chore: bump i18next from 25.8.13 to 26.3.1

Bumps [i18next](https://github.com/i18next/i18next) from 25.8.13 to 26.3.1. - [Release notes](https://github.com/i18next/i18next/releases) - [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md) - [Commits](https://github.com/i18next/i18next/compare/v25.8.13...v26.3.1) --- updated-dependencies: - dependency-name: i18next dependency-version: 26.3.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Update brace-expansion, js-yaml, and ws
2026-06-16 00:43:19 +00:00 · 2026-06-15 16:42:17 -08:00 · 2026-06-15 16:42:17 -08:00 · 2026-06-10 11:59:45 -08:00 · 2026-06-04 10:50:04 -08:00
8 changed files with 119 additions and 103 deletions
@@ -22,6 +22,8 @@ Code v99.99.999

 ## Unreleased

+## [4.123.0](https://github.com/coder/code-server/releases/tag/v4.123.0) - 2026-06-03
+
 Code v1.123.0

 ### Changed
@@ -128,7 +128,9 @@ bundle_vscode() {

  # Merge the package.json for the web/remote server so we can include
  # dependencies, since we want to ship this via NPM.
-  jq --slurp '.[0] * .[1]' \
+  # Also override the name to prevent vulnerability scanners from
+  # misidentifying this package as VS Code (see #7071).
+  jq --slurp '.[0] * .[1] | .name = "code-oss-dev"' \
    "$VSCODE_SRC_PATH/remote/package.json" \
    "$VSCODE_OUT_PATH/package.json" > "$VSCODE_OUT_PATH/package.json.merged"
  mv "$VSCODE_OUT_PATH/package.json.merged" "$VSCODE_OUT_PATH/package.json"
@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.37.1
+version: 3.38.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.122.1
+appVersion: 4.123.0
@@ -6,7 +6,7 @@ replicaCount: 1

 image:
  repository: codercom/code-server
-  tag: '4.122.1'
+  tag: '4.123.0'
  pullPolicy: Always

 # Specifies one or more secrets to be used when pulling images from a
@@ -13,12 +13,13 @@
        "@coder/logger": "^3.0.1",
        "argon2": "^0.44.0",
        "compression": "^1.7.4",
+        "cookie": "^1.1.1",
        "cookie-parser": "^1.4.6",
        "env-paths": "^2.2.1",
        "express": "^5.0.1",
        "http-proxy": "^1.18.1",
        "httpolyglot": "^0.1.2",
-        "i18next": "^25.8.3",
+        "i18next": "^26.3.1",
        "js-yaml": "^4.1.0",
        "limiter": "^2.1.0",
        "pem": "^1.14.8",
@@ -68,15 +69,6 @@
        "node": "22"
      }
    },
-    "node_modules/@babel/runtime": {
-      "version": "7.28.6",
-      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.28.6.tgz",
-      "integrity": "sha512-05WQkdpL9COIMz4LjTxGpPNCdlpyimKppYNoJ5Di5EUObifl8t4tuLuUBBZEpoLYOmfvIWrsp9fCl0HoPRVTdA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=6.9.0"
-      }
-    },
    "node_modules/@coder/logger": {
      "version": "3.0.1",
      "resolved": "https://registry.npmjs.org/@coder/logger/-/logger-3.0.1.tgz",
@@ -968,9 +960,9 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-      "version": "5.0.5",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
-      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
+      "version": "5.0.6",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
+      "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -1936,12 +1928,16 @@
      }
    },
    "node_modules/cookie": {
-      "version": "0.7.2",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
-      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-1.1.1.tgz",
+      "integrity": "sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ==",
      "license": "MIT",
      "engines": {
-        "node": ">= 0.6"
+        "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
      }
    },
    "node_modules/cookie-parser": {
@@ -1957,6 +1953,15 @@
        "node": ">= 0.8.0"
      }
    },
+    "node_modules/cookie-parser/node_modules/cookie": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
    "node_modules/cookie-signature": {
      "version": "1.0.6",
      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
@@ -2953,6 +2958,15 @@
        "url": "https://opencollective.com/express"
      }
    },
+    "node_modules/express/node_modules/cookie": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
    "node_modules/express/node_modules/cookie-signature": {
      "version": "1.2.2",
      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz",
@@ -3532,29 +3546,26 @@
      }
    },
    "node_modules/i18next": {
-      "version": "25.8.13",
-      "resolved": "https://registry.npmjs.org/i18next/-/i18next-25.8.13.tgz",
-      "integrity": "sha512-E0vzjBY1yM+nsFrtgkjLhST2NBkirkvOVoQa0MSldhsuZ3jUge7ZNpuwG0Cfc74zwo5ZwRzg3uOgT+McBn32iA==",
+      "version": "26.3.1",
+      "resolved": "https://registry.npmjs.org/i18next/-/i18next-26.3.1.tgz",
+      "integrity": "sha512-txQqd5EULsqEh9OJqRH15aCaOuy/nLJyhw5EHCSKLKJE1aBbb3Zve2+uQIxgWhPm1QqUQoWyQBm2kfmmIrzkcQ==",
      "funding": [
        {
          "type": "individual",
-          "url": "https://locize.com"
-        },
-        {
-          "type": "individual",
-          "url": "https://locize.com/i18next.html"
+          "url": "https://www.locize.com/i18next"
        },
        {
          "type": "individual",
          "url": "https://www.i18next.com/how-to/faq#i18next-is-awesome.-how-can-i-support-the-project"
+        },
+        {
+          "type": "individual",
+          "url": "https://www.locize.com"
        }
      ],
      "license": "MIT",
-      "dependencies": {
-        "@babel/runtime": "^7.28.4"
-      },
      "peerDependencies": {
-        "typescript": "^5"
+        "typescript": "^5 || ^6"
      },
      "peerDependenciesMeta": {
        "typescript": {
@@ -4130,9 +4141,19 @@
      "license": "ISC"
    },
    "node_modules/js-yaml": {
-      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
-      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz",
+      "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/puzrin"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/nodeca"
+        }
+      ],
      "license": "MIT",
      "dependencies": {
        "argparse": "^2.0.1"
@@ -6613,9 +6634,9 @@
      "license": "ISC"
    },
    "node_modules/ws": {
-      "version": "8.20.1",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz",
-      "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==",
+      "version": "8.21.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz",
+      "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==",
      "license": "MIT",
      "engines": {
        "node": ">=10.0.0"
@@ -70,12 +70,13 @@
    "@coder/logger": "^3.0.1",
    "argon2": "^0.44.0",
    "compression": "^1.7.4",
+    "cookie": "^1.1.1",
    "cookie-parser": "^1.4.6",
    "env-paths": "^2.2.1",
    "express": "^5.0.1",
    "http-proxy": "^1.18.1",
    "httpolyglot": "^0.1.2",
-    "i18next": "^25.8.3",
+    "i18next": "^26.3.1",
    "js-yaml": "^4.1.0",
    "limiter": "^2.1.0",
    "pem": "^1.14.8",
@@ -1,5 +1,7 @@
+import * as cookie from "cookie"
+import type { Request } from "express"
 import proxyServer from "http-proxy"
-import { HttpCode } from "../common/http"
+import { getCookieSessionName, HttpCode } from "../common/http"

