Bump proxy-agent from 6.5.0 to 8.0.2

Bumps [proxy-agent](https://github.com/TooTallNate/proxy-agents/tree/HEAD/packages/proxy-agent) from 6.5.0 to 8.0.2.
- [Release notes](https://github.com/TooTallNate/proxy-agents/releases)
- [Changelog](https://github.com/TooTallNate/proxy-agents/blob/main/packages/proxy-agent/CHANGELOG.md)
- [Commits](https://github.com/TooTallNate/proxy-agents/commits/proxy-agent@8.0.2/packages/proxy-agent)

---
updated-dependencies:
- dependency-name: proxy-agent
  dependency-version: 8.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/dependabot.yaml

@@ -16,8 +16,6 @@ updates:
       interval: "monthly"
       time: "06:00"
       timezone: "America/Chicago"
-    commit-message:
-      prefix: "chore"
     labels: []
     ignore:
       # Ignore patch updates for all dependencies

.github/workflows/build.yaml

@@ -25,7 +25,7 @@ jobs:
       docs: ${{ steps.filter.outputs.docs }}
       helm: ${{ steps.filter.outputs.helm }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
         id: filter
         with:
@@ -55,7 +55,7 @@ jobs:
     name: Run prettier check
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
@@ -72,7 +72,7 @@ jobs:
     needs: changes
     if: needs.changes.outputs.docs == 'true'
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
@@ -89,7 +89,7 @@ jobs:
     needs: changes
     if: needs.changes.outputs.helm == 'true'
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -103,7 +103,7 @@ jobs:
     needs: changes
     if: needs.changes.outputs.code == 'true'
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
@@ -121,7 +121,7 @@ jobs:
     if: needs.changes.outputs.ci == 'true'
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - name: Check workflow files
         run: |
           bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.9
@@ -134,7 +134,7 @@ jobs:
     needs: changes
     if: needs.changes.outputs.code == 'true'
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
@@ -144,7 +144,7 @@ jobs:
             test/package-lock.json
       - run: SKIP_SUBMODULE_DEPS=1 npm ci
       - run: npm run test:unit
-      - uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5
+      - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
         if: success()
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -163,12 +163,12 @@ jobs:
 
     steps:
       - run: sudo apt update && sudo apt install -y libkrb5-dev
-      - uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
+      - uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # latest
         with:
           packages: quilt
           version: 1.0
 
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           submodules: true
       - run: quilt push -a
@@ -219,7 +219,7 @@ jobs:
     if: needs.changes.outputs.code == 'true' || needs.changes.outputs.deps == 'true' || needs.changes.outputs.ci == 'true'
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
@@ -269,7 +269,7 @@ jobs:
           mkdir -p ~/.cache/caddy
           tar -xzf caddy_2.5.2_linux_amd64.tar.gz --directory ~/.cache/caddy
 
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version

.github/workflows/installer.yaml

@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Install code-server
         run: ./install.sh
@@ -44,7 +44,7 @@ jobs:
     container: "alpine:3.17"
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Install curl
         run: apk add curl
@@ -67,7 +67,7 @@ jobs:
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Install code-server
         run: ./install.sh

.github/workflows/publish.yaml

@@ -33,7 +33,7 @@ jobs:
         run: |
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: .node-version
@@ -64,7 +64,7 @@ jobs:
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
       - name: Checkout code-server-aur repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           repository: "cdrci/code-server-aur"
           token: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
@@ -93,7 +93,7 @@ jobs:
         run: |
           git checkout -b update-version-${{ env.VERSION }}
           git add .
-          git commit -m "chore: updating version to ${{ env.VERSION }}"
+          git commit -m "Update to ${{ env.VERSION }}"
           git push -u origin $(git branch --show)
           gh pr create --repo coder/code-server-aur --title "chore: bump version to ${{ env.VERSION }}" --body "PR opened by @$GITHUB_ACTOR" --assignee $GITHUB_ACTOR
 
@@ -108,9 +108,9 @@ jobs:
         run: |
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
-      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+      - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
       - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
@@ -149,7 +149,7 @@ jobs:
         run: |
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - run: ./ci/build/update-repo.sh
 

.github/workflows/release.yaml

@@ -59,7 +59,7 @@ jobs:
 
     steps:
       - run: sudo apt update && sudo apt install -y libkrb5-dev
-      - uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
+      - uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # latest
         with:
           packages: quilt
           version: 1.0
@@ -76,7 +76,7 @@ jobs:
           version=4${version:1}
           echo "VERSION=$version" >> $GITHUB_ENV
 
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           submodules: true
       - run: quilt push -a
@@ -110,7 +110,7 @@ jobs:
       - run: |
           sed "/^## Unreleased/,/^## / ! d" CHANGELOG.md | head -n -2 | tail -n +3 > .cache/release-notes
         if: ${{ matrix.vscode_arch == 'x64' }}
-      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
+      - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
         if: ${{ matrix.vscode_arch == 'x64' }}
         with:
           draft: true
@@ -123,7 +123,7 @@ jobs:
       # Platform-specific release.
       - run: KEEP_MODULES=1 npm run release
       - run: npm run package
-      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
+      - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
         with:
           draft: true
           discussion_category_name: "📣 Announcements"
@@ -170,7 +170,7 @@ jobs:
           version=4${version:1}
           echo "VERSION=$version" >> $GITHUB_ENV
 
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           submodules: true
       - run: quilt push -a
@@ -189,7 +189,7 @@ jobs:
       - run: npm run test:native
 
