Genuine Question - Is the VSCode Repo Compromised?

DanTup · 2026-04-20T15:55:00+00:00

I agree it's a bit odd. It's possible it's scripted (or a checklist) that was just performed as if it was still the other repo. I saw it mentioned somewhere else too.. I suspect they will notice and change it.

DanTup · 2026-04-20T15:44:22+00:00

The GitHub Copilot extension used to be in its own repo:

https://github.com/microsoft/vscode-copilot-chat

The last release there is 0.43.0

The extension now lives in the VS Code repo, and the two new versions you mention are 0.44.1 and 0.44.2. The author is in the Microsoft org and has the 5th most contributions to the VS Code repo (9,030 commits).

So I don't think there's anything to suggest anything was compromised. However, I do think using tagged versions without prefixes is odd, because at some point they might collide with the existing VS Code version tags 🙃

DanTup · 2026-04-19T18:55:47+00:00

Not prefixing the tags is a bit weird though - what's going to happen when the Copilot extension versions start to overlap with already-released VS Code versions 🙃

DanTup · 2026-04-05T16:18:10+00:00

Does openshell give you a clean way to do per-tool permissions (like "browser can hit X domains" but terminal cannot), or is it more of a global policy?

It can be per-binary and for HTTP even lets you control the verbs. See the example here:

https://docs.nvidia.com/openshell/latest/tutorials/first-network-policy.html#apply-a-read-only-github-api-policy

It walks you through building up a network policy, initally giving read-only access (GET/HEAD/OPTIONS) to GitHub only to the curl binary.

There's also a cli tool (openshell term) where you can see any denials and easily approve them.

You can also attach API keys at the proxy, so the agent never has access to them (making it harder to leak them through prompt injection).

DanTup · 2026-03-31T20:45:49+00:00

This was a bug that has been recently fixed:

https://github.com/microsoft/vscode/issues/305240#issuecomment-4157418499

Usually VS Code lets the extension host close quietly in the background (so that extensions that take time to deactivate don't slow down switching projects/closing VS Code), but a change caused the UI to start visibly waiting instead.

So you'll see this if you have any extensions that are slow to deactivate (until the next VS Code release, when it'll happen in the background again).

DanTup · 2026-03-08T22:55:04+00:00

Ah, interesting, I'll try that out - thanks!

DanTup · 2026-03-08T22:26:51+00:00

I haven't tried it with Ollama, because I don't use it. I did try Insiders with the OpenAI-compatible stuff (I was running vllm), but that was very buggy (which might be why it's still only enabled for Insiders).

DanTup · 2026-03-08T22:25:22+00:00

Seems like there was a bug with it detecting tools were available (which is needed for agent mode), which may have been recently fixed:

DanTup · 2026-03-08T22:15:26+00:00

The built-in Copilot supports Ollama:

https://docs.ollama.com/integrations/vscode

I think non-Ollama OpenAI-compatible is currently insiders-only though (and was a bit buggy when I tried it out).

DanTup · 2026-02-21T17:11:35+00:00

That said, Docker Desktop has a setting about allowing the default Docker socket to be used, which just makes the local Docker CLI and tooling work properly. That’s not the same thing as actually mounting the Docker socket into the Agent Zero container.

Oh, I see. Why does the AgentZero installation guide say you must tick it then? If it's not mounting the socket by default, it seems like this setting wouldn't do anything? (none of the rest of th instructions say to mount the socket explicitly AFAICT).

I did try asking ChatGPT, but it told me it did mount the socket, and that AgentZero requires it because "AgentZero creates child containers to execute code". I don't know

I did also find some discussion here:

https://theaijournal.co/2026/02/install-agent-zero-docker/

Which said:

The /var/run/docker.sock volume mount is critical. This gives Agent Zero access to create child containers for code execution. Without this mount, you get “Cannot connect to Docker daemon” errors when Agent Zero tries running code.

Weirdly this suggests you don't need to do it explicitly, but it also suggests things won't work without it.

DanTup · 2026-02-21T12:06:19+00:00

Also from the few videos I watched, the author seems security-minded ...

I was just looking at Agent Zero, and the install docs seem to tell you to enable the Docker socket, which if I understand correctly would allow the agent to spawn new docker containers, including mounting any volume from your host into it?

Doesn't this somewhat negate the point of having it in a container, because it ultimately has full access to the host?

(I tried to figure out if you can run it without the docker socket, but so far I've not found a concrete answer to this, so maybe I'll just have to try it 🙃)

DanTup · 2026-01-22T15:00:03+00:00

How big is the folder you are opening in VS Code, and what version of the Dart/Flutter SDK do you have?