 export const proxy = proxyServer.createProxyServer({})

@@ -18,6 +20,19 @@ proxy.on("error", (error, _, res) => {
  }
 })

+// Strip the code-server cookie if it exists to avoid transmitting the cookie
+// to potentially malicious local ports.
+proxy.on("proxyReq", (preq, req) => {
+  const cookieSessionName = getCookieSessionName((req as Request).args["cookie-suffix"])
+  preq.setHeader(
+    "Cookie",
+    cookie.stringifyCookie({
+      ...(req as Request).cookies,
+      [cookieSessionName]: undefined,
+    }),
+  )
+})
+
 // Intercept the response to rewrite absolute redirects against the base path.
 // Is disabled when the request has no base path which means /absproxy is in use.
 proxy.on("proxyRes", (res, req) => {
@@ -1,15 +1,12 @@
 import * as express from "express"
-import * as http from "http"
-import nodeFetch from "node-fetch"
 import { HttpCode } from "../../../src/common/http"
-import { proxy } from "../../../src/node/proxy"
 import { wss, Router as WsRouter } from "../../../src/node/wsRouter"
-import { getAvailablePort, mockLogger } from "../../utils/helpers"
+import { mockLogger } from "../../utils/helpers"
 import * as httpserver from "../../utils/httpserver"
 import * as integration from "../../utils/integration"

 describe("proxy", () => {
-  const nhooyrDevServer = new httpserver.HttpServer()
+  const proxyTarget = new httpserver.HttpServer()
  const wsApp = express.default()
  const wsRouter = WsRouter()
  let codeServer: httpserver.HttpServer | undefined
@@ -19,21 +16,22 @@ describe("proxy", () => {

  beforeAll(async () => {
    wsApp.use("/", wsRouter.router)
-    await nhooyrDevServer.listen((req, res) => {
+    await proxyTarget.listen((req, res) => {
      e(req, res)
    })
-    nhooyrDevServer.listenUpgrade(wsApp)
-    proxyPath = `/proxy/${nhooyrDevServer.port()}/wsup`
+    proxyTarget.listenUpgrade(wsApp)
+    proxyPath = `/proxy/${proxyTarget.port()}/wsup`
    absProxyPath = proxyPath.replace("/proxy/", "/absproxy/")
  })

  afterAll(async () => {
-    await nhooyrDevServer.dispose()
+    await proxyTarget.dispose()
  })

  beforeEach(() => {
    e = express.default()
    mockLogger()
+    delete process.env.PASSWORD
  })

  afterEach(async () => {
@@ -283,65 +281,42 @@ describe("proxy", () => {
    const resp = await codeServer.fetch(proxyPath, { method: "OPTIONS" })
    expect(resp.status).toBe(200)
  })
-})