       - run: npm run package
-      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
+      - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
         with:
           draft: true
           discussion_category_name: "📣 Announcements"

.github/workflows/scripts.yaml

@@ -41,7 +41,7 @@ jobs:
     container: "alpine:3.17"
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Install test utilities
         run: apk add bats checkbashisms
@@ -58,7 +58,7 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Install lint utilities
         run: sudo apt install shellcheck

.github/workflows/security.yaml

@@ -25,7 +25,7 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           fetch-depth: 0
 
@@ -46,7 +46,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           fetch-depth: 0
 
@@ -62,7 +62,7 @@ jobs:
           severity: "HIGH,CRITICAL"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
         with:
           sarif_file: "trivy-repo-results.sarif"
 
@@ -76,17 +76,17 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
         with:
           config-file: ./.github/codeql-config.yml
           languages: javascript
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4

.github/workflows/trivy-docker.yaml

@@ -46,7 +46,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Run Trivy vulnerability scanner in image mode
         uses: aquasecurity/trivy-action@314ff8b43182423b84c50b1670b0e10f858f2d98 # latest
@@ -58,6 +58,6 @@ jobs:
           severity: "HIGH,CRITICAL"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
         with:
           sarif_file: "trivy-image-results.sarif"

.github/workflows/update.yaml

@@ -28,7 +28,7 @@ jobs:
         run: |
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           submodules: true
 
@@ -47,7 +47,7 @@ jobs:
             echo done=false >> $GITHUB_OUTPUT
           fi
 
-      - uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
+      - uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # latest
         if: steps.check.outputs.done == 'false'
         with:
           packages: quilt

CHANGELOG.md

@@ -22,6 +22,22 @@ Code v99.99.999
 
 ## Unreleased
 
+## [4.124.2](https://github.com/coder/code-server/releases/tag/v4.124.2) - 2026-06-16
+
+Code v1.124.2
+
+### Security
+
+- Strip code-server's session token from the cookie before proxying to a local
+  port. Previously, when you used built-in password authentication, the cookie
+  would be sent to the local proxied port, which meant if the service was
+  malicious and not already running as your code-server user it could use the
+  cookie to log into code-server and execute commands as your code-server user.
+
+### Changed
+
+- Update to Code 1.124.2
+
 ## [4.123.0](https://github.com/coder/code-server/releases/tag/v4.123.0) - 2026-06-03
 
 Code v1.123.0

ci/build/build-release.sh

@@ -128,7 +128,9 @@ bundle_vscode() {
 
   # Merge the package.json for the web/remote server so we can include
   # dependencies, since we want to ship this via NPM.
-  jq --slurp '.[0] * .[1]' \
+  # Also override the name to prevent vulnerability scanners from
+  # misidentifying this package as VS Code (see #7071).
+  jq --slurp '.[0] * .[1] | .name = "code-oss-dev"' \
     "$VSCODE_SRC_PATH/remote/package.json" \
     "$VSCODE_OUT_PATH/package.json" > "$VSCODE_OUT_PATH/package.json.merged"
   mv "$VSCODE_OUT_PATH/package.json.merged" "$VSCODE_OUT_PATH/package.json"

ci/helm-chart/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.38.0
+version: 3.39.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.123.0
+appVersion: 4.124.2

ci/helm-chart/values.yaml

@@ -6,7 +6,7 @@ replicaCount: 1
 
 image:
   repository: codercom/code-server
-  tag: '4.123.0'
+  tag: '4.124.2'
   pullPolicy: Always
 
 # Specifies one or more secrets to be used when pulling images from a

docs/install.md

@@ -101,9 +101,8 @@ _exact_ same commands presented in the rest of this document.
 We recommend installing with `npm` when:
 
 1. You aren't using a machine with `amd64` or `arm64`.
-2. You are installing code-server on Windows.
+2. You're on Linux with `glibc` < v2.28 or `glibcxx` < v3.4.21.
-3. You're on Linux with `glibc` < v2.28 or `glibcxx` < v3.4.21.
+3. You're running Alpine Linux or are using a non-glibc libc. See
-4. You're running Alpine Linux or are using a non-glibc libc. See
    [#1430](https://github.com/coder/code-server/issues/1430#issuecomment-629883198)
    for more information.
 
@@ -296,8 +295,7 @@ You can install code-server using the [Helm package manager](https://coder.com/d
 ## Windows
 
 We currently [do not publish Windows
-releases](https://github.com/coder/code-server/issues/1397). We recommend
+releases](https://github.com/coder/code-server/issues/1397).
-installing code-server onto Windows with [`npm`](#npm).
 
 ## Raspberry Pi
 

package.json

@@ -59,7 +59,7 @@
     "eslint-import-resolver-typescript": "^4.4.4",
     "eslint-plugin-import": "^2.28.1",
     "eslint-plugin-prettier": "^5.0.0",
-    "globals": "^16.1.0",
+    "globals": "^17.6.0",
     "prettier": "3.8.3",
     "prettier-plugin-sh": "^0.18.0",
     "ts-node": "^10.9.1",
@@ -70,16 +70,17 @@
     "@coder/logger": "^3.0.1",
     "argon2": "^0.44.0",
     "compression": "^1.7.4",
+    "cookie": "^1.1.1",
     "cookie-parser": "^1.4.6",
     "env-paths": "^2.2.1",
     "express": "^5.0.1",
     "http-proxy": "^1.18.1",
     "httpolyglot": "^0.1.2",
-    "i18next": "^25.8.3",
+    "i18next": "^26.3.1",
     "js-yaml": "^4.1.0",
     "limiter": "^2.1.0",
     "pem": "^1.14.8",
-    "proxy-agent": "^6.3.1",
+    "proxy-agent": "^8.0.2",
     "qs": "^6.15.0",
     "rotating-file-stream": "^3.1.1",
     "safe-compare": "^1.1.4",

