What VS Code’s Two‑Hour Extension Delay Actually Does
VS Code’s new two-hour extension auto-update delay is a time-based safety buffer that slows down mass rollout of new releases to reduce exposure to compromised or faulty code in the developer ecosystem. In VS Code 1.123, when automatic updates are enabled, extension updates are now queued and applied two hours after the publisher releases them, instead of reaching users instantly. Microsoft says this “adds an extra layer of protection against problematic or potentially compromised releases,” giving security teams and registries a short window to detect malicious behavior before it spreads widely. Importantly, developers can still trigger an immediate update at any time via the Update button if they trust a release or need it urgently. The delay also excludes extensions from trusted publishers such as Microsoft, GitHub, and OpenAI, which continue to update without waiting.
Why Supply Chain Attacks Push Tools to Slow Down by Design
The change in VS Code security policy reflects how supply chain attacks have evolved from fringe incidents into a routine threat against developer security tools. Threat actors now specifically target open-source registries and plugin ecosystems to smuggle malware into the build process, knowing that auto-update can fan out a poisoned release to thousands of users in minutes. Microsoft’s delay joins a wider pattern: RubyGems has added an opt-in cooldown in Bundler 4.0.13, and similar minimum-age controls now exist in Bun, npm, pnpm, and Yarn. By enforcing a minimum age before new versions install, these tools shrink the critical window in which malicious releases can spread unchecked. For attackers who rely on speed and surprise, even a short delay makes it more likely that suspicious behavior is spotted and packages are removed before they become widespread.
A New Compromise Between Security and Developer Convenience
For many teams, extension auto-update is a core convenience feature, so disabling it outright would be a non-starter. The two-hour delay is a compromise: it keeps the default on, but adds friction tailored to the risk of supply chain attacks. Developers retain control because they can override the delay for any extension they want to update immediately, while the platform quietly protects less-attentive users who accept defaults. Exempting Microsoft, GitHub, and OpenAI extensions reflects a trust-based model that prioritizes ecosystem-critical tools, though it also concentrates responsibility on those vendors to maintain high security standards. In practice, the delay encourages more mindful update habits. Teams can watch for threat intelligence, suspicious changelogs, or registry takedowns before a new version lands automatically in every IDE in the organization.
WordPress and the Move Toward Moderated Auto‑Updates
VS Code’s strategy mirrors a wider shift beyond IDEs. WordPress has launched its Protect The Shire initiative and introduced a temporary 24-hour delay on auto-updates for plugins and themes distributed through WordPress.org. According to WordPress, the pause allows time to “check the updated plugins to ensure that they are secure before allowing them to be sent to WordPress users,” after a rise in supply chain attacks and incidents like the Essential Plugins sale to a malicious actor. The project describes this as a “liminal period” between updating fast to stay secure and holding back updates to stay secure. Community response has been mixed but mostly positive, with users praising the improved safety and some developers worrying about urgent bug fixes or coordinating freemium release marketing. Both VS Code and WordPress suggest future automation will shorten these delays without losing the added protection.
What This Means for the Future of Developer Security Tools
Taken together, VS Code’s extension delay, WordPress’s moderated plugin rollout, and registry-level cooldowns point to a new model for developer security tools: default “slow paths” for unvetted releases. Instead of assuming that fastest is safest, ecosystems are beginning to treat time as a security control: delay mass rollout, observe behavior, and intervene if a release proves malicious. For organizations, this means auto-update policies should now be tuned, not toggled on or off. Security teams can align internal update cadences with these minimum-age features, while still allowing power users to opt into quicker installations when required. As more platforms follow VS Code’s lead, supply chain defenses will likely move closer to where developers work every day, turning the IDE, package manager, and plugin directory into active participants in protecting the software supply chain.
