
I don't see how this is different from having all these pre-bundled with a new version of Zed? Either way I'm going to download all of them again.


By bundling, Zed guarantees, or at least claims, that those bundled executables can be trusted. The same level of trust is possible with on-demand downloading only when some sort of authentication is used [1], but Zed currently doesn't actually authenticate any downloads to my knowledge.

[1] Either by embedding cryptographic hashes in the distribution, or by having some means to distribute publicly signed hashes (e.g. minisign via HTTPS).
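The two options in footnote [1], as an added example that is not part of the comment and not Zed's code: a pinned SHA-256 check against digests embedded in the release, and a manifest of digests signed with Ed25519 (the algorithm minisign uses, though minisign's on-disk format differs and is not reproduced here) where only the verifying public key ships inside the application. The tool names, payload bytes and key pair are constructed in the program; a real release would embed the public key at build time and fetch the manifest and its signature over HTTPS.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Option 1: digests compiled into the release. Constructed for this example;
// a real build would record the SHA-256 of every tool it intends to fetch.
var pinnedSHA256 = map[string]string{}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyPinned accepts a downloaded payload only if its digest matches the one
// embedded in the binary. An unknown tool is refused rather than trusted by default.
func VerifyPinned(name string, payload []byte) error {
	want, ok := pinnedSHA256[name]
	if !ok {
		return fmt.Errorf("%s: no pinned digest, refusing to run it", name)
	}
	if got := sha256Hex(payload); got != want {
		return fmt.Errorf("%s: digest mismatch: got %s want %s", name, got, want)
	}
	return nil
}

// Option 2: a manifest of "name sha256hex" lines, signed by the release key.
// SignManifest runs on the publisher's side; only the public key ships to users.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyManifestAndPayload checks the manifest signature first, so a manifest
// altered in transit is rejected before any digest in it is consulted, then
// checks the payload against the digest listed for the requested tool.
func VerifyManifestAndPayload(pub ed25519.PublicKey, manifest, sig []byte, name string, payload []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid; manifest not trusted")
	}
	for _, line := range bytes.Split(manifest, []byte("\n")) {
		fields := bytes.Fields(line)
		if len(fields) != 2 || string(fields[0]) != name {
			continue
		}
		if got := sha256Hex(payload); got != string(fields[1]) {
			return fmt.Errorf("%s: digest mismatch: got %s want %s", name, got, fields[1])
		}
		return nil
	}
	return fmt.Errorf("%s: not listed in the signed manifest", name)
}

func main() {
	// Constructed stand-ins for a downloaded tool and a tampered copy of it.
	tool := []byte("constructed node binary bytes")
	tampered := append([]byte{}, tool...)
	tampered[0] ^= 0xff

	pinnedSHA256["node"] = sha256Hex(tool)
	fmt.Println("pinned, genuine:  ", VerifyPinned("node", tool))
	fmt.Println("pinned, tampered: ", VerifyPinned("node", tampered))

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	manifest := []byte("node " + sha256Hex(tool) + "\n")
	sig := SignManifest(priv, manifest)
	fmt.Println("signed, genuine:  ", VerifyManifestAndPayload(pub, manifest, sig, "node", tool))
	fmt.Println("signed, tampered: ", VerifyManifestAndPayload(pub, manifest, sig, "node", tampered))
	forged := []byte("node " + sha256Hex(tampered) + "\n")
	fmt.Println("forged manifest:  ", VerifyManifestAndPayload(pub, forged, sig, "node", tampered))
}
```

The difference between the two options is what a compromised download server can do: with pinned digests it can only cause a download to fail, while with a signed manifest the same holds as long as the signing key stays offline, and the manifest can change between releases without shipping a new binary.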


> By bundling, Zed guarantees or at least claims that those bundled executables can be trusted

As if anyone at Zed cares and checks them all thoroughly? Even if they wanted to, they couldn't, given how expansive Node dependencies get.

At best, someone will report an issue/vulnerability for one of those to them. Usually months/years after it exists.


Well, in any case Zed would be morally responsible for that issue or vulnerability, in the sense that they would have to at least push a new version that fixes it or prevents the download of affected dependencies. (I don't expect any legal responsibility to be clear.) Bundling at least makes Zed more conscious about what to include, even though it is unreasonable to expect that they've checked every detail.


What I might trust on my laptop is TOTALLY different from what my company might allow on a remote server.