patches/disable-builtin-ext-update.diff

@@ -7,7 +7,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
-@@ -344,6 +344,10 @@ export class Extension implements IExten
+@@ -345,6 +345,10 @@ export class Extension implements IExten
  			if (this.type === ExtensionType.System && this.productService.quality === 'stable' && !this.productService.builtInExtensionsEnabledWithAutoUpdates?.some(id => id.toLowerCase() === this.identifier.id.toLowerCase())) {
  				return false;
  			}

patches/webview.diff

@@ -70,8 +70,8 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
  	<meta charset="UTF-8">
  
  	<meta http-equiv="Content-Security-Policy"
--		content="default-src 'none'; script-src 'sha256-q+WTr+fBXpLLE3++yWNaxT6BTWQtsKscoeIlynBRk4E=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+-		content="default-src 'none'; script-src 'sha256-nXjtuhBilO++r8hfxl5VjEScSmdm07wDAk6jw228DgM=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
-+		content="default-src 'none'; script-src 'sha256-m1DlJtsIJd46QuWYNcsaYIG1xI+9FyjKQu+cfp+zq5Q=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
++		content="default-src 'none'; script-src 'sha256-A6/szVNdTzyi4hDa+9OLbzS8tSd2iUV4CqimLNWex2Y=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
  
  	<!-- Disable pinch zooming -->
  	<meta name="viewport"

src/node/i18n/index.ts

@@ -54,7 +54,6 @@ init({
   lowerCaseLng: true,
   debug: process.env.NODE_ENV === "development",
   resources: defaultResources,
-  showSupportNotice: false,
 })
 
 export default i18next

src/node/proxy.ts

@@ -1,5 +1,7 @@
+import * as cookie from "cookie"
+import type { Request } from "express"
 import proxyServer from "http-proxy"
-import { HttpCode } from "../common/http"
+import { getCookieSessionName, HttpCode } from "../common/http"
 
 export const proxy = proxyServer.createProxyServer({})
 
@@ -18,6 +20,19 @@ proxy.on("error", (error, _, res) => {
   }
 })
 
+// Strip the code-server cookie if it exists to avoid transmitting the cookie
+// to potentially malicious local ports.
+proxy.on("proxyReq", (preq, req) => {
+  const cookieSessionName = getCookieSessionName((req as Request).args["cookie-suffix"])
+  preq.setHeader(
+    "Cookie",
+    cookie.stringifyCookie({
+      ...(req as Request).cookies,
+      [cookieSessionName]: undefined,
+    }),
+  )
+})
+
 // Intercept the response to rewrite absolute redirects against the base path.
 // Is disabled when the request has no base path which means /absproxy is in use.
 proxy.on("proxyRes", (res, req) => {

test/e2e/codeServer.test.ts

@@ -32,7 +32,7 @@ describe("code-server", ["--disable-workspace-trust"], {}, () => {
 
   test("should show the Integrated Terminal", async ({ codeServerPage }) => {
     await codeServerPage.focusTerminal()
-    expect(await codeServerPage.page.isVisible("#terminal")).toBe(true)
+    await expect(codeServerPage.page.locator("#terminal")).toBeVisible()
   })
 
   test("should open a file", async ({ codeServerPage }) => {

test/e2e/downloads.test.ts

@@ -18,7 +18,7 @@ describe("Downloads (enabled)", ["--disable-workspace-trust"], {}, async () => {
     // Action
     await codeServerPage.openContextMenu("text=unique-file.txt")
 
-    expect(await codeServerPage.page.isVisible("text=Download...")).toBe(true)
+    await expect(codeServerPage.page.locator("text=Download...")).toBeVisible()
   })
 
   test("should see the 'Show Local' button on Save As", async ({ codeServerPage }) => {
@@ -37,7 +37,7 @@ describe("Downloads (enabled)", ["--disable-workspace-trust"], {}, async () => {
     await codeServerPage.page.keyboard.type("Making some edits.")
     await codeServerPage.navigateMenus(["File", "Save As..."])
     await codeServerPage.page.waitForSelector(".quick-input-widget")
-    expect(await codeServerPage.page.isVisible("text=Show Local")).toBe(true)
+    await expect(codeServerPage.page.locator("text=Show Local")).toBeVisible()
   })
 
   test("should see the 'Show Local' button on Save File", async ({ codeServerPage }) => {
@@ -46,14 +46,14 @@ describe("Downloads (enabled)", ["--disable-workspace-trust"], {}, async () => {
     await codeServerPage.waitForTab("Untitled-1")
     await codeServerPage.navigateMenus(["File", "Save"])
     await codeServerPage.page.waitForSelector(".quick-input-widget")
-    expect(await codeServerPage.page.isVisible("text=Show Local")).toBe(true)
+    await expect(codeServerPage.page.locator("text=Show Local")).toBeVisible()
   })
 
   test("should see the 'Show Local' button on Save Workspace As", async ({ codeServerPage }) => {
     // Action
     await codeServerPage.navigateMenus(["File", "Save Workspace As..."])
     await codeServerPage.page.waitForSelector(".quick-input-widget")
-    expect(await codeServerPage.page.isVisible("text=Show Local")).toBe(true)
+    await expect(codeServerPage.page.locator("text=Show Local")).toBeVisible()
   })
 })
 
