My first reaction has been: when we install some node modules, import them and eventually run them, we do grant local execution permissions to whatever the authors of those modules coded in their scripts, right? More or less every language already suffer from the same problem. Who vets the code inside a Ruby gem, a Python package, etc? Add your favorite language.
However I did not know about tasks.json (I don't use VSC) and when I googled it I found the example at https://code.visualstudio.com/api/extension-guides/task-prov... and that is about running rake (Ruby.) So this is a little worse than installing malicious packages: the trigger is opening a malicious repository from the editor. Is this a common practice? If it is, it means two things: 1) the developer did not take an explicit choice of installing and running code, so even the possibility of an attack is unexpected and 2) it affects users of any language, even the ones that have secured package installation or have no installation of packages from remote.
I do feel like better application sandboxing is needed but so much open source software is built on the Unix abstraction meaning you have to run in a container, but macOS doesn’t have containers as far as I can see, and containers themselves are a bit of a poor abstraction, although maybe the best we can do with Unix at the core. I think something closer to Roblox studio would be cool where when you open an environment stuff just spins up in the background, but there is a good debugger, logging, developer ide, good rendering, eg 3d graphics, separate projects are separate, and when you spin down a game (read app or project) everything spins down.
It's a good idea so it can't take over your dev machine.
But not sufficient since it'll still F over whatever code you are working on resulting in a backdoored app getting deployed + infected dev scripts etc bringing interesting times to your teammates, downstream open source project users, your api keys and cloud credentials getting compromised etc.
> Coming from the perspective of an eclipse fan, why is VS code the defacto answer nowadays?
Is eclipse good now? I used it 15 years ago. It took ages to start. It was a memory hog and it was dog slow besides. My entire team got RAM upgrades on our computers because the default company issued machines (which were quite good at the time) didn't have enough RAM to use eclipse properly.
This is exactly what I was going to say. I used eclipse in college when learning Java. Back then it was bloated, slow, had really bad UX, and would occasionally crash for no reason I could ascertain (I was just doing basic school projects. Linked lists, binary search trees, etc...)
VS Code, although it is starting to go get a bit bloated, has always been extremely responsive and snappy. Yeah I've had it crash, but I was never surprised that it crashed. (e.g. opening enormous files, running several instances at once with tons of tabs open, long debugging sessions, etc...)
Definitely, it has been at least a decade since I had plugins corrupt my workspace, and there are old Reddit comments of me complaining about in on /r/java.
Load VSCode with the same amount of plugins, each requiring its own process, to see how "fast" it runs, not to mention Electron crap, there is a reason so many Microsoft plugins are actually written in C++ and Rust.
Todays hard drives are faster then memory was back then, so it's probably not an issue now. Could probably reparse your entire code base at every key stroke without you noticing.
> It took ages to start. It was a memory hog and it was dog slow besides. My entire team got RAM upgrades
The more things change, the more they stay the same. I used to use VS Code on some very large C projects with 16GB of RAM, and my machine would grind to a halt while intellisense was indexing.
How much ram did you have, and when was this? I remember being extremely happy with Eclipse on an 8GB machine - this was back in the jvm7 days. Heck, I did jvm6 development with Eclipse on Windows XP with 4GB of ram and was content.
Eclipse gets a lot of automatic hate - I believe mostly since a lot of people first use it in university and struggled with their first real IDE.
For years and years I had people telling me how great IntelliJ was, etc. I eventually switched - lo and behold, IntelliJ had just as many quirks (even some of the same) as Eclipse.
It was 2010. Our default work machines had 16gb of ram. Eclipse ran, but it was tight. Especially while debugging. Some developers also apparently liked to open a second eclipse instance for some reason. You'd go OOM pulling stunts like that.
They upgraded all of us to 32gb. 32gb doesn't sound like a lot of ram now, but in 2010 it seemed pretty wild to me. Especially for just running an IDE.
In eclipse's defence, we were working on a very large java codebase. But that shouldn't have been a surprise to anyone. I've never seen a java codebase come in any other size.
I'm running intellij (RustRover) right now, and its sitting on about 4.5gb of ram. That still seems very inefficient to me. But it doesn't sound that bad compared to eclipse.
That seems incredible. 16GB of ram to run (presumably windows 10) and Eclipse?
Eclipse, unlike IntelliJ offers "project" view were you have have many "solutions" open at once. Even with multiple Eclipse instances open, it's hard to imagine it consuming so much ram.
Perhaps you had other company-required software running. I was working on relatively largeish codebases and very happy with 8GB of ram until 2018ish.
Regardless, an IDE is more than a text editor, so your claim that RustRover with 4.5GB of ram is inefficient is misguided.
