You get asked if you trust the folder you’re opening every single time you open a new folder in VsCode. Everyone probably always just says yes but it’s not like it doesn’t tell you that opening untrusted folders is dangerous.

The reason it's worse in the js ecosystem is that you need way more packages than your average language to build anything functional.

This may only provide a flalse sense of security. Afaik, there is no way to disable workspace settings taking priority over user settings, so a malious repo can easily override them and reenable automatic tasks.

Even if you lock everything now, what if the thing autoupdates with new helpful "features". You can't patch bad development culture.

  On macOS systems, this results in the execution of a background shell command that uses nohup bash -c in combination with curl -s to retrieve a JavaScript payload remotely

Sounds like autorun on usb drives all over again. They cant learn

Yes, uninstall the whole thing. It's just a Chromium covered with a bunch of JavaScript.

When I used it, the one use case I used it was to automatically launch a Jekyll server - if I'm working on a site I'm almost certainly going to want to look at my changes in the browser. Now that I've switched I just run one extra command, it wasn't a big saving, but it was kind of nice.

It's a good idea so it can't take over your dev machine.

But not sufficient since it'll still F over whatever code you are working on resulting in a backdoored app getting deployed + infected dev scripts etc bringing interesting times to your teammates, downstream open source project users, your api keys and cloud credentials getting compromised etc.

Apple did actually introduce its own container framework in Tahoe, but it’s still early days. https://github.com/apple/container

UTM is free and spins up native macOS VMs. If I absolutely have to write JavaScript that’s where I do it, since Sha1 Hulud.

apple has pretty good containers actually. why do you say they are a poor abstraction?

That what stuff like XPC and entitlements are for, which naturally programs from UNIX culture background don't care to use.

Next up: Javascript virtual operating systems.

> Coming from the perspective of an eclipse fan, why is VS code the defacto answer nowadays?

Is eclipse good now? I used it 15 years ago. It took ages to start. It was a memory hog and it was dog slow besides. My entire team got RAM upgrades on our computers because the default company issued machines (which were quite good at the time) didn't have enough RAM to use eclipse properly.

I can't imagine why it went out of favour...

I switched to VSCode because it has a free editor with a really great jump to file hotkey.

I remember when the big VS added jump to file but it was so damn miserably implemented as to be useless.

Having worked at Microsoft for a decade, the most frequent way I navigated a large source tree was dir /s *partialfilename*.*

Then again while I was there, most code bases couldn't even open in Visual Studio. (highly team dependent, I was mostly on older C/C++ code bases.)

Some teams at MS paid for an editor called Source Insight, which indexed your code and could also parse C #defines and other preprocessor macros, which was super unique and powerful. It had an incredibly powerful symbol and fuzzy filename search capabilities, I'd frequently have Source Insight open just so I could find where in a folder structure a file was and then I'd open it up in my preferred editor.

Back when I got my first SSD the largest boost to my dev productivity was not in compile times (large C++ code bases tend to template bound more so than IO bound), it was how fast I could find files in the directory structure.

I'm sure Vi/Emacs users have some magic set of plugins that do all of this for them, but as someone back on Windows back in the 2000s and 2010s, the supported MS tooling was horrible at all this.

Then VS Code comes along with amazing fuzzy file name matching. Holy cow. Sure it is missing 90% of the power of real Visual Studio (being able to have a debugger step from front end web code to your backend and then into stored procedures in SQL, running on a remote machine, that your debugger transparently auth'd to, is something Microsoft had working 20 years ago and would be considered impossible dark magic with today's tooling), but wow can I navigate a project quickly!

Eclipse is not safer it just has fewer people looking for holes in it. The problem is not the software but how we trust code from the internet. Even if you used Eclipse a fake recruiter could still trick you into running a bad script. We cannot fix social engineering by changing the text editor.

For me vscode is super-lightweight and at the same time has enough functionality. I didn't use Eclipse for many years, but from my memory it was super-heavyweight. And it didn't really support anything except Java.

Interestingly Java is the only language that I've found vscode support poor, so I keep buying Idea license exclusively for Java projects. For rest of languages that I use (JS/TS, Go, Python, Shell, YAML, XML) I'm using vscode and happy about it.

