Cursor does bear significant responsibility in the sense that OpenVSX transformed from a niche service used by free software nerds into a major component of many developers’ process. There were a few months where Cursor were the scrappy upstarts, but now they’re a $200M/year company and they have $200M/year responsibilities. They can’t just wash their hands of it and pretend OpenVSX is a public service.
Why in the open source world do goal posts always move? It’s a public open source service. Speaking purely on this vulnerability, it’s an extension listed in the OpenVSX ecosystem. Regardless of whether Cursor vetted all of these extensions or not, I would still be incredibly hesitant, like everyone should be.
Now do we need better solutions? Definitely, and I do hope Cursor will contribute towards it, but I won’t hold them to it. They switched to OpenVSX less than a month ago, too soon to really say much at this point.
I didn’t move any goalposts. Cursor set up the goalposts themselves by making a small volunteer-run service a critical component of their massive for-profit product. It’s greedy and irresponsible.
“Open VSX is an open-source registry for VS Code extensions. It can be used by any development environment that supports such extensions.”
Sure sounds like you are moving goalposts around. Of course I hope Cursor contribute back, but it’s been 20 days and I am not an insider; I have no idea what the plan is.