>They upgraded all of us to 32gb. 32gb doesn't sound like a lot of ram now, but in 2010 it seemed pretty wild to me. Especially for just running an IDE.
I used eclipse in university around that time (2005), then first switched to netbeans which I already liked more, then discovered IntelliJ and have been using that ever since. Everything about Eclipse felt worse in ways neither of the others did, but all of that was still during university (though I now use JetBrains professionally).
I switched to VSCode because it has a free editor with a really great jump to file hotkey.
I remember when the big VS added jump to file but it was so damn miserably implemented as to be useless.
Having worked at Microsoft for a decade, the most frequent way I navigated a large source tree was dir /s *partialfilename*.*
Then again while I was there, most code bases couldn't even open in Visual Studio. (highly team dependent, I was mostly on older C/C++ code bases.)
Some teams at MS paid for an editor called Source Insight, which indexed your code and could also parse C #defines and other preprocessor macros, which was super unique and powerful. It had an incredibly powerful symbol and fuzzy filename search capabilities, I'd frequently have Source Insight open just so I could find where in a folder structure a file was and then I'd open it up in my preferred editor.
Back when I got my first SSD the largest boost to my dev productivity was not in compile times (large C++ code bases tend to template bound more so than IO bound), it was how fast I could find files in the directory structure.
I'm sure Vi/Emacs users have some magic set of plugins that do all of this for them, but as someone back on Windows back in the 2000s and 2010s, the supported MS tooling was horrible at all this.
Then VS Code comes along with amazing fuzzy file name matching. Holy cow. Sure it is missing 90% of the power of real Visual Studio (being able to have a debugger step from front end web code to your backend and then into stored procedures in SQL, running on a remote machine, that your debugger transparently auth'd to, is something Microsoft had working 20 years ago and would be considered impossible dark magic with today's tooling), but wow can I navigate a project quickly!
Site license to source insight was something I missed badly after Microsoft. Bought my own copy. It did wonders when looking at Snowflake monorepo, which was otherwise impossible to understand . Great piece of software, still going strong too.
Same here! Easily jumping between files is one of the best features. I always have VS and vscode open simultaneously, doing about 99% of the work in vscode and only using VS to compile and to debug.
I don't really like VS Code either, but I personally use it because I tend to jump between a half-dozen semi-obscure languages, and VS Code is the only [0] editor that supports all of them.
[0]: Vim and Emacs have almost as good or slightly better language support, but I prefer GUIs over TUIs.
Eclipse is not safer it just has fewer people looking for holes in it. The problem is not the software but how we trust code from the internet. Even if you used Eclipse a fake recruiter could still trick you into running a bad script. We cannot fix social engineering by changing the text editor.
For me vscode is super-lightweight and at the same time has enough functionality. I didn't use Eclipse for many years, but from my memory it was super-heavyweight. And it didn't really support anything except Java.
Interestingly Java is the only language that I've found vscode support poor, so I keep buying Idea license exclusively for Java projects. For rest of languages that I use (JS/TS, Go, Python, Shell, YAML, XML) I'm using vscode and happy about it.
In recent years vscode starting to get bloated, mostly with AI stuff. But so far I can disable everything AI with a single setting and it works good afterwards. I'd prefer for all AI features to be contained in a separate plugin that I can just not install, but I guess managers these days want to shove AI in everyone's throat.
Another good thing about vscode is that its written with JavaScript and can be launched in browser, so in the future I want to put my development environment in the browser, but so far I didn't do that.
Never liked Eclipse, but I’ve been forced to use VSCode over my preferred JetBrains IDEs because it is the only modern mainstream editor with a competent client-server mode. As in, actually rendering the UI locally while doing all the code indexing and intelligence on the server. Corporate world would much rather maintain disposable remote VMs than help you unfuck your laptop after whatever required security upgrade installs the wrong version of a scripting language and sends everything to hell.
They're not using the remote VM as a server but as the development machine though. You don't want to have to git commit and push every time you need to run or even type-check your code.
I think what GP describes is actually a pretty okay solution for orgs that don't want to provider their devs with local admin privileges.
Seems very odd to me that someplace would force the use of a particular development tool. I've seen it only one time while interviewing, where they wanted everyone to have identical setups so they could easily hop onto each others computers when needed... it was weird and I took it as a red flag and didn't follow through them them.
Some software development workflows require specific tooling, with complex setups. While it may be possible to do with other tools, it's often very difficult, and not really worth the trouble when there is a known working setup. It's easier to onboard new people if they use the established toolchain with known working configs. I worked at a place once where it took several days to get the dev environment set up. It would have taken far longer if someone wanted to use whatever random tool they'd prefer to use.
Wanting to be able to use anybody's machine is very strange, agreed.