In recent years vscode starting to get bloated, mostly with AI stuff. But so far I can disable everything AI with a single setting and it works good afterwards. I'd prefer for all AI features to be contained in a separate plugin that I can just not install, but I guess managers these days want to shove AI in everyone's throat.

Another good thing about vscode is that its written with JavaScript and can be launched in browser, so in the future I want to put my development environment in the browser, but so far I didn't do that.

I don't really like VS Code either, but I personally use it because I tend to jump between a half-dozen semi-obscure languages, and VS Code is the only [0] editor that supports all of them.

[0]: Vim and Emacs have almost as good or slightly better language support, but I prefer GUIs over TUIs.

Never liked Eclipse, but I’ve been forced to use VSCode over my preferred JetBrains IDEs because it is the only modern mainstream editor with a competent client-server mode. As in, actually rendering the UI locally while doing all the code indexing and intelligence on the server. Corporate world would much rather maintain disposable remote VMs than help you unfuck your laptop after whatever required security upgrade installs the wrong version of a scripting language and sends everything to hell.

Seems very odd to me that someplace would force the use of a particular development tool. I've seen it only one time while interviewing, where they wanted everyone to have identical setups so they could easily hop onto each others computers when needed... it was weird and I took it as a red flag and didn't follow through them them.

My personal reason for switching some years ago was the excellent remote session support via ssh.

I haven't reevaluated that choice in a while, but that plus LSP support (and to a lesser extent ML Auto-complete) are must-haves for me nowadays.

Because it is fast enough, easy to onboard to with sane defaults. MS provided initial plug-ins and the ecosystem developed.

Threat model described is not unique to VS Code

I've also used Eclipse in the past but almost exclusively used vscode in recent years. It's just a phenomenal text editor. It's got fantastic multi-line selection and editing tools and searching for files is instant and you don't even need to be fully accurate with the filename. Nowadays I hardly ever use the sidebar to look for the file, I just type thr ctrl+e shortcut and insert several letters of the file and I instantly get the result. It's a small thing with a huge impact. VS, for comparison, lags a few seconds when searching files, and it misses files that are not imported into the workspace. That difference makes VS useless to me.

The only thing that matters is extensibility/customization and speed. I want the lightest, most customizable thing that isn't emacs (for real reasons, trying to set up emacs at work is too much of pain in the ass) as my single pane of glass on any OS I care to use. If it can't do that, it doesn't live long.

It's free, it has support for loads of languages, and it's kind of fashionable.

Personally I'm kind of lukewarm on VS Code, it's fine, but CLion, Visual Studio Proper, and RustRover are better for me.

I see why people use it though, it's not a bad editor at all.

For Java, I'm all over IntelliJ.

I bucket Eclipse under "heavyweight IDE". I used to use it, plus the CDT plugin, for my C++ nonsense.

Then Visual Studio's Express and later Community SKUs made Visual Studio free for ≈home/hobby use in the same bucket. And they're better at that bucket for my needs. Less mucking with makefiles, the mixed ability to debug mixed C# and C++ callstacks, the fact that it's the same base as my work tools (game consoles have stuff integrating with Visual Studio, GPU vendors have stuff integrating with Visual Studio, the cool 3rd party intellisense game studios like integrates with Visual Studio...)

Eclipse, at least for me, quickly became relegated to increasingly rare moments of Linux development.

But I don't always want a heavyweight IDE and it's plugins and load times and project files. For a long time I just used notepad for quick edits to text files. But that's not great if you're, say, editing a many-file script repository. You still don't want all the dead weight of a heavy weight IDE, but there's a plethora of text editors that give you tabs, and maybe some basic syntax highlighting, and that's all you were going to get anyways. Notepad++, Sublime Text, Kate, ...and Visual Studio Code.

Well, VSC grew some tricks - an extension API for debuggers, spearheading the language server protocol... heck, I eventually even stopped hating the integrated VCS tab! It grew a "lightweight IDE" bucket, and it serves that niche for me well, and that's a useful niche for me.

In doing so, it's admittedly grown away from the "simple text editor" bucket. If you're routinely doing the careful work of auditing possibly malicious repositories before touching a single build task, VSC feels like the wrong tool to me, despite measures such as introducing the concept of untrusted repositories. I've somewhat attempted to shove a round peg into a square hole by using VSC's profiles feature - I now have a "Default" profile for my coding adventures and a "Notes" profile with all the extensions gone for editing my large piles of markdown, and for inspecting code I trust enough to allow on disk, but not enough to autorun anything... but switching editors entirely might be a better use of my time for this niche.

