chore: bump form-data in /test

Bumps  and [form-data](https://github.com/form-data/form-data). These dependencies needed to be updated together.

Updates `form-data` from 4.0.4 to 4.0.6
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](https://github.com/form-data/form-data/compare/v4.0.4...v4.0.6)

Updates `form-data` from 3.0.4 to 3.0.5
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](https://github.com/form-data/form-data/compare/v4.0.4...v4.0.6)

---
updated-dependencies:
- dependency-name: form-data
  dependency-version: 4.0.6
  dependency-type: indirect
- dependency-name: form-data
  dependency-version: 3.0.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/release.yaml

@@ -39,9 +39,6 @@ jobs:
           - npm_arch: arm64
             vscode_arch: arm64
             package_arch: arm64
-          - npm_arch: arm
-            vscode_arch: armhf
-            package_arch: armv7l
 
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.node-version

@@ -1 +1 @@
-22.22.1
+24.15.0

CHANGELOG.md

@@ -22,6 +22,18 @@ Code v99.99.999
 
 ## Unreleased
 
+## [4.123.0](https://github.com/coder/code-server/releases/tag/v4.123.0) - 2026-06-03
+
+Code v1.123.0
+
+### Changed
+
+- Update to Code 1.123.0
+- Microsoft dropped support for armhf remotes so there will no longer be any
+  builds for armhf.
+
+## [4.122.1](https://github.com/coder/code-server/releases/tag/v4.122.1) - 2026-06-02
+
 Code v1.122.1
 
 ### Changed

ci/build/build-release.sh

@@ -128,7 +128,9 @@ bundle_vscode() {
 
   # Merge the package.json for the web/remote server so we can include
   # dependencies, since we want to ship this via NPM.
-  jq --slurp '.[0] * .[1]' \
+  # Also override the name to prevent vulnerability scanners from
+  # misidentifying this package as VS Code (see #7071).
+  jq --slurp '.[0] * .[1] | .name = "code-oss-dev"' \
     "$VSCODE_SRC_PATH/remote/package.json" \
     "$VSCODE_OUT_PATH/package.json" > "$VSCODE_OUT_PATH/package.json.merged"
   mv "$VSCODE_OUT_PATH/package.json.merged" "$VSCODE_OUT_PATH/package.json"

ci/build/update-repo.sh

@@ -2,16 +2,65 @@
 
 set -Eeuo pipefail
 
-function update_helm() {
-  local current
-  current=$(yq .version ci/helm-chart/Chart.yaml)
-  local next
-  next=$(semver "$current" -i minor)
-  echo "Bumping version from $current to $next..."
-  sed -i.bak "s/^version: $current\$/version: $next/" ci/helm-chart/Chart.yaml
+# Given versions $1 and $2 figure out the first component that is different
+# (major, minor, patch).
+function find_version_diff() {
+  # shellcheck disable=SC2206
+  local a=( ${1//./ } )
+  # shellcheck disable=SC2206
+  local b=( ${2//./ } )
 
-  echo "Setting app version and image to $version..."
+  if [[ ${a[0]} != "${b[0]}" ]] ; then
+    echo major
+  elif [[ ${a[1]} != "${b[1]}" ]] ; then
+    echo minor
+  else
+    echo patch
+  fi
+}
+
+# Bump $1 by the bump type (major, minor, patch) in $2.
+function bump_version() {
+  # shellcheck disable=SC2206
+  local a=( ${1//./ } )
+  case $2 in
+    major)
+      ((a[0]++))
+      a[1]=0
+      a[2]=0
+      ;;
+    minor)
+      ((a[1]++))
+      a[2]=0
+      ;;
+    *)
+      ((a[2]++))
+      ;;
+  esac
+  echo "${a[0]}.${a[1]}.${a[2]}"
+}
+
+function update_helm() {
+  local chart_version
+  chart_version=$(yq .version ci/helm-chart/Chart.yaml)
+  local app_version
+  app_version=$(yq .appVersion ci/helm-chart/Chart.yaml)
+  local image_version
+  image_version=$(yq .image.tag ci/helm-chart/values.yaml)
+
+  local bump_type
+  bump_type=$(find_version_diff "$app_version" "$version")
+  local chart_version_bump
+  chart_version_bump=$(bump_version "$chart_version" "$bump_type")
+
+  # Use sed to replace because yq will reformat.
+  echo "Bumping version from $chart_version to $chart_version_bump..."
+  sed -i.bak "s/^version: $chart_version\$/version: $chart_version_bump/" ci/helm-chart/Chart.yaml
+
+  echo "Bumping app version from $app_version to $version..."
   sed -i.bak "s/^appVersion: .\+\$/appVersion: $version/" ci/helm-chart/Chart.yaml
+
+  echo "Bumping image version from $image_version to $version..."
   sed -i.bak "s/^  tag: .\+\$/  tag: '$version'/" ci/helm-chart/values.yaml
 }
 