From a support/IT perspective though, the closer everybody's machine is, the easier the job is.
The last software shop I worked at, we had a default set of tools and configs. It was a known happy path. You were allowed to adventure off of that path, but you were mostly on your own.
> Wanting to be able to use anybody's machine is very strange, agreed.
Very useful if people are struggling to create reliable repro steps that work for me - I can simply debug in situ on their machine. Also useful if a coworker is struggling to figure something out, and wants a second set of eyes on something that's driving them batty - I can simply do that without needing to ramp up on an unfamiliar toolset. Ever debugged a codegen issue that you couldn't repro, that turned out to be a compiler bug, that you didn't see because you (and the build servers) were on a different version? I have. There are ways to e.g. configure Visual Studio's updater to install the same version for the entire studio, which would've eliminated some of the "works on my machine" dance, but it's a headache. When a coworker shows me a cool non-default thing they've added a key binding for? I'll ask what key(s) they've bound it to if they didn't share it, so we share the same muscle memory.
Devcontainers[1] or some similar technology are a must. Use whatever specific IDE you want, but the development environment itself should be identical across everyone on the team.
No more "works on my computer" issues. The environment is always identical.
It's quite common if you work in a team of engineers, or in a large company with many engineers.
Having consistent machine and OS and app configurations enables better (lower cost, higher reliability) scripting and tooling solutions in things like repos and infrastructure.
Not unlike consistency in language and compiler choices.
Having a consistent setup makes it easier for your organization's IT team to support you, troubleshoot issues, etc. It also makes it easier for you to collaborate with other members of your team, or even other teams. If your coworker Fred comes to you asking for help on how to refactor something, for instance, it will go much more easily if you're running the same IDE with the same refactoring tools.
Organizations establish and enforce standards for a reason.
I've also used Eclipse in the past but almost exclusively used vscode in recent years. It's just a phenomenal text editor. It's got fantastic multi-line selection and editing tools and searching for files is instant and you don't even need to be fully accurate with the filename. Nowadays I hardly ever use the sidebar to look for the file, I just type thr ctrl+e shortcut and insert several letters of the file and I instantly get the result. It's a small thing with a huge impact. VS, for comparison, lags a few seconds when searching files, and it misses files that are not imported into the workspace. That difference makes VS useless to me.
The only thing that matters is extensibility/customization and speed. I want the lightest, most customizable thing that isn't emacs (for real reasons, trying to set up emacs at work is too much of pain in the ass) as my single pane of glass on any OS I care to use. If it can't do that, it doesn't live long.
I bucket Eclipse under "heavyweight IDE". I used to use it, plus the CDT plugin, for my C++ nonsense.
Then Visual Studio's Express and later Community SKUs made Visual Studio free for ≈home/hobby use in the same bucket. And they're better at that bucket for my needs. Less mucking with makefiles, the mixed ability to debug mixed C# and C++ callstacks, the fact that it's the same base as my work tools (game consoles have stuff integrating with Visual Studio, GPU vendors have stuff integrating with Visual Studio, the cool 3rd party intellisense game studios like integrates with Visual Studio...)
Eclipse, at least for me, quickly became relegated to increasingly rare moments of Linux development.
But I don't always want a heavyweight IDE and it's plugins and load times and project files. For a long time I just used notepad for quick edits to text files. But that's not great if you're, say, editing a many-file script repository. You still don't want all the dead weight of a heavy weight IDE, but there's a plethora of text editors that give you tabs, and maybe some basic syntax highlighting, and that's all you were going to get anyways. Notepad++, Sublime Text, Kate, ...and Visual Studio Code.
Well, VSC grew some tricks - an extension API for debuggers, spearheading the language server protocol... heck, I eventually even stopped hating the integrated VCS tab! It grew a "lightweight IDE" bucket, and it serves that niche for me well, and that's a useful niche for me.
In doing so, it's admittedly grown away from the "simple text editor" bucket. If you're routinely doing the careful work of auditing possibly malicious repositories before touching a single build task, VSC feels like the wrong tool to me, despite measures such as introducing the concept of untrusted repositories. I've somewhat attempted to shove a round peg into a square hole by using VSC's profiles feature - I now have a "Default" profile for my coding adventures and a "Notes" profile with all the extensions gone for editing my large piles of markdown, and for inspecting code I trust enough to allow on disk, but not enough to autorun anything... but switching editors entirely might be a better use of my time for this niche.
I would say the answer is that's not the general perception of the software. I'm personally migrating out of VSCode, because having to use the OpenVSX registry to have open-source builds makes me mad (I've since migrated to Zed for now, since I've never adapted well to neovim nor emacs).
