by skydhash 407 days ago
I don't think it's a security nightmare per se. Most of the time, you're not installing a lot of packages (the built-ins are extensive) and most of these are small and commonly used.

It's like saying the AUR is a security nightmare. You're just expected to be an adult and vet what you're using.

1 comments

I'm not sure I agree with the number and size of packages people install (unless you're comparing them to, say, org-mode), but that's not really what I'm talking about.

Emacs runs all elisp code as if it's part of Emacs. Think about what Emacs is capable of, and compare that to what a browser allows its extensions to do. No widely used software works like that because it's way too easy to abuse. Emacs gets away with it because it's not widely used.

I don't know the first thing about VSCode but I'm willing to bet there are strict limits to what its plugins are allowed to do.

I don't know if that's changed since last I wrote an extension for a web browser, but the API is pretty open for the current context (tab) that it's executing in. As long as it's part of the API, the action is doable. Same with VSCode or Sublime. Sandboxed plugins would be pretty useless.