How to use python with the Cursor IDE

How-to-Python-in-Cursor.md

How to use python with the Cursor AI IDE

Cursor.app has a critical vulnerability that should be taken seriously!

Please see my post below on this as sooon as possible! https://gist.github.com/joeblackwaslike/752b26ce92e3699084e1ecfc790f74b2?permalink_comment_id=5716065#gistcomment-5716065

Steps to patch latest cursor

These instructions should work with the latest versions of cursor which requires a much different strategy than the older versions where you could simply point cursor to the MS extension marketplace and call it a day.

Version details

Tested and verified w/ the following version

Version: 1.5.5
VSCode Version: 1.99.3
Commit: 823f58d4f60b795a6aefb9955933f3a2f0331d70
Date: 2025-08-25T17:40:25.290Z
Electron: 34.5.8
Chromium: 132.0.6834.210
Node.js: 20.19.1
V8: 13.2.152.41-electron.0
OS: Darwin arm64 24.6.0

Instructions

1. Download latest from cursor-ai-downloads

2. # Make backup (optional)
   sudo mv /Applications/Cursor.app/ /Applications/Cursor_backup.app
   
   cd /tmp
   wget https://downloads.cursor.com/production/823f58d4f60b795a6aefb9955933f3a2f0331d7b/darwin/universal/Cursor-darwin-universal.dmg
   
   hdiutil mount Cursor-darwin-*.dmg
   sudo cp -R /Volumes/Cursor\ Installer/Cursor.app /Applications/
   hdiutil unmount /Volumes/Cursor\ Installer
   rm -f Cursor-darwin-*.dmg
   popd

3. force the code signature check to pass and get cached

   /Applications/Cursor.app/Contents/Resources/app/bin/cursor --version

4. Download the package.json patcher by @realdimas and execute it. For the security minded feel free to review the contents

   curl -sL "https://gist.githubusercontent.com/realdimas/e58723564cfada8efd93adab6efb747c/raw/d6c0ff85ce979637b4d6fb0033b0a736fbe332cf/fix-product-json.sh" | sudo bash

5. Create a new text file named cursor-exts.txt. The contents should be a list of all the extensionIds you use from the cursor marketplace. I've provided an example of mine to serve as an example. Any lines beginning with # are comments and will be ignored when parsing this file.

6. Create another new text file named vscode-exts.txt. The contents should be a list of all the extensionIds you use that exist only in the official Microsoft marketplace. I've provided an example of mine to serve as an example. Any lines beginning with # are comments and will be ignored when parsing this file.

   Note: do not add the the pylance extensionId (ms-python.vscode-pylance) or python extension (ms-python.python) Pylance will fail to install and needs to be specially patched which we will do later. The patched pylance will require a newer version of ms-python than the one installed through traditional means.

7. At this point close Cursor.app if it's still running.

8. Run the following commands in the same shell and path where you created both extension text files:

   # Clear existing extensions including the problematic `anysphere.cursorpyright`.  Do this after you've completed both extension lists above
   /bin/rm -rf ~/.cursor/extensions/*
   
   # Install all your cursor extensions
   curl -sL "https://gist.githubusercontent.com/joeblackwaslike/802b9ddc135ba85d31a14b21b341807a/raw/c698a2e3fa73296bdd61258b5faf1f2dc37e174f/get-cursor-exts.sh" | bash -s -- --input-file cursor-exts.txt
   
   # the following script has a required dependency for only MacOS users which lack gnu grep.
   if [[ "$(uname -s)" == "Darwin" ]]; then
       brew install grep
   fi
   
   # Install all your microsoft marketplace extensions
   curl -sL "https://gist.githubusercontent.com/joeblackwaslike/306d6c7548f0c01f6626891d3d125066/raw/1448e70705e2eca8bb1154d5972cc8b756153e10/get-ms-exts.sh" | bash -s -- --input-file vscode-exts.txt
   
