chore: bump docker/setup-qemu-action from 4.0.0 to 4.1.0

Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](ce360397dd...06116385d9) --- updated-dependencies: - dependency-name: docker/setup-qemu-action dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
2026-06-28 04:47:38 +02:00 · 2026-06-02 08:02:12 +00:00
18 changed files with 101 additions and 199 deletions
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -109,7 +109,7 @@ jobs:
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+      - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -39,6 +39,9 @@ jobs:
          - npm_arch: arm64
            vscode_arch: arm64
            package_arch: arm64
          - npm_arch: arm
            vscode_arch: armhf
            package_arch: armv7l
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.node-version
+++ b/.node-version
@@ -1 +1 @@
-24.15.0
+22.22.1
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,32 +22,6 @@ Code v99.99.999
 ## Unreleased
 Code v1.124.2
 ### Security
 - Strip code-server's session token from the cookie before proxying to a local
  port. Previously, when you used built-in password authentication, the cookie
  would be sent to the local proxied port, which meant if the service was
  malicious and not already running as your code-server user it could use the
  cookie to log into code-server and execute commands as your code-server user.
 ### Changed
 - Update to Code 1.124.2
 ## [4.123.0](https://github.com/coder/code-server/releases/tag/v4.123.0) - 2026-06-03
 Code v1.123.0
 ### Changed
 - Update to Code 1.123.0
 - Microsoft dropped support for armhf remotes so there will no longer be any
  builds for armhf.
 ## [4.122.1](https://github.com/coder/code-server/releases/tag/v4.122.1) - 2026-06-02
 Code v1.122.1
 ### Changed
--- a/ci/build/build-release.sh
+++ b/ci/build/build-release.sh
@@ -128,9 +128,7 @@ bundle_vscode() {
  # Merge the package.json for the web/remote server so we can include
  # dependencies, since we want to ship this via NPM.
-  # Also override the name to prevent vulnerability scanners from
+  jq --slurp '.[0] * .[1]' \
  # misidentifying this package as VS Code (see #7071).
  jq --slurp '.[0] * .[1] | .name = "code-oss-dev"' \
    "$VSCODE_SRC_PATH/remote/package.json" \
    "$VSCODE_OUT_PATH/package.json" > "$VSCODE_OUT_PATH/package.json.merged"
  mv "$VSCODE_OUT_PATH/package.json.merged" "$VSCODE_OUT_PATH/package.json"
--- a/ci/build/update-repo.sh
+++ b/ci/build/update-repo.sh
@@ -2,65 +2,16 @@
 set -Eeuo pipefail
 # Given versions $1 and $2 figure out the first component that is different
 # (major, minor, patch).
 function find_version_diff() {
  # shellcheck disable=SC2206
  local a=( ${1//./ } )
  # shellcheck disable=SC2206
  local b=( ${2//./ } )
  if [[ ${a[0]} != "${b[0]}" ]] ; then
    echo major
  elif [[ ${a[1]} != "${b[1]}" ]] ; then
    echo minor
  else
    echo patch
  fi
 }
 # Bump $1 by the bump type (major, minor, patch) in $2.
 function bump_version() {
  # shellcheck disable=SC2206
  local a=( ${1//./ } )
  case $2 in
    major)
      ((a[0]++))
      a[1]=0
      a[2]=0
      ;;
    minor)
      ((a[1]++))
      a[2]=0
      ;;
    *)
      ((a[2]++))
      ;;
  esac
  echo "${a[0]}.${a[1]}.${a[2]}"
 }
 function update_helm() {
-  local chart_version
+  local current
-  chart_version=$(yq .version ci/helm-chart/Chart.yaml)
+  current=$(yq .version ci/helm-chart/Chart.yaml)
-  local app_version
+  local next
-  app_version=$(yq .appVersion ci/helm-chart/Chart.yaml)
+  next=$(semver "$current" -i minor)
-  local image_version
+  echo "Bumping version from $current to $next..."
