VS Code: Weekly Recap - Security & Chat Enhancements
This week brought significant security improvements and chat functionality enhancements, with 4 merged pull requests and 30 additional commits focused on authentication, file handling, and user experience improvements.
Duration: PT2M23S
Transcript
Good morning. This is your VS Code weekly recap for May 17th through 24th, 2026.
Four PRs merged and 30 additional commits this week, with a strong focus on security hardening and chat feature development.
Starting with fixes: The team resolved an issue with Copilot's customization updates during terminal steering operations. Previously, the system was incorrectly emitting empty customization blocks that confused the language model. The fix now preserves frozen system prompts instead of signaling false removals.
Infrastructure updates included two PRs addressing build validation. The team excluded MXC SDK binaries from version info sanity checks, as these signed binaries don't include ProductName resources. A follow-up commit resolved related build failures. Additionally, Copilot CLI smoke tests were updated to use existing environment variables for better reliability.
Several major commits enhanced security and functionality. The team implemented secure storage for MCP OAuth client secrets, moving them from plain-text configuration files to the OS secret storage service. Users now see a codelens interface for managing secrets, with proper masking and deletion options.
Chat improvements were significant this week. The agent host system received a major refactor, replacing the legacy editing session with a direct external edit progress system. This reduces complexity while maintaining diff visualization capabilities. The team also enhanced logging for language model resets and fixed authentication regressions affecting non-OAuth Copilot token pathways.
Security received particular attention with path traversal protection in the Create Workspace feature. The system now validates file tree node names and rejects unsafe patterns like empty names, parent directory references, and path separators. Runtime guards prevent any traversal attempts from escaping workspace boundaries.
Additional notable work included browser view CDP emulation support, chat session state migration improvements for backwards compatibility, and fixes for background conversation compaction across model switches.
Development continues on authentication improvements and chat feature enhancements. Expect continued focus on security hardening and user experience refinements.
That's your VS Code update for this week. We'll be back next Monday with more development news.