   # we have to manually download and install the ms-python vsix file because pylance requires a newer version than would be installed through cursor and even my scripts.  This is very important to ensure pylance works correctly in the latest cursor builds.
   curl https://ms-python.gallery.vsassets.io/_apis/public/gallery/publisher/ms-python/extension/python/2025.13.2025080801/assetbyname/Microsoft.VisualStudio.Services.VSIXPackage -o ms-python.python_2025.13.2025080801.vsix
   
   cursor --install-extension ms-python.python_*.vsix
   
   uv run --script https://gist.githubusercontent.com/realdimas/c025cdba50cc05e0f644eb71bf7efbb9/raw/pylance_patcher.py
   
   cursor --install-extension ms-python.vscode-pylance-*-patched.vsix

9. Add some required settings like disabling autoupdate and setting pylance as the python language server:

   jq '.["update.enableWindowsBackgroundUpdates"] = false' ~/Library/Application\ Support/Cursor/User/settings.json > temp.json && mv temp.json ~/Library/Application\ Support/Cursor/User/settings.json
   
   jq '.["update.mode"] = "none"' ~/Library/Application\ Support/Cursor/User/settings.json > temp.json && mv temp.json ~/Library/Application\ Support/Cursor/User/settings.json
   
   jq '.["python.languageServer"] = "Pylance"' ~/Library/Application\ Support/Cursor/User/settings.json > temp.json && mv temp.json ~/Library/Application\ Support/Cursor/User/settings.json

10. Open Cursor.app and then close

    # We need to manually delete the anysphere.cursorpyright extension using rm or it will keep reenabling and reinstalling itself.  We need to run the command again too because it doesn't always work the first time.
    /bin/rm -rf ~/.cursor/extensions/anysphere.cursorpyright-* || /bin/rm -rf ~/.cursor/extensions/anysphere.cursorpyright-*
    
    

Minor annoyances

Permissions are asked every time cursor is launched

Anyone more familiar with MacOS application development that can determine why this setting isn't saved/persisted between application sessions, your advice would be greatly valued!

cursor disables pylance in local settings and workspac files

If you have a local workspace or project then you'll notice sometimes cursor will disable pylance. Check your local settings.json or the settings key of your local *.code-workspace file for the following:

{
	"python.languageServer": "None"
}

You have a few options, either remove the local setting which defaults to the value for your user setting or change the value locally from None to Pylance

Older versions can be more easily patched, here is the version details that worked for me

Version: 0.49.6
VSCode Version: 1.96.2
Commit: 0781e811de386a0c5bcb07ceb259df8ff8246a50
Date: 2025-04-25T05:07:16.071Z (3 mos ago)

We are going to edit cursors settings to point to the microsoft extensions marketplace.

1. Remove all extensions and exit Cursor.
2. Locate your Cursor project.json file depending on your platform and open it.
   • On MacOS: /Applications/Cursor.app/Contents/Resources/app/product.json
   • On Windows: C:\Users\<user_name>\AppData\Local\Programs\cursor\resources\app\product.json
   • On Linux: /usr/lib/code/product.json
3. Locate the object value for key extensionsGallery in the json document.

Contents of extensionsGallery key in product.json for Cursor

{
    "galleryId": "cursor",
    "serviceUrl": "https://marketplace.cursorapi.com/_apis/public/gallery",
    "itemUrl": "https://marketplace.cursorapi.com/items",
    "resourceUrlTemplate": "https://marketplace.cursorapi.com/{publisher}/{name}/{version}/{path}",
    "controlUrl": "",
    "recommendationsUrl": "",
    "nlsBaseUrl": "",
    "publisherUrl": ""
}

4. Edit it to look like this:

{
    "galleryId": "cursor",
    "serviceUrl": "https://marketplace.visualstudio.com/_apis/public/gallery",
    "itemUrl": "https://marketplace.visualstudio.com/items",
    "resourceUrlTemplate": "https://{publisher}.vscode-unpkg.net/{publisher}/{name}/{version}/{path}",
    "controlUrl": "",
    "recommendationsUrl": "",
    "nlsBaseUrl": "",
    "publisherUrl": ""
}

5. Reopen Cursor.app and install the following extensions:
   • ms-python.python
   • ms-python.vscode-pylance
   • ms-python.debugpy
6. Make sure in your settings that python.languageServer is set to "Pylance"
7. Re-sign Cursor.app (for MacOS)

codesign --force --deep --sign - /Applications/Cursor.app

Enjoy!

PS: you may need to goto your settings.json to remove any theme settings, because having a broken theme looks exactly like this same problem. In my case cursor had copied over my settings from vscode and they pointed to a theme that wasn't yet installed in cursor, removing and then setting the theme manually worked when I though for sure I had broken it again.

@PhenomenaPh, @Nivg – product.json is part of Cursor package. You are hacking the internals of the app. Each update override it – this is expected and no known workaround exist. Understand that you generally want & need the updated product.json. Its just that some keys in this file needs to be modified post-update to revive python extensions.