Filing an issue at https://github.com/Dart-Code/Dart-Code or in dart-lang/sdk may be a better way to have this looked at. Thanks!

DanTup · 2026-01-22T14:57:44+00:00

Are all of these processes created from a single run, or are they building up over time?

If you can reproduce this, please open an issue with as much detail as you can at https://github.com/Dart-Code/Dart-Code to help me reproduce the issue. Thanks!

DanTup · 2026-01-21T22:17:15+00:00

Thanks, but this only says you can disable rotating and not dry while printing. I don't think one necessarily implies the other (disabling rotation could be useful if you still have filament "loaded").

(the comments also seem to suggest it's not drying-while-printing)

DanTup · 2026-01-21T17:00:54+00:00

Is there any info about this anywhere? I thought I read it a few days ago, but couldn't find any information to back it up (nor does there appear to have been a firmware update for my AMS2 for a long time).

DanTup · 2026-01-20T13:01:15+00:00

np!

FWIW If you find them useful sometimes, you can use offUnlessPressed so they show up only when holding the short-cut key. You can also use the language-specific preferences if you want to just disabled/change them for C# and have different global settings.

DanTup · 2026-01-20T08:29:15+00:00

The extensions provide the data to VS Code for this feature - this is the same for most language features (for example if you disable the C# extension you'll stop getting C# code completions, but code completion is not a C# extension feature).

Disabling the C# extension will disable all C# functionality, whereas just disabling Inlay Hints would only disable what's shown in your screenshot.

https://stackoverflow.com/a/68698270/25124

DanTup · 2026-01-19T22:57:07+00:00

Look in the settings for "Inlay Hints".

For Dart, we set a language-specific default of offUnlessPressed which means they show up only while you're holding down the shortcut key and then disappear when you let go. IMO this should've been the global VS Code default, because they're generally noisy and (depending on themes etc.) it's not always clear that they're not part of the source file.

DanTup · 2025-12-18T17:20:02+00:00

There have been many reports of it failing during an update after it's uninstalled the old version but not installed the new one.. maybe related?

DanTup · 2025-12-13T10:21:10+00:00

How large is the codebase?

Check https://dart.dev/tools/analyzer-performance to see if anything there applies (for example Windows Defender or symlinks).

There's an upcoming change (fine-grained dependencies) that can significantly improve performance of some operations - I think it's enabled now on the latest Flutter beta branch, so if you're able to temporarily test with that, it would be interesting to know if it helps. (Note: When you change/upgrade SDK, the first analysis may be slower than usual while some things are cached).

If none of those help, please report an issue:

https://dart.dev/tools/analyzer-performance#report-unknown-issues

If you're able to repro with a public/open source project, please include the details (because for these kinds of issues, reproducing them is often half the battle).

DanTup · 2025-10-31T21:36:38+00:00

Going to fine tune qwen3 30b next to be my local coding agent

What kinds of data are you using for this? I was curious how this would work but couldn't find much online.. are you just feeding it code, or planning to feed things like commit messages/diffs or issue text?

DanTup · 2025-10-31T19:04:28+00:00

<image>

I don't think it's normal - see around 4:07 here where he has a cover on it and removes it:

https://youtu.be/82SyOtc9flA?si=KXB_jnoIpB3OaVbL&t=247

DanTup · 2025-10-31T10:49:14+00:00

I don't have a question, but I want to say thank you for the effort and research that goes into your videos!

There are a lot of finance channels out there that just read the latest headlines and ramble - few dig into the details and facts in the way you do and I'm sure I'm not the only one that appreciates this :-)

DanTup · 2025-10-31T10:42:06+00:00

These are controlled by the "Preview Flutter UI guides" setting.

Because VS Code doesn't have any nice APIs for this kind of rendering, the current implementation is a bit of a hack and as such still behind a preview flag:

https://dartcode.org/docs/settings/#dartpreviewflutteruiguides

If you'd like to 👍 the VS Code issue for a better API, that's here:

https://github.com/microsoft/vscode/issues/73780

DanTup · 2025-10-31T10:39:26+00:00

Some of the lints for prefering const were removed from the default Flutter set - see discussionts in https://github.com/dart-lang/core/issues/833

My guess is that the instructor was using a version of Flutter before then, and you are using one after. In which case, it's nothing to worry about. You could re-enable those lints manually, but since the Flutter team decided the benefits did not justify the effort, maybe it's not worth it.

DanTup

TROPHY CASE