ci/helm-chart/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.37.0
+version: 3.38.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.122.0
+appVersion: 4.123.0

ci/helm-chart/values.yaml

@@ -6,7 +6,7 @@ replicaCount: 1
 
 image:
   repository: codercom/code-server
-  tag: '4.122.0'
+  tag: '4.123.0'
   pullPolicy: Always
 
 # Specifies one or more secrets to be used when pulling images from a

package-lock.json

@@ -13,6 +13,7 @@
         "@coder/logger": "^3.0.1",
         "argon2": "^0.44.0",
         "compression": "^1.7.4",
+        "cookie": "^1.1.1",
         "cookie-parser": "^1.4.6",
         "env-paths": "^2.2.1",
         "express": "^5.0.1",
@@ -1936,12 +1937,16 @@
       }
     },
     "node_modules/cookie": {
-      "version": "0.7.2",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
-      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-1.1.1.tgz",
+      "integrity": "sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ==",
       "license": "MIT",
       "engines": {
-        "node": ">= 0.6"
+        "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
       }
     },
     "node_modules/cookie-parser": {
@@ -1957,6 +1962,15 @@
         "node": ">= 0.8.0"
       }
     },
+    "node_modules/cookie-parser/node_modules/cookie": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
     "node_modules/cookie-signature": {
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
@@ -2953,6 +2967,15 @@
         "url": "https://opencollective.com/express"
       }
     },
+    "node_modules/express/node_modules/cookie": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
     "node_modules/express/node_modules/cookie-signature": {
       "version": "1.2.2",
       "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz",

package.json

@@ -70,6 +70,7 @@
     "@coder/logger": "^3.0.1",
     "argon2": "^0.44.0",
     "compression": "^1.7.4",
+    "cookie": "^1.1.1",
     "cookie-parser": "^1.4.6",
     "env-paths": "^2.2.1",
     "express": "^5.0.1",

patches/base-path.diff

@@ -263,7 +263,7 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
  	}
  
  	private startListening(): void {
-@@ -584,17 +585,6 @@ class WorkspaceProvider implements IWork
+@@ -590,17 +591,6 @@ class WorkspaceProvider implements IWork
  	}
  }
  
@@ -281,7 +281,7 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
  (function () {
  
  	// Find config by checking for DOM
-@@ -604,8 +594,8 @@ function readCookie(name: string): strin
+@@ -610,8 +600,8 @@ function readCookie(name: string): strin
  	if (!configElement || !configElementAttribute) {
  		throw new Error('Missing web configuration element');
  	}

patches/disable-builtin-ext-update.diff

@@ -7,7 +7,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
-@@ -342,6 +342,10 @@ export class Extension implements IExten
+@@ -344,6 +344,10 @@ export class Extension implements IExten
  			if (this.type === ExtensionType.System && this.productService.quality === 'stable' && !this.productService.builtInExtensionsEnabledWithAutoUpdates?.some(id => id.toLowerCase() === this.identifier.id.toLowerCase())) {
  				return false;
  			}

patches/proxy-uri.diff

@@ -104,7 +104,7 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
  import type { IURLCallbackProvider } from '../../../workbench/services/url/browser/urlService.js';
  import { create } from '../../../workbench/workbench.web.main.internal.js';
  
