chore: bump docker/login-action from 3.7.0 to 4.1.0

Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.1.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](c94ce9fb46...4907a6ddec)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/build.yaml

@@ -26,7 +26,7 @@ jobs:
       helm: ${{ steps.filter.outputs.helm }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+      - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
         id: filter
         with:
           filters: |

.github/workflows/publish.yaml

@@ -38,7 +38,7 @@ jobs:
         with:
           node-version-file: .node-version
 
-      - uses: robinraju/release-downloader@28fc21f50d76778e7023361aa1f863e717d3d56f # v1.13
+      - uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
         with:
           repository: "coder/code-server"
           tag: ${{ env.TAG }}
@@ -70,11 +70,6 @@ jobs:
           token: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
           ref: "master"
 
-      - name: Configure git
-        run: |
-          git config --global user.name cdrci
-          git config --global user.email opensource@coder.com
-
       - name: Fetch and reset master
         run: |
           git remote add upstream https://github.com/coder/code-server-aur.git
@@ -82,6 +77,11 @@ jobs:
           git reset --hard upstream/master
           git push --force
 
+      - name: Configure git
+        run: |
+          git config --global user.name cdrci
+          git config --global user.email opensource@coder.com
+
       - name: Validate package
         uses: heyhusen/archlinux-package-action@c9f94059ccbebe8710d31d582f33ef4e84fe575c # v3.0.0
         with:
@@ -112,23 +112,23 @@ jobs:
       - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
-      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: robinraju/release-downloader@28fc21f50d76778e7023361aa1f863e717d3d56f # v1.13
+      - uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
         with:
           repository: "coder/code-server"
           tag: v${{ env.VERSION }}
           fileName: "*.deb"
           out-file-path: "release-packages"
-      - uses: robinraju/release-downloader@28fc21f50d76778e7023361aa1f863e717d3d56f # v1.13
+      - uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
         with:
           repository: "coder/code-server"
           tag: v${{ env.VERSION }}
@@ -136,32 +136,3 @@ jobs:
           out-file-path: "release-packages"
 
       - run: npm run publish:docker
-
-  repo:
-    runs-on: ubuntu-latest
-    env:
-      GH_TOKEN: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
-      TAG: ${{ inputs.version || github.ref_name }}
-    needs: docker
-
-    steps:
-      - name: Set version to tag without leading v
-        run: |
-          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
-
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - run: ./ci/build/update-repo.sh
-
-      - name: Open PR
-        run: |
-          git config --global user.name cdrci
-          git config --global user.email opensource@coder.com
-          git checkout -b "helm/$VERSION"
-          git add .
-          git commit -m "Update Helm chart and changelog with $VERSION"
-          git push -u origin "$(git branch --show)"
-          gh pr create \
-            --repo coder/code-server \
-            --body-file .cache/checklist \
-            --title "Update to $VERSION"

.github/workflows/release.yaml

@@ -6,11 +6,6 @@ on:
       version:
         type: string
         required: true
-  pull_request_target:
-    types:
-      - closed
-    branches:
-      - main
 
 permissions:
   contents: write # For creating releases.
@@ -26,9 +21,6 @@ jobs:
   package-linux:
     name: ${{ format('linux-{0}', matrix.vscode_arch) }}
     runs-on: ubuntu-22.04
-    if: >-
-      (github.event_name == 'workflow_dispatch') ||
-      (github.event_name == 'pull_request_target' && github.event.pull_request.merged == true && startsWith(github.head_ref, 'update/'))
 
     strategy:
       matrix:
@@ -39,12 +31,15 @@ jobs:
           - npm_arch: arm64
             vscode_arch: arm64
             package_arch: arm64
+          - npm_arch: arm
+            vscode_arch: armhf
+            package_arch: armv7l
 
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       ELECTRON_SKIP_BINARY_DOWNLOAD: 1
       PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
-      TAG: ${{ inputs.version || github.event.pull_request.head.ref || github.ref_name }}
+      TAG: ${{ inputs.version || github.ref_name }}
       # Set release package name.
       ARCH: ${{ matrix.package_arch }}
       # Cross-compile target.
@@ -69,12 +64,9 @@ jobs:
           curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
           echo "$HOME/.local/bin" >> $GITHUB_PATH
 
