Skip to content

VS Code Footguns

Mistakes that slow you down, break your environment, or create security risks.

1. Committing .vscode/settings.json with absolute paths

You configure "python.defaultInterpreterPath": "/home/yourname/.pyenv/versions/3.11.5/bin/python" in .vscode/settings.json and commit it. Every teammate's VS Code now points to a path that does not exist on their machine. Python features break silently.

Fix: Use workspace-relative paths or leave machine-specific settings in User settings (not workspace). Only commit .vscode/settings.json with portable, project-level settings. Add machine-specific paths to .gitignore or use ${workspaceFolder} variables.

2. Extension conflicts clobbering each other

You install both Prettier and the Red Hat YAML extension as YAML formatters. On save, they fight — one formats, the other reformats, producing a different result. Files oscillate between two formats on every save.

Fix: Set explicit per-language formatters in settings: "[yaml]": {"editor.defaultFormatter": "redhat.vscode-yaml"}. Disable format-on-save for languages where you do not want automatic formatting. Only one formatter per language.

3. formatOnSave breaking generated files

You have "editor.formatOnSave": true globally. You open a generated file (Helm template, Terraform state, minified JSON) and save it. The formatter rewrites the file. The next pipeline run produces a diff, or worse, the file is now invalid.

Fix: Exclude generated files from formatting: "files.exclude" or language-specific "editor.formatOnSave": false. Add generated paths to .vscode/settings.json exclusions. Never save generated files with format-on-save active.

4. Extensions with unrestricted permissions running silently

You install an obscure extension from the marketplace. It has access to your filesystem, terminal, and network. It phones home with telemetry, reads your .env files, or injects code. You never checked its permissions or source.

Fix: Review extension permissions before installing. Prefer extensions from verified publishers (Microsoft, Red Hat, HashiCorp). Check download counts and ratings. Use VS Code's extension bisect (Help > Start Extension Bisect) to identify misbehaving extensions.

5. Remote-SSH with agent forwarding exposing keys

You connect to a server via Remote-SSH with SSH agent forwarding enabled. Someone with root on that server can use your forwarded agent to authenticate as you to other systems. Your SSH keys are exposed to every hop.

Fix: Disable agent forwarding unless specifically needed: ForwardAgent no in ~/.ssh/config. Use ProxyJump instead of agent forwarding for bastion access. If you must forward, use ssh-add -c to require confirmation for each key use.

6. Integrated terminal inheriting wrong environment

You open VS Code from a GUI launcher. The integrated terminal does not source your .bashrc or .zshrc properly. Environment variables (KUBECONFIG, AWS_PROFILE, PATH additions) are missing. kubectl, terraform, and AWS CLI behave differently than in your regular terminal.

Fix: Set "terminal.integrated.defaultProfile.linux": "bash" and ensure your shell profile is loaded. Or set "terminal.integrated.env.linux" with critical variables. Test by running echo $PATH and echo $KUBECONFIG in the integrated terminal.

7. Workspace trust disabled globally

You disable workspace trust because the prompts are annoying. You open a cloned repo containing a malicious .vscode/tasks.json that runs a script on folder open. The script executes automatically with your permissions.

Fix: Keep workspace trust enabled. Only trust repositories you have reviewed. The trust prompt exists because .vscode/ configs can execute arbitrary code via tasks, launch configs, and extension settings.

8. Auto-save causing constant file-watcher triggers

You enable auto-save with a short delay. Every keystroke triggers a save, which triggers file watchers: nodemon restarts, pytest reruns, Webpack rebuilds, or terraform fmt runs. Your CPU spikes and the feedback loop is unusable.

Fix: Use "files.autoSave": "afterDelay" with a reasonable delay (1000ms+), or use "files.autoSave": "onFocusChange" to save only when switching files. For hot-reload workflows, manual save (Ctrl-S) gives you control over when rebuilds trigger.

9. Git autofetch pulling on metered/slow connections

"git.autofetch": true runs git fetch every 3 minutes by default. On a slow or metered connection (mobile hotspot, airplane WiFi), this consumes bandwidth and can time out, causing VS Code to hang.

Fix: Set "git.autofetch": false when on slow connections. Or increase the interval: "git.autofetchPeriod": 300 (5 minutes). Disable entirely when working offline.

10. Multi-root workspace confusing tool paths

You open a multi-root workspace with app/, infrastructure/, and k8s-config/. VS Code's Python extension picks the wrong interpreter. Terraform extension scans the app folder. The terminal opens in the wrong root.

Fix: Configure per-folder settings in the .code-workspace file. Set "python.defaultInterpreterPath" per folder. Use terminal profiles with explicit working directories. Be explicit about which root each tool operates on.