Does corporate IT need to whitelist every VSCode extension that's being used? I can see the logic - it's running arbitrary code on your system as your user on their network - but damn! How does that even work? A self-hosted VSCode marketplace or something?
Basically. VSCode supports airgap install or offline install of plugins. Store them in Artifactory in an arbitrary location like vs-code-plugins and then ask an admin to install them on your VM.
Ouch. We are headed that direction. The problem is, if a vulnerability is found in a plugin, then you have to get everyone to manually upgrade. Doing it this way means everyone’s software is always out of date, which has its own drawbacks too.
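An added example, not part of the thread and not any poster's code: one way to spot the drift described above is to compare each machine's `code --list-extensions --show-versions` output against the approved list with a minimum version per extension. The allowlist entries, the sample listing and the function names are constructed for illustration.

```python
import re

# Constructed allowlist: extension id -> minimum approved version (assumed values).
ALLOWLIST = {
    "ms-python.python": "2024.2.0",
    "redhat.vscode-yaml": "1.14.0",
}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_OUTPUT = """\
ms-python.python@2024.0.1
redhat.vscode-yaml@1.14.0
Example.Unreviewed-Theme@0.3.1
"""

def parse_version(text):
    """Turn '1.14.0' into (1, 14, 0), ignoring any pre-release or build suffix."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", core))

def audit(listing, allowlist):
    """Sort installed extensions into unapproved, outdated and ok."""
    # Ids are matched case-insensitively (a choice made for this example).
    approved = {ext.lower(): ver for ext, ver in allowlist.items()}
    findings = {"unapproved": [], "outdated": [], "ok": []}
    for line in listing.splitlines():
        ext_id, sep, version = line.strip().rpartition("@")
        if not sep:
            continue  # blank line or CLI noise without an id@version pair
        minimum = approved.get(ext_id.lower())
        if minimum is None:
            findings["unapproved"].append(ext_id)
        elif parse_version(version) < parse_version(minimum):
            findings["outdated"].append((ext_id, version, minimum))
        else:
            findings["ok"].append(ext_id)
    return findings

if __name__ == "__main__":
    for category, items in audit(SAMPLE_OUTPUT, ALLOWLIST).items():
        print(category, items)
```

On a real machine, feed `audit` the captured output of `code --list-extensions --show-versions` instead of the sample.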