My approach: streamline the update of product.json file (see macOS script linked above that I use) and do upgrades manually (disable automatic upgrades) so that you can take care of "maintenance" tasks on your own time without disruption.

It seems that in a devcontainer, where I set my extensions (and pylance is one of them), it's ignoring it and installing the cursoer pyright one all the time, do you have any idea about this issue?

Thanks!

@Nivg locally, we fix this issue by patching product.json to shift away from the Cursor extension gallery and instead point to the Microsoft extension gallery.
We also bump the extension versions to the latest.
This allows us to install current and unmodified ms-python.python (and other) extensions via locally downloaded .VSIX files that don't depend on anysphere.pyright.

None of these local fixes have any effect on remote environments.

In remote environments, Cursor (VS Code) has its own product.json file and a modified version of the ms-python.python extension which declares a dependency on Cursor's Pyright (ID: anysphere.pyright) extension.

I didn't bother automating the rewrite of the remote product.json file, nor investigating how the patched ms-python.python extension gets there.

Instead, I use this workaround once per remote environment:

1. Download Python extensions from Microsoft extension gallery as .VSIX files (matching the remote operating system and architecture).
2. Drag-and-drop the .VSIX files into the Extensions tab's remote section.
3. Reload window.
4. Uninstall the Cursor Pyright extension.

I like to keep "Auto Update" checkbox unchecked to upgrade manually via .VSIX files instead.

---

Below are the direct download links to the current versions of Python extensions for linux-x64 and linux-arm64 architectures:

• ms-python.python

  • (linux-x64) https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-python/vsextensions/python/2025.5.2025040401/vspackage?targetPlatform=linux-x64
  • (linux-arm64) https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-python/vsextensions/python/2025.5.2025040401/vspackage?targetPlatform=linux-arm64

• ms-python.debugpy

  • (linux-x64) https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-python/vsextensions/debugpy/2025.6.0/vspackage?targetPlatform=linux-x64
  • (linux-arm64) https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-python/vsextensions/debugpy/2025.6.0/vspackage?targetPlatform=linux-arm64

• ms-python.vscode-pylance

  • (universal) https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-python/vsextensions/vscode-pylance/2025.4.1/vspackage

@Nivg locally, we fix this issue by patching product.json to shift away from the Cursor extension gallery and instead point to the Microsoft extension gallery. We also bump the extension versions to the latest. This allows us to install current and unmodified ms-python.python (and other) extensions via locally downloaded .VSIX files that don't depend on anysphere.pyright.

None of these local fixes have any effect on remote environments.

In remote environments, Cursor (VS Code) has its own product.json file and a modified version of the ms-python.python extension which declares a dependency on Cursor's Pyright (ID: anysphere.pyright) extension.

I didn't bother automating the rewrite of the remote product.json file, nor investigating how the patched ms-python.python extension gets there.

Instead, I use this workaround once per remote environment:

1. Download Python extensions from Microsoft extension gallery as .VSIX files (matching the remote operating system and architecture).
2. Drag-and-drop the .VSIX files into the Extensions tab's remote section.
3. Reload window.
4. Uninstall the Cursor Pyright extension.

I like to keep "Auto Update" checkbox unchecked to upgrade manually via .VSIX files instead.

Below are the direct download links to the current versions of Python extensions for linux-x64 and linux-arm64 architectures:

• ms-python.python

  • (linux-x64) https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-python/vsextensions/python/2025.5.2025040401/vspackage?targetPlatform=linux-x64
  • (linux-arm64) https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-python/vsextensions/python/2025.5.2025040401/vspackage?targetPlatform=linux-arm64

• ms-python.debugpy

  • (linux-x64) https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-python/vsextensions/debugpy/2025.6.0/vspackage?targetPlatform=linux-x64
  • (linux-arm64) https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-python/vsextensions/debugpy/2025.6.0/vspackage?targetPlatform=linux-arm64

• ms-python.vscode-pylance

  • (universal) https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-python/vsextensions/vscode-pylance/2025.4.1/vspackage

Wow, many thanks for the very detailed explanation!

I wonder if with the new Microsoft enforcement rollout for using their extensions only in the official vscode, those workarounds won’t work anymore as well…

does this method banned by $MSFT ?

