Microsoft VS Code Tagged Your Commits as Copilot Co-Author – Even With AI Off

📖 5 min read

Microsoft shipped a change in Visual Studio Code 1.118 that silently stamped “Co-Authored-by: Copilot” into developers’ Git commit messages – even when AI features were explicitly turned off. The change, merged on April 16, 2026, triggered a firestorm: 1,472 upvotes and 820 comments on Hacker News, a locked GitHub thread, and a public apology from the Microsoft engineer who pushed it through.

This is not a minor settings glitch. It touches on corporate trust, legal liability, and one of the most sensitive debates in software right now – who actually “wrote” the code.

What Happened, Exactly

VS Code 1.118 introduced a new default behavior: any commit made through VS Code’s built-in Git interface would automatically append a Co-Authored-by: Copilot <copilot@github.com> trailer to the commit message. The kicker – this happened regardless of whether Copilot was used for that code, and regardless of whether the user had explicitly disabled AI features using the disableAIFeatures setting.

The change was authored by a Microsoft product manager, reviewed by a principal engineer without a description, and merged the same day. No public discussion, no opt-in prompt, no changelog warning. Users only discovered it by inspecting their commit logs or catching it in pull request metadata.

Microsoft developer Dmitriy Vasyura (the engineer behind the PR) posted directly on Hacker News to acknowledge and apologize:

“I am the person who approved this PR and would like to acknowledge and apologize for the mistake of turning this feature on by default without sufficient upfront validation. There was no ill intent by evil corporation, but rather a desire to support functionality that some customers expect of VS Code w.r.t. AI-generated code. Obviously, it should not be on when disableAIFeatures is on and it should not be reporting changes that were not done by AI. I’ll work on fixing those and meanwhile revert default to off in 1.119 update.”

The fix – reverting the default to off – is slated for VS Code 1.119. Until that ships, every developer running 1.118 has been silently crediting Copilot in their commit history.

Why This Matters Beyond the Code Editor

VS Code is the world’s most popular code editor – used by 73% of professional developers according to the 2024 Stack Overflow Developer Survey, with over 17 million active monthly users. A behavior change at this scale doesn’t stay contained to hobby projects.

Here are the real consequences:

Impact Area	Risk Level	Who’s Affected
Corporate AI policies	High	Enterprises with “no AI code” policies – commits now falsely flag as AI-generated
Open-source licensing	Medium	Projects that prohibit AI contributions face audit problems from phantom Copilot tags
Copyright questions	Medium	AI-attributed code may face different IP treatment in jurisdictions with evolving AI copyright law
Developer reputation	Low-Medium	Contractors billing for “handwritten” code could face awkward questions
Copilot usage metrics	High (trust)	Community suspects Microsoft was inflating Copilot adoption statistics

The usage-inflation theory is the one that stings most. GitHub Copilot is a $10/month individual / $19/month business / $39/month enterprise subscription. Microsoft has a direct financial interest in showing high Copilot usage – to justify the product to enterprise buyers and to its board. Crediting Copilot in commits it didn’t touch is, at minimum, a way to make the product appear more embedded than it is.

Microsoft denies this was intentional. The Hacker News discussion is more skeptical. Top-voted replies point out that “no ill intent” doesn’t explain why the PR had no description, why a principal engineer approved it without scrutiny, and why the setting wasn’t opt-in from the start – especially for something as permanent and public as commit metadata.

The Process Failure Is the Real Story

Beyond the attribution controversy, this incident reveals a deeper problem: how a change this consequential shipped at all.

One highly upvoted comment on Hacker News summarized it bluntly: “Teams need to push out the most number of features, and nobody stops even for a second to think about how a feature might affect other flows or other users not in the feature request.”

VS Code is open source (MIT license) but developed primarily by Microsoft. The pull request in question – #310226 – was merged the same day it was submitted, with no external review period. For a behavioral change that touches every developer’s public commit history, that’s a significant process gap.

GitHub’s own community discussion on the issue was later locked as spam after it drew thousands of comments. That decision added fuel to the frustration – users read it as Microsoft shutting down criticism.

What Developers Should Do Right Now

If you’re running VS Code 1.118, here’s the situation and your options:

1. Check your version: Go to Help > About in VS Code. If you’re on 1.118.x, you’re affected.
2. Audit recent commits: Run git log --format="%H %s %b" | grep -i copilot to check for phantom co-author lines in your history.
3. Clean affected commits: Use git rebase -i to amend commit messages if you need clean history. For public repos, coordinate with your team before rewriting history.
4. Disable the setting now: In VS Code settings, search for git.coAuthor or disableAIFeatures and toggle accordingly.
5. Wait for 1.119: Microsoft says the default will be reverted. Update as soon as it ships.

Enterprise teams with AI-policy compliance requirements should treat any 1.118 commits as potentially tainted and may want to run a full audit before the next compliance review.

GitHub Copilot Pricing (For Reference)

Plan	Price	Who It’s For
Individual	$10/month ($100/year)	Solo developers
Business	$19/user/month	Teams with admin controls
Enterprise	$39/user/month	Large orgs, policy controls, audit logs

Note: Enterprise customers specifically pay a premium for audit controls and AI policy enforcement. VS Code 1.118’s behavior directly undermines what they’re paying for.

BetOnAI Verdict

Microsoft’s explanation – “no ill intent, just a bad default” – is plausible. Engineers ship bad defaults all the time under feature-shipping pressure. The apology was direct and came fast. The fix is coming.

But the broader pattern deserves skepticism. Copilot is a growth-stage product competing against Claude Code, Cursor, and a dozen other AI coding tools. Attribution in commit history is a measurable signal of adoption. Enabling that attribution by default – even when AI wasn’t used – inflates every metric that matters to enterprise sales. Whether that was accidental or convenient is a question Microsoft hasn’t fully answered.

The lasting damage here isn’t technical. It’s trust. VS Code won its position as the dominant editor precisely because developers trusted it to be a neutral tool that didn’t secretly work against them. That trust took years to build and took one undescribed PR to crack.

If you manage a team, update your AI policy documentation to address this incident explicitly. If you’re a solo developer, check your commit history and move on. And if you’re evaluating Copilot for enterprise use – ask Microsoft directly how this passed their review process. The answer tells you something about how seriously they take the “enterprise controls” pitch.

---

Sources:

• GitHub PR #310226 – VS Code Copilot co-author change
• Hacker News discussion (1,472 points, 820 comments)
• The Decoder – Microsoft caught sneaking Copilot co-author tags
• WinBuzzer – VS Code Now Stamps GitHub Copilot as Git Commit Co-Author
• GitHub Community Discussion – Copilot silently inserts co-author attribution