-// NOTE@jsjoeio
-// Both this test suite and the one above it are very similar
-// The main difference is this one uses http and node-fetch
-// and specifically tests the proxy in isolation vs. using
-// the httpserver abstraction we've built.
-//
-// Leaving this as a separate test suite for now because
-// we may consider refactoring the httpserver abstraction
-// in the future.
-//
-// If you're writing a test specifically for code in
-// src/node/proxy.ts, you should probably add it to
-// this test suite.
-describe("proxy (standalone)", () => {
-  let URL = ""
-  let PROXY_URL = ""
-  let testServer: http.Server
-  let proxyTarget: http.Server
+  it("should return a 500 when no target is running ", async () => {
+    const target = new httpserver.HttpServer()
+    await target.listen(() => {})
+    const port = target.port()
+    target.dispose()
+    codeServer = await integration.setup(["--auth=none"], "")
+    const resp = await codeServer.fetch(`/proxy/${port}/wsup`)
+    expect(resp.status).toBe(HttpCode.ServerError)
+    expect(resp.statusText).toBe("Internal Server Error")
+  })

-  beforeEach(async () => {
-    const PORT = await getAvailablePort()
-    const PROXY_PORT = await getAvailablePort()
-    URL = `http://localhost:${PORT}`
-    PROXY_URL = `http://localhost:${PROXY_PORT}`
-    // Define server and a proxy server
-    testServer = http.createServer((req, res) => {
-      proxy.web(req, res, {
-        target: PROXY_URL,
-      })
+  it("should strip token cookie", async () => {
+    const token = "my-super-secure-token"
+    process.env.HASHED_PASSWORD = token
+    codeServer = await integration.setup(["--auth=password"])
+
+    // Set up a listener that just prints the cookies it got.
+    e.get("/wsup/cookies", (req, res) => {
+      res.writeHead(HttpCode.Ok, { "Content-Type": "text/plain" })
+      res.end(req.headers.cookie)
    })

-    proxyTarget = http.createServer((req, res) => {
-      res.writeHead(200, { "Content-Type": "text/plain" })
-      res.end()
+    // Send the token along with other cookies which should be preserved.
+    // Encode one to make sure they are being re-encoded properly.
+    const value = "hello=there"
+    const encodedValue = encodeURIComponent(value)
+    const resp = await codeServer.fetch(proxyPath + "/cookies", {
+      headers: {
+        cookie: `cookie1=${encodedValue}; code-server-session=${token}; cookie2=hello;`,
+      },
    })

-    // Start both servers
-    proxyTarget.listen(PROXY_PORT)
-    testServer.listen(PORT)
-  })
-
-  afterEach(async () => {
-    testServer.close()
-    proxyTarget.close()
-  })
-
-  it("should return a 500 when proxy target errors ", async () => {
-    // Close the proxy target so that proxy errors
-    proxyTarget.close()
-    const errorResp = await nodeFetch(`${URL}/error`)
-    expect(errorResp.status).toBe(HttpCode.ServerError)
-    expect(errorResp.statusText).toBe("Internal Server Error")
-  })
-
-  it("should proxy correctly", async () => {
-    const resp = await nodeFetch(`${URL}/route`)
+    // The proxied listener should not have printed the code-server token.
    expect(resp.status).toBe(200)
-    expect(resp.statusText).toBe("OK")
+    const text = await resp.text()
+    expect(text).toBe(`cookie1=${encodedValue}; cookie2=hello`)
  })
 })
Author	SHA1	Message	Date
dependabot[bot]	3cc8c5128e	chore: bump i18next from 25.8.13 to 26.3.1 Bumps [i18next](https://github.com/i18next/i18next) from 25.8.13 to 26.3.1. - [Release notes](https://github.com/i18next/i18next/releases) - [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md) - [Commits](https://github.com/i18next/i18next/compare/v25.8.13...v26.3.1) --- updated-dependencies: - dependency-name: i18next dependency-version: 26.3.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-06-16 00:43:19 +00:00
Asher	1ccd4f04d2	Update brace-expansion, js-yaml, and ws	2026-06-15 16:42:17 -08:00
Asher	364cf99338	Strip token from cookies before proxying Since this functionality requires information placed onto the request by code-server (req.args) and Express (req.cookies), move the standalone tests into the integration tests as the proxy can no longer run correctly on its own without that context. We could strip the header elsewhere or refactor in some way (pass in a callback function for the stripping or something) but this seems like the simplest and safest place at the moment to ensure we catch all uses of the proxy. In any case, I think it does lend more confidence to know we are testing the proxy the way it will be used in practice. The downside is some additional complexity when setting up tests, but at the moment I do not think that exchange is overly burdensome.	2026-06-15 16:42:17 -08:00
ka-ishimoto	92a7dce46f	Fix false positive CVE alerts by setting package name to code-oss-dev (#7839 ) The VS Code build process sets the bundled lib/vscode/package.json name to "code-server" (from product.json nameShort), causing vulnerability scanners to misidentify it and flag non-applicable CVEs. Override the name to "code-oss-dev" in build-release.sh after merging package.json. Fixes #7071 Signed-off-by: ka-ishimoto <ka-ishimoto@kddi.com>	2026-06-10 11:59:45 -08:00
cdrci	d0d53d924e	Update Helm chart and changelog with 4.123.0 (#7838 )	2026-06-04 10:50:04 -08:00