-      - name: Strip update/ and v from tag and set major version
+      - name: Set version to tag without leading v
         run: |
-          version=${TAG#update/}
+          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
-          version=${version#v}
-          version=4${version:1}
-          echo "VERSION=$version" >> $GITHUB_ENV
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
@@ -107,18 +99,12 @@ jobs:
         if: ${{ matrix.vscode_arch == 'x64' }}
       - run: tar -czf package.tar.gz release
         if: ${{ matrix.vscode_arch == 'x64' }}
-      - run: |
-          sed "/^## Unreleased/,/^## / ! d" CHANGELOG.md | head -n -2 | tail -n +3 > .cache/release-notes
-        if: ${{ matrix.vscode_arch == 'x64' }}
       - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         if: ${{ matrix.vscode_arch == 'x64' }}
         with:
           draft: true
           discussion_category_name: "📣 Announcements"
           files: package.tar.gz
-          tag_name: v${{ env.VERSION }}
-          name: v${{ env.VERSION }}
-          body_path: .cache/release-notes
 
       # Platform-specific release.
       - run: KEEP_MODULES=1 npm run release
@@ -128,15 +114,10 @@ jobs:
           draft: true
           discussion_category_name: "📣 Announcements"
           files: ./release-packages/*
-          tag_name: v${{ env.VERSION }}
-          name: v${{ env.VERSION }}
 
   package-macos:
     name: ${{ matrix.vscode_target }}
     runs-on: ${{ matrix.os }}
-    if: >-
-      (github.event_name == 'workflow_dispatch') ||
-      (github.event_name == 'pull_request_target' && github.event.pull_request.merged == true && startsWith(github.head_ref, 'update/'))
     strategy:
       matrix:
         include:
@@ -147,7 +128,7 @@ jobs:
     env:
       VSCODE_TARGET: ${{ matrix.vscode_target }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      TAG: ${{ inputs.version || github.event.pull_request.head.ref || github.ref_name }}
+      TAG: ${{ inputs.version || github.ref_name }}
       # Ensure native modules are built from source to avoid prebuilds.
       npm_config_build_from_source: true
 
@@ -163,12 +144,9 @@ jobs:
           curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
           echo "$HOME/.local/bin" >> $GITHUB_PATH
 
-      - name: Strip update/ and v from tag and set major version
+      - name: Set version to tag without leading v
         run: |
-          version=${TAG#update/}
+          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
-          version=${version#v}
-          version=4${version:1}
-          echo "VERSION=$version" >> $GITHUB_ENV
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
@@ -194,5 +172,3 @@ jobs:
           draft: true
           discussion_category_name: "📣 Announcements"
           files: ./release-packages/*
-          tag_name: v${{ env.VERSION }}
-          name: v${{ env.VERSION }}

.github/workflows/security.yaml

@@ -51,7 +51,7 @@ jobs:
           fetch-depth: 0
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@314ff8b43182423b84c50b1670b0e10f858f2d98 # latest
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # latest
         with:
           scan-type: "fs"
           scan-ref: "."

.github/workflows/trivy-docker.yaml

@@ -18,6 +18,8 @@ on:
       - .github/workflows/trivy-docker.yaml
 
   schedule:
+    # Run at 10:15 am UTC (3:15am PT/5:15am CT)
+    # Run at 0 minutes 0 hours of every day.
     - cron: "15 10 * * *"
 
   workflow_dispatch:
@@ -49,7 +51,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Run Trivy vulnerability scanner in image mode
-        uses: aquasecurity/trivy-action@314ff8b43182423b84c50b1670b0e10f858f2d98 # latest
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # latest
         with:
           image-ref: "docker.io/codercom/code-server:latest"
           ignore-unfixed: true