In general, I believe most people see VSCode as "good enough". Maybe not the best text editor, but it's good enough at everything it does and extensible enough to the point that there's really no point to go for anything else unless you have a really good reason to.
> Im guessing the answer is probably Java is why eclipse is out of favor.
My previous answer is thinking about editors in general. But in the case of Eclipse I'd say you're right LOL.
People forget that there was a period of time during which the Java runtime installer tried to install actual adware. You had to jump through hoops to deselect adware from being forced onto your machine, it was infuriating.
Setting up a new machine, I could choose between Eclipse (free, took forever to open, slow, asked me a million questions before it let me start working) or Visual Studio (cost money, incredibly powerful, written in C++ and was really damn fast.)
It just happens. I was happy on netbeans, then I was forced over to eclipse, which I got used to. Then I got forced over to intellij. I'm still pissed about that (even though it's rider for me these days).
I don't mind VSCodium that much because I can put my tooling on the side (like a good unix fanboy) instead of hoping that jetbrains reimplements every other tool. Ag, grep beat IDE searches any day.
But yeah we have reach a stupid point in the industry where VSCodium asks me to trust a codebase before it will let me edit it.
I’ve never written a line of Java in my life. Why would I ever use Eclipse?
VSCode is defacto standard because it’s kinda mediocre but works ok enough for every language and every platform. Microsoft created and popularized LSP so VSCode isn’t a single language IDE.
I use a mixture of code editors. My favorite is probably 10x but it only works with C++. So VSCode is just a reasonably standard unless a different editor is better for a specific use case.
As I remember it, VS code was Microsoft’s response to Sublime.
Sublime was exceptionally popular for web developers throughout the 2010s.
Sublime was maintained by a single person as far as I know.
VS code was pretty much a copy of Sublime but with a much better extensions system and relatively quickly there were some great plugins that made VS code the de-facto editor for web development.
Nope it started as a Web IDE, going against Atom was their pivot to win market share, there are a few talks from the team if you search for VSCode history.
Yes, Atom was an earlier shot at building a Sublime competitor too.
I don’t know how usage of Atom compared to Sublime, but within my friends and colleagues it was only when VS code got good that people started moving away from Sublime.
I can only speak for $MY_JOB, but I'm pretty sure everyone was on Atom before VSC "got good". Atom had a good plugin ecosystem; what really drove the change was Atom's horrible performance issues whereas VSC was snappy and responsive.
What I believe also influenced the shift was that at that point in time MS had accumulated a decent amount of developer trust by giving us TypeScript and later on by acquiring GitHub. They appeared to care and have the right vision for open source.
Load time is in seconds, even with the program cached. I can still load vim with a ton of plugins[0] and still load a project in a few hundred milliseconds.
Maybe VS Code is faster with fewer plugins but it's still "dog slow" to load and run. Only thing I'm "missing" in vim is the bloat
[0] personal I only use a handful but I've played around because why not
With LazyVim (requires NeoVim) and its load-on-demand architecture, startup time usually stays below 50 milliseconds even with a ton of plugins. Below 50ms is fast enough that it feels instant. Aliasing `nvim` to `n` in my ~/.bash_aliases just makes it even faster. cd to a project directory, run `n .` and I'm looking at the NeoVim file explorer plugin for that project directory. No break in thought flow, no standing up to get coffee while the IDE loads, just keep going.
Your focus on startup speed feels really alien to me. When working on a project I just keep vscode open. I reboot maybe once a week and starting vscode again takes about a second, and then maybe 10s of seconds of background processing, depending on the project size, for the language server to become fully operational. That's more than good enough for me.
I've done a lot of shell-driven development in the 00s though, and I remember it did involve frequently firing up vim instances for editing just a single file. I no longer understand the appeal of that approach. Navigating between files (using fuzzy search or go-to-definition) is just a lot faster and more convenient.
Thing that IntelliJ and even NetBeans have going for them is that they seem like tools for getting work done. Eclipse puts more emphasis on being a platform which means you have to download and configure plugins just to get started. Great if you're a corporate shop with a standard setup that's force-pushed to every machine. Not so much if you're just getting started or working on side projects or in a startup, which is how languages and frameworks gain mindshare in the web era.
Visual Studio Code—I dunno. It's an editor more than an IDE. It lets Webdev Andys create an empty directory, put an index.ts in there, and get started right away. Yes, WebStorm does the same, but VS Code comes with decent multilanguage support for free. It's like vim or Emacs but crappier and more bloated, but a lot of people don't care about that.
It's the license. The MIT license is what makes VSCode the defacto answer.
It also runs on the web, which makes it extremely convenient to toss into...web things. It's the code editor for the Google Cloud console, the Lambda web console, the GitHub web editor, and so on.