-@@ -606,6 +607,39 @@ class WorkspaceProvider implements IWork
+@@ -612,6 +613,39 @@ class WorkspaceProvider implements IWork
  		settingsSyncOptions: config.settingsSyncOptions ? { enabled: config.settingsSyncOptions.enabled, } : undefined,
  		workspaceProvider: WorkspaceProvider.create(config),
  		urlCallbackProvider: new LocalStorageURLCallbackProvider(config.callbackRoute),

patches/sourcemaps.diff

@@ -6,7 +6,7 @@ Index: code-server/lib/vscode/build/gulpfile.reh.ts
 ===================================================================
 --- code-server.orig/lib/vscode/build/gulpfile.reh.ts
 +++ code-server/lib/vscode/build/gulpfile.reh.ts
-@@ -255,10 +255,15 @@ function packageTask(type: string, platf
+@@ -296,10 +296,15 @@ function packageTask(type: string, platf
  	const destination = path.join(BUILD_ROOT, destinationFolderName);
  
  	return () => {

src/node/proxy.ts

@@ -1,5 +1,7 @@
+import * as cookie from "cookie"
+import type { Request } from "express"
 import proxyServer from "http-proxy"
-import { HttpCode } from "../common/http"
+import { getCookieSessionName, HttpCode } from "../common/http"
 
 export const proxy = proxyServer.createProxyServer({})
 
@@ -18,6 +20,16 @@ proxy.on("error", (error, _, res) => {
   }
 })
 
+// Strip the code-server cookie if it exists to avoid transmitting the cookie
+// to potentially malicious local ports.
+proxy.on("proxyReq", (preq, req) => {
+  const cookieSessionName = getCookieSessionName((req as Request).args["cookie-suffix"])
+  preq.setHeader("Cookie", cookie.stringifyCookie({
+    ...(req as Request).cookies,
+    [cookieSessionName]: undefined,
+  }))
+})
+
 // Intercept the response to rewrite absolute redirects against the base path.
 // Is disabled when the request has no base path which means /absproxy is in use.
 proxy.on("proxyRes", (res, req) => {

test/package-lock.json

@@ -2336,17 +2336,17 @@
       }
     },
     "node_modules/form-data": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz",
-      "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==",
+      "version": "4.0.6",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.6.tgz",
+      "integrity": "sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "asynckit": "^0.4.0",
         "combined-stream": "^1.0.8",
         "es-set-tostringtag": "^2.1.0",
-        "hasown": "^2.0.2",
-        "mime-types": "^2.1.12"
+        "hasown": "^2.0.4",
+        "mime-types": "^2.1.35"
       },
       "engines": {
         "node": ">= 6"
@@ -2561,9 +2561,9 @@
       }
     },
     "node_modules/hasown": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
-      "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.4.tgz",
+      "integrity": "sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3602,16 +3602,16 @@
       }
     },
     "node_modules/jsdom/node_modules/form-data": {
-      "version": "3.0.4",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-3.0.4.tgz",
-      "integrity": "sha512-f0cRzm6dkyVYV3nPoooP8XlccPQukegwhAnpoLcXy+X+A8KfpGOoXwDr9FLZd3wzgLaBGQBE3lY93Zm/i1JvIQ==",
+      "version": "3.0.5",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-3.0.5.tgz",
+      "integrity": "sha512-j23EibVLnp4zNXGW7LjryXYa2X6U/M96yoOX+ybZxwkYajdxRNEqYY3zhh7y0i6kfISKS2jr+EJq1YTUDEv5+w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "asynckit": "^0.4.0",
         "combined-stream": "^1.0.8",
         "es-set-tostringtag": "^2.1.0",
-        "hasown": "^2.0.2",
+        "hasown": "^2.0.4",
         "mime-types": "^2.1.35"
       },
       "engines": {

test/unit/node/proxy.test.ts

@@ -1,15 +1,12 @@
 import * as express from "express"
-import * as http from "http"
-import nodeFetch from "node-fetch"
 import { HttpCode } from "../../../src/common/http"
-import { proxy } from "../../../src/node/proxy"
 import { wss, Router as WsRouter } from "../../../src/node/wsRouter"
-import { getAvailablePort, mockLogger } from "../../utils/helpers"
+import { mockLogger } from "../../utils/helpers"
 import * as httpserver from "../../utils/httpserver"
 import * as integration from "../../utils/integration"
 
 describe("proxy", () => {
-  const nhooyrDevServer = new httpserver.HttpServer()
+  const proxyTarget = new httpserver.HttpServer()
   const wsApp = express.default()
   const wsRouter = WsRouter()
   let codeServer: httpserver.HttpServer | undefined
@@ -19,21 +16,22 @@ describe("proxy", () => {
 