-  image_version=$(yq .image.tag ci/helm-chart/values.yaml)
+  sed -i.bak "s/^version: $current\$/version: $next/" ci/helm-chart/Chart.yaml
-  local bump_type
+  echo "Setting app version and image to $version..."
  bump_type=$(find_version_diff "$app_version" "$version")
  local chart_version_bump
  chart_version_bump=$(bump_version "$chart_version" "$bump_type")
  # Use sed to replace because yq will reformat.
  echo "Bumping version from $chart_version to $chart_version_bump..."
  sed -i.bak "s/^version: $chart_version\$/version: $chart_version_bump/" ci/helm-chart/Chart.yaml
  echo "Bumping app version from $app_version to $version..."
  sed -i.bak "s/^appVersion: .\+\$/appVersion: $version/" ci/helm-chart/Chart.yaml
  echo "Bumping image version from $image_version to $version..."
  sed -i.bak "s/^  tag: .\+\$/  tag: '$version'/" ci/helm-chart/values.yaml
 }
--- a/ci/helm-chart/Chart.yaml
+++ b/ci/helm-chart/Chart.yaml
@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.38.0
+version: 3.37.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.123.0
+appVersion: 4.122.0
--- a/ci/helm-chart/values.yaml
+++ b/ci/helm-chart/values.yaml
@@ -6,7 +6,7 @@ replicaCount: 1
 image:
  repository: codercom/code-server
-  tag: '4.123.0'
+  tag: '4.122.0'
  pullPolicy: Always
 # Specifies one or more secrets to be used when pulling images from a
--- a/lib/vscode
+++ b/lib/vscode
--- a/package-lock.json
+++ b/package-lock.json
@@ -13,7 +13,6 @@
        "@coder/logger": "^3.0.1",
        "argon2": "^0.44.0",
        "compression": "^1.7.4",
        "cookie": "^1.1.1",
        "cookie-parser": "^1.4.6",
        "env-paths": "^2.2.1",
        "express": "^5.0.1",
@@ -969,9 +968,9 @@
      }
    },
    "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-      "version": "5.0.6",
+      "version": "5.0.5",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
-      "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -1937,16 +1936,12 @@
      }
    },
    "node_modules/cookie": {
-      "version": "1.1.1",
+      "version": "0.7.2",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-1.1.1.tgz",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
-      "integrity": "sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ==",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
      "license": "MIT",
      "engines": {
-        "node": ">=18"
+        "node": ">= 0.6"
      },
      "funding": {
        "type": "opencollective",
        "url": "https://opencollective.com/express"
      }
    },
    "node_modules/cookie-parser": {
@@ -1962,15 +1957,6 @@
        "node": ">= 0.8.0"
      }
    },
    "node_modules/cookie-parser/node_modules/cookie": {
      "version": "0.7.2",
      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
      "license": "MIT",
      "engines": {
        "node": ">= 0.6"
      }
    },
    "node_modules/cookie-signature": {
      "version": "1.0.6",
      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
@@ -2967,15 +2953,6 @@
        "url": "https://opencollective.com/express"
      }
    },
    "node_modules/express/node_modules/cookie": {
      "version": "0.7.2",
      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
      "license": "MIT",
      "engines": {
        "node": ">= 0.6"
      }
    },
    "node_modules/express/node_modules/cookie-signature": {
      "version": "1.2.2",
      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz",
@@ -4153,19 +4130,9 @@
      "license": "ISC"
    },
    "node_modules/js-yaml": {
-      "version": "4.2.0",
+      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
-      "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==",
+      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
      "funding": [
        {
          "type": "github",
          "url": "https://github.com/sponsors/puzrin"
        },
        {
          "type": "github",
          "url": "https://github.com/sponsors/nodeca"
        }
      ],
      "license": "MIT",
      "dependencies": {
        "argparse": "^2.0.1"
@@ -6646,9 +6613,9 @@
      "license": "ISC"
    },
    "node_modules/ws": {
-      "version": "8.21.0",
+      "version": "8.20.1",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz",
-      "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==",
+      "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==",
      "license": "MIT",
      "engines": {
        "node": ">=10.0.0"
