The Eclipse Foundation has announced plans to enforce security checks before publishing VS Code extensions to the Open VSX Registry, a move aimed at countering supply-chain threats. According to the Eclipse Foundation, the change shifts from a primarily post-publication response to a proactive pre-publish vetting process designed to limit the window of exposure and help keep bad extensions out of the ecosystem.
The verification program is expected to roll out in February 2026 in a staged fashion, with maintainers monitoring newly published extensions and fine-tuning the system rather than blocking publication at once. It will flag scenarios such as clear extension name or namespace impersonation, accidentally published credentials or secrets, and known malicious patterns, and will quarantine suspicious uploads for review.
The initiative comes alongside similar practices in the Microsoft Visual Studio Marketplace, which already conducts multi-step vetting, including malware scanning and rescans after publication. Guindon, the Eclipse Foundation’s director of software development, said the goal is to raise the security floor and maintain a fair, predictable experience for good-faith publishers.