[error] [Window] connect ECONNREFUSED 198.41.30.195:443: Error: connect ECONNREFUSED 198.41.30.195:443
    at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1611:16)

  "extensionsGallery": {
    "serviceUrl": "https://marketplace.visualstudio.com/_apis/public/gallery",
    "cacheUrl": "https://vscode.blob.core.windows.net/gallery/index",
    "itemUrl": "https://marketplace.visualstudio.com/items",
    "controlUrl": "",
    "recommendationsUrl": ""
  }

@gemnioo 198.41.30.195 is eclipse.dev – doesn't seems relevant to the issues discussed in this gist:

$ host 198.41.30.195
195.30.41.198.in-addr.arpa domain name pointer eclipse.dev.

@gemnioo 198.41.30.195 is eclipse.dev – doesn't seems relevant to the issues discussed in this gist:

$ host 198.41.30.195
195.30.41.198.in-addr.arpa domain name pointer eclipse.dev.

double checked Gemini not hallucinations

This error repeats multiple times throughout the logs.

    ECONNREFUSED: This is a standard network error code meaning the connection was actively refused by the server at the specified address and port. The server received the connection attempt but declined it.

    198.41.30.195: This is an IP address associated with Microsoft services, specifically related to the Visual Studio Marketplace (where VS Code/code-server fetches extensions from).

    443: This is the standard port for HTTPS (secure web traffic).

2025.4.100 is the most recent Pylance extension that is compatible with the current Cursor (tested with 0.50 versions).
The extension can be installed by dragging and dropping the .vsix file into the Extensions tab in Cursor.

Direct download link to the .vsix extension package:
https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-python/vsextensions/vscode-pylance/2025.4.100/vspackage

Thank you!

I was able to install Pylance before, but somehow I broke my Cursor, so I had to do a clean installation, and none of the solutions are now working. I keep seeing the (Client) You may install and use any number of copies of the software only with Microsoft Visual Studio, Visual Studio for Mac, Visual Studio Code log on the Python Language Server output.

Has anyone found a new solution for this?

I didn't see this warning but solutions mentioned above didn't work until I downgraded the cursor to 1.0

Cursor just released v1.2.0 – a big upgrade to the upstream VSCode version used under the hood (v1.96.2 -> v1.99.3).
This is a welcome and long-awaited upgrade that improves support for newer extensions.

On the other hand, it breaks out-of-the-box support with Pylance 2025.4.1 (and 2025.4.100) builds.
These versions now (rightfully) detect that this isn't vanilla VSCode and bark with "You may install and use any number of copies of the software only with Microsoft Visual Studio...".

One way to address this issue is to simply downgrade to the most recent Cursor build that is still using VSCode v1.96.2, that is Cursor v1.1.7.
See unofficial links to the older Cursor builds at https://github.com/oslook/cursor-ai-downloads?tab=readme-ov-file#all-versions-download-table

Another way is to dial up the effort and start patching obfuscated Pylance code to coerce it into running on Cursor.

Earlier this year @caenrigen had shared a patch to Pylance v2025.4.1 that makes it work with VSCode forks (Cursor, Windsurf, etc.): VSCodium/vscodium#1641 (comment)

To recap:

1. Download Pylance v2025.4.1 .vsix file.
2. Unpack into a temporary folder
3. Edit extension/dist/extension.bundle.js
4. Remove the following string from the file:

   return(0x0,_0x302dc7[_0x1e5d1c(0x69a)])(_0x17bc9b[_0x1e5d1c(0x120)]),{'client':_0x5d8ccf,'start':()=>{const _0x751a33=_0x1e5d1c;return _0x2bfc9a['sendTelemetryEvent'](_0x1d90e3['EventName'][_0x751a33(0x48e)]),Promise[_0x751a33(0x60e)]();},'stop':()=>Promise[_0x1e5d1c(0x60e)](),'disposables':_0x22650a};
   

5. Zip it back into a .vsix
6. Install some other version of Pylance .vsix by drag-and-dropping it into the Extensions tab to "bust the cache" (skipping this might prevent the IDE from noticing patched content of the same-versioned extension)

Handy shell script (tested on macOS):

# Download Pylance v2025.4.1 (platform-independent)
wget https://marketplace.visualstudio.com/_apis/public/gallery/publishers/ms-python/vsextensions/vscode-pylance/2025.4.1/vspackage -O ms-python.vscode-pylance-2025.4.1.vsix

# Ungzip (not sure why it's gzipped on top of a zip, but that's what the server is returning regardless of the Accept-Encoding header value)
gunzip -c ms-python.vscode-pylance-2025.4.1.vsix > ms-python.vscode-pylance-2025.4.1.zip

