Wait, how do you arrive at the thought that Zed is more secure? The one time I gave it a try, it tried to silently run npm -- yes, THIS[1] npm -- in the background without telling me, and I noped the heck out. Did I miss something?
Maybe I am wrong about this, but I think Zed will run the npm stuff on the dev-container if you are using dev-containers. That can be your isolated virtual machine image or docker instances. But I believe you do need to use Zed (stdio or ssh) dev containers to get that security isolation. I know it’s a pain, but for me, I am going to pay the logistics price for security until a better solution comes along.
Zed plugins execute in wasm. LSPs execute outside of any sandbox, but that's still an obvious win. Your link isn't particularly relevant to an LSP unless the LSP itself is compromised.
Hopefully the system matures with time, but at least they're taking the problem seriously.
Not defending the default behavior of zed, but it is possible to disable this. Setting `"lsp.<server>.binary.path": <some-path>` will stop zed from trying to install that server.
On my machines, the "languages"/"node" directories for zed are empty and owned by root and the lsp servers are provided by nix. But you could also pin known good versions with npm.
As far as I know Vscode has no equivalent way to do this.
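The setting mentioned above, as an added example that is not from this thread: a small Python audit that reads a Zed `settings.json` and reports which language servers are pinned to a local binary (the `lsp.<server>.binary.path` setting) and which Zed would still try to fetch itself. The nested-object layout of the `lsp` key follows Zed's settings format; the sample configuration and paths are constructed.

```python
import json
from typing import Dict, List

# Constructed sample of a Zed settings.json: one server pinned to a
# binary supplied by the system package manager, one server configured
# without a binary path, which Zed would try to auto-install.
SAMPLE_SETTINGS = """
{
  "lsp": {
    "rust-analyzer": {
      "binary": {"path": "/run/current-system/sw/bin/rust-analyzer"}
    },
    "vtsls": {
      "initialization_options": {}
    }
  }
}
"""


def pinned_servers(settings_text: str) -> Dict[str, List[str]]:
    """Split the LSP servers named in a settings file into 'pinned'
    (binary.path set, so Zed launches that executable) and
    'auto_install' (no path, so Zed downloads the server itself).

    Servers Zed enables that the file never mentions are not visible
    here; only explicitly configured servers can be audited this way.
    """
    settings = json.loads(settings_text)
    result: Dict[str, List[str]] = {"pinned": [], "auto_install": []}
    for name, cfg in settings.get("lsp", {}).items():
        binary = cfg.get("binary") if isinstance(cfg, dict) else None
        path = binary.get("path") if isinstance(binary, dict) else None
        if isinstance(path, str) and path.strip():
            result["pinned"].append(name)
        else:
            result["auto_install"].append(name)
    return result


if __name__ == "__main__":
    report = pinned_servers(SAMPLE_SETTINGS)
    print("pinned:", report["pinned"])
    print("would auto-install:", report["auto_install"])
```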
Pretty sure any IDE worth anything that has JS support pulls NPM packages at some point to lint code, no? You're not giving me much to be outraged about without more information. Zed tries to set things up for you so you're not wasting hours trying to figure out how to set them up in a brand new editor.
I do not use JS and certainly was not doing anything JS-related, and I do very much not expect my tooling to silently run code from insecure Internet sources on my machine. Which does not seem like an outlandish position to me? If you consider that acceptable, yourself -- fair enough, that's your call and it's your machine, but let's please not label that anything but grossly insecure?
No doubt an unpopular opinion, but if I install an app that is going to do things in the background, I'm going to hold that app's developers responsible for any breaches. If Zed needs JavaScript to do its job, it probably should be downloading it from their own servers, or even better, just ship the editor with all the code it needs to do its job.
Yes, please ship everything that's needed because otherwise when I run your app in an isolated network namespace it will break. This also applies to builds. If I can't build your project from a clean git repo without internet access you are doing something wrong. (Yes I am aware that I likely just accused the majority of software devs of being wrong. I don't care I'm yelling at clouds here.)