From 0137201903c05d748da99a36e0f68b512d24ed6b Mon Sep 17 00:00:00 2001
From: aivong-openhands <ai.vong@openhands.dev>
Date: Thu, 19 Mar 2026 14:36:22 -0500
Subject: [PATCH] fix: remove vulnerable VSCode extensions in
 build_from_scratch path (#13399)

Co-authored-by: openhands <openhands@all-hands.dev>
Co-authored-by: Ray Myers <ray.myers@gmail.com>
---
 openhands/runtime/utils/runtime_templates/Dockerfile.j2 | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/openhands/runtime/utils/runtime_templates/Dockerfile.j2 b/openhands/runtime/utils/runtime_templates/Dockerfile.j2
index 78ee532fe7..9bf06c54b2 100644
--- a/openhands/runtime/utils/runtime_templates/Dockerfile.j2
+++ b/openhands/runtime/utils/runtime_templates/Dockerfile.j2
@@ -360,6 +360,14 @@ RUN chmod a+rwx /openhands/code/openhands/__init__.py && \
     chown -R openhands:openhands /openhands/code
 
 
+# ================================================================
+# Install VSCode extensions for build_from_scratch
+# (must be after setup_vscode_server and source file copy)
+# ================================================================
+{% if build_from_scratch %}
+{{ install_vscode_extensions() }}
+{% endif %}
+
 # ================================================================
 # END: Build from versioned image
 # ================================================================