The registry is used in AI-enabled and cloud-based developer platforms, including Amazon’s Kiro, Google’s Antigravity, Cursor, IBM’s Bob, VSCodium, Windsurf and Ona (formerly Gitpod).
A new pre-publication verification network will identify security risks. The framework enables the registry to:
- Detect namespace impersonation and extension name spoofing
- Flag exposed credentials or embedded secrets
- Scan for known malicious patterns
- Quarantine suspicious uploads for review prior to publication
The registry is also implementing responsible rate limiting and traffic management to ensure sustainable growth and consistent availability during periods of elevated demand.
The registry is also transitioning to a hybrid, multi-region architecture,with core services in AWS in Europe – the primary production environment and on-premises deployment in Canada as an independent secondary environment.
All registry data, backups, and telemetry remain within these regions and are encrypted in transit and at rest. This architecture reduces single points of failure and strengthens resilience for the expanding ecosystem of AI-native and cloud-based development platforms that rely on the Open VSX Registry, said the Eclipse Foundation.
“Open VSX has evolved into foundational infrastructure for the global developer ecosystem,” said Mike Milinkovich, Executive Director of the Eclipse Foundation. “As adoption accelerates across AI-native and cloud-based development platforms, we are investing to ensure the registry remains secure, resilient, and vendor-neutral. Support from leading commercial adopters reinforces Open VSX as trusted, shared infrastructure.”
At Embedded World, Eclipse Foundation reported that daily traffic has exceeded 50m requests and there are over 10,000 extensions from more than 6,500 publishers.