@@ -72,7 +72,7 @@ describe("Downloads (disabled)", ["--disable-workspace-trust", "--disable-file-d
     // Action
     await codeServerPage.openContextMenu("text=unique-file.txt")
 
-    expect(await codeServerPage.page.isVisible("text=Download...")).toBe(false)
+    await expect(codeServerPage.page.locator("text=Download...")).not.toBeVisible()
   })
 
   test("should not see the 'Show Local' button on Save as", async ({ codeServerPage }) => {
@@ -87,7 +87,7 @@ describe("Downloads (disabled)", ["--disable-workspace-trust", "--disable-file-d
     await codeServerPage.openFile(fileName)
     await codeServerPage.page.click(".tab")
     await codeServerPage.navigateMenus(["File", "Save As..."])
-    expect(await codeServerPage.page.isVisible("text=Show Local")).toBe(false)
+    await expect(codeServerPage.page.locator("text=Show Local")).not.toBeVisible()
   })
 
   test("should not see the 'Show Local' button on Save File", async ({ codeServerPage }) => {
@@ -96,13 +96,13 @@ describe("Downloads (disabled)", ["--disable-workspace-trust", "--disable-file-d
     await codeServerPage.waitForTab("Untitled-1")
     await codeServerPage.navigateMenus(["File", "Save"])
     await codeServerPage.page.waitForSelector(".quick-input-widget")
-    expect(await codeServerPage.page.isVisible("text=Show Local")).toBe(false)
+    await expect(codeServerPage.page.locator("text=Show Local")).not.toBeVisible()
   })
 
   test("should not see the 'Show Local' button on Save Workspace As", async ({ codeServerPage }) => {
     // Action
     await codeServerPage.navigateMenus(["File", "Save Workspace As..."])
     await codeServerPage.page.waitForSelector(".quick-input-widget")
-    expect(await codeServerPage.page.isVisible("text=Show Local")).toBe(false)
+    await expect(codeServerPage.page.locator("text=Show Local")).not.toBeVisible()
   })
 })

test/e2e/extensions.test.ts

@@ -13,7 +13,7 @@ function runTestExtensionTests() {
 
     // Remove end slash in address.
     const normalizedAddress = address.replace(/\/+$/, "")
-    await codeServerPage.page.getByText(`Info: proxyUri: ${normalizedAddress}/proxy/{{port}}/`)
+    await expect(codeServerPage.page.getByText(`Info: proxyUri: ${normalizedAddress}/proxy/{{port}}/`)).toBeVisible()
   })
 }
 

test/e2e/github.test.ts

@@ -12,7 +12,7 @@ if (process.env.GITHUB_TOKEN) {
       await codeServerPage.page.click("text=Allow")
       // It should ask to select an account, one of which will be the one we
       // pre-injected.
-      expect(await codeServerPage.page.isVisible("text=Select an account")).toBe(false)
+      await expect(codeServerPage.page.locator("text=Select an account")).not.toBeVisible()
     })
   })
 
@@ -26,7 +26,7 @@ if (process.env.GITHUB_TOKEN) {
       await codeServerPage.page.click("text=Allow")
       // Since there is no account it will ask directly for the token (because
       // we are on localhost; otherwise it would initiate the oauth flow).
-      expect(await codeServerPage.page.isVisible("text=GitHub Personal Access Token")).toBe(false)
+      await expect(codeServerPage.page.locator("text=GitHub Personal Access Token")).not.toBeVisible()
     })
   })
 } else {

test/e2e/login.test.ts

@@ -24,8 +24,8 @@ describe("login", ["--disable-workspace-trust", "--auth", "password"], {}, () =>
     // Skip entering password
     // Click the submit button and login
     await codeServerPage.page.click(".submit")
-    await codeServerPage.page.waitForLoadState("networkidle")
+    // The required input blocks empty submits, so the server-side error can't render.
-    expect(await codeServerPage.page.isVisible("text=Missing password"))
+    await expect(codeServerPage.page.locator("input.password:invalid")).toBeVisible()
   })
 
   test("should see an error message for incorrect password", async ({ codeServerPage }) => {
@@ -34,28 +34,29 @@ describe("login", ["--disable-workspace-trust", "--auth", "password"], {}, () =>
     // Click the submit button and login
     await codeServerPage.page.click(".submit")
     await codeServerPage.page.waitForLoadState("networkidle")
-    expect(await codeServerPage.page.isVisible("text=Incorrect password"))
+    await expect(codeServerPage.page.locator("text=Incorrect password")).toBeVisible()
   })
 
   test("should hit the rate limiter for too many unsuccessful logins", async ({ codeServerPage }) => {
-    // Type in password
+    test.slow()
-    await codeServerPage.page.fill(".password", "password123")
     // Click the submit button and login
     // The current RateLimiter allows 2 logins per minute plus
     // 12 logins per hour for a total of 14
     // See: src/node/routes/login.ts
     for (let i = 1; i <= 14; i++) {
+      await codeServerPage.page.fill(".password", "password123")
       await codeServerPage.page.click(".submit")
       await codeServerPage.page.waitForLoadState("networkidle")
       // We double-check that the correct error message shows
       // which should be for incorrect password
-      expect(await codeServerPage.page.isVisible("text=Incorrect password"))
+      await expect(codeServerPage.page.locator("text=Incorrect password")).toBeVisible()
     }
 
