strogonoff 3 days ago

Before we all conclude that supply chain attacks only happen on NPM, last time I used VS Code I discovered that it auto-installed, with no apparent opt-out, Python typing stubs for any package (e.g., Django in my case) from whatever third-party, unofficial PyPI accounts it saw fit. (Yes, this is why it was the last time I used VS Code.)

The obscurity of languages other than JavaScript will only work as a security measure for so long.

maleldil 3 days ago

I've never seen Pylance automatically install anything. Are you talking about the stubs that come packaged with Pylance, which Microsoft maintains?

strogonoff 3 days ago

It was Microsoft's official Python extension, as far as I recall. It was possible to use some other extension for typechecking, but there were some other issues with it. (Now everything works perfectly in Neovim, and my setup respects only the typing stubs I specify in the project.)
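For readers who want the same property in their own projects, here is an added configuration example (not from the thread or from any project mentioned in it) that pins Pyright, and therefore Pylance, which reads the same settings, to stubs vendored inside the repository. It assumes the project keeps its reviewed stubs under a `typings/` directory and uses `pyproject.toml`; both are assumptions, and `stubPath` and `reportMissingTypeStubs` are documented Pyright settings.

```toml
# pyproject.toml (added example; assumes a vendored stubs directory at ./typings)
[tool.pyright]
# Only stubs checked into this directory are used for third-party packages.
# Anything else must come from the installed package itself.
stubPath = "typings"

# Fail loudly when a package has no stub, instead of silently falling back
# to a stub from somewhere the project did not review.
reportMissingTypeStubs = "error"

# Do not infer types from library source when a stub is missing; this keeps
# the stub directory the single source of truth for third-party typing.
useLibraryCodeForTypes = false
```

Commit the contents of `typings/` like any other dependency so that stub changes show up in code review, and treat an unexpected `reportMissingTypeStubs` error as the cue to vendor and review a stub rather than to loosen the setting.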

maleldil 2 days ago

The Microsoft official Python extension uses Pylance, which is a closed-source extension of Pyright with additional features such as built-in type stubs. This is probably what you saw.