> Why is VS code the defacto answer nowadays?

For what I do, there's no reasonable alternative at the moment.

I'm sure someone will correct me, but it's the only editor that correctly (for some definition of correct) allows remote editing and devcontainers:

[desktop OS] -> ssh -> [dest box]

[desktop OS] -> [devcontainer]

[desktop OS] -> ssh -> [dest box] -> [devcontainer]

[desktop OS] -> ssh (jumphost) -> [dest box] -> [devcontainer]

I won't name and shame other editors (or IDEs), but either they simply can't do that, or their performance is absolutely, shockingly, abysmal.

> Im guessing the answer is probably Java is why eclipse is out of favor.

Some people just want a text editor, whereas eclipse is “an IDE and Platform”.

  > everything seems worse than eclipse

In general, I believe most people see VSCode as "good enough". Maybe not the best text editor, but it's good enough at everything it does and extensible enough to the point that there's really no point to go for anything else unless you have a really good reason to.

   > Im guessing the answer is probably Java is why eclipse is out of favor.

I’ve never written a line of Java in my life. Why would I ever use Eclipse?

VSCode is defacto standard because it’s kinda mediocre but works ok enough for every language and every platform. Microsoft created and popularized LSP so VSCode isn’t a single language IDE.

I use a mixture of code editors. My favorite is probably 10x but it only works with C++. So VSCode is just a reasonably standard unless a different editor is better for a specific use case.

It just happens. I was happy on netbeans, then I was forced over to eclipse, which I got used to. Then I got forced over to intellij. I'm still pissed about that (even though it's rider for me these days).

I don't mind VSCodium that much because I can put my tooling on the side (like a good unix fanboy) instead of hoping that jetbrains reimplements every other tool. Ag, grep beat IDE searches any day.

But yeah we have reach a stupid point in the industry where VSCodium asks me to trust a codebase before it will let me edit it.

As I remember it, VS code was Microsoft’s response to Sublime.

Sublime was exceptionally popular for web developers throughout the 2010s.

Sublime was maintained by a single person as far as I know.

VS code was pretty much a copy of Sublime but with a much better extensions system and relatively quickly there were some great plugins that made VS code the de-facto editor for web development.

why is VS code the defacto answer nowaday?

  1. It's free
  2. A million plug-ins

I loved Eclipse. I still like it quite a lot.

I stopped using it because none of the plugins for the languages I was using at the time (Ruby, Python, Erlang) were either worth a damn, or getting updated to track new language features.

I started using VSCode because IntelliJ-family IDEs will report incomplete search results as complete when they are rebuilding their search indices. To put it another way, they will tell you that a string that definitely appears in the project does not appear, if they haven't gotten around to re-adding the files that contain that string to the search index.

This to me is intolerable behavior. Others find it perfectly acceptable.

> Im guessing the answer is probably Java is why eclipse is out of favor.

Dude, Eclipse has been out of favor for well over ten years now due to Jetbrains IDEs (IntelliJ IDEA).

To myself and many others, vscode is not the defacto answer. JetBrains is. IntelliJ was miles ahead of eclipse last time I checked. Rider is miles ahead of Visual Studio. WebStorm is miles ahead of vscode for js etc.

It's not even a competition, to me. I've had to use Visual Studio instead of Rider for work the past year and it's been a very bad experience.

The biggest difference is JetBrains intellisense feels like it's reading my mind, I'll just type a couple characters and hit tab most of the time. Visual studio on the other hand has the worst intellisense I can imagine. It very frequently just messes up what I'm doing - I'll write what I want correctly, hit space and VS will just change it to something entirely different and import a package while it's at it. It's incredibly annoying. And when I actually want to use auto complete, say for example I've declared a variable on the line above and I want to use it, I'll write a couple characters and then without fail the variable I just declared on the line above is like option 6 down the list behind a bunch of crap that doesn't even make sense in the context at all. And as if it wasn't enough that the IDE is crap when it's working correctly, it very frequently craps out and just stops providing syntax highlighting and such in .razor files, or showing errors in files that compile just fine, forcing me to restart it and delete the .vs folder. Like every day.

