VS Code

758 readers

1 users here now

founded 1 year ago

MODERATORS

Do you know the .vscode/tasks.json file? You can add it to your project, and will run your configured commands automatically when you open the project ✨ (files.mastodon.social)

submitted 1 month ago* (last edited 1 month ago) by pascalbaljet@mastodon.social to c/vscode@programming.dev

9 comments fedilink hide all child comments

Do you know the .vscode/tasks.json file? You can add it to your project, and @vscode will run your configured commands automatically when you open the project ✨

I use this for the Inertia Table so it starts the web server and Vite without me having to open terminals for them 👌

#Laravel #PHP #JS #coding

top 9 comments

sorted by: hot top controversial new old

[–] mumblerfish@lemmy.world 13 points 1 month ago (1 children)

Hm, yeah ok, should really be careful with that "I trust the developers of this repo" button (or whatever it says)

[–] Lodra@programming.dev 5 points 1 month ago* (last edited 1 month ago) (3 children)

100%

I know a guy that considers git pre-commit hooks a form of code injection and thus a security risk. So he disables them on repos he works with. And to be fair, it’s absolutely a viable vector for attacking developer machines. I think a tasks.json fits into that exact same bucket.

These kinds of automations are suuuper useful and I do like to use them. But also review a code base before cloning!

[–] expr@programming.dev 2 points 1 month ago

Yeah, it's a little insane to me to automatically run code that exists in a file in the current directory, by default.

Like there's a reason that direnv requires you to execute direnv allow if you enter a directory with an .envrc that you hadn't previously approved.

I don't know of any other editor that has this as standard behavior, and for good reason.

[–] FizzyOrange@programming.dev 1 points 1 month ago

I mean... You're probably going to run the code in the repo eventually anyway right? At least in the majority of cases. Tbh I don't think it really changes the threat model significantly.

[–] kogasa@programming.dev 1 points 1 month ago (1 children)

Pre-commit hooks aren't committed to the repo though. What's to disable? Unless it's something like python's precommit module I guess

[–] Lodra@programming.dev 1 points 1 month ago (1 children)

The configuration is often committed to the repo. And some repos heavily rely on the precommit actions running before you can push or have pipelines function correctly

[–] kogasa@programming.dev 1 points 1 month ago

You'd still need to manually install the git hooks though, the .git folder isn't part of the repo

[–] Miaou@jlai.lu 4 points 1 month ago

Can't wait to see CVEs popping up exploiting this feature

[–] emd@cosocial.ca 2 points 1 month ago

@pascalbaljet @vscode no I did not know, thanks!