--- a/package.json
+++ b/package.json
@@ -70,7 +70,6 @@
    "@coder/logger": "^3.0.1",
    "argon2": "^0.44.0",
    "compression": "^1.7.4",
    "cookie": "^1.1.1",
    "cookie-parser": "^1.4.6",
    "env-paths": "^2.2.1",
    "express": "^5.0.1",
--- a/patches/base-path.diff
+++ b/patches/base-path.diff
@@ -263,7 +263,7 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
 	}
 	private startListening(): void {
-@@ -590,17 +591,6 @@ class WorkspaceProvider implements IWork
+@@ -584,17 +585,6 @@ class WorkspaceProvider implements IWork
 	}
 }
@@ -281,7 +281,7 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
 (function () {
 	// Find config by checking for DOM
-@@ -610,8 +600,8 @@ function readCookie(name: string): strin
+@@ -604,8 +594,8 @@ function readCookie(name: string): strin
 	if (!configElement || !configElementAttribute) {
 		throw new Error('Missing web configuration element');
 	}
--- a/patches/disable-builtin-ext-update.diff
+++ b/patches/disable-builtin-ext-update.diff
@@ -7,7 +7,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
-@@ -345,6 +345,10 @@ export class Extension implements IExten
+@@ -342,6 +342,10 @@ export class Extension implements IExten
 			if (this.type === ExtensionType.System && this.productService.quality === 'stable' && !this.productService.builtInExtensionsEnabledWithAutoUpdates?.some(id => id.toLowerCase() === this.identifier.id.toLowerCase())) {
 				return false;
 			}
--- a/patches/proxy-uri.diff
+++ b/patches/proxy-uri.diff
@@ -104,7 +104,7 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
 import type { IURLCallbackProvider } from '../../../workbench/services/url/browser/urlService.js';
 import { create } from '../../../workbench/workbench.web.main.internal.js';
-@@ -612,6 +613,39 @@ class WorkspaceProvider implements IWork
+@@ -606,6 +607,39 @@ class WorkspaceProvider implements IWork
 		settingsSyncOptions: config.settingsSyncOptions ? { enabled: config.settingsSyncOptions.enabled, } : undefined,
 		workspaceProvider: WorkspaceProvider.create(config),
 		urlCallbackProvider: new LocalStorageURLCallbackProvider(config.callbackRoute),
--- a/patches/sourcemaps.diff
+++ b/patches/sourcemaps.diff
@@ -6,7 +6,7 @@ Index: code-server/lib/vscode/build/gulpfile.reh.ts
 ===================================================================
 --- code-server.orig/lib/vscode/build/gulpfile.reh.ts
 +++ code-server/lib/vscode/build/gulpfile.reh.ts
-@@ -296,10 +296,15 @@ function packageTask(type: string, platf
+@@ -255,10 +255,15 @@ function packageTask(type: string, platf
 	const destination = path.join(BUILD_ROOT, destinationFolderName);
 	return () => {
--- a/patches/webview.diff
+++ b/patches/webview.diff
@@ -70,8 +70,8 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
 	<meta charset="UTF-8">
 	<meta http-equiv="Content-Security-Policy"
-		content="default-src 'none'; script-src 'sha256-nXjtuhBilO++r8hfxl5VjEScSmdm07wDAk6jw228DgM=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+-		content="default-src 'none'; script-src 'sha256-q+WTr+fBXpLLE3++yWNaxT6BTWQtsKscoeIlynBRk4E=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
-+		content="default-src 'none'; script-src 'sha256-A6/szVNdTzyi4hDa+9OLbzS8tSd2iUV4CqimLNWex2Y=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+		content="default-src 'none'; script-src 'sha256-m1DlJtsIJd46QuWYNcsaYIG1xI+9FyjKQu+cfp+zq5Q=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
 	<!-- Disable pinch zooming -->
 	<meta name="viewport"
--- a/src/node/proxy.ts
+++ b/src/node/proxy.ts
@@ -1,7 +1,5 @@
 import * as cookie from "cookie"
 import type { Request } from "express"
 import proxyServer from "http-proxy"
-import { getCookieSessionName, HttpCode } from "../common/http"
+import { HttpCode } from "../common/http"
 export const proxy = proxyServer.createProxyServer({})
@@ -20,19 +18,6 @@ proxy.on("error", (error, _, res) => {
  }
 })
 // Strip the code-server cookie if it exists to avoid transmitting the cookie
 // to potentially malicious local ports.
 proxy.on("proxyReq", (preq, req) => {
  const cookieSessionName = getCookieSessionName((req as Request).args["cookie-suffix"])
  preq.setHeader(
    "Cookie",
    cookie.stringifyCookie({
      ...(req as Request).cookies,
      [cookieSessionName]: undefined,
    }),
  )
 })
 // Intercept the response to rewrite absolute redirects against the base path.
 // Is disabled when the request has no base path which means /absproxy is in use.
