.svg)
-2.png?width=1740&height=876&name=Untitled%20design%20(3)-2.png)
VS Code grows by 1 million users every two weeks during peak season.
That's not a typo. The "little editor that could" now powers 41 million developers worldwide, a number that Principal Product Manager Isidor Nikolic admits would have seemed impossible when the team started a decade ago.
In this episode of AI Giants, Codacy CEO Jaime Jorge sits down with Isidor to explore how a 10-person team at Microsoft built what's essentially become the default development environment for the AI era. The conversation reveals surprising decisions, like why Microsoft open-sourced their agent mode despite competitors building billion-dollar businesses on VS Code forks.
What is VS Code?
Visual Studio Code is Microsoft's free, open-source code editor that has become the dominant development environment across programming languages. Originally launched in 2015, it now serves as the foundation for GitHub Copilot, various AI coding assistants, and countless development tools through its extension marketplace.
TLDR: What Engineering Leaders Can Learn
- Small teams can outmaneuver giants: VS Code started with 10 people operating like a startup within Microsoft, not a typical big-company project
- Dogfooding isn't optional: The team used VS Code to build VS Code from day one, even before it was called VS Code
- Open-source creates defensibility, not vulnerability: Transparency about data collection and security actually increases enterprise adoption
- The ping-pong problem is real: VS Code pivoted from web to desktop to web and back again – flexibility in architecture matters
- Telemetry fears are overblown: Banks and high-security organizations use VS Code because telemetry is transparent and can be completely disabled
- AI adoption follows a pattern: Developers start with inline completions (low friction) before graduating to agent mode (delegation)
- Platform thinking beats product thinking: VS Code's extensibility is why it survived while forks struggle to differentiate
The Accidental Empire: From Monaco to 41 Million Users
"We never imagined it would have such a big impact," Nikolic admits. The VS Code team didn't set out to dominate the IDE market. They started with Monaco, a web-based editor, before even deciding to build a desktop application.
The most revealing part of VS Code's journey is the architectural flip-flopping that would have killed most projects. "We started as this editor in the browser... then we decided, oh, we actually want to be an app. Let's depend on Node," Nikolic explains. "And then we were like, oh, we actually need to run in the browser back again."
This constant pivoting between web and desktop was only possible because the team prioritized solving real developer problems over architectural purity. When GitHub Codespaces needed browser support, they refactored again. When developers needed desktop features, they pivoted. This flexibility, as opposed to rigid planning, enabled their growth.
Why Microsoft Open-Sourced the Golden Goose
With AI coding assistants built on VS Code forks reaching billion-dollar valuations, Microsoft's decision to open-source agent mode seems counterintuitive.
Nikolic reveals three strategic reasons:
- Security through transparency: "We hear from a lot of customers that they want more transparency into how data is collected from tools. With us open-sourcing, they can look at the source code."
- Team DNA matters: "The engineers are much more passionate and enthusiastic about the work once it's in the open... it helps us actually move fast."
- Platform ambitions over product protection: Every fork is "a testament to the success of the open source project," but also represents a missed opportunity for VS Code as a platform.
Microsoft isn't worried about forks because they're playing a different game. While competitors fork the code, Microsoft maintains the ecosystem—the marketplace, the protocols, the integration points that make VS Code valuable.
The Telemetry Controversy: What VS Code Actually Tracks
One of the most contentious topics in the developer community is VS Code's telemetry. Nikolic addresses this head-on with surprising transparency:
"We don't collect any of your source code, so zero source code. We just collect how you're basically interacting with the product."
Users can completely disable telemetry with one setting. For those who don't, the data directly impacts product decisions. Nikolic shares a practical example: "This item is clicked by a billion different people. This item is clicked by 700 people... Let's remove it."
Major banks and high-security organizations use VS Code specifically because the telemetry is auditable. Users can press F1 and view every telemetry event being sent in real-time.
The AI Balance: Why Half of VS Code Development Isn't About AI
Despite the AI hype, Nikolic reveals that 50% of VS Code commits remain focused on non-AI features—performance, security, and core editor functionality. The disconnect comes from visibility: "We usually put the AI features in the highlights. So if people really only read the highlights, it looks like we're just doing AI stuff."
This balance reflects a deeper philosophy about AI adoption. According to Nikolic, developers follow a predictable pattern:
- Start with inline completions (ghost text): low friction, easy to ignore
- Graduate to agent mode, delegating entire tasks
- Customize with instructions and workspace settings
"For novice AI users, a better fit is maybe completions, but for more experienced AI users...they can start using the agent."
Still using your AI agent without security and quality guardrails?
Security Lessons from 90,000 Extensions
The VS Code marketplace hosts 90,000 extensions without manual review, a scale that would terrify most security teams. Nikolic is refreshingly honest about the challenges:
"There's smart evil people out there who can work around our checks... If I'm doing crypto and there's a new extension that helps me do crypto development that was published five days ago, please don't install it."
The survival strategy relies on three pillars:
- Automated security scanning on every publish
- Community reporting (malicious extensions typically removed within 24 hours)
- User education about checking ratings, download counts, and publish dates
What's Next: The Agent Revolution
Looking forward, Nikolic sees the next six months focused on "background agents" and async coding: "I can run some agents which do coding tests for me while doing other stuff."
The vision is developers managing multiple agents working on different tasks simultaneously, reviewing results at their convenience. It's not about replacing developers, it's about parallelizing development work in ways that weren't possible before.
For Engineering Leaders: The Codacy Perspective
The openness that made VS Code successful (transparent telemetry, extensible architecture, open-source development) creates both opportunities and risks.
As AI-generated code becomes ubiquitous through tools built on VS Code's foundation, the security and quality challenges multiply. Every extension, every AI agent, every automated commit introduces potential vulnerabilities.
This is where plugins like Codacy Guardrails become essential, providing the automated security layer that ensures AI-generated code meets enterprise standards before it enters production.
The future Nikolic describes, where multiple AI agents work asynchronously on your codebase, is arriving faster than most organizations are prepared for. The question isn't whether to adopt these tools, but how to do so without compromising security or code quality.
Tired of bad AI code triggering a wall of PR alerts?
Get secure, compliant AI-code by design, before you can even hit commit.