     // The 15th should fail for a different reason:
     // login rate
+    await codeServerPage.page.fill(".password", "password123")
     await codeServerPage.page.click(".submit")
     await codeServerPage.page.waitForLoadState("networkidle")
-    expect(await codeServerPage.page.isVisible("text=Login rate limited!"))
+    await expect(codeServerPage.page.locator("text=Login rate limited!")).toBeVisible()
   })
 })

test/e2e/uploads.test.ts

@@ -18,14 +18,14 @@ describe("Uploads (enabled)", ["--disable-workspace-trust"], {}, () => {
     // Action
     await codeServerPage.openContextMenu('span:has-text("test-directory")')
 
-    expect(await codeServerPage.page.isVisible("text=Upload...")).toBe(true)
+    await expect(codeServerPage.page.locator("text=Upload...")).toBeVisible()
   })
 
   test("should see the 'Show Local' button on Open File", async ({ codeServerPage }) => {
     // Action
     await codeServerPage.navigateMenus(["File", "Open File..."])
     await codeServerPage.page.waitForSelector(".quick-input-widget")
-    expect(await codeServerPage.page.isVisible("text=Show Local")).toBe(true)
+    await expect(codeServerPage.page.locator("text=Show Local")).toBeVisible()
   })
 })
 
@@ -44,13 +44,13 @@ describe("Uploads (disabled)", ["--disable-workspace-trust", "--disable-file-upl
     // Action
     await codeServerPage.openContextMenu('span:has-text("test-directory")')
 
-    expect(await codeServerPage.page.isVisible("text=Upload...")).toBe(false)
+    await expect(codeServerPage.page.locator("text=Upload...")).not.toBeVisible()
   })
 
   test("should not see the 'Show Local' button on Open File", async ({ codeServerPage }) => {
     // Action
     await codeServerPage.navigateMenus(["File", "Open File..."])
     await codeServerPage.page.waitForSelector(".quick-input-widget")
-    expect(await codeServerPage.page.isVisible("text=Show Local")).toBe(false)
+    await expect(codeServerPage.page.locator("text=Show Local")).not.toBeVisible()
   })
 })

test/package-lock.json

@@ -7,7 +7,7 @@
       "license": "MIT",
       "devDependencies": {
         "@jest-mock/express": "^1.4.5",
-        "@playwright/test": "^1.56.1",
+        "@playwright/test": "^1.61.0",
         "@types/jest": "^27.0.2",
         "@types/jsdom": "^16.2.13",
         "@types/node-fetch": "^2.5.8",
@@ -18,7 +18,7 @@
         "jest-fetch-mock": "^3.0.3",
         "jsdom": "^16.4.0",
         "node-fetch": "^2.6.7",
-        "playwright": "^1.59.1",
+        "playwright": "^1.61.0",
         "ts-jest": "^27.0.7",
         "wtfnode": "^0.9.1"
       }
@@ -998,13 +998,13 @@
       }
     },
     "node_modules/@playwright/test": {
-      "version": "1.56.1",
+      "version": "1.61.0",
-      "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.56.1.tgz",
+      "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.61.0.tgz",
-      "integrity": "sha512-vSMYtL/zOcFpvJCW71Q/OEGQb7KYBPAdKh35WNSkaZA75JlAO8ED8UN6GUNTm3drWomcbcqRPFqQbLae8yBTdg==",
+      "integrity": "sha512-cKA5B6lpFEMyMGjxF54QihfYpB4FkEGH+qZhtArDEG+wezQAJY8Pq6C7T1SjWz+FFzt3TbyoXBQYk/0292TdJA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "playwright": "1.56.1"
+        "playwright": "1.61.0"
       },
       "bin": {
         "playwright": "cli.js"
@@ -1013,53 +1013,6 @@
         "node": ">=18"
       }
     },
-    "node_modules/@playwright/test/node_modules/fsevents": {
-      "version": "2.3.2",
-      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
-      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
-      "dev": true,
-      "hasInstallScript": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "engines": {
-        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
-      }
-    },
-    "node_modules/@playwright/test/node_modules/playwright": {
-      "version": "1.56.1",
-      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.56.1.tgz",
-      "integrity": "sha512-aFi5B0WovBHTEvpM3DzXTUaeN6eN0qWnTkKx4NQaH4Wvcmc153PdaY2UBdSYKaGYw+UyWXSVyxDUg5DoPEttjw==",
-      "dev": true,
-      "license": "Apache-2.0",
-      "dependencies": {
-        "playwright-core": "1.56.1"
-      },
-      "bin": {
-        "playwright": "cli.js"
-      },
-      "engines": {
-        "node": ">=18"
-      },
-      "optionalDependencies": {
-        "fsevents": "2.3.2"
-      }
-    },
-    "node_modules/@playwright/test/node_modules/playwright-core": {
-      "version": "1.56.1",
-      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.56.1.tgz",
-      "integrity": "sha512-hutraynyn31F+Bifme+Ps9Vq59hKuUCz7H1kDOcBs+2oGguKkWTU50bBWrtz34OUWmIwpBTWDxaRPXrIXkgvmQ==",
-      "dev": true,
-      "license": "Apache-2.0",
-      "bin": {
-        "playwright-core": "cli.js"
-      },
-      "engines": {
-        "node": ">=18"
-      }
-    },
     "node_modules/@sinonjs/commons": {
       "version": "1.8.6",
       "resolved": "https://registry.npmjs.org/@sinonjs/commons/-/commons-1.8.6.tgz",
@@ -2336,17 +2289,17 @@
       }
     },
     "node_modules/form-data": {
-      "version": "4.0.4",
+      "version": "4.0.6",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.6.tgz",
-      "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==",
+      "integrity": "sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "asynckit": "^0.4.0",
         "combined-stream": "^1.0.8",
         "es-set-tostringtag": "^2.1.0",
-        "hasown": "^2.0.2",
+        "hasown": "^2.0.4",
-        "mime-types": "^2.1.12"
+        "mime-types": "^2.1.35"
       },
       "engines": {
         "node": ">= 6"
@@ -2561,9 +2514,9 @@
       }
     },
     "node_modules/hasown": {
-      "version": "2.0.2",
+      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.4.tgz",
-      "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
+      "integrity": "sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3602,16 +3555,16 @@
       }
     },
     "node_modules/jsdom/node_modules/form-data": {
-      "version": "3.0.4",
+      "version": "3.0.5",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-3.0.4.tgz",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-3.0.5.tgz",
-      "integrity": "sha512-f0cRzm6dkyVYV3nPoooP8XlccPQukegwhAnpoLcXy+X+A8KfpGOoXwDr9FLZd3wzgLaBGQBE3lY93Zm/i1JvIQ==",
+      "integrity": "sha512-j23EibVLnp4zNXGW7LjryXYa2X6U/M96yoOX+ybZxwkYajdxRNEqYY3zhh7y0i6kfISKS2jr+EJq1YTUDEv5+w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "asynckit": "^0.4.0",
         "combined-stream": "^1.0.8",
         "es-set-tostringtag": "^2.1.0",
-        "hasown": "^2.0.2",
+        "hasown": "^2.0.4",
         "mime-types": "^2.1.35"
       },
       "engines": {
@@ -4114,13 +4067,13 @@
       }
     },
     "node_modules/playwright": {
-      "version": "1.59.1",
+      "version": "1.61.0",
-      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.59.1.tgz",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.61.0.tgz",
-      "integrity": "sha512-C8oWjPR3F81yljW9o5OxcWzfh6avkVwDD2VYdwIGqTkl+OGFISgypqzfu7dOe4QNLL2aqcWBmI3PMtLIK233lw==",
+      "integrity": "sha512-Z+7BeeqQPRRzklHsVFP4KTGIyMxKUmfeRA4WisM6G3/XW6nwGeX6fX9qYaDa+CiUqpOkb2f6X3nar05R3kSuJQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "playwright-core": "1.59.1"
+        "playwright-core": "1.61.0"
       },
       "bin": {
         "playwright": "cli.js"
@@ -4133,9 +4086,9 @@
       }
     },
     "node_modules/playwright-core": {
-      "version": "1.59.1",
+      "version": "1.61.0",
-      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.59.1.tgz",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.61.0.tgz",
-      "integrity": "sha512-HBV/RJg81z5BiiZ9yPzIiClYV/QMsDCKUyogwH9p3MCP6IYjUFu/MActgYAvK0oWyV9NlwM3GLBjADyWgydVyg==",
+      "integrity": "sha512-caX7TrY3Ml6egyDX0WUcTHDxodl/b51y5wJOdCEA36QviK/s2g081hvmGs8eaE3DWb6NYZQ6BjO/QkNRPenoPA==",
       "dev": true,
       "license": "Apache-2.0",
       "bin": {

