VS Code added Copilot as co-author

Code editors are supposed to stay out of your Git history unless you ask. That’s the basic social contract. VS Code broke it for a minute — not by deleting code or leaking data, but by quietly changing authorship metadata in commits. Microsoft has now backed the change out after developers noticed Git commits picking up a `Co-authored-by: Copilot` trailer they didn’t expect, and sometimes clearly didn’t earn. (github.com) ### What actually changed in VS Code? This started with a setting called `git.addAICoAuthor`. VS Code added it earlier with the default set to `off`, meaning no AI attribution unless a user chose it. Then in VS Code 1.117 — whose public rollout started on April 22, 2026 — Microsoft changed the default to `all`, which told the editor to add Copilot as a co-author when a commit included any AI-generated code. (github.com) ### Why did people get so mad? Because this wasn’t just a taste issue. Git commit trailers are part of the record. They can affect blame, policy compliance, internal reviews, and plain old reputation. Developers reported seeing `Co-authored-by: Copilot <copilot@github.com>` appear even when they didn’t use Copilot for that work, and one open bug report came from a user who said they didn’t use Copilot at all. (github.com) ### Was it only happening when Copilot wrote code? No — and that’s the whole problem. In Microsoft’s own postmortem-style update, a VS Code maintainer said there was a bug that attributed non-Copilot code completions to Copilot. Even worse, the bug could surface when the `disableAIfeatures` setting was turned on. That turns a debatable product decision into a trust breach, (github.com)bjecting to false attribution. (github.com) ### Did Microsoft already try to soften it? Yes. After the default changed to `all` in 1.117, Microsoft says it switched the setting to `chatAndAgent` in VS Code 1.118, whose public rollout started on April 29, 2026. That narrower mode was supposed to limit attribution to code generated through chat and agent features instead of any AI-assisted code path. But the backlash k(github.com)e look unreliable. (github.com) ### So what is the rollback? The rollback is basically a return to explicit choice. Reporting around the 1.119 fix says Microsoft changed course so AI attribution now requires the user to opt in, instead of getting stamped onto commits by default. That lines up with the maintainer discussion in the VS Code repo, where the team acknowledged the bug and the broader concern around how the feature shipped. (msn.com) ### Why does this matter beyond one annoying trailer? Because AI tooling in coding is moving from “help me write this function” to “help me manage the whole workflow.” The more these tools touch commits, reviews, and security gates, the more developers need them to be precise about provenance. If a tool can’t relia(msn.com)ace to be. (github.com) ### Why is the timing so awkward for GitHub? Because GitHub spent May 5 shipping the opposite message: more useful AI guardrails. Secret scanning through the GitHub MCP server is now generally available, which lets MCP-compatible agents and IDEs scan for exposed secrets before a commit or pull request. The same day, GitHub also pushed its Microsoft Defender for Cloud integr(github.com)ioritize issues based on what’s actually deployed and exposed. (github.blog) ### What’s the bottom line? The feature itself was not crazy. Plenty of teams do want AI contribution labels. But authorship is one of those areas where “default on” is the wrong instinct. Security features can be opinionated. Attribution features need consent. VS Code learned that the hard way this week. (github.com)