Microsoft announced today that Visual Studio Code will delay automatic extension updates by two hours. The change applies to all VS Code installations that have auto‑update enabled. The policy takes effect immediately across Windows, macOS, and Linux platforms. It aims to give users a window to review changes before they install.
Supply‑chain attacks have increasingly targeted IDE extensions, compromising developer environments. By inserting a pause, Microsoft hopes to reduce the speed at which malicious code spreads. The delay also lets security tools scan new versions before they reach the IDE. Microsoft will log update attempts and alert users if a version is flagged.
The two‑hour window gives developers time to verify extension integrity. If a new version appears suspicious, users can postpone installation until they confirm safety. Microsoft cites internal testing that shows many attacks exploit the instant update mechanism, leaving little chance for detection.
Extension authors also benefit from the pause. They receive a brief alert before the update rolls out, allowing them to address accidental bugs or security flaws. Microsoft plans to surface the pending update in the Extensions view, so developers can see what will change.
Some developers worry that a two‑hour lag could slow down rapid iteration cycles. In practice, most extensions release updates weekly or monthly, so the pause rarely interferes with daily work. Microsoft assures that critical security patches will still be delivered promptly after the buffer.
By adding a short delay, Microsoft hopes to make the VS Code ecosystem harder to weaponize. The move signals a broader industry shift toward proactive defenses against supply‑chain threats. If the buffer proves effective, other development tools may adopt similar safeguards.
How does the two‑hour delay work technically? When an extension update is published, VS Code records the timestamp. The IDE will not download the new version until two hours have passed, unless the user manually triggers an update.
Can users change the delay period? The delay is fixed for now; Microsoft plans to expose a setting in future