Update Code to 1.124.0

2026-06-27 20:37:39 +02:00 · 2026-06-10 17:16:15 +00:00
6 changed files with 102 additions and 116 deletions
--- a/ci/build/build-release.sh
+++ b/ci/build/build-release.sh
@@ -128,9 +128,7 @@ bundle_vscode() {

  # Merge the package.json for the web/remote server so we can include
  # dependencies, since we want to ship this via NPM.
-  # Also override the name to prevent vulnerability scanners from
-  # misidentifying this package as VS Code (see #7071).
-  jq --slurp '.[0] * .[1] | .name = "code-oss-dev"' \
+  jq --slurp '.[0] * .[1]' \
    "$VSCODE_SRC_PATH/remote/package.json" \
    "$VSCODE_OUT_PATH/package.json" > "$VSCODE_OUT_PATH/package.json.merged"
  mv "$VSCODE_OUT_PATH/package.json.merged" "$VSCODE_OUT_PATH/package.json"
--- a/lib/vscode
+++ b/lib/vscode
--- a/package-lock.json
+++ b/package-lock.json
@@ -13,13 +13,12 @@
        "@coder/logger": "^3.0.1",
        "argon2": "^0.44.0",
        "compression": "^1.7.4",
-        "cookie": "^1.1.1",
        "cookie-parser": "^1.4.6",
        "env-paths": "^2.2.1",
        "express": "^5.0.1",
        "http-proxy": "^1.18.1",
        "httpolyglot": "^0.1.2",
-        "i18next": "^26.3.1",
+        "i18next": "^25.8.3",
        "js-yaml": "^4.1.0",
        "limiter": "^2.1.0",
        "pem": "^1.14.8",
@@ -69,6 +68,15 @@
        "node": "22"
      }
    },
+    "node_modules/@babel/runtime": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.28.6.tgz",
+      "integrity": "sha512-05WQkdpL9COIMz4LjTxGpPNCdlpyimKppYNoJ5Di5EUObifl8t4tuLuUBBZEpoLYOmfvIWrsp9fCl0HoPRVTdA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
    "node_modules/@coder/logger": {
      "version": "3.0.1",
      "resolved": "https://registry.npmjs.org/@coder/logger/-/logger-3.0.1.tgz",
@@ -960,9 +968,9 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-      "version": "5.0.6",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
-      "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -1928,16 +1936,12 @@
      }
    },
    "node_modules/cookie": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-1.1.1.tgz",
-      "integrity": "sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ==",
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
      "license": "MIT",
      "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
+        "node": ">= 0.6"
      }
    },
    "node_modules/cookie-parser": {
@@ -1953,15 +1957,6 @@
        "node": ">= 0.8.0"
      }
    },
-    "node_modules/cookie-parser/node_modules/cookie": {
-      "version": "0.7.2",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
-      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
    "node_modules/cookie-signature": {
      "version": "1.0.6",
      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
@@ -2958,15 +2953,6 @@
        "url": "https://opencollective.com/express"
      }
    },
-    "node_modules/express/node_modules/cookie": {
-      "version": "0.7.2",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
-      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
    "node_modules/express/node_modules/cookie-signature": {
      "version": "1.2.2",
      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz",
@@ -3546,26 +3532,29 @@
      }
    },
    "node_modules/i18next": {
-      "version": "26.3.1",
-      "resolved": "https://registry.npmjs.org/i18next/-/i18next-26.3.1.tgz",
-      "integrity": "sha512-txQqd5EULsqEh9OJqRH15aCaOuy/nLJyhw5EHCSKLKJE1aBbb3Zve2+uQIxgWhPm1QqUQoWyQBm2kfmmIrzkcQ==",
+      "version": "25.8.13",
+      "resolved": "https://registry.npmjs.org/i18next/-/i18next-25.8.13.tgz",
+      "integrity": "sha512-E0vzjBY1yM+nsFrtgkjLhST2NBkirkvOVoQa0MSldhsuZ3jUge7ZNpuwG0Cfc74zwo5ZwRzg3uOgT+McBn32iA==",
      "funding": [
        {
          "type": "individual",
-          "url": "https://www.locize.com/i18next"
+          "url": "https://locize.com"
+        },
+        {
+          "type": "individual",
+          "url": "https://locize.com/i18next.html"
        },
        {
          "type": "individual",
          "url": "https://www.i18next.com/how-to/faq#i18next-is-awesome.-how-can-i-support-the-project"
-        },
-        {
-          "type": "individual",
-          "url": "https://www.locize.com"
        }
      ],
      "license": "MIT",
+      "dependencies": {
+        "@babel/runtime": "^7.28.4"
+      },
      "peerDependencies": {
-        "typescript": "^5 || ^6"
+        "typescript": "^5"
      },
      "peerDependenciesMeta": {
        "typescript": {
@@ -4141,19 +4130,9 @@
      "license": "ISC"
    },
    "node_modules/js-yaml": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz",
-      "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/puzrin"
-        },
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/nodeca"
-        }
-      ],
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
      "license": "MIT",
      "dependencies": {
        "argparse": "^2.0.1"
@@ -6634,9 +6613,9 @@
      "license": "ISC"
    },
    "node_modules/ws": {
-      "version": "8.21.0",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz",
-      "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==",
+      "version": "8.20.1",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz",
+      "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==",
      "license": "MIT",
      "engines": {
        "node": ">=10.0.0"
--- a/package.json
+++ b/package.json
@@ -70,13 +70,12 @@
    "@coder/logger": "^3.0.1",
    "argon2": "^0.44.0",
    "compression": "^1.7.4",
-    "cookie": "^1.1.1",
    "cookie-parser": "^1.4.6",
    "env-paths": "^2.2.1",
    "express": "^5.0.1",
    "http-proxy": "^1.18.1",
    "httpolyglot": "^0.1.2",
-    "i18next": "^26.3.1",
+    "i18next": "^25.8.3",
    "js-yaml": "^4.1.0",
    "limiter": "^2.1.0",
    "pem": "^1.14.8",
--- a/src/node/proxy.ts
+++ b/src/node/proxy.ts
@@ -1,7 +1,5 @@
-import * as cookie from "cookie"
-import type { Request } from "express"
 import proxyServer from "http-proxy"
-import { getCookieSessionName, HttpCode } from "../common/http"
+import { HttpCode } from "../common/http"

