Disabling Pyright causes ms-python not to work

Support Bug Reports
1

Describe the Bug

Microsoft python extensions don’t work when disabling Anysphere Cursor Pyright. This may or may not be due to Zscaler or other corporate security settings on this machine, but these issues don’t affect the same extensions in plain VSCode.

Steps to Reproduce

Disable the Anysphere Python extension while having Microsoft’s python extension installed, attempt any language server thing…

workbench.desktop.main.js:12343 [Extension Host] rejected promise not handled within 1 second: ConnectError: [internal] self signed certificate in certificate chain
Thf @ workbench.desktop.main.js:12343
$logExtensionHostMessage @ workbench.desktop.main.js:12343
_doInvokeHandler @ workbench.desktop.main.js:13027
_invokeHandler @ workbench.desktop.main.js:13027
_receiveRequest @ workbench.desktop.main.js:13027
_receiveOneMessage @ workbench.desktop.main.js:13027
(anonymous) @ workbench.desktop.main.js:13027
_deliver @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:12360
(anonymous) @ workbench.desktop.main.js:15027
workbench.desktop.main.js:12343 [Extension Host] stack trace: ConnectError: [internal] self signed certificate in certificate chain
at o.from (/Applications/Cursor.app/Contents/Resources/app/extensions/cursor-always-local/dist/main.js:2:835767)
at B (/Applications/Cursor.app/Contents/Resources/app/extensions/cursor-always-local/dist/main.js:2:341125)
at ClientHttp2Session.a (/Applications/Cursor.app/Contents/Resources/app/extensions/cursor-always-local/dist/main.js:2:350072)
at ClientHttp2Session.emit (node:events:519:28)
at emitClose (node:internal/http2/core:1164:10)
at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
Thf @ workbench.desktop.main.js:12343
$logExtensionHostMessage @ workbench.desktop.main.js:12343
_doInvokeHandler @ workbench.desktop.main.js:13027
_invokeHandler @ workbench.desktop.main.js:13027
_receiveRequest @ workbench.desktop.main.js:13027
_receiveOneMessage @ workbench.desktop.main.js:13027
(anonymous) @ workbench.desktop.main.js:13027
_deliver @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:12360
(anonymous) @ workbench.desktop.main.js:15027
workbench.desktop.main.js:12357 [anysphere.cursor-always-local][internal] self signed certificate in certificate chain
$onExtensionRuntimeError @ workbench.desktop.main.js:12357
_doInvokeHandler @ workbench.desktop.main.js:13027
_invokeHandler @ workbench.desktop.main.js:13027
_receiveRequest @ workbench.desktop.main.js:13027
_receiveOneMessage @ workbench.desktop.main.js:13027
(anonymous) @ workbench.desktop.main.js:13027
_deliver @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:12360
(anonymous) @ workbench.desktop.main.js:15027
workbench.desktop.main.js:12357 ConnectError: [internal] self signed certificate in certificate chain
at o.from (/Applications/Cursor.app/Contents/Resources/app/extensions/cursor-always-local/dist/main.js:2:835767)
at B (/Applications/Cursor.app/Contents/Resources/app/extensions/cursor-always-local/dist/main.js:2:341125)
at ClientHttp2Session.a (/Applications/Cursor.app/Contents/Resources/app/extensions/cursor-always-local/dist/main.js:2:350072)
at ClientHttp2Session.emit (node:events:519:28)
at emitClose (node:internal/http2/core:1164:10)
at process.processTicksAndRejections (node:internal/process/task_queues:90:21)
$onExtensionRuntimeError @ workbench.desktop.main.js:12357
_doInvokeHandler @ workbench.desktop.main.js:13027
_invokeHandler @ workbench.desktop.main.js:13027
_receiveRequest @ workbench.desktop.main.js:13027
_receiveOneMessage @ workbench.desktop.main.js:13027
(anonymous) @ workbench.desktop.main.js:13027
_deliver @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:12360
(anonymous) @ workbench.desktop.main.js:15027
workbench.desktop.main.js:55 ERR An unknown error occurred. Please consult the log for more details. {name: ‘ConnectError’, rawMessage: ‘self signed certificate in certificate chain’, code: 13, metadata: {…}, details: Array(0), …}
error @ workbench.desktop.main.js:55
error @ workbench.desktop.main.js:55
error @ workbench.desktop.main.js:14986
handleUnexpectedError @ workbench.desktop.main.js:14983
(anonymous) @ workbench.desktop.main.js:14983
onUnexpectedError @ workbench.desktop.main.js:27
al @ workbench.desktop.main.js:22
$onUnexpectedError @ workbench.desktop.main.js:12357
_doInvokeHandler @ workbench.desktop.main.js:13027
_invokeHandler @ workbench.desktop.main.js:13027
_receiveRequest @ workbench.desktop.main.js:13027
_receiveOneMessage @ workbench.desktop.main.js:13027
(anonymous) @ workbench.desktop.main.js:13027
_deliver @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:12360
(anonymous) @ workbench.desktop.main.js:15027
workbench.desktop.main.js:15371 An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.

