Team Extensions Manager
A supply-chain security tool for development teams. It enforces an organization-managed approved extensions list, keeps VS Code extension settings locked to safe values, and lets developers browse and install only pre-approved extensions — all from a single sidebar panel.
Features
Accessed via the shield icon in the Activity Bar. The panel contains:
- Sync Approved Extensions button — pulls the latest configuration from your organization's repository and applies the approved extensions list and safety settings to VS Code. Does not modify installed extension versions.
- ▾ dropdown arrow next to the button reveals three additional actions:
  - Sync & Update All — sync the configuration and update all already-installed extensions to their approved versions.
  - Install All Approved — install every approved extension at its approved version.
  - Update All Installed — update already-installed extensions to their approved versions without performing a sync.
- Min. version age input — controls how old a version must be before it is considered safe to use (for extensions without a pinned version). Changes persist to VS Code settings immediately.
- Search bar — filters the extension list by name or ID in real time.
- INSTALLED section — collapsible list of approved extensions currently installed, showing each extension's approved version. Displays an Update button on any extension not at its approved version.
- APPROVED section — collapsible list of approved extensions not yet installed. Displays an Install button that installs the approved version (not necessarily the latest marketplace version).
Enforced Settings
When the extension activates, after every sync, and after every update, it checks your VS Code settings for any values the organization has marked as required. If any settings differ from the required values, they are silently reset and you receive a warning notification listing what was changed.
Age-Gated Versions
Extensions without a pinned version in the configuration file use the minimum-age rule: the newest marketplace version that is at least as old as the Min. version age setting is selected. This reduces exposure to malicious updates while still allowing version progression over time.
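The age gate described above can be sketched as follows. This is an added example, not the extension's own code: the `published` record shape, the choice of the highest version number among sufficiently old releases, and the `null` result when nothing is old enough are assumptions, and the publish dates are constructed.

```javascript
// Units accepted by the minimum version age setting: weeks, days, hours, minutes.
const UNIT_MS = { w: 604800000, d: 86400000, h: 3600000, m: 60000 };

// Parse a minimum-age value such as "7d", "2h" or "30m" into milliseconds.
function parseAge(text) {
  const match = /^(\d+)([wdhm])$/.exec(String(text).trim());
  if (!match) throw new Error(`invalid minimum version age: ${text}`);
  return Number(match[1]) * UNIT_MS[match[2]];
}

// Compare dotted numeric versions ("3.0.10" vs "3.0.9"); assumes no pre-release tags.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Pick the version to install for one approved-list entry.
// `published` is a hypothetical list of { version, publishedAt } records.
function selectVersion(entry, published, minAge, now) {
  if (entry.pinnedVersion) return entry.pinnedVersion; // a pin always wins
  const cutoff = now.getTime() - parseAge(minAge);
  const oldEnough = published
    .filter(v => Date.parse(v.publishedAt) <= cutoff)
    .sort((x, y) => compareVersions(y.version, x.version));
  // Assumption: if nothing has aged past the gate, select nothing
  // rather than fall back to the latest release.
  return oldEnough.length ? oldEnough[0].version : null;
}

// Constructed sample data: versions and publish dates are invented.
const NOW = new Date('2024-06-15T00:00:00Z');
const SAMPLE = [
  { version: '11.0.0', publishedAt: '2024-06-13T09:00:00Z' }, // 2 days old
  { version: '10.4.0', publishedAt: '2024-06-01T09:00:00Z' }, // 14 days old
  { version: '10.3.0', publishedAt: '2024-05-10T09:00:00Z' }, // 36 days old
];
console.log(selectVersion({ id: 'esbenp.prettier-vscode' }, SAMPLE, '7d', NOW));
```

With a 7-day gate the two-day-old 11.0.0 release is skipped, so a malicious update published this week would not be selected until it had survived a week of public exposure.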
Getting Started
- Install the extension from the Marketplace or via .vsix.
- On first launch, the extension auto-detects your configuration repository from your open workspace. If it cannot be found, you will be prompted to provide the path.
- Your repository should contain an allowed-extensions.json file at the configured path (default: vscode-extensions/allowed-extensions.json).
- Click Sync Approved Extensions to apply your organization's configuration.
Setup for Administrators
Administrators maintain a Git repository containing the allowed-extensions.json file. Developers configure teamExtensionsManager.repoPath to point at their local clone of that repository. The extension reads from the local clone — internet access to the repository is only needed when the developer runs a sync, which performs a git pull.
VS Code Settings
| Setting | Type | Default | Description |
| --- | --- | --- | --- |
| teamExtensionsManager.repoPath | string | (auto-detect) | Absolute path to the repository root containing your approved extensions configuration. Auto-detected from workspace folders on first launch; prompts if not found. |
| teamExtensionsManager.repoRemote | string | origin | Git remote name used when pulling the configuration repository. |
| teamExtensionsManager.repoBranch | string | main | Git branch to pull from when syncing. |
| teamExtensionsManager.repoAllowedExtensionsPath | string | vscode-extensions/allowed-extensions.json | Path to the approved extensions JSON file, relative to the repository root. |
| teamExtensionsManager.minimumVersionAge | string | 7d | Minimum age a version must be before it is used for extensions without a pinned version. Supports w (weeks), d (days), h (hours), m (minutes). Examples: 7d, 2h, 30m. |
The configuration file is a JSON file located at the path defined by teamExtensionsManager.repoAllowedExtensionsPath.
Top-level structure
{
  "$schema": "./allowed-extensions.schema.json",
  "version": "1.0.0",
  "description": "My org's approved VS Code extension list.",
  "extensions": [ ... ]
}
Extension entry fields
| Field | Required | Type | Description |
| --- | --- | --- | --- |
| id | yes | string | The VS Code extension identifier in publisher.extensionName format. |
| description | yes | string | Human-readable name shown in the sidebar. |
| pinnedVersion | no | string | Exact version to enforce. If omitted, the age-gated version is used. |
| enforcedSettings | no | object | A map of VS Code setting keys to required values. If the user's setting differs, the extension resets it on startup and after every sync. |
Examples
Extension with a pinned version:
{
  "id": "dbaeumer.vscode-eslint",
  "pinnedVersion": "3.0.29",
  "description": "ESLint JavaScript/TypeScript linting"
}
Extension using age-gated versioning (no pinnedVersion):
{
  "id": "esbenp.prettier-vscode",
  "description": "Prettier code formatter"
}
Extension with enforced settings:
{
  "id": "github.copilot",
  "pinnedVersion": "1.388.0",
  "description": "GitHub Copilot AI pair programmer",
  "enforcedSettings": {
    "github.copilot.enable": { "*": false },
    "github.copilot.editor.enableAutoCompletions": false
  }
}
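The enforced-settings check can be illustrated with the entry above. This is an added example, not the extension's own code: the function names, the conflict report for two entries that require different values for one key, and the user settings object are assumptions made for illustration.

```javascript
// Structural equality for JSON values, so { "*": false } is compared by content.
function jsonEqual(a, b) {
  if (a === b) return true;
  if (typeof a !== 'object' || typeof b !== 'object' || a === null || b === null) return false;
  if (Array.isArray(a) !== Array.isArray(b)) return false;
  const ka = Object.keys(a), kb = Object.keys(b);
  return ka.length === kb.length && ka.every(k => k in b && jsonEqual(a[k], b[k]));
}

// Collect every required setting across the approved list and report keys
// for which two entries demand different values (an administrator error).
function requiredSettings(config) {
  const required = new Map(), conflicts = [];
  for (const ext of config.extensions) {
    for (const [key, value] of Object.entries(ext.enforcedSettings || {})) {
      if (required.has(key) && !jsonEqual(required.get(key), value)) conflicts.push(key);
      required.set(key, value);
    }
  }
  return { required, conflicts };
}

// Return the keys that differ from their required value, plus a corrected copy.
function enforce(userSettings, config) {
  const { required } = requiredSettings(config);
  const fixed = { ...userSettings }, changed = [];
  for (const [key, value] of required) {
    if (!jsonEqual(userSettings[key], value)) {
      changed.push(key); // would be listed in the warning notification
      fixed[key] = value;
    }
  }
  return { fixed, changed };
}

// CONFIG holds the github.copilot entry shown above; USER is constructed.
const CONFIG = { extensions: [{
  id: 'github.copilot', pinnedVersion: '1.388.0',
  description: 'GitHub Copilot AI pair programmer',
  enforcedSettings: {
    'github.copilot.enable': { '*': false },
    'github.copilot.editor.enableAutoCompletions': false,
  },
}] };
const USER = { 'github.copilot.enable': { '*': true }, 'editor.fontSize': 14 };
console.log(enforce(USER, CONFIG).changed);
```

An unset key counts as drift here, because a missing value falls back to the extension's own default rather than the organization's required one.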
Publisher
Douglaseely