Copilot SDK mutates shared extension host process.env (GIT_CONFIG_*=safe.bareRepository=explicit), breaking git for other extensions — Flutter iOS builds fail with "xcodebuild encountered an error (74)"

[NaxxHua]

Does this issue occur when all extensions are disabled?: No

• VS Code Version: 1.122.1 (8761a55, arm64)
• OS Version: macOS 26.4 (Apple Silicon)
• Built-in GitHub Copilot Chat: 0.50.1 / bundled @github/copilot SDK 1.0.49
• Also involved: Dart-Code + Flutter iOS build (SwiftPM), Xcode 26.5

Summary

The @github/copilot SDK bundled inside the built-in Copilot Chat extension mutates the shared extension host's process.env to inject git hardening config (safe.bareRepository=explicit). Every child process spawned by any other extension afterwards inherits it, breaking any tool that operates on bare git repos. It broke all Flutter iOS device builds launched from VS Code with a misleading error, costing ~3 hours to diagnose:

Failed to build iOS app
Could not build the precompiled application for the device.
Uncategorized (Xcode): xcodebuild encountered an error (74)

Terminal flutter run and Xcode both work fine — only VS Code launches fail, because only the extension-host environment is poisoned.

Root cause (from the shipped bundle)

extensions/copilot/node_modules/@github/copilot/sdk/index.js, de-minified:

function bHt() {
  let count = parseInt(process.env.GIT_CONFIG_COUNT || "0", 10);
  // ... returns early if already present ...
  process.env.GIT_CONFIG_COUNT = String(count + 1);
  process.env[`GIT_CONFIG_KEY_${count}`] = "safe.bareRepository";
  process.env[`GIT_CONFIG_VALUE_${count}`] = "explicit";
}

This writes to the global process.env of the shared extension host, not to the env of Copilot's own child processes.

Evidence of cross-extension contamination

The Flutter daemon spawned by the (unrelated) Dart extension inherits the injection:

$ ps eww <flutter-daemon-pid> | tr ' ' '\n' | grep GIT_
GIT_CONFIG_VALUE_0=explicit
GIT_CONFIG_KEY_0=safe.bareRepository
GIT_CONFIG_COUNT=1

The VS Code main process and the extension host show no such variables at spawn time — confirming the mutation happens at runtime, after Copilot activates. It's also racy: a Flutter daemon spawned before Copilot activates is clean, so the failure is intermittent across windows/sessions.

Why it breaks SwiftPM / Flutter iOS builds

SwiftPM stores repository caches as bare repos (~/Library/Caches/org.swift.swiftpm/repositories/). With safe.bareRepository=explicit injected via env, every git call xcodebuild/SwiftPM makes against those caches dies:

fatal: cannot use bare repository '.../org.swift.swiftpm/repositories/firebase-ios-sdk-...' (safe.bareRepository is 'explicit')
xcodebuild: error: Could not resolve package dependencies
→ "xcodebuild encountered an error (74)"

A user-level git config --global safe.bareRepository all cannot fix this — env-injected config outranks global config. Users have no clean way to defend themselves.

Steps to Reproduce

1. Open a Flutter project with SwiftPM-based iOS deps (e.g. Firebase) in VS Code with the built-in Copilot Chat active.
2. Hit Run / F5 targeting a physical iOS device (or run the minimal repro below).
3. Build fails with xcodebuild encountered an error (74). Terminal flutter run and Xcode succeed.

Minimal repro of the poisoned git call (no Flutter needed):

cd ~/Library/Caches/org.swift.swiftpm/repositories/<any>/
GIT_CONFIG_COUNT=1 GIT_CONFIG_KEY_0=safe.bareRepository GIT_CONFIG_VALUE_0=explicit git fetch
# → fatal: cannot use bare repository ...
git fetch
# → works fine

Expected behavior

Copilot's git hardening should be scoped to the env passed to its own child processes (spawn(cmd, { env: { ...process.env, GIT_CONFIG_* } })), never written into the shared extension host's global process.env. The host is shared by all extensions; mutating its env contaminates unrelated products.

Workarounds (for others hitting this)

• Dart/Flutter: add "dart.env": { "GIT_CONFIG_COUNT": "0" } to settings, then Reload Window; or
• "chat.disableAIFeatures": true to disable the built-in Copilot entirely.

[vs-code-engineering]

Thanks for creating this issue! It looks like you may be using an old version of VS Code; the latest stable release is 1.124.0. Please try upgrading to the latest version and checking whether this issue remains.

Happy Coding!

[NaxxHua]

Downstream impact: flutter/flutter#187828, Dart-Code/Dart-Code#6083

[NaxxHua]

Thanks for creating this issue! It looks like you may be using an old version of VS Code; the latest stable release is 1.124.0. Please try upgrading to the latest version and checking whether this issue remains.

Happy Coding!

Upgraded to 1.124.0 (the version you asked for) and re-checked the shipped bundle. The bug is unchanged:

• VS Code: 1.124.0
• GitHub Copilot Chat: 0.52.0 (was 0.50.1)
• bundled @github/copilot SDK: 1.0.57 (was 1.0.49)

The exact process.env mutation is still present in extensions/copilot/node_modules/@github/copilot/sdk/index.js:

let t = parseInt(process.env.GIT_CONFIG_COUNT || "0", 10), e = ...;
for (let n = 0; n < r; n++)
  if (process.env[`GIT_CONFIG_KEY_${n}`] === "safe.bareRepository" &&
      process.env[`GIT_CONFIG_VALUE_${n}`] === "explicit") return;
process.env.GIT_CONFIG_COUNT = String(e + 1);
process.env[`GIT_CONFIG_KEY_${e}`]   = "safe.bareRepository";
process.env[`GIT_CONFIG_VALUE_${e}`] = "explicit";

It still writes to the shared extension host's global process.env rather than scoping GIT_CONFIG_* to Copilot's own child processes, so every other extension's spawned tooling still inherits it. The version bump didn't touch this code path. Could this be routed to whoever owns the bundled Copilot SDK? Happy to help verify a fix.

[DanTup]

Looks like the source of this might be a closed-source GitHub CLI project that is published to npm as @github/copilot that is used by the extension. The issue was previously noted and raised in their repo here:

github/copilot-cli#3602

[DonJayamanne]

Thank you for filing this issue and sorry you are running into this.
We're currently working on a fix for this, in the Copilot CLI SDK.