this post was submitted on 16 Aug 2024
VS Code
Hm, yeah ok, should really be careful with that "I trust the developers of this repo" button (or whatever it says)
100%
I know a guy that considers git pre-commit hooks a form of code injection and thus a security risk. So he disables them on repos he works with. And to be fair, it’s absolutely a viable vector for attacking developer machines. I think a tasks.json fits into that exact same bucket.
These kinds of automations are suuuper useful and I do like to use them. But also review a code base before cloning!
Yeah, it's a little insane to me to automatically run code that exists in a file in the current directory, by default.
Like there's a reason that direnv requires you to execute direnv allow if you enter a directory with an .envrc that you hadn't previously approved. I don't know of any other editor that has this as standard behavior, and for good reason.
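The pre-clone review the comments above argue for, as an added example that is not code from this thread: a Python script that audits a fresh checkout for the three things discussed (tasks.json entries VS Code starts on folder open, git hooks that were installed after cloning, and a direnv .envrc) before the directory is opened in an editor. It assumes the real VS Code setting runOptions.runOn: "folderOpen" marks an auto-run task; the sample checkout layout and tasks.json it builds are constructed for the demo.

```python
import json
import re
import tempfile
from pathlib import Path
# tasks.json is JSONC (comments, trailing commas); strip those outside string literals.
_COMMENTS = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING_COMMAS = re.compile(r'"(?:\\.|[^"\\])*"|,(?=\s*[}\]])')

def jsonc_to_json(text: str) -> str:
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return _TRAILING_COMMAS.sub(keep_strings, _COMMENTS.sub(keep_strings, text))

def auto_run_tasks(tasks_json: str) -> list[str]:
    """Labels of tasks VS Code would start on folder open (runOptions.runOn == folderOpen)."""
    tasks = json.loads(jsonc_to_json(tasks_json)).get("tasks", [])
    return [t.get("label", "<unlabelled>") for t in tasks
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

def audit_checkout(repo: Path) -> dict[str, list[str]]:
    """Report auto-run tasks, active git hooks and a direnv .envrc found in a checkout."""
    findings = {"folderOpen_tasks": [], "git_hooks": [], "envrc": []}
    tasks_file = repo / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        findings["folderOpen_tasks"] = auto_run_tasks(tasks_file.read_text(encoding="utf-8"))
    hooks_dir = repo / ".git" / "hooks"
    if hooks_dir.is_dir():  # a plain clone only has *.sample files here; anything else was installed
        findings["git_hooks"] = sorted(p.name for p in hooks_dir.iterdir()
                                       if p.is_file() and p.suffix != ".sample")
    if (repo / ".envrc").is_file():
        findings["envrc"] = [".envrc"]
    return findings

# Constructed sample tasks.json: one folderOpen task, plus a comment and trailing commas.
SAMPLE_TASKS_JSON = """{
  "tasks": [ // constructed for this example
    {"label": "bootstrap", "command": "echo hi", "runOptions": {"runOn": "folderOpen"},},
    {"label": "build", "command": "echo build"},
  ],
}"""

def demo() -> dict[str, list[str]]:
    # Constructed checkout layout (hypothetical repo) written to a temp dir, then audited.
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / ".vscode").mkdir()
        (repo / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        (repo / ".git" / "hooks").mkdir(parents=True)
        (repo / ".git" / "hooks" / "pre-commit").write_text("#!/bin/sh\n")
        (repo / ".git" / "hooks" / "pre-push.sample").write_text("#!/bin/sh\n")
        (repo / ".envrc").write_text("export EXAMPLE=1\n")
        return audit_checkout(repo)
```

Run audit_checkout on a real clone path before opening it; a non-empty result is the list of things to read before clicking through the trust prompt or running direnv allow.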