.github/workflows/update.yaml

@@ -1,72 +0,0 @@
-name: Update code-server
-
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        type: string
-        required: true
-  schedule:
-    - cron: "0 16,21 * * *"
-
-jobs:
-  update:
-    runs-on: ubuntu-latest
-    env:
-      TAG: ${{ inputs.version }}
-      GH_TOKEN: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
-
-    steps:
-      - name: Fetch latest tag
-        if: env.TAG == ''
-        run: |
-          tag=$(curl -fsSLI -o /dev/null -w "%{url_effective}" https://github.com/microsoft/vscode/releases/latest)
-          tag="${tag#https://github.com/microsoft/vscode/releases/tag/}"
-          echo "TAG=$tag" >> $GITHUB_ENV
-
-      - name: Remove leading v from tag
-        run: |
-          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
-
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: true
-
-      - name: Check current version
-        id: check
-        run: |
-          commit="$(git -C lib/vscode rev-parse HEAD)"
-          if [[ $(git -C lib/vscode ls-remote --tags | grep "$commit") == */"$VERSION" ]] ; then
-            echo "$VERSION update has already been merged into $(git rev-parse --abbrev-ref HEAD)"
-            echo done=true >> $GITHUB_OUTPUT
-          elif git ls-remote --exit-code --heads origin "update/$VERSION" ; then
-            echo "There is already a PR for updating to $VERSION"
-            echo done=true >> $GITHUB_OUTPUT
-          else
-            echo "$VERSION update has not started yet"
-            echo done=false >> $GITHUB_OUTPUT
-          fi
-
-      - uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
-        if: steps.check.outputs.done == 'false'
-        with:
-          packages: quilt
-          version: 1.0
-
-      - run: ./ci/build/update-vscode.sh
-        if: steps.check.outputs.done == 'false'
-
-      - name: Open PR
-        if: steps.check.outputs.done == 'false'
-        run: |
-          git config --global user.name cdrci
-          git config --global user.email opensource@coder.com
-          git checkout -b "update/$VERSION"
-          git add .
-          git commit -m "Update Code to $VERSION"
-          git push -u origin "$(git branch --show)"
-          gh pr create \
-            --repo coder/code-server \
-            --title "Update Code to $VERSION" \
-            --body-file .cache/checklist \
-            --draft

.gitignore

@@ -11,7 +11,6 @@ node_modules
 .home
 coverage
 **/.DS_Store
-*.bak
 
 # Code packages itself here.
 /lib/vscode-reh-web-*

.node-version

@@ -1 +1 @@
-24.15.0
+22.22.1

CHANGELOG.md

@@ -22,64 +22,6 @@ Code v99.99.999
 
 ## Unreleased
 
-Code v1.124.2
-
-### Security
-
-- Strip code-server's session token from the cookie before proxying to a local
-  port. Previously, when you used built-in password authentication, the cookie
-  would be sent to the local proxied port, which meant if the service was
-  malicious and not already running as your code-server user it could use the
-  cookie to log into code-server and execute commands as your code-server user.
-
-### Changed
-
-- Update to Code 1.124.2
-
-## [4.123.0](https://github.com/coder/code-server/releases/tag/v4.123.0) - 2026-06-03
-
-Code v1.123.0
-
-### Changed
-
-- Update to Code 1.123.0
-- Microsoft dropped support for armhf remotes so there will no longer be any
-  builds for armhf.
-
-## [4.122.1](https://github.com/coder/code-server/releases/tag/v4.122.1) - 2026-06-02
-
-Code v1.122.1
-
-### Changed
-
-- Update to Code 1.122.1
-
-## [4.122.0](https://github.com/coder/code-server/releases/tag/v4.122.0) - 2026-05-29
-
-Code v1.122.0
-
-### Changed
-
-- Update to Code 1.122.0
-
-### Fixed
-
-- `--app-name` will now affect window titles within the editor (it is now used
-  as the value for `${appName}` in the title template) as well as some other
-  places like the help > about dialog.
-
-### Added
-
-- App name can now be set with the `CODE_SERVER_APP_NAME` environment variable.
-
-## [4.121.0](https://github.com/coder/code-server/releases/tag/v4.121.0) - 2026-05-20
-
-Code v1.121.0
-
-### Changed
-
-- Update to Code 1.121.0
-
 ## [4.118.0](https://github.com/coder/code-server/releases/tag/v4.118.0) - 2026-05-06
 