 proxy.on("proxyRes", (res, req) => {
--- a/test/unit/node/proxy.test.ts
+++ b/test/unit/node/proxy.test.ts
@@ -1,12 +1,15 @@
 import * as express from "express"
 import * as http from "http"
 import nodeFetch from "node-fetch"
 import { HttpCode } from "../../../src/common/http"
 import { proxy } from "../../../src/node/proxy"
 import { wss, Router as WsRouter } from "../../../src/node/wsRouter"
-import { mockLogger } from "../../utils/helpers"
+import { getAvailablePort, mockLogger } from "../../utils/helpers"
 import * as httpserver from "../../utils/httpserver"
 import * as integration from "../../utils/integration"
 describe("proxy", () => {
-  const proxyTarget = new httpserver.HttpServer()
+  const nhooyrDevServer = new httpserver.HttpServer()
  const wsApp = express.default()
  const wsRouter = WsRouter()
  let codeServer: httpserver.HttpServer | undefined
@@ -16,22 +19,21 @@ describe("proxy", () => {
  beforeAll(async () => {
    wsApp.use("/", wsRouter.router)
-    await proxyTarget.listen((req, res) => {
+    await nhooyrDevServer.listen((req, res) => {
      e(req, res)
    })
-    proxyTarget.listenUpgrade(wsApp)
+    nhooyrDevServer.listenUpgrade(wsApp)
-    proxyPath = `/proxy/${proxyTarget.port()}/wsup`
+    proxyPath = `/proxy/${nhooyrDevServer.port()}/wsup`
    absProxyPath = proxyPath.replace("/proxy/", "/absproxy/")
  })
  afterAll(async () => {
-    await proxyTarget.dispose()
+    await nhooyrDevServer.dispose()
  })
  beforeEach(() => {
    e = express.default()
    mockLogger()
    delete process.env.PASSWORD
  })
  afterEach(async () => {
@@ -281,42 +283,65 @@ describe("proxy", () => {
    const resp = await codeServer.fetch(proxyPath, { method: "OPTIONS" })
    expect(resp.status).toBe(200)
  })
 })
-  it("should return a 500 when no target is running ", async () => {
+// NOTE@jsjoeio
-    const target = new httpserver.HttpServer()
+// Both this test suite and the one above it are very similar
-    await target.listen(() => {})
+// The main difference is this one uses http and node-fetch
-    const port = target.port()
+// and specifically tests the proxy in isolation vs. using
-    target.dispose()
+// the httpserver abstraction we've built.
-    codeServer = await integration.setup(["--auth=none"], "")
+//
-    const resp = await codeServer.fetch(`/proxy/${port}/wsup`)
+// Leaving this as a separate test suite for now because
-    expect(resp.status).toBe(HttpCode.ServerError)
+// we may consider refactoring the httpserver abstraction
-    expect(resp.statusText).toBe("Internal Server Error")
+// in the future.
 //
 // If you're writing a test specifically for code in
 // src/node/proxy.ts, you should probably add it to
 // this test suite.
 describe("proxy (standalone)", () => {
  let URL = ""
  let PROXY_URL = ""
  let testServer: http.Server
  let proxyTarget: http.Server
  beforeEach(async () => {
    const PORT = await getAvailablePort()
    const PROXY_PORT = await getAvailablePort()
    URL = `http://localhost:${PORT}`
    PROXY_URL = `http://localhost:${PROXY_PORT}`
    // Define server and a proxy server
    testServer = http.createServer((req, res) => {
      proxy.web(req, res, {
        target: PROXY_URL,
      })
    })
    proxyTarget = http.createServer((req, res) => {
      res.writeHead(200, { "Content-Type": "text/plain" })
      res.end()
    })
    // Start both servers
    proxyTarget.listen(PROXY_PORT)
    testServer.listen(PORT)
  })
-  it("should strip token cookie", async () => {
+  afterEach(async () => {
-    const token = "my-super-secure-token"
+    testServer.close()
-    process.env.HASHED_PASSWORD = token
+    proxyTarget.close()
-    codeServer = await integration.setup(["--auth=password"])
+  })
-    // Set up a listener that just prints the cookies it got.
+  it("should return a 500 when proxy target errors ", async () => {
-    e.get("/wsup/cookies", (req, res) => {
+    // Close the proxy target so that proxy errors
-      res.writeHead(HttpCode.Ok, { "Content-Type": "text/plain" })
+    proxyTarget.close()
-      res.end(req.headers.cookie)
+    const errorResp = await nodeFetch(`${URL}/error`)
-    })
+    expect(errorResp.status).toBe(HttpCode.ServerError)
    expect(errorResp.statusText).toBe("Internal Server Error")
  })
-    // Send the token along with other cookies which should be preserved.
+  it("should proxy correctly", async () => {
-    // Encode one to make sure they are being re-encoded properly.
+    const resp = await nodeFetch(`${URL}/route`)
    const value = "hello=there"
    const encodedValue = encodeURIComponent(value)
    const resp = await codeServer.fetch(proxyPath + "/cookies", {
      headers: {
        cookie: `cookie1=${encodedValue}; code-server-session=${token}; cookie2=hello;`,
      },
    })
    // The proxied listener should not have printed the code-server token.
    expect(resp.status).toBe(200)
-    const text = await resp.text()
+    expect(resp.statusText).toBe("OK")
    expect(text).toBe(`cookie1=${encodedValue}; cookie2=hello`)
  })
 })