News

Eclipse Foundation Launches Managed Open VSX Service as Extension Registry Use Grows

  • By John K. Waters
  • May 5, 2026

Key Takeaways

  • Eclipse is adding a commercial support layer to Open VSX. The new Open VSX Managed Registry provides enterprise and platform users with uptime guarantees, monitoring, usage tiers, incident response, and other production-oriented services, while keeping the public registry free.
  • Extension registries are becoming critical developer infrastructure. Open VSX is no longer just a community marketplace. It now supports AI-native IDEs, cloud development environments, automated workflows, and VS Code-compatible platforms at a large scale.
  • Security is becoming central to IDE extension ecosystems. Eclipse’s new researcher recognition program reflects growing concern that extensions and marketplaces are part of the software supply chain and need clearer vulnerability reporting, review, and remediation processes.

The Eclipse Foundation has launched a managed service for Open VSX, the open, vendor-neutral extension registry used by VS Code-compatible developer tools, as commercial platforms place heavier operational demands on open-source developer infrastructure.

The new service, called Open VSX Managed Registry, is aimed at companies that use Open VSX as production infrastructure inside commercial products, AI-scale services, or enterprise development environments. The Foundation said the service provides a 99.95% uptime service-level agreement, service credits, usage tiers, multi-region infrastructure, 24/7 monitoring, tier-based incident response, capacity planning, identity-based access controls, and usage dashboards.

Open VSX is used by tools built on the VS Code extension API. The Foundation said it supports a growing ecosystem that includes AI-native IDEs, cloud development environments, and VS Code-compatible platforms, including AWS Kiro, Google Antigravity, Cursor, VSCodium, Windsurf, IBM Bob, Ona, and others.

The Foundation said Open VSX now handles more than 300 million downloads per month, with peak daily traffic exceeding 200 million requests. The registry hosts more than 12,000 extensions from more than 8,000 publishers.

The move reflects a broader change in how developer tooling infrastructure is used. Extension registries that once primarily served individual developers and community projects are now being used by automated workflows, AI coding agents, cloud IDEs, and commercial development platforms. Those use cases can generate sustained machine-driven traffic and require more predictable availability than community-scale infrastructure was originally designed to provide.

Initial customers for Open VSX Managed Registry include AWS, Google, and Cursor, according to the Foundation. The service is available immediately, while the public Open VSX Registry remains freely accessible. Individual developers and open-source projects will not pay to use the registry, and standard publishing, search, and development workflows remain unchanged, the Foundation said.

The managed service follows a related security initiative announced a week earlier. On April 14, the Foundation launched the Open VSX Security Researcher Recognition Program, an effort to encourage responsible vulnerability disclosure and recognize researchers who report security issues affecting the Open VSX ecosystem.

The recognition program is not structured as a cash bug bounty. Instead, eligible contributors may receive public recognition in the Open VSX Security Hall of Fame, digital badges, certificates of recognition, and swag rewards based on the impact and quality of their reports.

The Foundation said the program is open to independent researchers, academic institutions, security consultancies, open-source contributors, and developers who identify real-world risks in Open VSX. It is intended to provide a clearer reporting path, support coordinated remediation, and expand collaboration with the security research community.

The security program comes as software supply chain risks increasingly extend into IDE extensions and developer marketplaces. The Foundation said attackers have shown they can exploit extension ecosystems to distribute malicious code, compromise development environments, and access sensitive data. The Foundation said Open VSX has added measures, including pre-publication verification, malicious-pattern detection, and infrastructure improvements.

Together, the two announcements show the Foundation trying to balance open access with the operational and security demands of commercial adoption. Open VSX remains an open-source, self-hosted registry, but the managed service provides larger users with a supported path to production-scale use while helping fund the infrastructure behind the public service.

For development teams, the significance is practical. Extensions are now part of the software supply chain, and the registries that distribute them are becoming shared infrastructure for local IDEs, cloud workspaces, and AI-assisted development environments. The Foundation's new managed and security programs are designed to make that infrastructure more reliable and better governed without moving it into a proprietary marketplace model.

About the Author

John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS.  He can be reached at [email protected].

Most   Popular