 Code v1.118.0

ci/build/build-release.sh

@@ -128,9 +128,7 @@ bundle_vscode() {
 
   # Merge the package.json for the web/remote server so we can include
   # dependencies, since we want to ship this via NPM.
-  # Also override the name to prevent vulnerability scanners from
+  jq --slurp '.[0] * .[1]' \
-  # misidentifying this package as VS Code (see #7071).
-  jq --slurp '.[0] * .[1] | .name = "code-oss-dev"' \
     "$VSCODE_SRC_PATH/remote/package.json" \
     "$VSCODE_OUT_PATH/package.json" > "$VSCODE_OUT_PATH/package.json.merged"
   mv "$VSCODE_OUT_PATH/package.json.merged" "$VSCODE_OUT_PATH/package.json"

ci/build/update-repo.sh

@@ -1,96 +0,0 @@
-#!/usr/bin/env bash
-
-set -Eeuo pipefail
-
-# Given versions $1 and $2 figure out the first component that is different
-# (major, minor, patch).
-function find_version_diff() {
-  # shellcheck disable=SC2206
-  local a=( ${1//./ } )
-  # shellcheck disable=SC2206
-  local b=( ${2//./ } )
-
-  if [[ ${a[0]} != "${b[0]}" ]] ; then
-    echo major
-  elif [[ ${a[1]} != "${b[1]}" ]] ; then
-    echo minor
-  else
-    echo patch
-  fi
-}
-
-# Bump $1 by the bump type (major, minor, patch) in $2.
-function bump_version() {
-  # shellcheck disable=SC2206
-  local a=( ${1//./ } )
-  case $2 in
-    major)
-      ((a[0]++))
-      a[1]=0
-      a[2]=0
-      ;;
-    minor)
-      ((a[1]++))
-      a[2]=0
-      ;;
-    *)
-      ((a[2]++))
-      ;;
-  esac
-  echo "${a[0]}.${a[1]}.${a[2]}"
-}
-
-function update_helm() {
-  local chart_version
-  chart_version=$(yq .version ci/helm-chart/Chart.yaml)
-  local app_version
-  app_version=$(yq .appVersion ci/helm-chart/Chart.yaml)
-  local image_version
-  image_version=$(yq .image.tag ci/helm-chart/values.yaml)
-
-  local bump_type
-  bump_type=$(find_version_diff "$app_version" "$version")
-  local chart_version_bump
-  chart_version_bump=$(bump_version "$chart_version" "$bump_type")
-
-  # Use sed to replace because yq will reformat.
-  echo "Bumping version from $chart_version to $chart_version_bump..."
-  sed -i.bak "s/^version: $chart_version\$/version: $chart_version_bump/" ci/helm-chart/Chart.yaml
-
-  echo "Bumping app version from $app_version to $version..."
-  sed -i.bak "s/^appVersion: .\+\$/appVersion: $version/" ci/helm-chart/Chart.yaml
-
-  echo "Bumping image version from $image_version to $version..."
-  sed -i.bak "s/^  tag: .\+\$/  tag: '$version'/" ci/helm-chart/values.yaml
-}
-
-function update_changelog() {
-  local date
-  date=$(printf '%(%Y-%m-%d)T\n' -1)
-  local link="https://github.com/coder/code-server/releases/tag/v$version"
-  sed -i.bak "s|## Unreleased|## Unreleased\n\n## [$version]($link) - $date|" CHANGELOG.md
-}
-
-function main() {
-  cd "$(dirname "${0}")/../.."
-
-  source ./ci/lib.sh
-
-  local version=${VERSION:-$(git describe --tags)}
-  version="${version#v}"
-
-  declare -a steps
-
-  steps+=(
-    "Update Helm chart" "update_helm"
-    "Update changelog" "update_changelog"
-  )
-
-  # Even if a step failed, still output the last checkmark.
-  run-steps "${steps[@]}" || true
-
-  # This step is always manual.
-  echo "- [ ] https://github.com/coder/code-server-aur/pulls" >> .cache/checklist
-}
-
-main "$@"

