Zed Editor automatically downloads binaries and NPM packages without consent

Automatic Downloads vs. User Consent

  • Many see silent downloads and execution of binaries/LSPs (language servers) as a serious violation of user trust, especially for untrusted code.
  • Others argue prompts for each tool would be unbearable and prefer a smooth, “it just works” experience.
  • Several suggest middle-ground options: one-time global choice (“yes/no and remember”), per-workspace trust, install-time setting, or compile-time configuration for distro builds.

Security, Supply Chain, and Trust Boundaries

  • Key concern: opening a project with malicious npm packages or language tools could execute arbitrary code without the user realizing.
  • Comparisons are drawn to supply‑chain attacks (e.g., xz) and the lack of guarantees that GitHub releases match source.
  • Some argue that everyone already draws a trust line (OS packages, Vim plugins, VS Code extensions), while others insist defaults must be “offline by default” or tightly controlled.
  • Corporate and high‑sensitivity environments especially object to unvetted network access and automatic installs.

Comparisons to VS Code and Other Editors

  • VS Code is criticized for popup “spam,” telemetry, and network‑unrestricted extensions, but also praised for explicit consent prompts and workspace trust.
  • Some like that Zed previously had strong built‑in language support without extra setup; others already disable LSPs entirely or rely on AI autocomplete.
  • Several users cite alternatives: Vim/Neovim (with Mason/ALE), JetBrains IDEs, Sublime, Kate, and distro‑managed tools.

Zed Team’s Explanation and Future Plans

  • A Zed co‑founder explains the three current tiers of language support: built‑in, pre-bundled extensions, and user-installable extensions.
  • The co‑founder states that auto-downloads are currently vetted and sourced from known projects, but agrees that consent is needed and plans to:
    • Add prompts before installing executables.
    • Eventually move all language support to installable extensions for user choice.
  • Some appreciate the transparency and pace of development; others respond that “small team / pre-1.0 / free” does not justify weakening security or privacy.