test/package.json

@@ -3,7 +3,7 @@
   "#": "We must put jest in a sub-directory otherwise VS Code somehow picks up the types and generates conflicts with mocha.",
   "devDependencies": {
     "@jest-mock/express": "^1.4.5",
-    "@playwright/test": "^1.56.1",
+    "@playwright/test": "^1.61.0",
     "@types/jest": "^27.0.2",
     "@types/jsdom": "^16.2.13",
     "@types/node-fetch": "^2.5.8",
@@ -14,7 +14,7 @@
     "jest-fetch-mock": "^3.0.3",
     "jsdom": "^16.4.0",
     "node-fetch": "^2.6.7",
-    "playwright": "^1.59.1",
+    "playwright": "^1.61.0",
     "ts-jest": "^27.0.7",
     "wtfnode": "^0.9.1"
   },

test/unit/node/heart.test.ts

@@ -1,10 +1,9 @@
 import { logger } from "@coder/logger"
 import { readFile, writeFile, stat, utimes } from "fs/promises"
+import { setImmediate } from "timers"
 import { Heart } from "../../../src/node/heart"
 import { clean, mockLogger, tmpdir } from "../../utils/helpers"
 
-const mockIsActive = (resolveTo: boolean) => jest.fn().mockResolvedValue(resolveTo)
-
 describe("Heart", () => {
   const testName = "heartTests"
   let testDir = ""
@@ -15,12 +14,15 @@ describe("Heart", () => {
     await clean(testName)
     testDir = await tmpdir(testName)
   })
-  beforeEach(() => {
+
-    heart = new Heart(`${testDir}/shutdown.txt`, mockIsActive(true))
-  })
   afterAll(() => {
     jest.restoreAllMocks()
   })
+
+  beforeEach(() => {
+    heart = new Heart(`${testDir}/shutdown.txt`, jest.fn().mockResolvedValue(true))
+  })
+
   afterEach(() => {
     jest.resetAllMocks()
     jest.useRealTimers()
@@ -28,6 +30,7 @@ describe("Heart", () => {
       heart.dispose()
     }
   })
+
   it("should write to a file when given a valid file path", async () => {
     // Set up heartbeat file with contents
     const text = "test"
@@ -42,7 +45,7 @@ describe("Heart", () => {
 
     expect(fileContents).toBe(text)
 