ci/build/update-vscode.sh

@@ -2,13 +2,13 @@
 
 set -Eeuo pipefail
 
-function unapply_patches() {
+function remove_patches() {
   local -i exit_code=0
-  quiet quilt pop -af || exit_code=$?
+  quilt pop -af || exit_code=$?
   case $exit_code in
-    # Sucessfully unapplied.
+    # Sucessfully removed.
     0) ;;
-    # No more patches to unapply.
+    # No more patches to remove.
     2) ;;
     # Some error.
     *) return $exit_code ;;
@@ -17,19 +17,19 @@ function unapply_patches() {
 
 function update_vscode() {
   pushd lib/vscode
-  if ! git checkout 2>&1 "$target_vscode_version" ; then
+  if ! git checkout "$VERSION" ; then
-    echo "$target_vscode_version does not exist locally, fetching..."
+    echo "$VERSION does not exist locally, fetching..."
-    git fetch --all --prune --tags
+    git fetch --all --prune
-    echo "Checking out $target_vscode_version again..."
+    git checkout "$VERSION"
-    git checkout "$target_vscode_version"
   fi
   popd
 }
 
 function refresh_patches() {
   local -i exit_code=0
-  while quiet quilt push ; ! (( exit_code=$? )) ; do
+  while quilt push ; ! (( exit_code=$? )) ; do
     quilt refresh
+    echo # Extra new line for separation.
   done
   case $exit_code in
     # No more patches to apply.
@@ -42,8 +42,8 @@ function refresh_patches() {
 function update_node() {
   local node_version
   node_version=$(cat .node-version)
-  if [[ $node_version == "$target_node_version" ]] ; then
+  if [[ $node_version == $target_node_version ]] ; then
-    echo "Already set to $target_node_version"
+    echo "$node_version already matches $target_node_version"
   else
     echo "Updating from $node_version to $target_node_version..."
     echo "$target_node_version" > .node-version
@@ -52,37 +52,26 @@ function update_node() {
 
 function get-webview-script-hash() {
   local html
-  html=$(<"$1")
+  html=$(<$1)
   local start_tag='<script async type="module">'
   local end_tag="</script>"
-  html=${html##*"$start_tag"}
+  html=${html##*$start_tag}
-  html=${html%%"$end_tag"*}
+  html=${html%%$end_tag*}
   echo -n "$html" | openssl sha256 -binary | openssl base64
 }
 
 function update_csp() {
-  local current
+  local -i exit_code=0
-  current=$(quilt top 2>/dev/null || echo "")
+  # Move back to the webview patch so it can be refreshed.
-  local patch_action=""
+  quilt pop webview || exit_code=$?
-  echo "Currently at ${current:-base}"
+  case $exit_code in
-  if [[ $current != */webview.diff ]] ; then
+    # Successfully moved.
-    echo "Moving to patches/webview.diff..."
+    0) ;;
-    local -i exit_code=0
+    # Already at the patch.
-    if quilt applied 2>/dev/null | grep --quiet webview.diff ; then
+    2) ;;
-      quiet quilt pop webview || exit_code=$?
+    # Some error.
-      patch_action=pop
+    *) return $exit_code ;;
-    else
+  esac
-      quiet quilt push webview || exit_code=$?
-      patch_action=push
-    fi
-    case $exit_code in
-      # Successfully moved.
-      0) ;;
-      # Some error.
-      *) return $exit_code ;;
-    esac
-  fi
-
   local file=lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
   local hash
   hash=$(get-webview-script-hash "$file")
@@ -90,24 +79,43 @@ function update_csp() {
   # Use octothorpe as a delimiter since the hash may contain a slash.
   sed -i.bak "s#script-src 'sha256-[^']\+'#script-src 'sha256-$hash'#" "$file"
   quilt refresh
+  # Get patched back up.
+  quilt push -a
+}
 