 export const proxy = proxyServer.createProxyServer({})

@@ -20,19 +18,6 @@ proxy.on("error", (error, _, res) => {
  }
 })

-// Strip the code-server cookie if it exists to avoid transmitting the cookie
-// to potentially malicious local ports.
-proxy.on("proxyReq", (preq, req) => {
-  const cookieSessionName = getCookieSessionName((req as Request).args["cookie-suffix"])
-  preq.setHeader(
-    "Cookie",
-    cookie.stringifyCookie({
-      ...(req as Request).cookies,
-      [cookieSessionName]: undefined,
-    }),
-  )
-})
-
 // Intercept the response to rewrite absolute redirects against the base path.
 // Is disabled when the request has no base path which means /absproxy is in use.
 proxy.on("proxyRes", (res, req) => {
--- a/test/unit/node/proxy.test.ts
+++ b/test/unit/node/proxy.test.ts
@@ -1,12 +1,15 @@
 import * as express from "express"
+import * as http from "http"
+import nodeFetch from "node-fetch"
 import { HttpCode } from "../../../src/common/http"
+import { proxy } from "../../../src/node/proxy"
 import { wss, Router as WsRouter } from "../../../src/node/wsRouter"
-import { mockLogger } from "../../utils/helpers"
+import { getAvailablePort, mockLogger } from "../../utils/helpers"
 import * as httpserver from "../../utils/httpserver"
 import * as integration from "../../utils/integration"

 describe("proxy", () => {
-  const proxyTarget = new httpserver.HttpServer()
+  const nhooyrDevServer = new httpserver.HttpServer()
  const wsApp = express.default()
  const wsRouter = WsRouter()
  let codeServer: httpserver.HttpServer | undefined
@@ -16,22 +19,21 @@ describe("proxy", () => {