I'm going to guess that Eclipse doesn't have the same amount of security issues because it's not a popular target. Everyone (relatively speaking) is using VSCode or something based on it.
It is scary that a text editor can run hidden code just by opening a folder. We traded our safety for convenience and now we are paying the price. Users will always click the button to trust a file if they think it helps them work faster. We cannot blame them when the software design makes it so easy to make a mistake.
You are right that the computer asks you. But people click yes because they are used to ignoring warning signs. The software relies on people making perfect choices every time and that never happens.
It should tell me what should I look before I trust it. Not trusting the workspace means I might as well use Notepad to open it. I wouldn't think that tasks.json include autorun tasks in addition to build actions.
The article doesnt' claim it's executed straight up either ("can result") but it's pretty ambiguous:
> When the project is opened, Visual Studio Code prompts the user to trust the repository author. If that trust is granted, the application automatically processes the repository’s tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system.
In the screenshot the task is named "node" - so it's a bit like embedding a malicious Makefile target as a backdoor.
Except harder to spot since it's in a obscure .vscode/somethingsomething json file. (And probably you can easily fool GH Copilot to run it)
When the project is opened, Visual Studio Code prompts the user to trust the repository author. If that trust is granted, the application automatically processes the repository’s tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system.
Sigh. It's so Microsoft to just run random stuff.
Of course, in the Linux world, we have "Install with"
Maybe I'm a dinosaur in this regard but I don't like nor trust any of these desktop application that are really just Web technologies with an embedded browser eg Discord.
They're resource hogs and the attack surface is huge. You're basically betting that automatic code that's run won't find a vulnerability and escape the sandbox from an entire browser.
I have way more trust in Jetbrains IDEs and the JVM as a sandbox vs HTML/CSS/JS.
Still, I'm always impressed at the ingenuity of the people who come up with these attacks and the people who find them.
Won’t IDEA automatically index/execute some Gradle code when possible? As soon as you execute an arbitrary binary/script from the project directory, the isolation of the JVM doesn’t matter.
This particular vulnerability relied upon passing the require function to a scope to allow the loading and running of arbitrary code. This is what I tend to call a blacklist approach. You're saying in this sandbox certain features can't be used because they will allow escape.
The alternative is a whitelist approach. Instead of disallowing dangerous features you're enabling only the features you need.
So a build system like Gradle or Maven (same thing really) has a limited set of primitives it is allowing access to. It's not loading, say, the entire JVM and all the Java core libraries and then listing all those you can't use.
You see the difference? If nothing else, the blacklist approach is going to fail when the virtual machine (or whatever) adds a new API call upstream and it's added without intent to the sandbox by simply doing an update where nobody has thought to disable it.
Another way of looking at this is Gradle isn't being compiled into Java bytecode and run in the same environment as the IDE (sandboxed or otherwise). That is inherently riskier.
Yep. You’d think using web tech would make it really easy to sandbox any 3rd party JavaScript that gets run. But I suppose sandboxing is simply too inconvenient.
Because that isn't how it happens, the plugin model relies on external processes with OS IPC, most of them rely on basic process security model, and aren't even implemented in JavaScript due to performance.
Agree. But the first build you do after that clone/checkout is risky too. Maybe not as wide open, as the build-tool makers are a line of defence if they're acting on classes of vuln.
"Code provides features that may automatically execute files in this folder. If you don't trust the authors of these files, we recommend to continue in
restricted mode as the files may be malicious."
If you proceed with "Trust Project" you're at your own fault.
You know what would be better? Telling me explicitly what file/script will run and asking permission for that. A blanket message every time is no better than the cookie popups and doesn’t tell me if the project has 0 files that will run.
The "trust project" feature has been designed to be so extremely intrusive and annoying that the first thing I do is to completely disable it whenever I install VS Code on a new computer. This "solution" was just done to tick some box and put the blame on the user when a security incident happens. It's pretty similar to Windows Vista where it annoyed you with a disruptive popup so many times during the normal course of actions that most people ended up disabling the whole UAC system. Overall security goes down, and Microsoft has a nice excuse.
Vista's annoyance had a purpose, to get program developers to change things to run without escalation. They didn't want you disabling UAC, and these days it breaks things to disable UAC.
By only having an upfront project-wide toggle, VS Code is much worse.
However I did not know about tasks.json (I don't use VSC) and when I googled it I found the example at https://code.visualstudio.com/api/extension-guides/task-prov... and that is about running rake (Ruby.) So this is a little worse than installing malicious packages: the trigger is opening a malicious repository from the editor. Is this a common practice? If it is, it means two things: 1) the developer did not take an explicit choice of installing and running code, so even the possibility of an attack is unexpected and 2) it affects users of any language, even the ones that have secured package installation or have no installation of packages from remote.
