VS Code, Workspace Trust, and “Just Clicking Yes”

A Hacker News thread got spicy after Jamf reported repo-based attacks abusing VS Code tasks. A VS Code team member jumped in and basically said: The protection is already there. Workspace Trust is the line, and if you trust a sketchy repo, you’re opting in.

That didn’t sit well with everyone. Folks called out warning fatigue, vague messaging, and the reality of opening repos just to poke around. To their credit, the VS Code team acknowledged the UX gaps and hinted at changes, including safer defaults and a task-related tweak coming in VS Code 1.109.

Worth a read if you live in VS Code and trust repos on autopilot: “VS Code Team Member Blames User Trust Decisions in Repo-Based Attacks”

Do you actually read the trust warning?