Expected Behavior

It should work.

Operating System

Linux

Current Cursor Version (Menu → About Cursor → Copy)

Version: 2.2.43 (Universal)
VSCode Version: 1.105.1
Commit: 32cfbe848b35d9eb320980195985450f244b3030
Date: 2025-12-19T06:06:44.644Z
Electron: 37.7.0
Chromium: 138.0.7204.251
Node.js: 22.20.0
V8: 13.8.258.32-electron.0
OS: Darwin arm64 24.6.0

Does this stop you from using Cursor

Yes - Cursor is unusable

3

The “self signed certificate in certificate chain” error indicates your corporate proxy (Zscaler) is intercepting Cursor’s internal connections. Could you plesae try these steps:

  1. Disable HTTP/2: App Settings (CMD + ,) > search “HTTP/2” > enable “Disable HTTP/2”
  2. Trust corporate CA: Ensure your corporate root certificate is added to your macOS Keychain and marked as trusted for SSL

If those don’t help, could you share:

  • Does the issue persist if you keep Cursor Pyright enabled?
  • Output of: Cursor Settings > Network > Run Diagnostics
4

Here is the output of the network test from cursor settings. Note the intercept. I have verified the cert chain is in the OS’s keychain, and all of the settings you suggested are enabled. Relative to whether Pyright is part of the problem, when it’s enabled there are fewer logs in the console but otherwise the behavior is the same. Note that I had to jump through some hoops to be able to post the below (obfuscate some links etc) due to content restrictions on “new” users in this forum.

[2025-12-24T20:05:25.896Z] Host: api2.cursor.sh
[2025-12-24T20:05:25.896Z] Servers: 192.168.0.1
[2025-12-24T20:05:25.896Z] Resolved to 54.205.222.152 in 4ms
[2025-12-24T20:05:25.911Z] Resolved to 54.205.222.152 in 15ms
[2025-12-24T20:05:25.921Z] Resolved to 54.205.222.152 in 4ms
[2025-12-24T20:05:25.924Z] Resolved to 54.205.222.152 in 3ms
[2025-12-24T20:05:25.926Z] Host: api2.cursor.sh
[2025-12-24T20:05:25.926Z] Servers: system
[2025-12-24T20:05:25.926Z] Resolved to 54.205.222.152, 100.50.21.129, 13.216.203.243, 54.209.129.199, 52.3.184.127, 44.194.86.76, 100.52.24.219, 3.229.126.198 in 2ms
[2025-12-24T20:05:25.926Z] Resolved to 54.205.222.152, 100.50.21.129, 13.216.203.243, 54.209.129.199, 52.3.184.127, 44.194.86.76, 100.52.24.219, 3.229.126.198 in 0ms
[2025-12-24T20:05:25.926Z] Resolved to 54.205.222.152, 100.50.21.129, 13.216.203.243, 54.209.129.199, 52.3.184.127, 44.194.86.76, 100.52.24.219, 3.229.126.198 in 0ms
[2025-12-24T20:05:25.927Z] Resolved to 54.205.222.152, 100.50.21.129, 13.216.203.243, 54.209.129.199, 52.3.184.127, 44.194.86.76, 100.52.24.219, 3.229.126.198 in 0ms
[2025-12-24T20:05:25.927Z] Result: true

[2025-12-24T20:05:25.889Z] Start
[2025-12-24T20:05:26.255Z] URL: h…ps://api2.cursor.sh/
[2025-12-24T20:05:26.255Z] Status: 200
[2025-12-24T20:05:26.255Z] IP: 54.205.222.152
[2025-12-24T20:05:26.255Z] Issuer: C=US; O=XXX; CN=ca.xxx.goskope.com
[2025-12-24T20:05:26.255Z] Name: api2.cursor.sh
[2025-12-24T20:05:26.255Z] AltName: DNS:api2.cursor.sh
[2025-12-24T20:05:26.255Z] DNS Time: 4ms
[2025-12-24T20:05:26.255Z] Connect Time: 3ms
[2025-12-24T20:05:26.255Z] TLS Time: 80ms
[2025-12-24T20:05:26.255Z] Result: Warning: Encrypted traffic is being intercepted by unrecognized certificate: C=US; O=XXX; CN=ca.xxx.goskope.com in 366ms

