
VS Code’s 2‑Hour Extension Delay and Supply Chain Security


What VS Code’s New 2‑Hour Delay Does

VS Code’s two-hour extension auto-update delay is a security feature introduced in version 1.123. It holds back automatic installation of newly published extension releases so that a malicious or broken version can be noticed and pulled before it reaches a large number of developer machines. When automatic updates are enabled, Visual Studio Code now waits two hours after an extension version is published before installing it in the background, which puts a buffer between release and deployment. Microsoft describes the delay as “an extra layer of protection against problematic or potentially compromised releases,” giving the registry and security teams a small but usable review window. Developers can still trigger an update immediately from the Extensions view, so the delay affects only unattended auto-updates and does not block urgent fixes or features a team chooses to install right away.

Why Automatic Updates Create Supply Chain Risk

Automatic extension updates are convenient, but they hand attackers a ready-made distribution channel. If a popular VS Code extension is compromised (a hijacked publisher account, a malicious dependency pulled into the build, or malicious code added to a new release), auto-update delivers that version straight into thousands of developer environments, often within minutes. From there an attacker can read tokens and credentials from the developer’s machine, tamper with builds, or inject code into downstream applications. The two-hour delay does not stop such an attack by itself; it slows the initial spread so that the blast radius stays small while the version can still be reported and removed. It mirrors package manager settings such as minimumReleaseAge and min-release-age, which refuse to resolve a package version until it has been public for a minimum time. In the broader context of VS Code extension security and developer security tools, the change reflects a growing focus on stopping attacks early in the software development pipeline, before they reach production systems.

How the Auto‑Update Delay Works in Practice

For developers, the delay is largely invisible until a new release appears and sits in a pending state. When VS Code detects a new version of an installed extension and automatic updates are enabled, it schedules the update for two hours after the version’s publication time instead of applying it immediately. The extension details view explains why the update has not been installed yet and shows when the automatic update will run, so users can see what is pending and why. The delay does not apply to extensions from trusted publishers such as Microsoft, GitHub, and OpenAI, which continue to update immediately; that exception keeps first-party extensions current, but it also means a compromised release from one of those publishers would not get the same buffer. If you need a fix right away, clicking the Update button installs the new version and bypasses the delay. This balances supply chain attack prevention with developer control: the guardrail stays on by default without blocking urgent workflows.

What This Means for Security Teams and Workflows

The two-hour window is aimed at security and platform teams who monitor extension ecosystems and registry alerts. Instead of racing against instant auto-updates, they get a short, predictable review period to flag a suspicious version, update internal allowlists or blocklists, and warn developers if a release appears compromised. The buffer only pays off if someone acts within it, so it is worth pairing with monitoring of the publishers your organization depends on. The approach mirrors time-based install delays added to tools such as Bundler, Bun, npm, pnpm, and Yarn, all of which aim to reduce exposure to freshly published malicious packages. For organizations, the change strengthens VS Code extension security at minimal operational cost, and it works best alongside other developer security tools: code scanning, dependency auditing, and strict extension policies. Together these measures help secure the software development pipeline and reduce the chance that a compromised extension quietly reaches critical projects.
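To make the behaviour described in the two sections above concrete, here is a small minimum-release-age gate for unattended extension updates, with the trusted-publisher bypass and a security-team blocklist. This is an illustration written for this article, not VS Code’s own update code; the policy shape, the function names, the trusted publisher IDs and the sample releases are all assumptions. It also handles one case the article does not mention: a publish timestamp that lies in the future (registry clock skew or a tampered timestamp), which is treated as brand new rather than as already past the buffer.

```typescript
// Added example: a minimum-release-age gate for unattended extension updates.
// Not VS Code's implementation; policy shape, publisher names and sample
// releases below are assumptions made for illustration.

type Action =
  | { kind: "install"; reason: string }
  | { kind: "defer"; installAt: Date; reason: string }
  | { kind: "block"; reason: string };

interface Release {
  id: string;          // "<publisher>.<name>", as in the Marketplace
  version: string;
  publishedAt: Date;   // publication time reported by the registry
}

interface Policy {
  minReleaseAgeMs: number;         // buffer between publish and auto-install
  trustedPublishers: Set<string>;  // publishers whose releases skip the buffer (assumed list)
  blocklist: Set<string>;          // "<publisher>.<name>@<version>" flagged by the security team
}

const TWO_HOURS_MS = 2 * 60 * 60 * 1000;

// Decide what an unattended updater should do with a newly seen release.
// The blocklist is checked first so a flagged version never installs,
// even when its publisher is trusted.
function decideUpdate(release: Release, now: Date, policy: Policy): Action {
  const key = `${release.id}@${release.version}`;
  if (policy.blocklist.has(key)) {
    return { kind: "block", reason: `${key} is blocklisted` };
  }

  const publisher = release.id.split(".")[0];
  if (policy.trustedPublishers.has(publisher)) {
    return { kind: "install", reason: `publisher ${publisher} is trusted` };
  }

  // A publish time in the future would make the release look older than the
  // buffer on a naive subtraction; clamp it to "now" so it waits the full delay.
  const published = Math.min(release.publishedAt.getTime(), now.getTime());
  const installAt = new Date(published + policy.minReleaseAgeMs);
  if (now.getTime() < installAt.getTime()) {
    const minutesLeft = Math.ceil((installAt.getTime() - now.getTime()) / 60000);
    return { kind: "defer", installAt, reason: `auto-update runs in ${minutesLeft} min` };
  }
  return { kind: "install", reason: "release is older than the minimum age" };
}

// Constructed sample: four releases seen by one workstation at a fixed "now".
const SAMPLE_NOW = new Date("2026-03-01T12:00:00Z");

const SAMPLE_POLICY: Policy = {
  minReleaseAgeMs: TWO_HOURS_MS,
  trustedPublishers: new Set(["ms-vscode", "github"]),  // assumed publisher IDs
  blocklist: new Set(["acme.cool-linter@3.2.1"]),        // assumed: flagged during the review window
};

const SAMPLE_RELEASES: Release[] = [
  { id: "acme.cool-linter", version: "3.2.0", publishedAt: new Date("2026-03-01T09:00:00Z") }, // 3 h old
  { id: "acme.cool-linter", version: "3.2.1", publishedAt: new Date("2026-03-01T11:30:00Z") }, // blocklisted
  { id: "acme.theme",       version: "1.0.4", publishedAt: new Date("2026-03-01T11:15:00Z") }, // 45 min old
  { id: "ms-vscode.cpptools", version: "1.30.0", publishedAt: new Date("2026-03-01T11:55:00Z") }, // trusted
];

// Apply the policy to every sample release and return the decision per version.
function runSample(): Record<string, Action["kind"]> {
  const out: Record<string, Action["kind"]> = {};
  for (const r of SAMPLE_RELEASES) {
    const action = decideUpdate(r, SAMPLE_NOW, SAMPLE_POLICY);
    out[`${r.id}@${r.version}`] = action.kind;
    console.log(`${r.id}@${r.version}: ${action.kind} (${action.reason})`);
  }
  return out;
}

runSample();
```

Running it shows the three outcomes side by side: the three-hour-old release installs, the 45-minute-old release is deferred until 13:15 UTC, the blocklisted version is refused outright, and the trusted publisher’s release installs immediately regardless of age. The clamp on future timestamps is the kind of detail to check in any home-grown gate, since an attacker who can influence the registry’s timestamp could otherwise skip the buffer entirely.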
