
VS Code Adds a 2-Hour Delay to Extension Updates to Help Block Attacks

To respond to the surge in supply chain attacks targeting IT professionals, Microsoft has made an important decision regarding Visual Studio Code. When an extension update becomes available, VS Code will now wait 2 hours before installing it automatically. A relatively short window, but one that may be enough in some cases.

A two-hour window where everything can change

In the changelog for version 1.123 of Visual Studio Code (VS Code), Microsoft introduced a change to the extension update mechanism. It is also worth remembering that, by default, automatic updates are enabled for all extensions.

The new release, published on June 3, 2026, does not prevent extensions from updating automatically. However, and this is the subtle part, it adds a two-hour delay before VS Code triggers the update to the newer version.

For VS Code users, it is still possible to force an extension update at any time by clicking the "Update" button on the extension page. In addition, when an extension update is pending, the reason for the delay and the exact time when the automatic update will take place are displayed.

Keep in mind that Microsoft has decided to make a few exceptions: extensions from trusted publishers, such as Microsoft, GitHub and OpenAI, will continue to update immediately. Honestly, I do not see why this new rule would not apply to all publishers.

Source: Microsoft - Visual Studio

A broader trend behind this change

What is the point of this 2-hour delay before VS Code installs extension updates? In reality, Microsoft’s initiative is designed to counter software supply chain attacks. Over the past few months, there have been numerous compromised packages and extensions, allowing attackers to distribute infected versions of legitimate extensions.

This defensive measure therefore gives Visual Studio Code extension maintainers a 2-hour window. If an account were compromised and a malicious update were published, the maintainer would have 2 hours to detect the intrusion and respond. During that window there are no infections and no victims, whereas today the malicious version spreads immediately.

The change introduced by Microsoft is a good idea. Too bad it is not possible to customize this delay: 2 hours seems short to me. A longer delay, such as 24 hours, could be interesting. This is all the more true because it is very rare for an extension update to be this urgent. The alternative is to disable automatic updates, but that means manual checking...

What Microsoft has just done is not unique. Similar controls have been added by several other popular tools such as Bun, npm (since version v11.10.0 with the min-release-age directive), pnpm and Yarn.
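To make the policy concrete, here is an added example (not VS Code's, npm's or any vendor's own code) that models the gate described in this article: an automatic update is held back until the release is at least a configured age, with an exception for trusted publishers, and a pending update reports its reason and scheduled time. The 2-hour default and the publisher names come from the article; the configurable delay, in the spirit of npm's min-release-age, and all function names are assumptions.

```python
"""Model of a release-age hold-down for extension/package updates.

Illustration only, not VS Code's or npm's implementation. It lets a team
reason about (or reproduce in internal tooling) the gate the article
describes: defer automatic installs until a release is N old, except for
trusted publishers, and report why an update is pending and when it runs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Publishers the article says are exempt from the delay (assumed identifiers).
TRUSTED_PUBLISHERS = {"microsoft", "github", "openai"}
DEFAULT_DELAY = timedelta(hours=2)  # the delay VS Code 1.123 applies


@dataclass(frozen=True)
class Decision:
    install_now: bool
    install_at: datetime  # when the automatic update will run (or ran)
    reason: str           # text a user would be shown while it is pending


def evaluate_update(publisher: str, published_at: datetime, now: datetime,
                    min_release_age: timedelta = DEFAULT_DELAY) -> Decision:
    """Decide whether an update may be installed automatically at `now`."""
    if publisher.lower() in TRUSTED_PUBLISHERS:
        return Decision(True, now, f"publisher '{publisher}' is trusted; no delay")
    eligible_at = published_at + min_release_age
    if now >= eligible_at:
        return Decision(True, now, "release age satisfies the minimum; installing")
    remaining = eligible_at - now
    return Decision(False, eligible_at,
                    f"published {now - published_at} ago; waiting {remaining} "
                    f"more to satisfy the {min_release_age} hold-down")


def sample_release() -> datetime:
    """Constructed timestamp for a third-party release, used in the demo."""
    return datetime(2026, 6, 3, 12, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    t0 = sample_release()
    # A third-party update seen 30 minutes after publication is held back.
    d = evaluate_update("some-publisher", t0, t0 + DEFAULT_DELAY / 4)
    print(d.install_now, d.install_at.isoformat(), d.reason)
```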


Florian Burnel, co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
