
Using VS Code + Markdown All in One (https://marketplace.visualstudio.com/items?itemName=yzhang.m...) has honestly been the most productive blogging tool I've used in a very long time, more so than dedicated Markdown blogging tools like iA Writer. (Granted, half of that is due to "Paste link on selected text", which is an embarrassingly common workflow for me.)

Adding Prettier (https://marketplace.visualstudio.com/items?itemName=esbenp.p...) for its underdiscussed Markdown formatting keeps READMEs and blog posts clean as well.



Still amazed by the amount of external production dependencies these VSCode extensions all seem to require. I wonder how tight Microsoft's grip is on extension security and how deep any of their automated checks might go.

The extension functionality does look great though. I wrote some similar functions in my nvim which I would have really a hard time living without.
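The concern above about how many production dependencies extensions pull in can be checked locally rather than guessed at. The following is an added example (not code from the thread or from any extension): it walks the standard VS Code extension directory, `~/.vscode/extensions/<publisher>.<name>-<version>/package.json`, and reports each extension's declared runtime (`dependencies`) packages, which is where the third-party code an extension executes at run time is declared. The sample extension tree it builds when no real one exists is constructed for the example.

```python
"""Inventory the production dependencies declared by installed VS Code extensions.

Added example, not from the thread or any extension project. It assumes the
standard layout ~/.vscode/extensions/<publisher>.<name>-<version>/package.json,
where "dependencies" lists runtime (production) packages shipped with the
extension and "devDependencies" lists build-time-only ones.
"""
import json
import os
import tempfile
from pathlib import Path


def inventory_extensions(ext_root):
    """Return {extension_dir_name: sorted list of production dependency names}.

    Extensions whose package.json is missing or unparsable are reported with
    the value None so they surface for manual review instead of vanishing.
    """
    report = {}
    root = Path(ext_root)
    if not root.is_dir():
        return report
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        manifest = ext_dir / "package.json"
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
            deps = data.get("dependencies") or {}
            report[ext_dir.name] = sorted(deps)
        except (OSError, ValueError):
            report[ext_dir.name] = None
    return report


def summarize(report):
    """Total number of declared production dependencies across parsed extensions."""
    return sum(len(d) for d in report.values() if d is not None)


def build_sample_tree():
    """Create a constructed, temporary extension directory so the script runs offline."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-sample-"))
    samples = {
        # constructed manifests; publisher/extension names are placeholders
        "example.markdown-helper-1.0.0": {
            "dependencies": {"lodash": "^4.17.0", "axios": "^1.0.0"},
            "devDependencies": {"typescript": "^5.0.0"},
        },
        "example.no-deps-0.1.0": {"devDependencies": {"esbuild": "^0.19.0"}},
    }
    for name, manifest in samples.items():
        d = root / name
        d.mkdir()
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    broken = root / "example.broken-2.0.0"
    broken.mkdir()
    (broken / "package.json").write_text("{not json", encoding="utf-8")
    return root


if __name__ == "__main__":
    ext_root = os.path.expanduser("~/.vscode/extensions")
    if not os.path.isdir(ext_root):
        ext_root = build_sample_tree()
    report = inventory_extensions(ext_root)
    for name, deps in report.items():
        shown = "UNPARSABLE" if deps is None else f"{len(deps)} {deps}"
        print(f"{name}: {shown}")
    print(f"total declared production dependencies: {summarize(report)}")
```

One caveat when reading the output: extensions that bundle their code with a tool like webpack or esbuild often list the bundled packages under `devDependencies`, so a short `dependencies` list does not by itself mean little third-party code runs; it only tells you what the manifest declares.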


It's no different or worse than the security model of any other text editor or IDE. It runs as your user (unless you're doing something zany like running an admin account), and it can do anything your user can do like launch programs or subprocesses you have access to execute. A vs code extension isn't going to get some unexpected power like root privilege to start messing with your system, opening low ports, etc.


You're right; what I'm curious about is how difficult it'd be to sneak a malicious command into some VSCode extension update through these production dependencies, and how far, say, an rm -rf <allthethings> could reach from the trusted project root directory from which it is executed.

I'm not a VSCode user myself, but it's pretty much the same story with nvim.

edit: I suppose what I'm really getting at, is that, depending on what their security measures look like, the VSCode extension store might be giving some false sense of security.


A lot of supply chain security relies on trusted actors doing the right thing. It’s similar to how you can trust an ingredients label.

I suppose I could mention that on a Mac, I use Objective-See’s tools to watch what programs do in the background. And also on a Mac, you have to grant access to apps first otherwise they can’t normally access files. Of course, that breaks down in reality as most apps are useless if they can’t access files.

If you really want a scare, consider that if you compromise an ecosystem package (e.g. npm), you can run on developer machines, CI systems and possibly in production, while if you compromise a VS Code extension, you only get dev machines.

If you’re looking for a bit of extra protection, you can run VS Code from a virtual machine or even run it from Docker. Though the usual docker approach, using remote containers extension, still runs on your local computer. There’s GitHub Codespaces or Google Cloud Shell that can run VS Code remotely in a VM, though.


Most projects I'm involved with require measures that go a bit further still. Got to be honest though, it can be frustrating at times.

Just sprinkling bits of awareness around by bringing some of these considerations up whenever I can. It's an uphill battle, although the general carelessness around extension and dependency use I'm seeing - and that even after all the shit that's been going on in that space - makes it one worth fighting.

Edit: Regarding the chain of trust you mention, that one has sort of come and gone, and there is not a whole lot of trust involved in the processes I'm saddled up with.


That's an aspect from mobile OSes I miss on desktops: apps run as their own user, and have to be granted permissions to do things like read & write files outside their own "home" directory.

Programs should run as their own users. Programs should be granted access to files opened via system (desktop environment) file picker APIs or when passed in via a shell. Desktop environments & shells would need to be modified to allow this, of course.


Mobile OS permissions are way too limited. It's one of the reasons there are no good programming environments on mobile.

> Programs should be granted access to files opened via system (desktop environment) file picker APIs or when passed in via a shell.

For example, this would render the file tree of any IDE or advanced editor (like VS code) completely useless. I can count on one hand the number of times I've used the system file picker when programming.


It should also be possible to manually grant broader permissions. I'm just hoping to avoid how automatic grants tend to be missing from mobile OSes.


It's not like simpler editors have saner defaults: https://groups.google.com/g/vim_dev/c/sRT9BtjLWMk/m/BRtSXNU4... (yeah, I got bit by a variation of that one recently) (pro tip: don't let your autoloader scan for non-PHP files)


That thread turned from a pretty straightforward permission issue discussion to a display of some esoteric dark arts in only a few posts!

Not sure if I consider vim either simple or sane, but then again, it was first released quite a while ago, in 1991 for the Amiga, and it was based on the even older original vi from 1971 - the era of physical TTYs, no mice, and punchcard programming (ugh! glad I wasn't born yet).

Can hardly blame grandpa for forgetting and acting strange every once in a while at his age :)


> Can hardly blame grandpa for forgetting and acting strange every once in a while at his age :)

When grandpa refuses to wear glasses even though he can't see jack then it's time to take his car's key off of his hands.


His spawn - NeoVim - is truly trying his best but Gramps just won't let go!


+1. Also, Copy Image to File. Very very handy for snipping and just pasting it in the Markdown document you're editing.


This is an incredibly difficult plugin to search for. Can you post a link to it or provide the author's name?


I was also curious. I found an extension called Markdown Paste[0], by searching for an extension to automatically base64 encode images into markdown in VSCode, which is not how this extension works at all.

0: https://marketplace.visualstudio.com/items?itemName=telesoho...


Really sorry! I was not on my laptop so couldn't post an extension link. Here it is: https://marketplace.visualstudio.com/items?itemName=mushan.v...


Not the same extension, but Dendron actually has one:

https://marketplace.visualstudio.com/items?itemName=dendron....


The reason we have our own extension is because Dendron is also available on VSCodium and the `paste image` extension was not available there.


I use VSCode + Foam (wikilinks) + MAIO. It is the best note tool I've found.
