Update Code to 1.124.2 (#7846 )

2026-06-16 15:07:11 +02:00 · 2026-06-15 22:28:49 -08:00
6 changed files with 41 additions and 15 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,20 @@ Code v99.99.999

 ## Unreleased

+Code v1.124.2
+
+### Security
+
+- Strip code-server's session token from the cookie before proxying to a local
+  port. Previously, when you used built-in password authentication, the cookie
+  would be sent to the local proxied port, which meant if the service was
+  malicious and not already running as your code-server user it could use the
+  cookie to log into code-server and execute commands as your code-server user.
+
+### Changed
+
+- Update to Code 1.124.2
+
 ## [4.123.0](https://github.com/coder/code-server/releases/tag/v4.123.0) - 2026-06-03

 Code v1.123.0
--- a/lib/vscode
+++ b/lib/vscode
--- a/package-lock.json
+++ b/package-lock.json
@@ -19,7 +19,7 @@
        "express": "^5.0.1",
        "http-proxy": "^1.18.1",
        "httpolyglot": "^0.1.2",
-        "i18next": "^26.3.1",
+        "i18next": "^25.8.3",
        "js-yaml": "^4.1.0",
        "limiter": "^2.1.0",
        "pem": "^1.14.8",
@@ -69,6 +69,15 @@
        "node": "22"
      }
    },
+    "node_modules/@babel/runtime": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.28.6.tgz",
+      "integrity": "sha512-05WQkdpL9COIMz4LjTxGpPNCdlpyimKppYNoJ5Di5EUObifl8t4tuLuUBBZEpoLYOmfvIWrsp9fCl0HoPRVTdA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
    "node_modules/@coder/logger": {
      "version": "3.0.1",
      "resolved": "https://registry.npmjs.org/@coder/logger/-/logger-3.0.1.tgz",
@@ -3546,26 +3555,29 @@
      }
    },
    "node_modules/i18next": {
-      "version": "26.3.1",
-      "resolved": "https://registry.npmjs.org/i18next/-/i18next-26.3.1.tgz",
-      "integrity": "sha512-txQqd5EULsqEh9OJqRH15aCaOuy/nLJyhw5EHCSKLKJE1aBbb3Zve2+uQIxgWhPm1QqUQoWyQBm2kfmmIrzkcQ==",
+      "version": "25.8.13",
+      "resolved": "https://registry.npmjs.org/i18next/-/i18next-25.8.13.tgz",
+      "integrity": "sha512-E0vzjBY1yM+nsFrtgkjLhST2NBkirkvOVoQa0MSldhsuZ3jUge7ZNpuwG0Cfc74zwo5ZwRzg3uOgT+McBn32iA==",
      "funding": [
        {
          "type": "individual",
-          "url": "https://www.locize.com/i18next"
+          "url": "https://locize.com"
+        },
+        {
+          "type": "individual",
+          "url": "https://locize.com/i18next.html"
        },
        {
          "type": "individual",
          "url": "https://www.i18next.com/how-to/faq#i18next-is-awesome.-how-can-i-support-the-project"
-        },
-        {
-          "type": "individual",
-          "url": "https://www.locize.com"
        }
      ],
      "license": "MIT",
+      "dependencies": {
+        "@babel/runtime": "^7.28.4"
+      },
      "peerDependencies": {
-        "typescript": "^5 || ^6"
+        "typescript": "^5"
      },
      "peerDependenciesMeta": {
        "typescript": {
--- a/package.json
+++ b/package.json
@@ -76,7 +76,7 @@
    "express": "^5.0.1",
    "http-proxy": "^1.18.1",
    "httpolyglot": "^0.1.2",
-    "i18next": "^26.3.1",
+    "i18next": "^25.8.3",
    "js-yaml": "^4.1.0",
    "limiter": "^2.1.0",
    "pem": "^1.14.8",
--- a/patches/disable-builtin-ext-update.diff
+++ b/patches/disable-builtin-ext-update.diff
@@ -7,7 +7,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
-@@ -344,6 +344,10 @@ export class Extension implements IExten
+@@ -345,6 +345,10 @@ export class Extension implements IExten
 			if (this.type === ExtensionType.System && this.productService.quality === 'stable' && !this.productService.builtInExtensionsEnabledWithAutoUpdates?.some(id => id.toLowerCase() === this.identifier.id.toLowerCase())) {
 				return false;
 			}
--- a/patches/webview.diff
+++ b/patches/webview.diff
@@ -70,8 +70,8 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
 	<meta charset="UTF-8">
 
 	<meta http-equiv="Content-Security-Policy"
-		content="default-src 'none'; script-src 'sha256-q+WTr+fBXpLLE3++yWNaxT6BTWQtsKscoeIlynBRk4E=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
-+		content="default-src 'none'; script-src 'sha256-m1DlJtsIJd46QuWYNcsaYIG1xI+9FyjKQu+cfp+zq5Q=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+-		content="default-src 'none'; script-src 'sha256-nXjtuhBilO++r8hfxl5VjEScSmdm07wDAk6jw228DgM=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+		content="default-src 'none'; script-src 'sha256-A6/szVNdTzyi4hDa+9OLbzS8tSd2iUV4CqimLNWex2Y=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
 
 	<!-- Disable pinch zooming -->
 	<meta name="viewport"