
Caveat emptor: "Zed downloads NodeJS binary and npm packages from Internet without user’s consent"[1]

This has been an open issue for 5 months. When I noticed it, I couldn't believe my eyes, and I haven't run Zed since. Judge for yourself whether this is a deal-breaker for you; I wish I had known about it earlier.

[1] https://github.com/zed-industries/zed/issues/12589



Oops indeed. (Downloading can be fine in many---but not all---cases, but the lack of authentication is not really justifiable!) The latest comment does hint that it will change in the near future, as the change is required for remote development anyway:

> Status update: We are still working on this! The major blocker is that extensions have not been set up to interact with settings. However, we also need to change this API to support our upcoming remote development feature. So we're going to roll both of these breaking changes into a larger extension update, coming this November or December :)


I don't see how this is different from having all these pre-bundled with a new version of Zed? Either way I'm going to download all of them again.


By bundling, Zed guarantees or at least claims that those bundled executables can be trusted. The same level of trust is possible with on-demand downloading only when some sort of authentication is used [1] but Zed currently doesn't actually authenticate any downloads to my knowledge.

[1] Either by embedding cryptographic hashes in the distribution, or by having some means to distribute publicly signed hashes (e.g. minisign via HTTPS).
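The first option in that footnote, pinning digests inside the distribution, looks like this in practice. The following is an added illustration, not Zed's code: a release-time step computes a manifest of SHA-256 digests for every artifact the application may later fetch, and the install-time step refuses to use anything that is not in the manifest or whose digest does not match. The artifact names, the sample bytes standing in for a Node tarball and an npm package, and the `fetch` callback simulating a download (including a tampered mirror) are all constructed for the example.

```python
"""Pin-and-verify pattern for on-demand downloads.

Added example, not code from Zed. It shows the "embed cryptographic hashes
in the distribution" approach: the only thing the installer trusts is the
manifest it shipped with, so a download is authenticated by its digest, not
by the fact that it arrived over HTTPS from a particular host.
"""
import hashlib
import hmac

# Constructed sample artifacts standing in for a Node binary tarball and an
# npm package. In a real release the bytes would be the actual files.
SAMPLE_ARTIFACTS = {
    "node-v20.0.0-linux-x64.tar.gz": b"constructed sample: node tarball bytes",
    "prettier-3.0.0.tgz": b"constructed sample: npm package bytes",
}


class VerificationError(Exception):
    """Raised when a downloaded artifact must not be used."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict[str, bytes]) -> dict[str, str]:
    """Release-time step: pin a digest for every artifact the app may fetch.

    The resulting mapping is what gets embedded in (and signed along with)
    the application distribution itself.
    """
    return {name: sha256_hex(data) for name, data in artifacts.items()}


def verify_download(name: str, data: bytes, manifest: dict[str, str]) -> bytes:
    """Install-time step: return the bytes only if they match the pin.

    Two failure modes are rejected explicitly: an artifact the manifest never
    listed (nothing to compare against, so it is untrusted by definition) and
    an artifact whose digest differs from the pinned one (tampered or
    substituted). The comparison is constant-time out of habit; here the
    digests are not secret, but it costs nothing.
    """
    expected = manifest.get(name)
    if expected is None:
        raise VerificationError(f"{name}: not in pinned manifest, refusing to use")
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        raise VerificationError(
            f"{name}: digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
        )
    return data


def is_trusted(name: str, data: bytes, manifest: dict[str, str]) -> bool:
    """Convenience wrapper: True only if verify_download would accept the bytes."""
    try:
        verify_download(name, data, manifest)
        return True
    except VerificationError:
        return False


def fetch_and_verify(name: str, fetch, manifest: dict[str, str]) -> bytes:
    """Download via the caller-supplied `fetch(name) -> bytes` and verify.

    `fetch` is a hypothetical callback standing in for the HTTP client; the
    verification step does not care where the bytes came from.
    """
    return verify_download(name, fetch(name), manifest)


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS)

    # Honest mirror: serves exactly the released bytes.
    honest = SAMPLE_ARTIFACTS.get
    # Tampered mirror: serves a modified Node tarball (constructed).
    tampered = lambda n: b"constructed sample: backdoored tarball" if n.startswith("node") else SAMPLE_ARTIFACTS[n]

    print(len(fetch_and_verify("prettier-3.0.0.tgz", honest, manifest)), "bytes accepted")
    for mirror_name, mirror in (("honest", honest), ("tampered", tampered)):
        try:
            fetch_and_verify("node-v20.0.0-linux-x64.tar.gz", mirror, manifest)
            print(mirror_name, "mirror: accepted")
        except VerificationError as exc:
            print(mirror_name, "mirror: rejected:", exc)
```

The point of the pattern is where trust lives: the manifest travels with the application, so whatever process the user already trusted to install Zed (a signed installer, a package manager's own signature checks) transitively covers every later download. The second option in the footnote, signed digests served separately over HTTPS, is what you need when the artifact set must change without a new application release; it requires an embedded public key and a signature check in place of the plain dictionary lookup above.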


>By bundling, Zed guarantees or at least claims that those bundled executables can be trusted

As if anyone at Zed cares and checks them all thoroughly? Even if they wanted they couldn't, given how expansive Node dependencies get.

At best, someone will report an issue/vulnerability for one of those to them. Usually months/years after it exists.


Well, in any case Zed would be morally responsible for that issue or vulnerability, in that they would have to at least push a new version that fixes it or prevents the download of affected dependencies. (To be clear, I don't expect any legal responsibility.) Bundling at least makes Zed more conscious about what to include, even though it is unreasonable to expect that they've checked every detail.


What I might trust on my laptop is TOTALLY different from what my company might allow on a remote server.



