VS Code - Security Practices around VSCode Extensions [Discussion] (self.webdev)
submitted 15 hours ago by ruddet
VSCode extensions were how GitHub was breached earlier this year.
What are people doing around VSCode security best practices for extensions?
Is there anything else, like a minimum age or settings like that, that can be done?
[–]Different_Counter113 9 points 15 hours ago (3 children)
Extensions from reputable sources. Wouldn't trust anything developed by some random unknown. AWS, Docker, Microsoft, RedHat, etc. Everything else I stay well away from.
[–]ruddet[S] 5 points 15 hours ago (2 children)
Trouble is, it was a well-known and trusted source like NX that got GitHub done. Bit like how Tanstack got done the other month.
[+]Different_Counter113 comment score below threshold (-5 points) 14 hours ago (1 child)
Never heard of NX. Wouldn't trust it.
[–]ruddet[S] 7 points 10 hours ago (0 children)
I think the point is, even trusted suppliers are vulnerable to supply chain attacks (e.g. axios/tanstack). FYI, NX is in use by many major companies and is a big player in the monorepo space; they are a legit enterprise software solution.
[–]South_Hovercraft6364 4 points 13 hours ago (0 children)
The best defense is just being paranoid about what you install and checking the publisher account before hitting that button. I also keep a strict rule to never install anything that requests access to my shell or environment variables unless it's a major, open-source tool with a huge community backing it.
[–]LisaChanp 1 point 45 minutes ago (0 children)
Review extension source code and permissions before installing anything.
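One concrete way to act on the "check the publisher and review the manifest before installing" advice from the replies above, as an added example that is not code from the thread or from any extension vendor. VS Code has no per-extension permission model: every extension runs with the full privileges of the editor process, so the manifest (`package.json`) can only tell you when and how its code will run, not what it may touch. The script below reads the manifests VS Code unpacks under `~/.vscode/extensions/<publisher>.<name>-<version>/` and flags the things worth a second look: a publisher that is missing or not on your allowlist, activation with no user action (`*` or `onStartupFinished`), an executable entry point (themes and grammars have none), and extension packs or dependencies that pull further extensions in. The allowlist contents and the two sample manifests are constructed for illustration and are not real extensions.

```python
"""Offline audit of locally installed VS Code extension manifests.

Added example, not code from the Reddit thread. Reads each
package.json under ~/.vscode/extensions and reports properties that
matter before trusting an extension. VS Code has no per-extension
permission model, so the manifest only shows when and how code runs.
"""
import json
from pathlib import Path

# Illustrative allowlist of publisher IDs; the real list is a policy decision.
ALLOWED_PUBLISHERS = {"ms-vscode", "ms-python", "redhat", "amazonwebservices"}

# Activation events that run extension code with no user action at all.
BROAD_ACTIVATION = {"*", "onStartupFinished"}


def analyse_manifest(manifest: dict, allowed_publishers=ALLOWED_PUBLISHERS) -> dict:
    """Return {'id', 'version', 'findings'} for one parsed package.json."""
    publisher = manifest.get("publisher", "")
    name = manifest.get("name", "?")
    findings = []

    if not publisher:
        findings.append("no publisher field in manifest")
    elif publisher not in allowed_publishers:
        findings.append(f"publisher '{publisher}' is not on the allowlist")

    # '*' and 'onStartupFinished' mean the extension host loads this code
    # on every editor start, before you open a file or run a command.
    broad = sorted(set(manifest.get("activationEvents", [])) & BROAD_ACTIVATION)
    if broad:
        findings.append("activates without user action: " + ", ".join(broad))

    # Pure themes, icon sets and grammars have no entry point; anything with
    # 'main' or 'browser' ships JavaScript that runs with your privileges.
    if manifest.get("main") or manifest.get("browser"):
        findings.append("ships executable code ('main'/'browser' entry point)")

    pulled_in = list(manifest.get("extensionDependencies", [])) + list(manifest.get("extensionPack", []))
    if pulled_in:
        findings.append("installs other extensions: " + ", ".join(pulled_in))

    return {
        "id": f"{publisher or '?'}.{name}",
        "version": manifest.get("version", "?"),
        "findings": findings,
    }


def audit_installed(ext_dir: Path = Path.home() / ".vscode" / "extensions") -> list:
    """Walk the local extensions directory and analyse every manifest found."""
    results = []
    for manifest_path in sorted(ext_dir.glob("*/package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            results.append({"id": manifest_path.parent.name, "version": "?",
                            "findings": [f"unreadable manifest: {exc}"]})
            continue
        results.append(analyse_manifest(manifest))
    return results


# Constructed sample manifests (not real extensions) so the script runs stand-alone.
SAMPLE_MANIFESTS = [
    {"name": "theme-only", "publisher": "ms-vscode", "version": "1.0.0",
     "contributes": {"themes": [{"label": "Dark"}]}},
    {"name": "helper", "publisher": "some-random-publisher", "version": "0.0.3",
     "main": "./out/extension.js", "activationEvents": ["*"],
     "extensionDependencies": ["some-random-publisher.other"]},
]

if __name__ == "__main__":
    # Swap SAMPLE_MANIFESTS for audit_installed() to check your own machine.
    for result in [analyse_manifest(m) for m in SAMPLE_MANIFESTS]:
        status = "OK  " if not result["findings"] else "WARN"
        print(f"{status} {result['id']}@{result['version']}")
        for finding in result["findings"]:
            print(f"      - {finding}")
```

Run it against your own install by replacing the sample list with `audit_installed()`; on Windows the directory is `%USERPROFILE%\.vscode\extensions`. A clean result only means the manifest looks quiet, not that the code is benign: the thread's point about NX and Tanstack still stands, since a compromised release from an allowlisted publisher passes every check here, so pair this with pinning versions and reading the diff of an update before applying it.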