> Not clicking yes for every language server.

How many language servers are we talking about here for the average dev? Three?

Yes, but you would have it for each time you opened a new workspace.

The only point of this would be if you didn't want to download the language server for untrusted code.

I think what people really want is workspace location permissions...

Wait, what. Why should you keep downloading Node per workspace? If you have one installed already?

Not downloading, but enabling. The downloading of Node isn't really the issue that people are trying to make it.

The real problem is "running" the language server on untrusted code. That's where there should be a confirm dialog.

But it's a separate issue about workspace permissions.

That's the only vulnerability here and it exists on at least one some level in all editors in language servers. (VSCode's workspace permissions aren't that secure)

>Because people want a fast out of the box editing experience. Not clicking yes for every language server.

That strikes me as more of a UX problem. Doing a bunch of sketchy things behind the user's back is absolutely not a solution though.

The versions should generally match what's specified in the user's package.json. It doesn't make much sense then to have a separate registry.