-    heart = new Heart(pathToFile, mockIsActive(true))
+    heart = new Heart(pathToFile, jest.fn().mockResolvedValue(true))
     await heart.beat()
     // Check that the heart wrote to the heartbeatFilePath and overwrote our text
     const fileContentsAfterBeat = await readFile(pathToFile, { encoding: "utf8" })
@@ -51,31 +54,30 @@ describe("Heart", () => {
     const fileStatusAfterEdit = await stat(pathToFile)
     expect(fileStatusAfterEdit.mtimeMs).toBeGreaterThan(0)
   })
+
   it("should log a warning when given an invalid file path", async () => {
-    heart = new Heart(`fakeDir/fake.txt`, mockIsActive(false))
+    heart = new Heart(`fakeDir/fake.txt`, jest.fn().mockResolvedValue(false))
     await heart.beat()
     expect(logger.warn).toHaveBeenCalled()
   })
+
   it("should be active after calling beat", async () => {
     await heart.beat()
 
     const isAlive = heart.alive()
     expect(isAlive).toBe(true)
   })
+
   it("should not be active after dispose is called", () => {
     heart.dispose()
 
     const isAlive = heart.alive()
     expect(isAlive).toBe(false)
   })
+
   it("should beat twice without warnings", async () => {
-    // Use fake timers so we can speed up setTimeout
+    heart = new Heart(`${testDir}/hello.txt`, jest.fn().mockResolvedValue(true))
-    jest.useFakeTimers()
-    heart = new Heart(`${testDir}/hello.txt`, mockIsActive(true))
     await heart.beat()
-    // we need to speed up clocks, timeouts
-    // call heartbeat again (and it won't be alive I think)
-    // then assert no warnings were called
     jest.runAllTimers()
     expect(logger.warn).not.toHaveBeenCalled()
   })
@@ -84,40 +86,48 @@ describe("Heart", () => {
 describe("heartbeatTimer", () => {
   const testName = "heartbeatTimer"
   let testDir = ""
+
   beforeAll(async () => {
     await clean(testName)
     testDir = await tmpdir(testName)
     mockLogger()
   })
+
   afterAll(() => {
     jest.restoreAllMocks()
   })
+
   beforeEach(() => {
     jest.useFakeTimers()
   })
+
   afterEach(() => {
     jest.resetAllMocks()
     jest.clearAllTimers()
     jest.useRealTimers()
   })
+
   it("should call isActive when timeout expires", async () => {
-    const isActive = true
+    const mockIsActive = jest.fn().mockResolvedValue(true)
-    const mockIsActive = jest.fn().mockResolvedValue(isActive)
     const heart = new Heart(`${testDir}/shutdown.txt`, mockIsActive)
     await heart.beat()
     jest.advanceTimersByTime(60 * 1000)
     expect(mockIsActive).toHaveBeenCalled()
   })
+
   it("should log a warning when isActive rejects", async () => {
-    const errorMsg = "oh no"
+    const error = new Error("oh no")
-    const error = new Error(errorMsg)
     const mockIsActive = jest.fn().mockRejectedValue(error)
     const heart = new Heart(`${testDir}/shutdown.txt`, mockIsActive)
     await heart.beat()
     jest.advanceTimersByTime(60 * 1000)
-
     expect(mockIsActive).toHaveBeenCalled()
-    expect(logger.warn).toHaveBeenCalledWith(errorMsg)
+
+    // The timer callback waits on mockIsActive, so we need to yield to let the
+    // callback finish.
+    await new Promise((resolve) => setImmediate(resolve))
+
+    expect(logger.warn).toHaveBeenCalledWith(error.message)
   })
 })
 
@@ -125,38 +135,54 @@ describe("stateChange", () => {
   const testName = "stateChange"
   let testDir = ""
   let heart: Heart
+
   beforeAll(async () => {
     await clean(testName)
     testDir = await tmpdir(testName)
     mockLogger()
   })
+
   afterAll(() => {
     jest.restoreAllMocks()
   })
+
+  beforeEach(() => {
+    jest.useFakeTimers()
+  })
+
   afterEach(() => {
     jest.resetAllMocks()
+    jest.useRealTimers()
     if (heart) {
       heart.dispose()
     }
   })
+
   it("should change to alive after a beat", async () => {
-    heart = new Heart(`${testDir}/shutdown.txt`, mockIsActive(true))
+    const mockIsActive = jest.fn().mockResolvedValue(true)
+    heart = new Heart(`${testDir}/shutdown.txt`, mockIsActive)
     const mockOnChange = jest.fn()
     heart.onChange(mockOnChange)
+
     await heart.beat()
 
     expect(mockOnChange.mock.calls[0][0]).toBe("alive")
   })
-  it.only("should change to expired when not active", async () => {
+
-    jest.useFakeTimers()
+  it("should change to expired when not active", async () => {
-    heart = new Heart(`${testDir}/shutdown.txt`, () => new Promise((resolve) => resolve(false)))
+    const mockIsActive = jest.fn().mockResolvedValue(false)
+    heart = new Heart(`${testDir}/shutdown.txt`, mockIsActive)
     const mockOnChange = jest.fn()
     heart.onChange(mockOnChange)
-    await heart.beat()
 
