| ▲ | deepsun 8 hours ago | |
Same thing with IDE plugins. At least some are full-featured by the manufacturer, but I couldn't get on with VS Code as for every small feature I had to install some random plugin (even if popular, but still developed by who-knows-who). | ||
| ▲ | willvarfar 4 hours ago | parent | next [-] | |
The amount of browser extension authors who have talked openly about being approached to sell their extension or insert malicious code is many, and presumably many others have taken the money and not told us about it. It seems likely there are IDE extensions doing or going to do the same thing... | ||
| ▲ | packtreefly 2 hours ago | parent | prev [-] | |
It's painful, but I've grown distrustful enough of the ecosystem that I disable updates on every IDE plugin not maintained by a company with known-adequate security controls and review the source code of plugin changes before installing updates, typically opting out unless something is broken. It's unclear to me if the code linked on the plugin's description page is in amy way guaranteed to be the code that the IDE downloads. The status quo in software distribution is simultaneously convenient, extraordinarily useful, and inescapably fucked. | ||