Over my career I have used several different editors, and I have usually customized them more or less extensively. With emacs/vim one can easily inspect the plugin/extension code for any security issue and, if using a package manager, lock it to specific git commit hashes so that even when moving to a new machine, one still has the exact same code.

For example, Doom Emacs is predicated on using specific commits, not head versions of plugins, and in vim/neovim it's easy to achieve this using, say, minpac (although extensions like CoC in vim would be more problematic, of course).

These days, having to work in Java, I am using IntelliJ quite a bit, but plugins in IntelliJ are basically compiled Java applications that can do anything and do not seem to be sandboxed in any way (I have not found any discussions about plugin sandboxing/permissions when searching, but given the plugins available it seems that is not happening). I have been considering switching to VSCode for its remote functionality, but given that its extensions are basically arbitrary JavaScript, also with huge amounts of dependencies, it makes me a bit uneasy. VSCode has had a GitHub issue open about sandboxing/permissions for a significant amount of time, but it does not seem to have been implemented yet. This is a bit surprising, because I would've thought that an Electron-based editor would at least have a "plugins can access only editor buffers / cannot open network connections" kind of permissions.

What do you do / what do you feel comfortable with in your day-to-day life? Not use plugins at all? Use plugins only made by the editor developer (Microsoft/JetBrains, although of course you're still exposed to dependency security issues)? Use other plugins, say, firewalling the editor (via Little Snitch, say)? Only ever manually install plugins and never auto-update them after building them yourself from source? And does your company have any security policies about this?
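The pinning practice mentioned above (plugins locked to specific git commit hashes so a new machine ends up with exactly the same code) only helps if something actually checks the checkouts against the pins. Below is an added example, not code from the post or from minpac or Doom Emacs, that verifies a directory of plugin clones against a lockfile of full commit hashes; the lockfile format, the directory layout and the constructed `.git` stand-ins in `demo()` are assumptions of the example.

```python
# Added example, not from the post: check that each editor plugin on disk is at
# the commit pinned in a lockfile ("<name> <40-hex-commit>" per line). Assumes
# plugins are git clones under one directory (e.g. a minpac "start" dir); HEAD
# is read from .git directly (loose refs only), so no git binary is needed.
import os, re, tempfile
from pathlib import Path
HEX40 = re.compile(r"^[0-9a-f]{40}$")

def head_commit(repo):
    """Resolve HEAD of a checkout: a detached hash or a loose branch ref."""
    git = Path(repo, ".git")
    head = (git / "HEAD").read_text().strip()
    if not head.startswith("ref: "):
        return head if HEX40.match(head) else None
    ref = git / head[5:]
    return ref.read_text().strip() if ref.is_file() else None

def parse_lockfile(text):
    pins = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, commit = line.split()
            if not HEX40.match(commit):  # a tag or short hash is not a real pin
                raise ValueError(f"{name}: not a full commit hash: {commit}")
            pins[name] = commit
    return pins

def check_plugins(plugin_dir, lockfile_text):
    """Map plugin name -> 'ok' | 'mismatch' | 'missing' | 'unpinned'."""
    pins, status = parse_lockfile(lockfile_text), {}
    for name, commit in pins.items():
        path = os.path.join(plugin_dir, name)
        if not os.path.isdir(os.path.join(path, ".git")):
            status[name] = "missing"
        else:
            status[name] = "ok" if head_commit(path) == commit else "mismatch"
    for name in os.listdir(plugin_dir):  # code on disk that nobody pinned
        status.setdefault(name, "unpinned")
    return status

def fake_checkout(base, name, commit, branch=None):  # constructed stand-in for a clone
    git = Path(base, name, ".git")
    (git / "refs" / "heads").mkdir(parents=True)
    (git / "HEAD").write_text(f"ref: refs/heads/{branch}\n" if branch else commit + "\n")
    if branch:
        (git / "refs" / "heads" / branch).write_text(commit + "\n")

def demo():
    """Constructed scenario: one pin matches, one drifted, one missing, one unpinned."""
    base, a, b = tempfile.mkdtemp(), "a" * 40, "b" * 40
    fake_checkout(base, "vim-fugitive", a, branch="master")
    fake_checkout(base, "vim-surround", b)
    fake_checkout(base, "random-plugin", a)
    return check_plugins(base, f"# pins\nvim-fugitive {a}\nvim-surround {a}\nvim-commentary {b}\n")
```

Running `demo()` reports the drifted, missing and unpinned plugins alongside the one that matches; anything other than `ok` is code you have not reviewed at the commit you thought you had.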