   beforeAll(async () => {
     wsApp.use("/", wsRouter.router)
-    await nhooyrDevServer.listen((req, res) => {
+    await proxyTarget.listen((req, res) => {
       e(req, res)
     })
-    nhooyrDevServer.listenUpgrade(wsApp)
-    proxyPath = `/proxy/${nhooyrDevServer.port()}/wsup`
+    proxyTarget.listenUpgrade(wsApp)
+    proxyPath = `/proxy/${proxyTarget.port()}/wsup`
     absProxyPath = proxyPath.replace("/proxy/", "/absproxy/")
   })
 
   afterAll(async () => {
-    await nhooyrDevServer.dispose()
+    await proxyTarget.dispose()
   })
 
   beforeEach(() => {
     e = express.default()
     mockLogger()
+    delete process.env.PASSWORD
   })
 
   afterEach(async () => {
@@ -283,65 +281,42 @@ describe("proxy", () => {
     const resp = await codeServer.fetch(proxyPath, { method: "OPTIONS" })
     expect(resp.status).toBe(200)
   })
-})
 
-// NOTE@jsjoeio
-// Both this test suite and the one above it are very similar
-// The main difference is this one uses http and node-fetch
-// and specifically tests the proxy in isolation vs. using
-// the httpserver abstraction we've built.
-//
-// Leaving this as a separate test suite for now because
-// we may consider refactoring the httpserver abstraction
-// in the future.
-//
-// If you're writing a test specifically for code in
-// src/node/proxy.ts, you should probably add it to
-// this test suite.
-describe("proxy (standalone)", () => {
-  let URL = ""
-  let PROXY_URL = ""
-  let testServer: http.Server
-  let proxyTarget: http.Server
+  it("should return a 500 when no target is running ", async () => {
+    const target = new httpserver.HttpServer()
+    await target.listen(() => {})
+    const port = target.port()
+    target.dispose()
+    codeServer = await integration.setup(["--auth=none"], "")
+    const resp = await codeServer.fetch(`/proxy/${port}/wsup`)
+    expect(resp.status).toBe(HttpCode.ServerError)
+    expect(resp.statusText).toBe("Internal Server Error")
+  })
 
-  beforeEach(async () => {
-    const PORT = await getAvailablePort()
-    const PROXY_PORT = await getAvailablePort()
-    URL = `http://localhost:${PORT}`
-    PROXY_URL = `http://localhost:${PROXY_PORT}`
-    // Define server and a proxy server
-    testServer = http.createServer((req, res) => {
-      proxy.web(req, res, {
-        target: PROXY_URL,
-      })
+  it("should strip token cookie", async () => {
+    const token = "my-super-secure-token"
+    process.env.HASHED_PASSWORD = token
+    codeServer = await integration.setup(["--auth=password"])
+
+    // Set up a listener that just prints the cookies it got.
+    e.get("/wsup/cookies", (req, res) => {
+      res.writeHead(HttpCode.Ok, { "Content-Type": "text/plain" })
+      res.end(req.headers.cookie)
     })
 
-    proxyTarget = http.createServer((req, res) => {
-      res.writeHead(200, { "Content-Type": "text/plain" })
-      res.end()
+    // Send the token along with other cookies which should be preserved.
+    // Encode one to make sure they are being re-encoded properly.
+    const value = "hello=there"
+    const encodedValue = encodeURIComponent(value)
+    const resp = await codeServer.fetch(proxyPath + "/cookies", {
+      headers: {
+        cookie: `cookie1=${encodedValue}; code-server-session=${token}; cookie2=hello;`,
+      },
     })
 
-    // Start both servers
-    proxyTarget.listen(PROXY_PORT)
-    testServer.listen(PORT)
-  })
-
-  afterEach(async () => {
-    testServer.close()
-    proxyTarget.close()
-  })
-
-  it("should return a 500 when proxy target errors ", async () => {
-    // Close the proxy target so that proxy errors
-    proxyTarget.close()
-    const errorResp = await nodeFetch(`${URL}/error`)
-    expect(errorResp.status).toBe(HttpCode.ServerError)
-    expect(errorResp.statusText).toBe("Internal Server Error")
-  })
-
-  it("should proxy correctly", async () => {
-    const resp = await nodeFetch(`${URL}/route`)
+    // The proxied listener should not have printed the code-server token.
     expect(resp.status).toBe(200)
-    expect(resp.statusText).toBe("OK")
+    const text = await resp.text()
+    expect(text).toBe(`cookie1=${encodedValue}; cookie2=hello`)
   })
 })