# Unzip it into a folder
unzip -d ms-python.vscode-pylance-2025.4.1-patched ms-python.vscode-pylance-2025.4.1.zip

# Define the literal value to remove using a here-document
literal=$(cat <<'EOF'
return(0x0,_0x302dc7[_0x1e5d1c(0x69a)])(_0x17bc9b[_0x1e5d1c(0x120)]),{'client':_0x5d8ccf,'start':()=>{const _0x751a33=_0x1e5d1c;return _0x2bfc9a['sendTelemetryEvent'](_0x1d90e3['EventName'][_0x751a33(0x48e)]),Promise[_0x751a33(0x60e)]();},'stop':()=>Promise[_0x1e5d1c(0x60e)](),'disposables':_0x22650a};
EOF
)

# Calculate the length of the literal
length=${#literal}

# Create a replacement string of the same length (spaces)
replacement=$(printf '%*s' $length '')

# Replace the literal with spaces to preserve length with perl
perl -i -pe "s/\Q$literal\E/$replacement/g" ms-python.vscode-pylance-2025.4.1-patched/extension/dist/extension.bundle.js

# Package it back into a .vsix
(cd ms-python.vscode-pylance-2025.4.1-patched && zip -r ../ms-python.vscode-pylance-2025.4.1-patched.vsix .)

As of 2025/7/2, after upgrading Cursor to v1.2.0, the marketplace patch is not working anymore. Now I cannot search any extensions after patch the product.json.

I guess we can change now a marketplace via vscode settings

Custom extension gallery URLs can be set as of Cursor 1.1.3 (much like Windsurf).

https://forum.cursor.com/t/dbt-extension-not-visible-in-marketplace/107089/9

{
    // <...>
    "extensions.gallery.itemUrl": "https://marketplace.visualstudio.com/items",
    "extensions.gallery.serviceUrl": "https://marketplace.visualstudio.com/_apis/public/gallery",
    // <...>
}

Unfortunately, this hasn't been working in 1.2.0 (or 1.2.1):

For some strange reason, the extensions.gallery.itemUrl key is dimmed in the User Settings JSON, i.e., it seems to be unused (unlike in versions 1.1.3+ before the 1.2.0 release).

Setting both keys (and restarting Cursor) results in:

• Extension gallery searches spin forever and return no results

Updating gallery keys in product.json results in:

• Extension gallery searches return no results

It seems that the ability to point to a custom extension gallery has been broken since version 1.2.0.

Amazing @realdimas, your extension repackaging worked for me, no need to roll cursor back
Thanks!

@realdimas's reply here worked great for me!

Screw MS for killing Pyright to make a non-open version, and then locking out other editors from using it. Talk about hardcore BS.

@coredumperror check out the linked thread for details on how to patch a more recent Pylance version:
VSCodium/vscodium#1641 (comment)

I also made a script to automate this process:
https://gist.github.com/realdimas/c025cdba50cc05e0f644eb71bf7efbb9

@coredumperror check out the linked thread for details on how to patch a more recent Pylance version: VSCodium/vscodium#1641 (comment)

I also made a script to automate this process: https://gist.github.com/realdimas/c025cdba50cc05e0f644eb71bf7efbb9

This is very helpful, thank you.

Fabulous! Thanks once again, @realdimas

Hm, when I open Cursor after editing the file i get: “Cursor.app” is damaged and can’t be opened. You should move it to the Bin. Tried reinstalling cursor before editing the product.json file but same result. Ideas?

This sounds like the app is protected with some kind of code signing, can you provide more context around your platform?

I know now you're using a newer version of cursor and have finally seen this problem myself in 1.2.4.

@realdimas I'm having a hard time getting the latest version of cursor to do this (1.2.4). I really want to include step by step directions crediting you to the original gist so its more visible. I documented my steps in the original gist under newer versions, what might I be doing wrong?

I know now you're using a newer version of cursor and have finally seen this problem myself in 1.2.4.

That isn't a Cursor version issue, but a workflow (timing) one.

In my experience, once I've launched Cursor.app successfully without modifications, I've been able to patch files within the app bundle and continue launching it without encountering signature validation errors.

I did comment before on how to manually re-sign (https://gist.github.com/joeblackwaslike/752b26ce92e3699084e1ecfc790f74b2?permalink_comment_id=5514372#gistcomment-5514372), but that led to repeated prompts for Keychain access and potentially other permission-related issues.

