Update Helm chart and changelog with 4.124.2

Update Code to 1.124.2 (#7846 )
2026-06-16 15:07:11 +02:00 · 2026-06-16 08:34:55 +00:00 · 2026-06-15 22:28:49 -08:00
8 changed files with 29 additions and 16 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,22 @@ Code v99.99.999

 ## Unreleased

+## [4.124.2](https://github.com/coder/code-server/releases/tag/v4.124.2) - 2026-06-16
+
+Code v1.124.2
+
+### Security
+
+- Strip code-server's session token from the cookie before proxying to a local
+  port. Previously, when you used built-in password authentication, the cookie
+  would be sent to the local proxied port, which meant if the service was
+  malicious and not already running as your code-server user it could use the
+  cookie to log into code-server and execute commands as your code-server user.
+
+### Changed
+
+- Update to Code 1.124.2
+
 ## [4.123.0](https://github.com/coder/code-server/releases/tag/v4.123.0) - 2026-06-03

 Code v1.123.0
--- a/ci/helm-chart/Chart.yaml
+++ b/ci/helm-chart/Chart.yaml
@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.38.0
+version: 3.39.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.123.0
+appVersion: 4.124.2
--- a/ci/helm-chart/values.yaml
+++ b/ci/helm-chart/values.yaml
@@ -6,7 +6,7 @@ replicaCount: 1

 image:
  repository: codercom/code-server
-  tag: '4.123.0'
+  tag: '4.124.2'
  pullPolicy: Always

 # Specifies one or more secrets to be used when pulling images from a
--- a/lib/vscode
+++ b/lib/vscode
--- a/package-lock.json
+++ b/package-lock.json
@@ -29,7 +29,7 @@
        "safe-compare": "^1.1.4",
        "semver": "^7.5.4",
        "ws": "^8.14.2",
-        "xdg-basedir": "^5.1.0"
+        "xdg-basedir": "^4.0.0"
      },
      "bin": {
        "code-server": "out/node/entry.js"
@@ -6667,15 +6667,12 @@
      }
    },
    "node_modules/xdg-basedir": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/xdg-basedir/-/xdg-basedir-5.1.0.tgz",
-      "integrity": "sha512-GCPAHLvrIH13+c0SuacwvRYj2SxJXQ4kaVTT5xgL3kPrz56XxkF21IGhjSE1+W0aw7gpBWRGXLCPnPby6lSpmQ==",
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/xdg-basedir/-/xdg-basedir-4.0.0.tgz",
+      "integrity": "sha512-PSNhEJDejZYV7h50BohL09Er9VaIefr2LMAf3OEmpCkjOi34eYyQYAXUTjEQtZJTKcF0E2UKTh+osDLsgNim9Q==",
      "license": "MIT",
      "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
+        "node": ">=8"
      }
    },
    "node_modules/yn": {
--- a/package.json
+++ b/package.json
@@ -86,7 +86,7 @@
    "safe-compare": "^1.1.4",
    "semver": "^7.5.4",
    "ws": "^8.14.2",
-    "xdg-basedir": "^5.1.0"
+    "xdg-basedir": "^4.0.0"
  },
  "resolutions": {
    "@types/node": "22.x"
--- a/patches/disable-builtin-ext-update.diff
+++ b/patches/disable-builtin-ext-update.diff
@@ -7,7 +7,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
-@@ -344,6 +344,10 @@ export class Extension implements IExten
+@@ -345,6 +345,10 @@ export class Extension implements IExten
 			if (this.type === ExtensionType.System && this.productService.quality === 'stable' && !this.productService.builtInExtensionsEnabledWithAutoUpdates?.some(id => id.toLowerCase() === this.identifier.id.toLowerCase())) {
 				return false;
 			}
--- a/patches/webview.diff
+++ b/patches/webview.diff
@@ -70,8 +70,8 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
 	<meta charset="UTF-8">
 
 	<meta http-equiv="Content-Security-Policy"
-		content="default-src 'none'; script-src 'sha256-q+WTr+fBXpLLE3++yWNaxT6BTWQtsKscoeIlynBRk4E=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
-+		content="default-src 'none'; script-src 'sha256-m1DlJtsIJd46QuWYNcsaYIG1xI+9FyjKQu+cfp+zq5Q=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+-		content="default-src 'none'; script-src 'sha256-nXjtuhBilO++r8hfxl5VjEScSmdm07wDAk6jw228DgM=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+		content="default-src 'none'; script-src 'sha256-A6/szVNdTzyi4hDa+9OLbzS8tSd2iUV4CqimLNWex2Y=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
 
 	<!-- Disable pinch zooming -->
 	<meta name="viewport"
Author	SHA1	Message	Date
cdrci	9baa4f24aa	Update Helm chart and changelog with 4.124.2	2026-06-16 08:34:55 +00:00
cdrci	9fe7eb79d5	Update Code to 1.124.2 (#7846 )	2026-06-15 22:28:49 -08:00