-  if [[ $patch_action != "" ]] ; then
+function run() {
-    echo "Moving back to ${current:-base}..."
+  local -i failed=0
-    case $patch_action in
+  rm -f .cache/checklist
-      pop) quiet quilt push "$current" ;;
+  while (( $# )) ; do
-      push) quiet quilt pop "${current:--a}" ;;
+    local name=$1 ; shift
-    esac
+    local fn=$1 ; shift
+    # Only run if an earlier step has not failed.
+    if [[ $failed == 0 ]] ; then
+      echo "[+] $name..."
+      if $fn ; then
+        echo "- [X] $name" >> .cache/checklist
+      else
+        ((failed++))
+      fi
+    fi
+    # For all failed steps, write out an empty checkbox.
+    if [[ $failed != 0 ]] ; then
+      echo "- [ ] $name" >> .cache/checklist
+    fi
+  done
+  if [[ $failed != 0 ]] ; then
+    return 1
   fi
 }
 
 function add_changelog() {
   local file=CHANGELOG.md
-  if grep --quiet "Code $target_vscode_version" "$file" ; then
+  if grep "Code $VERSION" "$file" ; then
-    echo "Changelog for $target_vscode_version already exists"
+    echo "Changelog for $VERSION already exists"
   else
     # TODO: This is not exactly robust.  In particular, it needs to handle if
     # there is already a "changed" section.
-    sed -i.bak "s/## Unreleased/## Unreleased\n\nCode v$target_vscode_version\n\n### Changed\n\n- Update to Code $target_vscode_version/" "$file"
+    sed -i.bak "s/## Unreleased/## Unreleased\n\nCode v$VERSION\n\n### Changed\n\n- Update to Code $VERSION/" "$file"
   fi
 }
 
@@ -120,34 +128,21 @@ function main() {
   target_node_version=$(grep target lib/vscode/remote/.npmrc | awk -F= '{print $2}' | tr -d '"')
 
   declare -a steps
-
+  # Removing patches only needs to be done locally; in CI we start from a fresh
-  # If version is not set, assume we are already at the target version and the
+  # clone each time.
-  # user is just trying to resolve conflics.
+  if [[ ! ${CI-} ]] ; then
-  local target_vscode_version
+    steps+=("Remove patches" "remove_patches")
-  if [[ ${VERSION-} ]] ; then
-    # Removing patches only needs to be done locally; in CI we start from a
-    # fresh clone each time.
-    if [[ ! ${CI-} ]] ; then
-      steps+=("Unapplying patches" "unapply_patches")
-    fi
-    target_vscode_version="${VERSION#v}"
-    steps+=(
-      "Update Code to $target_vscode_version" "update_vscode"
-      "Refresh Code patches" "refresh_patches"
-    )
-  else
-    target_vscode_version="$(git -C lib/vscode describe --tags --exact-match)"
-    echo "Detected Code version $target_vscode_version"
   fi
 
   steps+=(
+    "Update VS Code to $VERSION" "update_vscode"
+    "Refresh VS Code patches" "refresh_patches"
     "Set Node version to $target_node_version" "update_node"
     "Update CSP webview hash" "update_csp"
     "Add changelog note" "add_changelog"
   )
 
-  # Even if a step failed, still output the last checkmark.
+  run "${steps[@]}"
-  run-steps "${steps[@]}" || true
 
   # This step is always manual.
   echo "- [ ] Verify changelog" >> .cache/checklist

ci/helm-chart/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.38.0
+version: 3.35.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.123.0
+appVersion: 4.116.0

ci/helm-chart/values.yaml

@@ -6,7 +6,7 @@ replicaCount: 1
 
 image:
   repository: codercom/code-server
-  tag: '4.123.0'
+  tag: '4.116.0'
   pullPolicy: Always
 
 # Specifies one or more secrets to be used when pulling images from a

ci/lib.sh

@@ -78,43 +78,6 @@ nodeArch() {
   echo "$cpu"
 }
 
-run-steps() {
-  local -i failed=0
-  mkdir -p .cache
-  rm -f .cache/checklist
-  while (( $# )) ; do
-    local name=$1 ; shift
-    local fn=$1 ; shift
-    # Only run if an earlier step has not failed.
-    if [[ $failed == 0 ]] ; then
-      echo "$name..."
-      if $fn | indent ; then
-        echo "- [X] $name" >> .cache/checklist
-      else
-        ((failed++))
-      fi
-    fi
-    # For all failed steps, write out an empty checkbox.
-    if [[ $failed != 0 ]] ; then
-      echo "- [ ] $name" >> .cache/checklist
-    fi
-  done
-  if [[ $failed != 0 ]] ; then
-    return 1
-  fi
-}
-
-quiet() {
-  "$@" >/dev/null
-}
-
-indent() {
-  local count=2
-  local space
-  space=$(printf "%${count}s")
-  sed "s/^/$space| /g"
-}
-
 # See gulpfile.reh.ts for available targets.
 if [[ ! ${VSCODE_TARGET-} ]]; then
   VSCODE_TARGET="$(nodeOS)-$(nodeArch)"

docs/CONTRIBUTING.md

@@ -93,20 +93,17 @@ commits first if you are doing this).
 
