Milik

VS Code’s Two-Hour Extension Delay Targets Supply Chain Risk


What VS Code’s Two-Hour Extension Delay Actually Does

VS Code’s new two-hour extension auto-update delay is a security measure that slows automatic updates of most marketplace extensions so that a malicious or broken release can be detected and pulled before it spreads widely to developer machines. Instead of installing a new version the moment a publisher pushes it, Visual Studio Code 1.123 now waits two hours after publication when automatic updates are enabled, giving marketplace operators and the community a short buffer for review and incident response. The target is the class of supply chain attack in which a trusted extension is hijacked and its next release is used to drop malicious code into development environments at scale, with instant auto-updates doing the distribution. The delay does not turn updates off or change default settings; it only changes when an update arrives. Developers can still update any extension immediately, but the default now favors a brief pause, improving VS Code extension security without giving up the convenience of automation.

How Auto-Update Delays Help Contain Supply Chain Attacks

Supply chain attacks often begin with a compromised maintainer account or a leaked publishing token, followed by a malicious update that rides the existing auto-install channel. With instant auto-updates, a poisoned VS Code extension can reach thousands of developers in minutes, and because an extension runs with the developer’s own privileges it can read source code, credentials and tokens, or serve as a foothold for further malware. A two-hour auto-update delay shortens that exposure window. Security teams, marketplace maintainers and community watchers get time to notice suspicious behavior, reports or code changes before the compromised version becomes what developer desktops run by default, and if it is caught quickly the registry can pull or block the release before the timer expires. The buffer only helps if detection and takedown happen inside those two hours; a release that nobody reports simply ships two hours later. It does not guarantee safety, but it makes mass exploitation harder by putting attackers under tighter time pressure and making their campaigns more visible.

Developer Workflow Trade-Offs and Trusted Publishers

The new policy balances security and productivity by slowing, not disabling, automatic extension updates. Developers still receive auto-updated extensions without manual management; the feed of new versions is simply delayed. Microsoft states that “new versions are auto-updated two hours after they are published, adding an extra layer of protection against problematic or potentially compromised releases.” For teams that want a fix immediately, there is a manual escape hatch: the Update button applies a pending version on demand, overriding the waiting period for that extension. Because that button bypasses the buffer entirely, the protection only holds for users who do not click it reflexively. Notably, the two-hour delay does not apply to extensions from trusted publishers such as Microsoft, GitHub and OpenAI. Those extensions continue to update immediately, on the assumption that their publishing pipelines and monitoring provide stronger guarantees and that developers depend on their frequent releases for daily work. The flip side is that a compromise of one of those pipelines would still propagate at full speed, so the exemption is a trust decision rather than a technical control.

Part of a Wider Shift Toward Supply Chain Defenses

VS Code’s auto-update delay is one example of a broader industry move toward built-in supply chain defenses. RubyGems recently added an opt-in cooldown in Bundler 4.0.13, letting developers set a time-based delay before newly published gem versions can be installed. Equivalent minimum-age controls now exist in several JavaScript package managers: Bun’s minimumReleaseAge, npm’s min-release-age, pnpm’s minimumReleaseAge and Yarn’s npmMinimalAgeGate. The Hacker News notes that these measures respond to a “surge in software supply chain incidents targeting various ecosystems.” By enforcing a minimum age before a package or extension auto-installs, an ecosystem shrinks the window in which a malicious version can spread before maintainers flag and remove it. In each case the client still learns about the new version, but only installs it once it has been public for the configured period, or when the user explicitly opts in. VS Code’s change brings editor extensions in line with these package-level protections, signaling that extension marketplaces are now treated as critical supply chain components rather than optional add-ons.
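To make the shared mechanism concrete, the following is an added example written for this article; it is not code from VS Code, npm, pnpm, Bun, Yarn or Bundler. It implements a minimum-release-age gate over a package feed: given per-version publish timestamps, it resolves to the newest version that is at least the configured age, reports the newer version still waiting out the cooldown (what a client would show next to an “Update” button), honors a manual override, and shows what happens when the registry pulls a version inside the window. The metadata layout (`dist-tags`, `versions` and a `time` map of version to ISO-8601 publish time) follows the real npm packument shape; the package name, versions and timestamps are constructed sample data, and modelling a takedown as the version disappearing from `versions` is an assumption of this demo.

```python
"""Minimum-release-age ("cooldown") gate for a package or extension feed.

Added example for this article, not code from VS Code or any package
manager. The packument layout mirrors npm's; the sample package, versions
and timestamps below are constructed, and "pulled" is modelled as the
version vanishing from `versions` (an assumption of this demo).
"""
import copy
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

VSCODE_DELAY = timedelta(hours=2)   # the two-hour window the article describes


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


def days(n: float) -> timedelta:
    return timedelta(days=n)


# Constructed sample feed as of NOW: 1.4.1 was published 20 minutes ago and
# plays the part of a compromised release; 1.4.0 is 18 hours old.
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_PACKUMENT = {
    "name": "example-extension",          # hypothetical package name
    "dist-tags": {"latest": "1.4.1"},
    "time": {
        "created": "2025-01-05T09:00:00.000Z",
        "modified": "2026-03-10T11:40:00.000Z",
        "1.3.2": "2025-11-02T08:15:00.000Z",
        "1.4.0": "2026-03-09T18:00:00.000Z",
        "1.4.1": "2026-03-10T11:40:00.000Z",
    },
    "versions": {"1.3.2": {}, "1.4.0": {}, "1.4.1": {}},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Order plain x.y.z versions; pre-release tags are out of scope here."""
    return tuple(int(part) for part in v.split("."))


def published_at(packument: dict, version: str) -> datetime:
    """Publish time of `version` from the packument's `time` map."""
    stamp = packument["time"][version].replace("Z", "+00:00")
    return datetime.fromisoformat(stamp)


def resolve_update(packument: dict, installed: str, min_age: timedelta,
                   now: datetime, force: bool = False) -> Tuple[str, Optional[str]]:
    """Pick what to install now and what is still waiting out the cooldown.

    Returns (target, pending): `target` is the newest listed version that is
    at least `min_age` old and never older than `installed`; `pending` is the
    newest version that exists but is still too young, so a client can offer
    it behind an explicit "Update" action. `force=True` models that action:
    the user accepts the newest version regardless of its age.
    """
    available = sorted(packument["versions"], key=parse_version)
    eligible = [v for v in available
                if force or now - published_at(packument, v) >= min_age]
    target = eligible[-1] if eligible else installed
    if parse_version(target) < parse_version(installed):
        target = installed                     # never downgrade
    pending = [v for v in available
               if v not in eligible and parse_version(v) > parse_version(target)]
    return target, (pending[-1] if pending else None)


def pull_version(packument: dict, version: str) -> dict:
    """Model a registry takedown inside the window: the version is no longer
    offered, so the gate falls back to the newest version still listed.
    Returns a modified copy; the input is left untouched."""
    pulled = copy.deepcopy(packument)
    pulled["versions"].pop(version, None)
    if pulled["dist-tags"].get("latest") == version:
        remaining = sorted(pulled["versions"], key=parse_version)
        pulled["dist-tags"]["latest"] = remaining[-1] if remaining else None
    return pulled


if __name__ == "__main__":
    # Auto-update holds at 1.4.0 while 1.4.1 is pending; the override takes 1.4.1.
    print(resolve_update(SAMPLE_PACKUMENT, "1.3.2", VSCODE_DELAY, NOW))
    print(resolve_update(SAMPLE_PACKUMENT, "1.3.2", VSCODE_DELAY, NOW, force=True))
    # If 1.4.1 is pulled within the window, the timer expiring changes nothing.
    print(resolve_update(pull_version(SAMPLE_PACKUMENT, "1.4.1"), "1.3.2",
                         VSCODE_DELAY, NOW + hours(3)))
```

The point the sample data makes is the one the article does: with a two-hour gate the 20-minute-old release is reported as pending rather than installed, a takedown within the window means it never ships, and the same gate at a seven-day threshold (as a package manager cooldown might be set) holds the client at the installed version while still surfacing what is waiting.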