[2025-12-24T20:05:25.889Z] Start
[2025-12-24T20:05:26.284Z] Result: true

[2025-12-24T20:05:25.889Z] Sending ping 1
[2025-12-24T20:05:26.278Z] Response: ‘ping’ in 389ms
[2025-12-24T20:05:26.278Z] Sending ping 2
[2025-12-24T20:05:26.636Z] Response: ‘ping’ in 358ms
[2025-12-24T20:05:26.636Z] Sending ping 3
[2025-12-24T20:05:26.973Z] Response: ‘ping’ in 337ms
[2025-12-24T20:05:26.973Z] Sending ping 4
[2025-12-24T20:05:27.316Z] Response: ‘ping’ in 343ms
[2025-12-24T20:05:27.316Z] Sending ping 5
[2025-12-24T20:05:27.670Z] Response: ‘ping’ in 354ms
[2025-12-24T20:05:27.670Z] Result: true

[2025-12-24T20:05:25.890Z] Starting streamSSE
[2025-12-24T20:05:31.310Z] Response: ‘foo’ in 5420ms
[2025-12-24T20:05:31.310Z] Response: ‘foo’ in 0ms
[2025-12-24T20:05:31.310Z] Response: ‘foo’ in 0ms
[2025-12-24T20:05:31.310Z] Response: ‘foo’ in 0ms
[2025-12-24T20:05:31.311Z] Response: ‘foo’ in 1ms
[2025-12-24T20:05:31.311Z] Result: Error: Streaming responses are being buffered by a proxy in your network environment

[2025-12-24T20:05:25.890Z] Starting stream
[2025-12-24T20:05:25.890Z] Pushing first message
[2025-12-24T20:05:26.410Z] Response: ‘foo’ in 520ms
[2025-12-24T20:05:26.912Z] Pushing next message
[2025-12-24T20:05:27.467Z] Response: ‘foo’ in 1057ms
[2025-12-24T20:05:27.967Z] Pushing next message
[2025-12-24T20:05:28.428Z] Response: ‘foo’ in 961ms
[2025-12-24T20:05:28.930Z] Pushing next message
[2025-12-24T20:05:29.454Z] Response: ‘foo’ in 1026ms
[2025-12-24T20:05:29.955Z] Pushing next message
[2025-12-24T20:05:30.470Z] Response: ‘foo’ in 1016ms
[2025-12-24T20:05:30.470Z] Result: true

[2025-12-24T20:05:25.889Z] Host: m..arketplace.cursorapi.com
[2025-12-24T20:05:26.193Z] Response in 304ms
[2025-12-24T20:05:26.193Z] Response: 200 OK
[2025-12-24T20:05:26.193Z] Response Type: cors
[2025-12-24T20:05:26.193Z] Server: null
[2025-12-24T20:05:26.193Z] Result: OK in 304ms

====

workbench.desktop.main.js:12357 [anysphere.cursor-always-local][internal] self signed certificate in certificate chain

$onExtensionRuntimeError @ workbench.desktop.main.js:12357
_doInvokeHandler @ workbench.desktop.main.js:13027
undefined -— -— -—
_invokeHandler @ workbench.desktop.main.js:13027
undefined -— -— -—
_receiveRequest @ workbench.desktop.main.js:13027
undefined -— -— -—
_receiveOneMessage @ workbench.desktop.main.js:13027
undefined -— -— -—
(anonymous) @ workbench.desktop.main.js:13027
undefined -— -— -—
_deliver @ workbench.desktop.main.js:49
undefined -— -— -—
fire @ workbench.desktop.main.js:49
undefined -— -— -—
fire @ workbench.desktop.main.js:12360
undefined -— -— -—
(anonymous) @ workbench.desktop.main.js:15027
undefined -— -— -—

workbench.desktop.main.js:12357 ConnectError: [internal] self signed certificate in certificate chain
at o.from (/Applications/Cursor.app/Contents/Resources/app/extensions/cursor-always-local/dist/main.js:2:835767)
at B (/Applications/Cursor.app/Contents/Resources/app/extensions/cursor-always-local/dist/main.js:2:341125)
at ClientHttp2Session.a (/Applications/Cursor.app/Contents/Resources/app/extensions/cursor-always-local/dist/main.js:2:350072)
at ClientHttp2Session.emit (node:events:519:28)
at emitClose (node:internal/http2/core:1164:10)
at process.processTicksAndRejections (node:internal/process/task_queues:90:21)