Anything else that should be locked down?
But not sufficient since it'll still F over whatever code you are working on resulting in a backdoored app getting deployed + infected dev scripts etc bringing interesting times to your teammates, downstream open source project users, your api keys and cloud credentials getting compromised etc.
Which: They do actually have some container-like sandboxing tech around applications (“iTerm wants to access your downloads folder”).
Im forced to use vs code (so biased), but everything seems worse than eclipse, plus these repeated security issues from malware laced projects.
Theres been several posts about infected projects by fake recruiters here in the last year or two.
Im guessing the answer is probably Java is why eclipse is out of favor.
Is eclipse good now? I used it 15 years ago. It took ages to start. It was a memory hog and it was dog slow besides. My entire team got RAM upgrades on our computers because the default company issued machines (which were quite good at the time) didn't have enough RAM to use eclipse properly.
I can't imagine why it went out of favour...
VS Code, although it is starting to go get a bit bloated, has always been extremely responsive and snappy. Yeah I've had it crash, but I was never surprised that it crashed. (e.g. opening enormous files, running several instances at once with tons of tabs open, long debugging sessions, etc...)
But now I use NeoVim so none of that matters...
Load VSCode with the same amount of plugins, each requiring its own process, to see how "fast" it runs, not to mention Electron crap, there is a reason so many Microsoft plugins are actually written in C++ and Rust.
The more things change, the more they stay the same. I used to use VS Code on some very large C projects with 16GB of RAM, and my machine would grind to a halt while intellisense was indexing.
Relevant: https://news.ycombinator.com/item?id=43788332
Eclipse gets a lot of automatic hate - I believe mostly since a lot of people first use it in university and struggled with their first real IDE.
For years and years I had people telling me how great IntelliJ was, etc. I eventually switched - lo and behold, IntelliJ had just as many quirks (even some of the same) as Eclipse.
More like Eclipse struggled on the kind of hardware that people could afford as a student.
My main memories of Eclipse (15 years ago at this point) are waiting forever for it to start up, though it was pretty adequate after that.
No, it’s an IDE first. Not a text editor that’s extensible. It has a lot of features built-in, pre-enabled, and configured out of the box.
Yes, it can edit text. But it can do a lot more.
They upgraded all of us to 32gb. 32gb doesn't sound like a lot of ram now, but in 2010 it seemed pretty wild to me. Especially for just running an IDE.
In eclipse's defence, we were working on a very large java codebase. But that shouldn't have been a surprise to anyone. I've never seen a java codebase come in any other size.
I'm running intellij (RustRover) right now, and its sitting on about 4.5gb of ram. That still seems very inefficient to me. But it doesn't sound that bad compared to eclipse.
Eclipse, unlike IntelliJ offers "project" view were you have have many "solutions" open at once. Even with multiple Eclipse instances open, it's hard to imagine it consuming so much ram.
Perhaps you had other company-required software running. I was working on relatively largeish codebases and very happy with 8GB of ram until 2018ish.
Regardless, an IDE is more than a text editor, so your claim that RustRover with 4.5GB of ram is inefficient is misguided.
With the current prices it is still wild mate.
I remember when the big VS added jump to file but it was so damn miserably implemented as to be useless.
Having worked at Microsoft for a decade, the most frequent way I navigated a large source tree was dir /s *partialfilename*.*
Then again while I was there, most code bases couldn't even open in Visual Studio. (highly team dependent, I was mostly on older C/C++ code bases.)
Some teams at MS paid for an editor called Source Insight, which indexed your code and could also parse C #defines and other preprocessor macros, which was super unique and powerful. It had an incredibly powerful symbol and fuzzy filename search capabilities, I'd frequently have Source Insight open just so I could find where in a folder structure a file was and then I'd open it up in my preferred editor.
Back when I got my first SSD the largest boost to my dev productivity was not in compile times (large C++ code bases tend to template bound more so than IO bound), it was how fast I could find files in the directory structure.
I'm sure Vi/Emacs users have some magic set of plugins that do all of this for them, but as someone back on Windows back in the 2000s and 2010s, the supported MS tooling was horrible at all this.
Then VS Code comes along with amazing fuzzy file name matching. Holy cow. Sure it is missing 90% of the power of real Visual Studio (being able to have a debugger step from front end web code to your backend and then into stored procedures in SQL, running on a remote machine, that your debugger transparently auth'd to, is something Microsoft had working 20 years ago and would be considered impossible dark magic with today's tooling), but wow can I navigate a project quickly!
[0]: Vim and Emacs have almost as good or slightly better language support, but I prefer GUIs over TUIs.
