Microsoft ships VS Code weekly, adds Autopilot mode so AI can wreak havoc without bothering you

Microsoft's Visual Studio Code (VS Code) is moving to a weekly release cycle, as well as joining Google in encouraging agentic AI development without manual approval with a new Autopilot feature.

VS Code has always had a rapid release cycle, formerly based on a monthly update which included an "Endgame" week where code was temporarily frozen, tested, and any identified issues fixed before release. Endgame plans were published on GitHub, for example this one for November 2025. There was also one or more recovery releases following the update, to address urgent issues discovered by users.

Now the release cycle has been further accelerated. Microsoft distinguished engineer Kai Maetzel, who runs the VS Code engineering team, said that after "streamlining our development and delivery process … we'll ship a new Stable release every week. Endgame will now be folded into our weekly activities."

VS Code users on Reddit had questions. "What's the point of Insider build?" said one, this being a monthly preview of the next release in the old schedule; and another asked, "Is there a way to stay behind a few versions so you can be sure that stuff is actually fixed?"

Another developer commented that the change is "confusing and concerning." Some releases require settings changes and having to review and amend settings every week is a burden.

In the release notes for version 1.111, the first weekly stable release, the team expanded on what has enabled the change. AI is part of it. "We added a one-click experience for creating test plans from feature request issues," state the notes, reducing the manual steps previously required.

All the new features in version 1.111 are AI-related, including a preview of Autopilot, in which an AI agent works autonomously until a task is completed. Autopilot is a permission level in Copilot Chat, in which all tool calls are approved automatically, errors are automatically retried, and questions raised by tools auto-respond "so that the agent does not stall waiting for a reply."

Autopilot is Copilot but without the manual checks - Click to enlarge

Although it speeds development, auto approval is a security risk because of the non-deterministic nature of generative AI and its vulnerability to prompt injection. Having agents call third-party tools using MCP (Model Context Protocol) adds risk since it widens the scope of the agent beyond the coding environment and is vulnerable to poorly coded tools or attacks such as tool poisoning. Having an agent auto-answer prompts raised by tools removes an important protection.

Microsoft intends to have Autopilot enabled by default, though this is not quite as bad as it sounds. Enabling Autopilot only makes it available as an option in Chat. There are three levels of agentic permission, these being Default, Bypass Approvals and the new Autopilot. Autopilot goes beyond Bypass Approvals by auto-answering tool prompts and continuing to work until it thinks that a task is done.

The documentation recommends enabling experimental terminal sandboxing to restrict file system and network access for agent-executed commands – but this only works on macOS and Linux. "If prompt injection is a concern, use terminal sandboxing or run VS Code in a dev container instead of relying on auto-approval rules alone," it states.

Microsoft is not alone in promoting YOLO (you only live once) development. Google yesterday bragged about its new Auto Approve Mode in Gemini Code Assist. According to the team, Auto Approve Mode lets the agent act without manual steps. We are told that this "transforms tedious, multi-file updates that once took hours into a single, automated command, powerfully freeing you up to focus on more complex architectural challenges."

Developers who head to Google's documentation though will find it littered with warnings. "The agent has access to your machine's file system and terminal actions as well as any tools you've configured for use. Be extremely careful where and when you automatically allow agent actions," it says.

The description of Auto Approve in the global setting is even more emphatic. "This is extremely dangerous and is never recommended … this feature disables critical security protections," it says.

It is perplexing that Google's blog post promotes this feature, while the documentation warns against using it.