$onExtensionRuntimeError @ workbench.desktop.main.js:12357
_doInvokeHandler @ workbench.desktop.main.js:13027
undefined -— -— -—
_invokeHandler @ workbench.desktop.main.js:13027
undefined -— -— -—
_receiveRequest @ workbench.desktop.main.js:13027
undefined -— -— -—
_receiveOneMessage @ workbench.desktop.main.js:13027
undefined -— -— -—
(anonymous) @ workbench.desktop.main.js:13027
undefined -— -— -—
_deliver @ workbench.desktop.main.js:49
undefined -— -— -—
fire @ workbench.desktop.main.js:49
undefined -— -— -—
fire @ workbench.desktop.main.js:12360
undefined -— -— -—
(anonymous) @ workbench.desktop.main.js:15027
undefined -— -— -—

workbench.desktop.main.js:55 ERR An unknown error occurred. Please consult the log for more details.

  1. {name: ‘ConnectError’, rawMessage: ‘self signed certificate in certificate chain’, code: 13, metadata: {…}, details: Array(0), …}
error @ workbench.desktop.main.js:55
error @ workbench.desktop.main.js:55
undefined -— -— -—
error @ workbench.desktop.main.js:14986
undefined -— -— -—
handleUnexpectedError @ workbench.desktop.main.js:14983
undefined -— -— -—
(anonymous) @ workbench.desktop.main.js:14983
undefined -— -— -—
onUnexpectedError @ workbench.desktop.main.js:27
undefined -— -— -—
al @ workbench.desktop.main.js:22
undefined -— -— -—
$onUnexpectedError @ workbench.desktop.main.js:12357
undefined -— -— -—
_doInvokeHandler @ workbench.desktop.main.js:13027
undefined -— -— -—
_invokeHandler @ workbench.desktop.main.js:13027
undefined -— -— -—
_receiveRequest @ workbench.desktop.main.js:13027
undefined -— -— -—
_receiveOneMessage @ workbench.desktop.main.js:13027
undefined -— -— -—
(anonymous) @ workbench.desktop.main.js:13027
undefined -— -— -—
_deliver @ workbench.desktop.main.js:49
undefined -— -— -—
fire @ workbench.desktop.main.js:49
undefined -— -— -—
fire @ workbench.desktop.main.js:12360
undefined -— -— -—
(anonymous) @ workbench.desktop.main.js:15027
undefined -— -— -—
6

Also, please note that this is a problem because Pyright as configured by Cursor does not offer all locations where a variable is used when using command-click on a symbol, for example. Therefore, I was trying to compare its behavior relative to the ms-python plugin.

I could have sworn I got this to work correctly once, but since then I cannot get ms-python to work correctly – the time it worked, I was able to post a separate bug report about the behavior difference (here: Cursor's Pyright/BasedPyright doesn't find all variable references )

Since that one time, I’m unable to get the ms-python extension to work correctly again. Maybe it auto-updated in the meantime?!

Some additional errors which may or may not be relevant:

This one, when disable then re-enable of ms-python:

_pickle.UnpicklingError: invalid load key, ’ '.: Error: _pickle.UnpicklingError: invalid load key, ’ '.
at ae (/Users/athana/.cursor/extensions/ms-python.python-2025.6.1-darwin-arm64/out/client/extension.js:2:1962784)
at oe (/Users/athana/.cursor/extensions/ms-python.python-2025.6.1-darwin-arm64/out/client/extension.js:2:1960744)
at Immediate. (/Users/athana/.cursor/extensions/ms-python.python-2025.6.1-darwin-arm64/out/client/extension.js:2:1957038)
at process.processImmediate (node:internal/timers:485:21) Error: _pickle.UnpicklingError: invalid load key, ’ '.