  beforeAll(async () => {
    wsApp.use("/", wsRouter.router)
-    await proxyTarget.listen((req, res) => {
+    await nhooyrDevServer.listen((req, res) => {
      e(req, res)
    })
-    proxyTarget.listenUpgrade(wsApp)
-    proxyPath = `/proxy/${proxyTarget.port()}/wsup`
+    nhooyrDevServer.listenUpgrade(wsApp)
+    proxyPath = `/proxy/${nhooyrDevServer.port()}/wsup`
    absProxyPath = proxyPath.replace("/proxy/", "/absproxy/")
  })

  afterAll(async () => {
-    await proxyTarget.dispose()
+    await nhooyrDevServer.dispose()
  })

  beforeEach(() => {
    e = express.default()
    mockLogger()
-    delete process.env.PASSWORD
  })

  afterEach(async () => {
@@ -281,42 +283,65 @@ describe("proxy", () => {
    const resp = await codeServer.fetch(proxyPath, { method: "OPTIONS" })
    expect(resp.status).toBe(200)
  })
+})

-  it("should return a 500 when no target is running ", async () => {
-    const target = new httpserver.HttpServer()
-    await target.listen(() => {})
-    const port = target.port()
-    target.dispose()
-    codeServer = await integration.setup(["--auth=none"], "")
-    const resp = await codeServer.fetch(`/proxy/${port}/wsup`)
-    expect(resp.status).toBe(HttpCode.ServerError)
-    expect(resp.statusText).toBe("Internal Server Error")
+// NOTE@jsjoeio
+// Both this test suite and the one above it are very similar
+// The main difference is this one uses http and node-fetch
+// and specifically tests the proxy in isolation vs. using
+// the httpserver abstraction we've built.
+//
+// Leaving this as a separate test suite for now because
+// we may consider refactoring the httpserver abstraction
+// in the future.
+//
+// If you're writing a test specifically for code in
+// src/node/proxy.ts, you should probably add it to
+// this test suite.
+describe("proxy (standalone)", () => {
+  let URL = ""
+  let PROXY_URL = ""
+  let testServer: http.Server
+  let proxyTarget: http.Server
+
+  beforeEach(async () => {
+    const PORT = await getAvailablePort()
+    const PROXY_PORT = await getAvailablePort()
+    URL = `http://localhost:${PORT}`
+    PROXY_URL = `http://localhost:${PROXY_PORT}`
+    // Define server and a proxy server
+    testServer = http.createServer((req, res) => {
+      proxy.web(req, res, {
+        target: PROXY_URL,
+      })
+    })
+
+    proxyTarget = http.createServer((req, res) => {
+      res.writeHead(200, { "Content-Type": "text/plain" })
+      res.end()
+    })
+
+    // Start both servers
+    proxyTarget.listen(PROXY_PORT)
+    testServer.listen(PORT)
  })

-  it("should strip token cookie", async () => {
-    const token = "my-super-secure-token"
-    process.env.HASHED_PASSWORD = token
-    codeServer = await integration.setup(["--auth=password"])
+  afterEach(async () => {
+    testServer.close()
+    proxyTarget.close()
+  })

-    // Set up a listener that just prints the cookies it got.
-    e.get("/wsup/cookies", (req, res) => {
-      res.writeHead(HttpCode.Ok, { "Content-Type": "text/plain" })
-      res.end(req.headers.cookie)
-    })
+  it("should return a 500 when proxy target errors ", async () => {
+    // Close the proxy target so that proxy errors
+    proxyTarget.close()
+    const errorResp = await nodeFetch(`${URL}/error`)
+    expect(errorResp.status).toBe(HttpCode.ServerError)
+    expect(errorResp.statusText).toBe("Internal Server Error")
+  })

-    // Send the token along with other cookies which should be preserved.
-    // Encode one to make sure they are being re-encoded properly.
-    const value = "hello=there"
-    const encodedValue = encodeURIComponent(value)
-    const resp = await codeServer.fetch(proxyPath + "/cookies", {
-      headers: {
-        cookie: `cookie1=${encodedValue}; code-server-session=${token}; cookie2=hello;`,
-      },
-    })
-
-    // The proxied listener should not have printed the code-server token.
+  it("should proxy correctly", async () => {
+    const resp = await nodeFetch(`${URL}/route`)
    expect(resp.status).toBe(200)
-    const text = await resp.text()
-    expect(text).toBe(`cookie1=${encodedValue}; cookie2=hello`)
+    expect(resp.statusText).toBe("OK")
  })
 })