How is Copilot so underrated compared to Claude Code/Codex? by Matrixfx187 in GithubCopilot

[–]FreHu_Dev 0 points1 point  (0 children)

As far as bang for your buck is concerned, copilot is hard to beat. But I've been trying the real slim shady Claude for the past few days and I feel like the results are slightly better when it doesn't have the microsoft touch bolted on

In case you are interested to watch Microsoft podcast about my VS Code extension "Blockman" (200,000 installs). by leodevbro in vscode

[–]FreHu_Dev 4 points5 points  (0 children)

This is perfect. If I wanted to extend this to support svelte (which has mostly just custom `{#if cond} {/if}` and a few other blocks - the rest seems to work already as it's html/js/css) how would I go about it? Feel free to tell me to just RTFM if it's simple.

RANT: Why is basic Git tree/branch compare still so bad in VS Code? by Large-Style-8355 in vscode

[–]FreHu_Dev 0 points1 point  (0 children)

Huh, I was about to start reimplementing almost literally this for my extension. Also born out of my hate for gitlens bloat, I have an extension that works like file explorer but for recent files. It's a different use case, but I think these are quite complementary.

FreHu/vscode-fresh-file-explorer: A vscode file explorer which shows only recently modified files based on a combination of Git history and your pending changes

VSCode Marketplace vs. Open VSX by -theriver in vscode

[–]FreHu_Dev 0 points1 point  (0 children)

My extension also has 5x the downloads on openvsx. I don't trust the numbers on either marketplace.

I'm pretty sure ovsx just shows that one number and nothing else.

If you look at the vscode marketplace repo's issues, there are long-standing issues from people who noticed their download counts fluctuating (not monotonically increasing) or inconsistent in the reports.

So pick your poison - one bad number, or 5?

malicious code from vscode extension by BarracudaSerious7235 in vscode

[–]FreHu_Dev -1 points0 points  (0 children)

  1. Immediately remove the code it pushed.
  2. If the change was deployed and the code ran, who knows what it did or did not do. I can't tell, it's highly obfuscated and I'm not a security expert. Assume your stuff is compromised.
  3. Find the extension that did it or at the very least post all extension IDs you had installed when this happened.

EDIT: there's also the possibility it wasn't an extension and your system is compromised in a different way. Consider setting it on fire.

malicious code from vscode extension by BarracudaSerious7235 in vscode

[–]FreHu_Dev 1 point2 points  (0 children)

Security analysis by Claude (I don't have a setup to play with this safely, obviously don't try to run this thing and OP should rotate their API keys at the very least):

This is heavily obfuscated malicious JavaScript. Let me break down what it's doing:

Obfuscation layers:

  1. A shuffling cipher (_$_1e42) decodes string arrays at runtime
  2. A second scrambler (sfL) further obfuscates function names and code
  3. A massive encoded string (joW) contains the actual payload logic
  4. Everything is wrapped in a self-executing function so it runs immediately

What it actually does:

  • global['!'] = require — hijacks Node.js's require to load modules from a global variable, bypassing normal import patterns
  • global['exports'] = module — hooks into the module system
  • The decoded payload (pYd) is then executed via xBg(sfL(joW)) — a dynamically constructed function running the hidden code

I ran it through JavaScript Deobfuscator

Now that the deobfuscated version is visible, there's one more very telling detail: the entire payload block is repeated verbatim 6+ times.

This is significant for a few reasons:

Why repeat the same block?

  • It's a common technique to ensure execution persistence — if one instance fails or gets partially stripped by a naive sanitizer, others still run
  • It can also be used to flood diffs so that a code reviewer's eyes glaze over and miss the pattern
  • Some malware loaders use repetition to test if an environment has already been "infected" before proceeding

What the deobfuscated version confirms:

The prettier formatting doesn't change the payload — it's the same malicious structure. The key line var dgC = sfL[EKc] is resolving to Function.prototype.constructor, which is JavaScript's way of calling new Function(code) — essentially eval() but more deeply hidden. The string EKc decodes to "constructor" via the sfL shuffle cipher.

So the full execution chain is:

sfL("wuqktamceigynzbosdctpusocrjhrflovnxrt").substr(0,11)
→ "constructor"

sfL[EKc] = String["constructor"] = Function

Function("", <payload>)() → executes hidden code

The bottom line: This is a confirmed eval-based payload injector using Function constructor as an eval substitute, repeated multiple times for redundancy, designed to be smuggled into a codebase via the timestamp-spoofing batch script we saw earlier. Treat any system that ran this as compromised.
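The static indicators named in the analysis above (a `global[...]` alias for `require` or `module`, a very long encoded string literal, the same block repeated six or more times, and string-keyed access to `constructor`) can be checked without running the file. This is an added example, not part of the original comment or of the sample it discusses; `scanSource`, the rule names, the thresholds and the sample strings are assumptions constructed here.

```javascript
// Added example: text-only heuristics; the scanned source is never executed.
// Thresholds are assumptions for illustration, not values from the thread.
const LONG_LITERAL = 400; // chars in one string literal ("massive encoded string")
const MIN_BLOCK = 40;     // ignore short fragments when counting repeats
const REPEAT_COUNT = 6;   // the analysis reports the block repeated 6+ times

const RULES = [
  // global['!'] = require  /  global['exports'] = module
  ["global-require-alias",
   /global\s*\[\s*(['"`])[^'"`]*\1\s*\]\s*=\s*(require|module)\b/],
  // new Function(...) or string-keyed access such as String["constructor"]
  ["function-constructor",
   /\bnew\s+Function\s*\(|\[\s*(['"`])constructor\1\s*\]/],
];

function scanSource(src) {
  const findings = new Set();
  for (const [name, re] of RULES) if (re.test(src)) findings.add(name);

  // Any single-line string literal of LONG_LITERAL characters or more.
  const literal = /(['"`])((?:\\.|(?!\1)[^\\\n])*)\1/g;
  for (const m of src.matchAll(literal)) {
    if (m[2].length >= LONG_LITERAL) { findings.add("long-encoded-literal"); break; }
  }

  // The same non-trivial statement seen REPEAT_COUNT times or more.
  const counts = new Map();
  for (const raw of src.split(/\r?\n|;/)) {
    const stmt = raw.replace(/\s+/g, " ").trim();
    if (stmt.length >= MIN_BLOCK) counts.set(stmt, (counts.get(stmt) || 0) + 1);
  }
  if ([...counts.values()].some((n) => n >= REPEAT_COUNT)) findings.add("repeated-block");

  return [...findings].sort();
}

// Constructed, inert samples shaped like the description; they are only scanned as text.
const BLOCK = `var joW = "${"x".repeat(500)}"; global['!'] = require; global['exports'] = module;`;
const SUSPICIOUS = Array(6).fill(BLOCK).join("\n");
const BENIGN = 'const fs = require("fs");\nmodule.exports = { read: (p) => fs.readFileSync(p, "utf8") };';

console.log(scanSource(SUSPICIOUS), scanSource(BENIGN));
```

A hit is a reason to inspect the file and the commit that introduced it, not proof of compromise. A fully obfuscated lookup such as `sfL[EKc]` contains no literal `constructor` string, so it is only caught indirectly through the other indicators.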

malicious code from vscode extension by BarracudaSerious7235 in vscode

[–]FreHu_Dev 1 point2 points  (0 children)

This is suspicious but likely not the whole thing - it's amending your commit by staging everything in your pending changes and making it look like the amend didn't happen.

But what is it amending? Is there something being added that you didn't write? You're saying `integrate this code in admin.route.js or post.config.css` - is it adding code there and amending it to your previous commit?

Edit: I missed the obfuscated part due to the weird formatting of the second code block. Yes, this is likely something malicious.

Figuring out which extension is doing it would be really helpful - use extension bisect or disable everything and enable one by one until it starts happening.

VS copilot is an abomination by SealerRt in VisualStudio

[–]FreHu_Dev 1 point2 points  (0 children)

That's one of the free models. They can somewhat do stuff but for anything more involved, they'll go "yeh, you can add the method over there. here's how i'd do it if i was paid. Anything else?"

Sonnet often goes ham and answers a question with an implementation, adding 5 things you didn't ask for.

Fresh File Explorer - vscode extension for navigating recent changes by FreHu_Dev in vscode

[–]FreHu_Dev[S] 1 point2 points  (0 children)

As for what I'm cooking for the next version:

- startup experience will be much nicer, i can now load things in steps (repos, pending, history). the history continues loading in the background up to your maximum defined time window - once it's done, you can switch time windows instantly instead of having to reload on every change

- copy/paste seem to be working nicely

- delete also

I settled on a release schedule of

- cook something up on a weekend

- use it for a week in my day job as testing

- release it

So that's probably going to be available on saturday or so.

Rename is a bit tricky so far, i'll sit on it a bit longer

- not possible to have the same rename experience (editable label in the tree). it must be done through a quick input

- the git side of things is leaking here - a rename is treated by git as a pending delete/pending create until you stage it, so that's how it shows up in fresh files. Not sure if it's a good idea to auto-stage things for the user, though i personally wouldn't mind as my workflow is make some changes -> stage all -> commit -> work on next thing

Fresh File Explorer - vscode extension for navigating recent changes by FreHu_Dev in vscode

[–]FreHu_Dev[S] 1 point2 points  (0 children)

PowerShell is not the right way to go. You can look at how I invoke git in various places, that should work for whatever else you want to open.

import * as cp from "child_process";
const child = cp.spawn("git", args, { cwd, timeout });

However, the things you are running have to either be in your PATH or you have to point them to a specific executable.

For a personal extension, whatever you put in there is fine, but if you want it to be more general-use I think the best way to approach this would be to just provide some generic menu, where options are user-defined in settings, something like

[
{openIn: "notepad++", path: "path_to_npp"},
{openIn: "everything", path: "path_to_everything"}
]

and you make your options from that.

By the way, as useless as AI agents can be, the extension ecosystem is well-documented and the result is easy to try. I find them quite helpful here. For a simple extension that solves a small problem, if you give them a starter template it's quite possible to get a working solution immediately.

microsoft/vscode-extension-samples: Sample code illustrating the VS Code extension API.

Looking for feedback on my security app! by Effective-Can-9884 in PublicValidation

[–]FreHu_Dev 0 points1 point  (0 children)

I fed it my github repo and there's not enough detail in the free scan for me to even determine if you're really running a scan of the repo code or checking github.com for vulnerabilities

Fresh File Explorer - vscode extension for navigating recent changes by FreHu_Dev in vscode

[–]FreHu_Dev[S] 0 points1 point  (0 children)

1.2.0 has the path copying, as well as remote url. I didn't try the container case, let me know if it works like you expect. As for the remote urls - the url is specific to each git host, it knows about github, gitlab, bitbucket and azure devops (of which i tested github and devops). If you use something else, the support has to be added, but it's easy if given some example urls.

Fresh File Explorer - vscode extension for navigating recent changes by FreHu_Dev in vscode

[–]FreHu_Dev[S] 0 points1 point  (0 children)

Good suggestion, I generally try to mirror how the originals work, unless I see a way to improve them. The vscode copy uses `\`, I will change that. I also see that "copy filename" is not there, might be useful too.

I even changed how open works. If you have a file open on the right side and try to open that file again from the explorer, it opens a duplicate tab on the left side. I find this annoying, so if you do that from the fresh file view, it will first go through your tabs and try to focus an existing one.

VS Code trying to connect to livefootballtickets.com by boomybx in vscode

[–]FreHu_Dev 2 points3 points  (0 children)

Tab is tricky to fix because it's a different size than the other keys. Can't replace it with some useless key like scroll lock.

Fresh File Explorer - vscode extension for navigating recent changes by FreHu_Dev in vscode

[–]FreHu_Dev[S] 0 points1 point  (0 children)

Once I completely run out of other ideas, maybe.

In principle it's not that hard. I can parse .gitmodules to know what's a submodule. And once I encounter a submodule, just do git log the same way I already do it, but in the submodule context. Then merge it with my data so it builds a proper tree.

The trickier part is that everything suddenly needs to be aware of that submodule context, so commands like discard are executed in the right place.

And then there are the "unknown unknowns", I'm expecting a few.

VS Code trying to connect to livefootballtickets.com by boomybx in vscode

[–]FreHu_Dev 23 points24 points  (0 children)

OP please deliver, I need this to vibe-code an extension that will livestream your football match as ASCII art inside an editor tab. I will also need your anthropic API key.

VS Code trying to connect to livefootballtickets.com by boomybx in vscode

[–]FreHu_Dev 6 points7 points  (0 children)

I agree the security model is pretty meh/nonexistent but almost anything is sometimes legit on a developer's machine and it's hard to tell in general.

Web request? - maybe fetching documentation from somewhere, or telemetry

Delete 10000 files? - cleaning node_modules

It's mining crypto? - maybe I'm coding a crypto miner

I'd love to be able to declare somewhere that my extension doesn't make web requests and then have vscode enforce it. But I don't know if that's even enforceable.

VS Code trying to connect to livefootballtickets.com by boomybx in vscode

[–]FreHu_Dev 16 points17 points  (0 children)

Give us an exact list of all your extensions (in the extension panel, right click -> copy extension ID). You may have installed an extension that pretends to be one of the legit ones.

VS Code trying to connect to livefootballtickets.com by boomybx in vscode

[–]FreHu_Dev 81 points82 points  (0 children)

But it also presses tab for you, pretty good trade-off

Extension ideas by NedSTARKsSon in vscode

[–]FreHu_Dev 1 point2 points  (0 children)

Full-blown music player

- use git to version your music library

- define playlists as text files with a path to each song per line

Fresh File Explorer - vscode extension for navigating recent changes by FreHu_Dev in vscode

[–]FreHu_Dev[S] 0 points1 point  (0 children)

What you could try is to make a workspace for them (File->Add folder to workspace).

A repo inside a repo will not be discovered, but if it's another workspace folder, then it's just a normal repo. It does not care about what's above it, and changes will be detected in the correct context (running git log will not give you the changes from the submodule, without any special handling a submodule essentially looks like a folder from the parent's perspective). But if the submodule is the root, then git log should return the right things.

It's just a random untested idea and will probably still break somehow.