error @ workbench.desktop.main.js:55
error @ workbench.desktop.main.js:55
undefined ---- ---- ----
error @ workbench.desktop.main.js:14986
undefined ---- ---- ----
handleUnexpectedError @ workbench.desktop.main.js:14983
undefined ---- ---- ----
(anonymous) @ workbench.desktop.main.js:14983
undefined ---- ---- ----
onUnexpectedExternalError @ workbench.desktop.main.js:27
undefined ---- ---- ----
B0 @ workbench.desktop.main.js:22
undefined ---- ---- ----
(anonymous) @ workbench.desktop.main.js:534
undefined ---- ---- ----
await in (anonymous)
xPr @ workbench.desktop.main.js:534
undefined ---- ---- ----
(anonymous) @ workbench.desktop.main.js:534
undefined ---- ---- ----
ky @ workbench.desktop.main.js:50
undefined ---- ---- ----
_requestRange @ workbench.desktop.main.js:534
undefined ---- ---- ----
(anonymous) @ workbench.desktop.main.js:534
undefined ---- ---- ----
_tokenizeViewportNow @ workbench.desktop.main.js:534
undefined ---- ---- ----
(anonymous) @ workbench.desktop.main.js:534
undefined ---- ---- ----
doRun @ workbench.desktop.main.js:50
undefined ---- ---- ----
onTimeout @ workbench.desktop.main.js:50
undefined ---- ---- ----
setTimeout
e.setTimeout @ workbench.desktop.main.js:12478
undefined ---- ---- ----
schedule @ workbench.desktop.main.js:50
undefined ---- ---- ----
a @ workbench.desktop.main.js:534
undefined ---- ---- ----
(anonymous) @ workbench.desktop.main.js:534
undefined ---- ---- ----
_deliver @ workbench.desktop.main.js:49
undefined ---- ---- ----
_deliverQueue @ workbench.desktop.main.js:49
undefined ---- ---- ----
fire @ workbench.desktop.main.js:49
undefined ---- ---- ----
register @ workbench.desktop.main.js:12358
undefined ---- ---- ----
$registerDocumentRangeSemanticTokensProvider @ workbench.desktop.main.js:12358
undefined ---- ---- ----
_doInvokeHandler @ workbench.desktop.main.js:13027
undefined ---- ---- ----
_invokeHandler @ workbench.desktop.main.js:13027
undefined ---- ---- ----
_receiveRequest @ workbench.desktop.main.js:13027
undefined ---- ---- ----
_receiveOneMessage @ workbench.desktop.main.js:13027
undefined ---- ---- ----
(anonymous) @ workbench.desktop.main.js:13027
undefined ---- ---- ----
_deliver @ workbench.desktop.main.js:49
undefined ---- ---- ----
fire @ workbench.desktop.main.js:49
undefined ---- ---- ----
fire @ workbench.desktop.main.js:12360
undefined ---- ---- ----
(anonymous) @ workbench.desktop.main.js:15027
undefined ---- ---- ----

This one shows up at times:

An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
mountTo @ workbench.desktop.main.js:15371
_show @ workbench.desktop.main.js:15371
claim @ workbench.desktop.main.js:15371
openMarkdown @ workbench.desktop.main.js:14044
await in openMarkdown
openDetails @ workbench.desktop.main.js:14102
await in openDetails
open @ workbench.desktop.main.js:14044
onNavbarChange @ workbench.desktop.main.js:14044
renderNavbar @ workbench.desktop.main.js:14044
render @ workbench.desktop.main.js:14044
await in render
setInput @ workbench.desktop.main.js:14044
await in setInput
doSetInput @ workbench.desktop.main.js:884
doOpenEditor @ workbench.desktop.main.js:884
openEditor @ workbench.desktop.main.js:884
(anonymous) @ workbench.desktop.main.js:7769
doShowEditor @ workbench.desktop.main.js:7769
doOpenEditor @ workbench.desktop.main.js:7769
openEditor @ workbench.desktop.main.js:7769
openEditor @ workbench.desktop.main.js:12411
open @ workbench.desktop.main.js:14116
openExtension @ workbench.desktop.main.js:13902
(anonymous) @ workbench.desktop.main.js:13902
_deliver @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:49
(anonymous) @ workbench.desktop.main.js:47
_deliver @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:49
(anonymous) @ workbench.desktop.main.js:47
_deliver @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:49
_open @ workbench.desktop.main.js:459
onPointer @ workbench.desktop.main.js:459
(anonymous) @ workbench.desktop.main.js:459
_deliver @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:49
(anonymous) @ workbench.desktop.main.js:47
_deliver @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:49
onViewPointer @ workbench.desktop.main.js:296
(anonymous) @ workbench.desktop.main.js:47
_deliver @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:49
(anonymous) @ workbench.desktop.main.js:47
_deliver @ workbench.desktop.main.js:49
fire @ workbench.desktop.main.js:49
n @ workbench.desktop.main.js:136

8

Thanks for the details, I’ve raised it with the team

10

If you are on a remote connection, could you make sure the SSL certificate is trusted both locally and on the remote host?

11

Not on a remote connection. These issues are for Cursor and its sessions running on one laptop. Happy to set up a time to live debug with you.