Visual Studio Code's NPM integration has two newly discovered vulnerabilities that can be exploited even when the Workspace Trust security feature is enabled, allowing attackers to inject arbitrary commands and access configuration files. The vulnerabilities were addressed by Microsoft in Visual Studio Code 1.82.1, which includes improved validation of package names and separation of options from positional arguments. However, some experts worry about the ease with which these issues can be bypassed and the potential for future security patches to introduce new vulnerabilities. They also suggest that Workspace Trust should not be relied upon as a sole security measure when dealing with potentially malicious material or high security requirements. The experience of security-conscious users could be improved by allowing them to not trust any project by default, and third-party security researchers may be less incentivized to look for Workspace Trust bypasses without monetary rewards.