Personally I think the only people who prefer other products than JB are people who don't know what they're missing. JB is literally just better in pretty much every way. At least the products I've used. I think I'll turn down the next job that asks me to use VS.

Wild. I would quit my job and start selling jam at the Farmer’s Market before I went back to Eclipse! :)

Thing that IntelliJ and even NetBeans have going for them is that they seem like tools for getting work done. Eclipse puts more emphasis on being a platform which means you have to download and configure plugins just to get started. Great if you're a corporate shop with a standard setup that's force-pushed to every machine. Not so much if you're just getting started or working on side projects or in a startup, which is how languages and frameworks gain mindshare in the web era.

Visual Studio Code—I dunno. It's an editor more than an IDE. It lets Webdev Andys create an empty directory, put an index.ts in there, and get started right away. Yes, WebStorm does the same, but VS Code comes with decent multilanguage support for free. It's like vim or Emacs but crappier and more bloated, but a lot of people don't care about that.

If you did webshit in eclipse, especially with NPM involved, it would be just as bad. Running arbitrary code from a downloaded bundle seems normal in that world.

> Im guessing the answer is probably Java is why eclipse is out of favor.

I don't get the connection, but Java had log4j, i.e. a remote code execution vulnerability.

It's the license. The MIT license is what makes VSCode the defacto answer.

It also runs on the web, which makes it extremely convenient to toss into...web things. It's the code editor for the Google Cloud console, the Lambda web console, the GitHub web editor, and so on.

I'm going to guess that Eclipse doesn't have the same amount of security issues because it's not a popular target. Everyone (relatively speaking) is using VSCode or something based on it.

This is so insane to me. Eclipse is... Fine for Java in the sense Visual Studio is for dotnet. But man can they both be slow.

Use case depending sometimes you just need a quick editor, thats why sublime had and probably still has a huge userbase, its fast startup and flexibility. Vim, emacs and derivatives of it are the same story.

I can't imagine ever opening up eclipse to edit a zig/go/js file or project. It's too bloated.

The answer is neovim anyway. That's all anyone needs. /s

VSCode main architect is one of the Eclipse authors, Erich Gamma.

Other than that, it is more fashionable to ship Chrome with applications and JavaScript is hot. /s

Eclipse remains my main Java IDE at work.

Tooooo be fair

Vim had also had its share of execution vulnerabilities over the years.

https://github.com/numirias/security/blob/master/doc/2019-06...

Doesn't it ask you if you trust a folder when you open it?

> We traded our safety for convenience

Not the first time. Same with LLMs.

The article doesnt' claim it's executed straight up either ("can result") but it's pretty ambiguous:

> When the project is opened, Visual Studio Code prompts the user to trust the repository author. If that trust is granted, the application automatically processes the repository’s tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system.

In the screenshot the task is named "node" - so it's a bit like embedding a malicious Makefile target as a backdoor.

Except harder to spot since it's in a obscure .vscode/somethingsomething json file. (And probably you can easily fool GH Copilot to run it)

Agree. But the first build you do after that clone/checkout is risky too. Maybe not as wide open, as the build-tool makers are a line of defence if they're acting on classes of vuln.

Won’t IDEA automatically index/execute some Gradle code when possible? As soon as you execute an arbitrary binary/script from the project directory, the isolation of the JVM doesn’t matter.

Same here, I only use VSCode because in some scenarios I have no choice, from regulated IT environments, or product SDKs with plugins only for it.

When I can avoid it, the better.

Yep. You’d think using web tech would make it really easy to sandbox any 3rd party JavaScript that gets run. But I suppose sandboxing is simply too inconvenient.

You know what would be better? Telling me explicitly what file/script will run and asking permission for that. A blanket message every time is no better than the cookie popups and doesn’t tell me if the project has 0 files that will run.

The "trust project" feature has been designed to be so extremely intrusive and annoying that the first thing I do is to completely disable it whenever I install VS Code on a new computer. This "solution" was just done to tick some box and put the blame on the user when a security incident happens. It's pretty similar to Windows Vista where it annoyed you with a disruptive popup so many times during the normal course of actions that most people ended up disabling the whole UAC system. Overall security goes down, and Microsoft has a nice excuse.