
VS Code Slows Extension Auto-Updates to Boost Security


What the New VS Code Extension Auto-Update Delay Does

VS Code’s extension auto-update delay is a security feature introduced in version 1.123. When automatic updates are enabled, VS Code now waits two hours after a new extension version is published before installing it. That time buffer reduces the chance that a compromised release spreads to every developer machine within minutes, strengthening VS Code extension security against supply chain attacks. During the two-hour window the extension stays at its previous version unless the user chooses to update manually. Microsoft explains that “new versions are auto-updated two hours after they are published, adding an extra layer of protection against problematic or potentially compromised releases.” The delay does not disable automatic updates; it changes when they occur, turning immediate, silent upgrades into slightly slower but more observable changes to a developer’s environment.

Why a Two-Hour Auto-Update Delay Matters for Supply Chain Security

The new auto-update delay directly targets software supply chain attacks that hide inside trusted ecosystems through malicious updates. Attackers often compromise a popular package or extension and push a tainted release; immediate auto-updates help such malware spread faster. By slowing extension auto-updates, VS Code gives security teams time to spot anomalies, community reports, or takedown notices before harmful versions reach every device. Similar time-based controls have appeared in package managers such as Bundler, Bun, npm, pnpm, and Yarn, all using minimum age thresholds to reduce exposure to freshly published, unvetted versions. The two-hour window in VS Code follows the same philosophy: it uses a small delay, short enough not to disrupt most workflows, yet long enough to reduce the blast radius when a compromised update slips into an ecosystem that many developers trust by default.

Exceptions for Trusted Publishers and Immediate Updates

Not every extension is subject to the two-hour auto-update delay. Microsoft notes that extensions from trusted publishers, including Microsoft, GitHub, and OpenAI, continue to update immediately when automatic updates are enabled. This distinction reflects a higher level of vetting and direct control over these publishers’ pipelines, which lowers—but does not remove—the perceived risk. Developers can still bypass the delay for any extension by clicking the Update button manually in the Extensions view, which triggers an immediate installation of the latest version. When an extension has a pending update, VS Code shows why it has not updated yet and indicates the expected time the automatic update will occur. These details help developers make informed decisions about whether to wait for the auto-update or move ahead with a manual update for features or fixes they need right away.

How Developers Should Adjust Their Workflows

For most developers, the new behavior will change expectations rather than break workflows. If you rely on automatic updates to receive fixes the moment they land, you now need to account for a two-hour gap before extensions refresh, unless they are from trusted publishers that still update instantly. Time-critical updates can be applied manually through the Update button, so teams should agree on when it is safe or necessary to bypass the delay. Consider adding a quick check in your daily routine: scan pending extension updates, read their change notes, and decide whether to update ahead of schedule. Teams with security responsibilities can use the delay to review newly published versions, watch for incident reports, and set temporary policies for specific extensions, treating the auto-update delay as a small but meaningful control in their wider VS Code extension security strategy.

Positioning VS Code Among Other Supply Chain Defenses

VS Code’s extension auto-update delay fits into a wider move across developer tooling to slow the spread of risky updates and limit supply chain attacks. RubyGems recently added an opt-in cooldown for Bundler 4.0.13 that delays installing new gem versions, and package managers like Bun, npm, pnpm, and Yarn have added configuration options such as minimumReleaseAge or min-release-age to gate the installation of very recent releases. These tools recognize that early adopters often bear the risk of discovering compromised packages. By enforcing a minimum age before updates arrive automatically, VS Code now shares the same defensive posture as those ecosystems. For organizations, this means one more layer of protection around their editors and build chains, turning immediate, invisible extension updates into changes that are spaced out, more observable, and easier to contain when something goes wrong.