What I actually do is invoke /Applications/Cursor.app/Contents/Resources/app/bin/cursor --version as the first thing after installing a new Cursor version to force the code signature check to pass and get cached.
Only then I patch product.json and other files.

I use --version rather than running Cursor.app normally since a regular invocation of Cursor with "vanilla" product.json would reconcile extension versions after startup (i.e., downgrade to match their maxVersion values), but running just cursor --version doesn't do that.

I'm having a hard time getting the latest version of cursor to do this (1.2.4).

@joeblackwaslike what works/what fails? When you select the Pylance extension on the Extensions tab, what do you see?

It should show:

Installation
Identifier: ms-python.vscode-pylance
Version: 2025.6.2+patched
Last Updated: 2025-07-26, 21:19:31
Source: VSIX
Size: 81.20MB

Since 2025.6.2 is greater than 2024.8.1, patching the maxVersion value in product.json is needed (a workaround would be to override the extension's version, but that would create even more confusion and complications).

P.S. Appreciate the effort to update the guide!

---

New method is not working with 1.3.7 version. It asks to restart extension and does not enable pylance

Nevermind, its working now. Cursor somehow created local .vscode and corresponding settings.json where lsp was deactivated

Cursor somehow created local .vscode and corresponding settings.json where lsp was deactivated

That's Cursor's attempt to be helpful.
They throw a dialog prompting you to use their Pyright extension, and when you decline, they stamp python.languageServer setting to None, but not in the user's (global) settings, but in the workspace if I remember correctly.

Warning

I just received an email about a serious security vulnerability in cursor that allows attackers RCE via prompt injection!

Critical info

• Severity: High! (8.6/10)
• CVE ID: CVE-2025-54135
• Affected versions: <= 1.2.1
• Patched versions: 1.3.9+

The good news is it's been patched since version 1.3.9+. Check your cursor version now to see whether you're affected!

Accessing cursor version

• MacOs: just use the menubar the menubar Cursor > About Cursor.
• Windows: I have no idea, but chime in if you know and can provide this. 💁
• Linux: I assume you already know three ways to accomplish. My surface-linux thingy does not have cursor installed. 😂

Advice

First, this is way above my paygrade but I can give you a few suggestions.

• If you are affected you should close cursor immediately and start assessing the extent, if any, that you were compromised.
• Check ~/.cursor/mcp.json and any mcp servers you use.
• Check your logs/dmesg for anything fucky, inspect your running processes, and look for recent changes to critical system files and/or those of your repositories.

How to fix

Simple answer is to just replace your existing cursor with the latest release.... But tbh the official python support is not great. That's why this place exists. This may take some time because there is a lot to document for this process, and I have only recently figured out the most straightforward and optimal way to patch the latest versions of cursor, specifically version 1.4.4, which will be the focus from here on out.

TLDR; It's non trivial but I have used some excellent scripts from @realdimas which help automate a lot of the complexity, especially across various versions of cursor which require very different approaches. I have also developed some of my own scripts that automate the grunt work of downloading and installing extensions from both the MS marketplace as well as cursors marketplace, etc. I need some time to gather all of these things together, refine them, document them, and make one cohesive set of instructions that can be easily followed by everyone. If you want to help contribute to this effort, reach out, and stay tuned to this space over the next few days.

Sources for more info

• https://thehackernews.com/2025/08/cursor-ai-code-editor-fixed-flaw.html
• GHSA-4cxx-hrm3-49rm

I've just updated the main gist with instructions on how to get python (essentially ms-python and pylance extensions) working in the latest versions of cursor. I've tested both versions 1.4.4 and 1.5.5 and they're working.

Note: I had some trouble initially with cursor replacing the manually downloaded and installed version of ms-python extension with some much older version from 2023. I removed the max versions from from ms-python and pylance extension in the product.json file and then reinstalled the manually downloaded vsix for ms-python with the network disabled. This worked but not sure if both steps are necessary.

I've also noticed that anysphere.cursorpyright keeps getting reinstalled periodically like when an extension you install depends on ms-python.python. Trying to disable or uninstall it only seems to work temporarily. You need to actually run

/bin/rm -rf ~/.cursor/extensions/anysphere.cursorpyright-*

when cursor isn't open to fully uninstall.

@joeblackwaslike You mention package.json several times in the text, but the file is actually called product.json.