In a nutshell: VSCode automatically delays extension updates by two hours after release to shorten the time during which compromised versions are distributed.
Microsoft is introducing a default two-hour delay for automatic extension updates in Visual Studio Code 1.123 to complicate supply-chain attacks and create a detection window for compromised packages.
Microsoft is implementing a security-driven update mechanism with VSCode 1.123: when users have automatic updates enabled for extensions, installation is delayed by two hours after release by default. This artificial cooling-off period creates a time window in which security analysts and platform operators can detect compromised versions and remove them from registries before they spread widely.
Users retain full control: a button allows them to install updates immediately at any time without waiting for the two hours. In the detail view, the delay and scheduled installation time are displayed transparently. However, this protective measure does not apply to extensions from trusted publishers – Microsoft, GitHub, and OpenAI as certified partners receive updates without delay.
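The gate described above, sketched as an added example (not code from VS Code or from the article): a two-hour cooldown with the publisher exemption, the install-now override and the scheduled installation time. The function and field names are hypothetical, and installing the newest release that is already old enough while a fresher one waits is an assumption of this sketch.

```javascript
// Added illustration, not VS Code's implementation; all names are hypothetical.
const COOLDOWN_MS = 2 * 60 * 60 * 1000; // two-hour default described in the article
const EXEMPT_PUBLISHERS = new Set(["microsoft", "github", "openai"]); // per the article

// releases: [{ version, publishedAt }] with ISO 8601 timestamps, in any order.
function planAutoUpdate(ext, releases, now, { installNow = false } = {}) {
  const exempt = installNow || EXEMPT_PUBLISHERS.has(ext.publisher.toLowerCase());
  const dated = releases
    .map((r) => ({ version: r.version, ts: Date.parse(r.publishedAt) }))
    .filter((r) => !Number.isNaN(r.ts)) // no usable timestamp: never auto-install
    .sort((a, b) => b.ts - a.ts); // newest first
  // Only releases published after the installed one are candidates (no downgrades).
  const current = dated.find((r) => r.version === ext.installedVersion);
  const candidates = dated.filter((r) => !current || r.ts > current.ts);
  const plan = { install: null, pending: null, eligibleAt: null };
  if (candidates.length === 0) return plan;

  // A timestamp in the future (clock skew) yields a negative age and keeps waiting.
  const aged = (r) => exempt || now - r.ts >= COOLDOWN_MS;
  const eligible = candidates.find(aged); // newest release that is old enough
  if (eligible) plan.install = eligible.version;
  const newest = candidates[0];
  if (!aged(newest)) {
    plan.pending = newest.version; // still inside the detection window
    plan.eligibleAt = new Date(newest.ts + COOLDOWN_MS).toISOString();
  }
  return plan;
}

// Constructed sample data: 1.4.1 was published 30 minutes before `NOW`.
const NOW = Date.parse("2026-06-09T12:00:00Z");
const RELEASES = [
  { version: "1.4.1", publishedAt: "2026-06-09T11:30:00Z" },
  { version: "1.4.0", publishedAt: "2026-06-06T09:00:00Z" },
  { version: "1.3.9", publishedAt: "2026-05-20T09:00:00Z" },
];
const EXT = { publisher: "example-publisher", installedVersion: "1.3.9" };

console.log(planAutoUpdate(EXT, RELEASES, NOW));
console.log(planAutoUpdate(EXT, RELEASES, NOW, { installNow: true }));
```

If the registry removes 1.4.1 during the window, it simply drops out of `releases` and is never installed.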
This strategy is part of a broader movement in developer infrastructure: RubyGems recently integrated a cooldown function into Bundler 4.0.13. Other package managers are already employing similar minimum-age thresholds – npm (from 11.10.0), pnpm (from 10.16), Bun (from 1.3), and Yarn (from Berry 4.10.0) all offer configuration options for time-delayed package installations.
The background to this coordinated defense is a rising tide of supply-chain incidents in which attackers take over developer accounts or infiltrate systems to inject malicious code into trusted packages. The artificial time window minimizes the risk that a compromised version circulates undetected among tens of thousands of installations for an extended period before security analysis classifies it as malicious.
Source: www.it-daily.net · Published 9 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.6.5.