-    await jest.advanceTimersByTime(60 * 1000)
+    await heart.beat()
+    jest.advanceTimersByTime(60 * 1000)
+    expect(mockIsActive).toHaveBeenCalled()
+
+    // The timer callback waits on the isActive promise, so we need to yield to
+    // let the callback finish.
+    await new Promise((resolve) => setImmediate(resolve))
+
     expect(mockOnChange.mock.calls[1][0]).toBe("expired")
-    jest.clearAllTimers()
-    jest.useRealTimers()
   })
 })

test/unit/node/proxy.test.ts

@@ -1,15 +1,12 @@
 import * as express from "express"
-import * as http from "http"
-import nodeFetch from "node-fetch"
 import { HttpCode } from "../../../src/common/http"
-import { proxy } from "../../../src/node/proxy"
 import { wss, Router as WsRouter } from "../../../src/node/wsRouter"
-import { getAvailablePort, mockLogger } from "../../utils/helpers"
+import { mockLogger } from "../../utils/helpers"
 import * as httpserver from "../../utils/httpserver"
 import * as integration from "../../utils/integration"
 
 describe("proxy", () => {
-  const nhooyrDevServer = new httpserver.HttpServer()
+  const proxyTarget = new httpserver.HttpServer()
   const wsApp = express.default()
   const wsRouter = WsRouter()
   let codeServer: httpserver.HttpServer | undefined
@@ -19,21 +16,22 @@ describe("proxy", () => {
 
   beforeAll(async () => {
     wsApp.use("/", wsRouter.router)
-    await nhooyrDevServer.listen((req, res) => {
+    await proxyTarget.listen((req, res) => {
       e(req, res)
     })
-    nhooyrDevServer.listenUpgrade(wsApp)
+    proxyTarget.listenUpgrade(wsApp)
-    proxyPath = `/proxy/${nhooyrDevServer.port()}/wsup`
+    proxyPath = `/proxy/${proxyTarget.port()}/wsup`
     absProxyPath = proxyPath.replace("/proxy/", "/absproxy/")
   })
 
   afterAll(async () => {
-    await nhooyrDevServer.dispose()
+    await proxyTarget.dispose()
   })
 
   beforeEach(() => {
     e = express.default()
     mockLogger()
+    delete process.env.PASSWORD
   })
 
   afterEach(async () => {
@@ -283,65 +281,42 @@ describe("proxy", () => {
     const resp = await codeServer.fetch(proxyPath, { method: "OPTIONS" })
     expect(resp.status).toBe(200)
   })
-})
 
-// NOTE@jsjoeio
+  it("should return a 500 when no target is running ", async () => {
-// Both this test suite and the one above it are very similar
+    const target = new httpserver.HttpServer()
-// The main difference is this one uses http and node-fetch
+    await target.listen(() => {})
-// and specifically tests the proxy in isolation vs. using
+    const port = target.port()
-// the httpserver abstraction we've built.
+    target.dispose()
-//
+    codeServer = await integration.setup(["--auth=none"], "")
-// Leaving this as a separate test suite for now because
+    const resp = await codeServer.fetch(`/proxy/${port}/wsup`)
-// we may consider refactoring the httpserver abstraction
+    expect(resp.status).toBe(HttpCode.ServerError)
-// in the future.
+    expect(resp.statusText).toBe("Internal Server Error")
-//
+  })
-// If you're writing a test specifically for code in
-// src/node/proxy.ts, you should probably add it to
-// this test suite.
-describe("proxy (standalone)", () => {
-  let URL = ""
-  let PROXY_URL = ""
-  let testServer: http.Server
-  let proxyTarget: http.Server
 
-  beforeEach(async () => {
+  it("should strip token cookie", async () => {
-    const PORT = await getAvailablePort()
+    const token = "my-super-secure-token"
-    const PROXY_PORT = await getAvailablePort()
+    process.env.HASHED_PASSWORD = token
-    URL = `http://localhost:${PORT}`
+    codeServer = await integration.setup(["--auth=password"])
-    PROXY_URL = `http://localhost:${PROXY_PORT}`
+
-    // Define server and a proxy server
+    // Set up a listener that just prints the cookies it got.
-    testServer = http.createServer((req, res) => {
+    e.get("/wsup/cookies", (req, res) => {
-      proxy.web(req, res, {
+      res.writeHead(HttpCode.Ok, { "Content-Type": "text/plain" })
-        target: PROXY_URL,
+      res.end(req.headers.cookie)
-      })
     })
 
-    proxyTarget = http.createServer((req, res) => {
+    // Send the token along with other cookies which should be preserved.
-      res.writeHead(200, { "Content-Type": "text/plain" })
+    // Encode one to make sure they are being re-encoded properly.
-      res.end()
+    const value = "hello=there"
+    const encodedValue = encodeURIComponent(value)
+    const resp = await codeServer.fetch(proxyPath + "/cookies", {
+      headers: {
+        cookie: `cookie1=${encodedValue}; code-server-session=${token}; cookie2=hello;`,
+      },
     })
 
-    // Start both servers
+    // The proxied listener should not have printed the code-server token.
-    proxyTarget.listen(PROXY_PORT)
-    testServer.listen(PORT)
-  })
-
-  afterEach(async () => {
-    testServer.close()
-    proxyTarget.close()
-  })
-
-  it("should return a 500 when proxy target errors ", async () => {
-    // Close the proxy target so that proxy errors
-    proxyTarget.close()
-    const errorResp = await nodeFetch(`${URL}/error`)
-    expect(errorResp.status).toBe(HttpCode.ServerError)
-    expect(errorResp.statusText).toBe("Internal Server Error")
-  })
-
-  it("should proxy correctly", async () => {
-    const resp = await nodeFetch(`${URL}/route`)
     expect(resp.status).toBe(200)
-    expect(resp.statusText).toBe("OK")
+    const text = await resp.text()
+    expect(text).toBe(`cookie1=${encodedValue}; cookie2=hello`)
   })
 })