Interestingly Java is the only language that I've found vscode support poor, so I keep buying Idea license exclusively for Java projects. For rest of languages that I use (JS/TS, Go, Python, Shell, YAML, XML) I'm using vscode and happy about it.
In recent years vscode starting to get bloated, mostly with AI stuff. But so far I can disable everything AI with a single setting and it works good afterwards. I'd prefer for all AI features to be contained in a separate plugin that I can just not install, but I guess managers these days want to shove AI in everyone's throat.
Another good thing about vscode is that its written with JavaScript and can be launched in browser, so in the future I want to put my development environment in the browser, but so far I didn't do that.
Corporate never seems to get that git is the kind of interface you want between your computer and their servers.
Then when you trash your computer you can just get it back to the state of being able to git.
I think what GP describes is actually a pretty okay solution for orgs that don't want to provider their devs with local admin privileges.
I haven't reevaluated that choice in a while, but that plus LSP support (and to a lesser extent ML Auto-complete) are must-haves for me nowadays.
From a support/IT perspective though, the closer everybody's machine is, the easier the job is.
The last software shop I worked at, we had a default set of tools and configs. It was a known happy path. You were allowed to adventure off of that path, but you were mostly on your own.
Very useful if people are struggling to create reliable repro steps that work for me - I can simply debug in situ on their machine. Also useful if a coworker is struggling to figure something out, and wants a second set of eyes on something that's driving them batty - I can simply do that without needing to ramp up on an unfamiliar toolset. Ever debugged a codegen issue that you couldn't repro, that turned out to be a compiler bug, that you didn't see because you (and the build servers) were on a different version? I have. There are ways to e.g. configure Visual Studio's updater to install the same version for the entire studio, which would've eliminated some of the "works on my machine" dance, but it's a headache. When a coworker shows me a cool non-default thing they've added a key binding for? I'll ask what key(s) they've bound it to if they didn't share it, so we share the same muscle memory.
No more "works on my computer" issues. The environment is always identical.
[1] https://containers.dev/
Having consistent machine and OS and app configurations enables better (lower cost, higher reliability) scripting and tooling solutions in things like repos and infrastructure.
Not unlike consistency in language and compiler choices.
Organizations establish and enforce standards for a reason.
Threat model described is not unique to VS Code
Personally I'm kind of lukewarm on VS Code, it's fine, but CLion, Visual Studio Proper, and RustRover are better for me.
I see why people use it though, it's not a bad editor at all.
For Java, I'm all over IntelliJ.
Then Visual Studio's Express and later Community SKUs made Visual Studio free for ≈home/hobby use in the same bucket. And they're better at that bucket for my needs. Less mucking with makefiles, the mixed ability to debug mixed C# and C++ callstacks, the fact that it's the same base as my work tools (game consoles have stuff integrating with Visual Studio, GPU vendors have stuff integrating with Visual Studio, the cool 3rd party intellisense game studios like integrates with Visual Studio...)
Eclipse, at least for me, quickly became relegated to increasingly rare moments of Linux development.
But I don't always want a heavyweight IDE and it's plugins and load times and project files. For a long time I just used notepad for quick edits to text files. But that's not great if you're, say, editing a many-file script repository. You still don't want all the dead weight of a heavy weight IDE, but there's a plethora of text editors that give you tabs, and maybe some basic syntax highlighting, and that's all you were going to get anyways. Notepad++, Sublime Text, Kate, ...and Visual Studio Code.
Well, VSC grew some tricks - an extension API for debuggers, spearheading the language server protocol... heck, I eventually even stopped hating the integrated VCS tab! It grew a "lightweight IDE" bucket, and it serves that niche for me well, and that's a useful niche for me.
In doing so, it's admittedly grown away from the "simple text editor" bucket. If you're routinely doing the careful work of auditing possibly malicious repositories before touching a single build task, VSC feels like the wrong tool to me, despite measures such as introducing the concept of untrusted repositories. I've somewhat attempted to shove a round peg into a square hole by using VSC's profiles feature - I now have a "Default" profile for my coding adventures and a "Notes" profile with all the extensions gone for editing my large piles of markdown, and for inspecting code I trust enough to allow on disk, but not enough to autorun anything... but switching editors entirely might be a better use of my time for this niche.
Some people just want a text editor, whereas eclipse is “an IDE and Platform”.
Eclipse failed because it was slow and janky and had abysmal UX and it only supported Java well.
VSCode succeeded because it has a much more sane UX, it's way less janky, it's highly extensible and language neutral.
In general, I believe most people see VSCode as "good enough". Maybe not the best text editor, but it's good enough at everything it does and extensible enough to the point that there's really no point to go for anything else unless you have a really good reason to.
