[hajola]

Auditing each tool by ourselves would cost a lot of time. Not to mention that it would not be a one-time thing. At each update, another check would be required for "peace of mind".

Curious to discuss if there is a way to trust these extensions without establishing ourselves that the code is not harmful.

[crabbone]

But you don't audit it entirely by yourself. Nor were you expected to before. It's the same idea as with other programs or add-ons you use. Don't you use some add-ons in the code editor you use not authored by the authors of the editor itself? And why would you believe the authors of the editor in the first place?

Of course you need to do some due diligence, but it isn't anywhere near as taxing as you seem to think.

Security is worthless if it prevents you from doing useful things. Given a choice between a chance of security breach and not being able to do the useful thing at all, in the circumstances like using a Web browser, I'd definitely choose to have the useful thing w/o security.

[hajola]

It seems it would depend on the persons risk tolerance.

And assessing risk of freely available open source software is still difficult, you either rely on all the authors being standup citizens, or on the bulk of the reviewers to be truthful and knowledgeable.