.

In contrast, VSCode projects can be the folders. Folders are not just purely navigation. So "VSCode opening a folder" can act like "MS Excel opening a .xlsm file" that might have a (dangerous) macro in it. Inside the VSCode folder may have a "tasks.json" with dangerous commands in it.

Once the mental model groks the idea that a "folder" can have a special semantic meaning of "project+tasks" in VSCode, the warning messages saying "Do you trust this folder?" make more sense.

VSCode uses "folders" instead of a top-level "file" as a semantic unit because it's more flexible for multiple languages.

To re-emphasize, Windows File Explorer or macOS Finder "opening a folder" do not run "tasks.json" so it is not the same behavior as VSCode opening a folder.