
Update-cooldown guard for the dev surfaces that still auto-adopt brand-new versions instantly (VS Code extensions, IDE plugins, CI actions)


After npm (11.10.0, Feb 2026) and pnpm shipped minimum-release-age 'cooldown' settings, developers want the same protection for everything else that auto-updates, VS Code extensions most loudly. A 24-72h delay before adopting a freshly published version filters out the smash-and-grab supply-chain attacks that get yanked within hours, but IDEs and extension marketplaces have no such control and update by default.

builder note

VS Code will likely add this for its own extensions eventually, so the durable play is the cross-surface policy layer (extensions plus actions plus base images) with per-publisher allowlists, since npm already proved teams want the exemptions the official setting won't give them.
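A sketch of the policy check described above: a per-surface cooldown with per-publisher exemptions, applied to a list of published versions. This is an added example, not code from any project the page mentions; the `Release` and `Policy` types, the surface names and the sample data are all assumptions made up for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Release:
    surface: str                      # e.g. "vscode-extension", "ci-action", "base-image"
    publisher: str
    version: str
    published_at: Optional[datetime]  # None when the registry exposes no timestamp
    yanked: bool = False              # pulled by the registry or publisher since release

@dataclass
class Policy:
    default_hours: int = 72
    surface_hours: dict = field(default_factory=dict)  # per-surface override
    exempt: set = field(default_factory=set)           # (surface, publisher) pairs

    def cooldown(self, rel: Release) -> timedelta:
        if (rel.surface, rel.publisher) in self.exempt:
            return timedelta(0)
        return timedelta(hours=self.surface_hours.get(rel.surface, self.default_hours))

def is_adoptable(rel: Release, policy: Policy, now: datetime) -> bool:
    # Fail closed: no timestamp, a timestamp in the future, or a yanked release is held.
    if rel.yanked or rel.published_at is None or rel.published_at > now:
        return False
    return now - rel.published_at >= policy.cooldown(rel)

def pick_version(releases, policy: Policy, now: datetime) -> Optional[Release]:
    """Newest release that has cleared its cooldown, or None to stay on the current one."""
    ok = [r for r in releases if is_adoptable(r, policy, now)]
    return max(ok, key=lambda r: r.published_at, default=None)

# Constructed sample data (not taken from any real marketplace).
NOW = datetime(2026, 5, 17, 12, 0, tzinfo=timezone.utc)
POLICY = Policy(surface_hours={"ci-action": 24}, exempt={("vscode-extension", "trusted-pub")})
LINTER = [
    Release("vscode-extension", "example-pub", "1.4.0", NOW - timedelta(days=16)),
    Release("vscode-extension", "example-pub", "1.4.1", NOW - timedelta(days=5), yanked=True),
    Release("vscode-extension", "example-pub", "1.4.2", NOW - timedelta(hours=6)),
]

if __name__ == "__main__":
    chosen = pick_version(LINTER, POLICY, NOW)
    print("adopt:", chosen.version if chosen else "nothing yet")
```

With the sample data, the 6-hour-old 1.4.2 is held and the yanked 1.4.1 is skipped, so the updater stays on 1.4.0 until a newer version ages past 72 hours.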

landscape (3 existing solutions)

Package managers solved cooldowns in 2026, but the rest of the auto-updating dev surface (IDE extensions, plugins, CI actions, base images) still adopts new versions the instant they publish, which is exactly where the demand sits.

npm minimum release age: Added a cooldown in 11.10.0 (Feb 2026), but it only protects npm installs and cannot exempt specific trusted packages; it does nothing for editor extensions or CI actions.
pnpm minimumReleaseAge: Cooldown defaults to 1 day in pnpm 11, but again only covers package installs in the dependency graph, not the IDE/extension auto-update surface.
VS Code extension auto-update: VS Code has no release-age or cooldown control for extension updates; extensions auto-update the moment a new version publishes, which is the exposure the 286 upvoters are asking to close.

sources (1)

other https://github.com/microsoft/vscode/issues/316867 "I've disabled extension updates on my VSCode" 2026-05-17
supply-chain-security, vscode, devsecops, dependencies, extensions