Is Microsoft ever going to implement proper VS Code plugin sandboxing? There are so many good extensions I would like to use, but I hate the security implications of loading yet more unvetted code for a nice-to-have.
Then again, I see that the top buzz in the industry is about Claws and letting LLMs run loose with only a handshake agreement to be safe, and I already know the answer.
StrangeSound 1 days ago [-]
And it's only getting worse with the waves of vibe-coders.
I actually wrote about this recently after poking around a popular extension that Antigravity users were installing. It's wild what people are doing with your credentials, and you'd have no idea! https://opista.com/posts/blind-trust-in-vs-code-extensions
dawnerd 1 days ago [-]
I got in an argument with someone the other day that said their vibe coded app was more secure than something hand written because the ai “knows all exploits”.
We’re cooked.
christoph-heiss 1 days ago [-]
That's why any repo with a README ridden with emojis (and other telltale signs) is just an instant nope nowadays.
(One of the only good things about GH is that if you block some account, it will tell you at the top if that account contributed to some repo. Makes it very easy to filter out slopcode.)
disintegrator 10 hours ago [-]
This is in part why I've been developing inside a VM for the last 2 years. Interestingly, VS Code has nice support for installing and running extensions on the remote. Only themes live on the host.
MantisShrimp90 1 days ago [-]
The only real answer is something like web assembly and that would be a major breaking change for them.
This is why a lot run dev containers, but agreed, this really should be top priority. Instead it is probably in the "maybe if we have a major security incident" bucket of concerns, as these things often are.
pjmlp 15 hours ago [-]
This has already been supported for a while and is the way to have those Rust and C++ processes run in the Web IDE version on GitHub and Azure DevOps.
socalgal2 19 hours ago [-]
which other text editors implement sandboxing?
bandrami 18 hours ago [-]
emacs can but for some reason by default only does it with themes
pjmlp 15 hours ago [-]
Not really, because it only works for Elisp code, and not for anything else that might be called as an external process.
bandrami 15 hours ago [-]
Oh I see what you're saying; right, if elisp launches a process it's just a normal process (unless the elisp itself containerizes it when it launches it)
frehu 1 days ago [-]
There's no malware in it currently, but I understand your concerns - I could be lying, go rogue later, or just get my access stolen.
One option is to vet a version yourself and disable auto-update, but that's not really feasible to spend time on for most people.
3eb7988a1663 1 days ago [-]
Sorry, no slight intended against you, just a general concern as more and more cool utilities keep getting built into the platform.
frehu 1 days ago [-]
No offense taken, you actually made me reconsider trying out random extensions that sound like mine to make sure I'm not reinventing the wheel.
benatkin 1 days ago [-]
Doesn't seem like it. It will be stuck in a security theater situation, just like Chrome extensions. Not an upgrade from the old highly powerful firefox extensions or those of the Atom text editor.
msephton 2 hours ago [-]
I made an approximation of this for Nova editor on macOS. Though its extension system is quite limited, especially sidebar customisation, so it's missing a fair bit. But it was fun to do and it's quite useful as it is. I mention your project in the readme, though it's not a fork but a reimplementation. https://extensions.panic.com/extensions/com.gingerbeardman/c...
frehu 1 hours ago [-]
Nice! I don't have a Mac to check it out, but having copycat extensions within a day of posting this is just telling me I'm on to something really useful here.
msephton 59 minutes ago [-]
Cheers! I thought it was a fun concept and I wanted a project to ease me back into work after being away for a week. I'm also kinda addicted to making extensions and have done a dozen or so.
Nova has a git sidebar which does some of the same thing, but I do think there's something more that is useful to yours. Yours is definitely better because of the heatmap colouring, sadly I can't do that in Nova.
helle253 1 days ago [-]
This is really neat. I especially like the heatmap; it makes it very easy to immediately figure out what is actively being worked on, even in the regular file explorer view.
That said, I'm not sure I plan on using it long term. As someone else pointed out, the lack of extension sandboxing does make me feel a bit uncomfortable for extensions like this that aren't backed by large entities.
botusaurus 24 hours ago [-]
code is free now, ask the agent to fork it, study it for malware, and maintain it for you
timfsu 1 days ago [-]
Love this idea. Working with AI assistants, I find it easier to push to GitHub to look at the changes, rather than use my IDE. I wish that wasn’t the case, so this makes a ton of sense.
matteogauthier 22 hours ago [-]
Really cool and lots of settings to tweak. Feedback:
- a button to toggle view as list / as tree
- a better search file feature
- some deleted files are shown while they were only on feature branches and never on the main branch
- looking for a setting to hide some file types (binary for example)
Nice work!
frehu 17 hours ago [-]
- List/tree toggle will make it at some point
- The search inside the tree is ass, it's what vscode provides for tree controls and I can't really change it aside from reimplementing a tree from scratch. But do try the quick pick (ctrl+q, f) which is like ctrl+p for fresh files only
- I don't really see how they'd show up, because I don't examine files outside the branch you are in. Possibly something doesn't get cleaned up when switching branches. I'll look into it, but if you have a way to reproduce, an issue would help here
- file type filters would be easy to add
frehu 1 days ago [-]
File explorer with a twist - instead of 5000 files of which you need to see 20, shows pending changes + files modified within a time window (pending, 3 days, 7 days, 30 days, etc.) pulled from Git history. This way you don't get lost browsing everything or lose track of your work immediately after a commit.
Beyond the core concept, there's also
- A heatmap that colors files based on recency
- Deleted files appear in the tree where they used to be
- A pinned section for files that are not recent but handy
- File history, diff search (pickaxe) and git log -L line/function history available from editor context menu
- File grouping based on the moon phase during the most recent commit (good luck finding alternative software for this)
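How such a time-windowed view can be derived from git history, as an added Python example (not the extension's own code): the sample `git log --name-status` text is constructed, and the bucket thresholds are an assumption modelled on the windows named above.

```python
"""Added example, not the extension's own code: rebuild the 'fresh files' view
from `git log --name-status` output (newest commit first), keeping each path's
most recent touch, flagging paths whose last touch was a deletion, and bucketing
by age into time windows like the ones the post mentions (assumed thresholds)."""
import subprocess

# Header per commit: "<unix time>\t<short hash>", followed by status lines.
LOG_FORMAT = "%ct%x09%h"
WINDOWS = ((3, "hot"), (7, "warm"), (30, "cool"))  # days -> heatmap bucket (assumed)

def git_log(repo, since_days=30):
    """Run git on a real repo; the output has the shape parse_log() expects."""
    cmd = ["git", "-C", repo, "log", "--name-status",
           f"--since={since_days} days ago", f"--format={LOG_FORMAT}"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def parse_log(text):
    """Return {path: (last_commit_time, status)}; the newest entry wins per path."""
    files, ts = {}, None
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 2 and parts[0].isdigit():   # commit header line
            ts = int(parts[0])
        elif len(parts) >= 2:                         # "A|M|D|R<score>\tpath[\tnew]"
            status = parts[0][0]
            if status == "R":                         # a rename removes the old name
                files.setdefault(parts[1], (ts, "D"))
            files.setdefault(parts[-1], (ts, status))
    return files

def bucket(age_days):
    for days, label in WINDOWS:
        if age_days <= days:
            return label
    return "stale"

def fresh_files(log_text, now):
    """Rows of (path, age_days, bucket, deleted), freshest first."""
    rows = [(p, round((now - ts) / 86400, 1), bucket((now - ts) / 86400), s == "D")
            for p, (ts, s) in parse_log(log_text).items()]
    return sorted(rows, key=lambda r: (r[1], r[0]))

# Constructed sample: two commits, newest first, with a modify, a delete and a rename.
SAMPLE_LOG = ("1700000000\tabc1234\n\nM\tsrc/app.py\nD\tsrc/old.py\n"
              "1699500000\tdef5678\n\nA\tsrc/app.py\nR100\tsrc/legacy.py\tsrc/old.py\n"
              "M\tREADME.md\n")
NOW = 1700000000 + 2 * 86400  # pretend "today" is two days after the newest commit

if __name__ == "__main__":
    for path, age, label, deleted in fresh_files(SAMPLE_LOG, NOW):
        print(f"{label:5} {age:5.1f}d {'(deleted) ' if deleted else ''}{path}")
```

Replace `SAMPLE_LOG` with `git_log(".")` to run it against a real checkout; deleted paths still show up in their old location, as the post describes.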
vldszn 1 days ago [-]
Looks very cool, starred on github and downloaded extension :)
PS: unfortunately does not work on latest cursor (2.5.20). Can you please check?
frehu 24 hours ago [-]
Seems cursor is based on an older vscode 1.105, my config listed 1.106 as minimum. But as there's no real reason for the minimum requirement, I lowered it.
You'll need to wait for 1.1.2 to show up in the marketplace, it usually takes a few minutes to update. I'm going to sleep now and I'll check on it tomorrow.
vldszn 22 hours ago [-]
it works now, thank you =)
cbxyp 22 hours ago [-]
Nice and innovative which I love to see on an IDE feature, innovation. Boom.
banku_brougham 1 days ago [-]
looks pretty cool! Ive definitely been wanting some improvement in file discovery and exploration
aquir 1 days ago [-]
This is a great idea! I will give it a try!
brcmthrowaway 1 days ago [-]
Is there something like this integrated with Ctrl P vim?
frehu 1 days ago [-]
I don't use vim so I'm not sure what you mean exactly, but if you want a file quick pick like vscode's ctrl+p but for the fresh files, that's something I have. The default binding is ctrl+q, f.