Microsoft Joins Industry Trend: VS Code Introduces Extension Update Delays to Combat Supply Chain Attacks
**Microsoft** has announced a significant change to how **Visual Studio Code (VS Code)** handles extension updates, implementing a two-hour delay before automatic installations. This move aims to bolster software supply chain security, mirroring similar initiatives by major package managers like **RubyGems**, **npm**, and **Yarn** to curb the spread of malicious code.

### Bolstering VS Code Security
**Microsoft** is enhancing the security posture of its popular integrated development environment (**IDE**), **Visual Studio Code (VS Code)**, by introducing a two-hour delay for automatic extension updates. This new feature, available starting in **VS Code 1.123**, is designed to create a crucial buffer against potential software supply chain threats.
"When automatic updates are enabled, new versions are auto-updated two hours after they are published, adding an extra layer of protection against problematic or potentially compromised releases," **Microsoft** stated in its announcement.
This delay provides a critical window for security teams and automated systems to identify and flag malicious or buggy updates before they are widely deployed across developer workstations. Users retain the option to manually update any extension immediately via the "Update" button. The details view will indicate why an extension hasn't updated automatically and when the scheduled update will occur.
It's important to note that this two-hour delay does not apply to extensions from trusted publishers such as **Microsoft**, **GitHub**, and **OpenAI**, which will continue to update immediately.
### A Growing Industry Standard
**Microsoft**'s initiative reflects a broader trend within the software development ecosystem to mitigate supply chain risks. Just days prior, **RubyGems** introduced an opt-in cooldown feature in **Bundler 4.0.13**, allowing developers to configure a time-based installation delay for newly published gem versions.
Similar installation control mechanisms, enforcing a minimum release age, have been adopted by other prominent package managers:
* **Bun**: `minimumReleaseAge` (Bun 1.3+)
* **npm**: `min-release-age` (npm v11.10.0+)
* **pnpm**: `minimumReleaseAge` (pnpm 10.16+)
* **Yarn**: `npmMinimalAgeGate` (Yarn Berry 4.10.0+)
These changes arrive amidst a surge in software supply chain incidents, where attackers leverage vulnerabilities in development tools and libraries to inject malware into downstream applications. By enforcing a minimum age threshold before a package version can be installed, these defensive controls significantly reduce the window during which a malicious package can spread before it is identified and removed by registry maintainers: a compromised version that is pulled from the registry during the cooldown never reaches the machines that honour the gate. The control therefore depends on detection happening within the cooldown period, and a longer threshold trades slower delivery of legitimate fixes for a wider margin. This proactive approach is critical for protecting developer systems and preventing the propagation of malware to end-users.