My previous answer is thinking about editors in general. But in the case of Eclipse I'd say you're right LOL.Setting up a new machine, I could choose between Eclipse (free, took forever to open, slow, asked me a million questions before it let me start working) or Visual Studio (cost money, incredibly powerful, written in C++ and was really damn fast.)
I don't mind VSCodium that much because I can put my tooling on the side (like a good unix fanboy) instead of hoping that jetbrains reimplements every other tool. Ag, grep beat IDE searches any day.
But yeah we have reach a stupid point in the industry where VSCodium asks me to trust a codebase before it will let me edit it.
VSCode is defacto standard because it’s kinda mediocre but works ok enough for every language and every platform. Microsoft created and popularized LSP so VSCode isn’t a single language IDE.
I use a mixture of code editors. My favorite is probably 10x but it only works with C++. So VSCode is just a reasonably standard unless a different editor is better for a specific use case.
Sublime was exceptionally popular for web developers throughout the 2010s.
Sublime was maintained by a single person as far as I know.
VS code was pretty much a copy of Sublime but with a much better extensions system and relatively quickly there were some great plugins that made VS code the de-facto editor for web development.
I don’t know how usage of Atom compared to Sublime, but within my friends and colleagues it was only when VS code got good that people started moving away from Sublime.
What I believe also influenced the shift was that at that point in time MS had accumulated a decent amount of developer trust by giving us TypeScript and later on by acquiring GitHub. They appeared to care and have the right vision for open source.
> I don't use it because it's so dog slow.
You might find it runs better with fewer plugins.
Maybe VS Code is faster with fewer plugins but it's still "dog slow" to load and run. Only thing I'm "missing" in vim is the bloat
[0] personal I only use a handful but I've played around because why not
I've done a lot of shell-driven development in the 00s though, and I remember it did involve frequently firing up vim instances for editing just a single file. I no longer understand the appeal of that approach. Navigating between files (using fuzzy search or go-to-definition) is just a lot faster and more convenient.
Visual Studio Code—I dunno. It's an editor more than an IDE. It lets Webdev Andys create an empty directory, put an index.ts in there, and get started right away. Yes, WebStorm does the same, but VS Code comes with decent multilanguage support for free. It's like vim or Emacs but crappier and more bloated, but a lot of people don't care about that.
It also runs on the web, which makes it extremely convenient to toss into...web things. It's the code editor for the Google Cloud console, the Lambda web console, the GitHub web editor, and so on.
I'm going to guess that Eclipse doesn't have the same amount of security issues because it's not a popular target. Everyone (relatively speaking) is using VSCode or something based on it.
Other than that, it is more fashionable to ship Chrome with applications and JavaScript is hot. /s
Eclipse remains my main Java IDE at work.
Vim had also had its share of execution vulnerabilities over the years.
https://github.com/numirias/security/blob/master/doc/2019-06...
They're pawning off responsibility without giving people a real choice.
It's like the old permission dialog for Android that was pretty much "do you want to use this app?". Obviously most people just say yes.
There's a reason Google changed that.
To be fair I'm sure Microsoft would switch to a saner permission model if they could but it's kind of too late.
Not the first time. Same with LLMs.
> When the project is opened, Visual Studio Code prompts the user to trust the repository author. If that trust is granted, the application automatically processes the repository’s tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system.
In the screenshot the task is named "node" - so it's a bit like embedding a malicious Makefile target as a backdoor.
Except harder to spot since it's in a obscure .vscode/somethingsomething json file. (And probably you can easily fool GH Copilot to run it)
Sigh. It's so Microsoft to just run random stuff.
Of course, in the Linux world, we have "Install with"
They're resource hogs and the attack surface is huge. You're basically betting that automatic code that's run won't find a vulnerability and escape the sandbox from an entire browser.
I have way more trust in Jetbrains IDEs and the JVM as a sandbox vs HTML/CSS/JS.
Still, I'm always impressed at the ingenuity of the people who come up with these attacks and the people who find them.
The alternative is a whitelist approach. Instead of disallowing dangerous features you're enabling only the features you need.
So a build system like Gradle or Maven (same thing really) has a limited set of primitives it is allowing access to. It's not loading, say, the entire JVM and all the Java core libraries and then listing all those you can't use.
You see the difference? If nothing else, the blacklist approach is going to fail when the virtual machine (or whatever) adds a new API call upstream and it's added without intent to the sandbox by simply doing an update where nobody has thought to disable it.
Another way of looking at this is Gradle isn't being compiled into Java bytecode and run in the same environment as the IDE (sandboxed or otherwise). That is inherently riskier.
When I can avoid it, the better.
If you proceed with "Trust Project" you're at your own fault.
By only having an upfront project-wide toggle, VS Code is much worse.