 ### Version updates to Code
 
-PRs will be automatically created with updates to VS Code. If a patch cannot be
+1. Remove any patches with `quilt pop -a`.
-automatically resolved, it will be necessary to clone the branch, resolve the
+2. Update the `lib/vscode` submodule to the desired upstream version branch.
-conflicts manually, and finish the update. To do this:
+   1. `cd lib/vscode && git checkout release/1.66 && cd ../..`
-
+   2. `git add lib && git commit -m "chore: update to Code <version>"`
-1. Apply as many patches as possible `quilt push -a`.
+3. Apply the patches one at a time (`quilt push`). If the application succeeds
-2. Once you hit a conflict, force apply with `quilt push -f`, manually add back
+   but the lines changed, update the patch with `quilt refresh`. If there are
-   the rejected code, then run `quilt refresh`.
+   conflicts, then force apply with `quilt push -f`, manually add back the
-3. Once all patches have been resolved, run `./ci/build/update.sh` to finish the
+   rejected code, then run `quilt refresh`.
-   update process.
+4. From the code-server **project root**, run `npm install`.
-4. Commit all changes, push them up to the branch, and update the checklist in
+5. Check the Node.js version that's used by Electron (which is shipped with VS
-   the PR description.
+   Code. If necessary, update our version of Node.js to match.
-
-Once the PR is ready, manually verify that the unreleased changelog section
-contains all the changes going into this version before merging.
 
 ### Patching Code
 

package-lock.json

@@ -13,7 +13,6 @@
         "@coder/logger": "^3.0.1",
         "argon2": "^0.44.0",
         "compression": "^1.7.4",
-        "cookie": "^1.1.1",
         "cookie-parser": "^1.4.6",
         "env-paths": "^2.2.1",
         "express": "^5.0.1",
@@ -59,7 +58,7 @@
         "eslint-plugin-import": "^2.28.1",
         "eslint-plugin-prettier": "^5.0.0",
         "globals": "^16.1.0",
-        "prettier": "3.8.3",
+        "prettier": "3.6.2",
         "prettier-plugin-sh": "^0.18.0",
         "ts-node": "^10.9.1",
         "typescript": "^5.6.2",
@@ -969,9 +968,9 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-      "version": "5.0.6",
+      "version": "5.0.5",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
-      "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1640,9 +1639,9 @@
       "license": "MIT"
     },
     "node_modules/basic-ftp": {
-      "version": "5.3.1",
+      "version": "5.3.0",
-      "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.1.tgz",
+      "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.0.tgz",
-      "integrity": "sha512-bopVNp6ugyA150DDuZfPFdt1KZ5a94ZDiwX4hMgZDzF+GttD80lEy8kj98kbyhLXnPvhtIo93mdnLIjpCAeeOw==",
+      "integrity": "sha512-5K9eNNn7ywHPsYnFwjKgYH8Hf8B5emh7JKcPaVjjrMJFQQwGpwowEnZNEtHs7DfR7hCZsmaK3VA4HUK0YarT+w==",
       "license": "MIT",
       "engines": {
         "node": ">=10.0.0"
@@ -1937,16 +1936,12 @@
       }
     },
     "node_modules/cookie": {
-      "version": "1.1.1",
+      "version": "0.7.2",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-1.1.1.tgz",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
-      "integrity": "sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ==",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
       "license": "MIT",
       "engines": {
-        "node": ">=18"
+        "node": ">= 0.6"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
       }
     },
     "node_modules/cookie-parser": {
@@ -1962,15 +1957,6 @@
         "node": ">= 0.8.0"
       }
     },
-    "node_modules/cookie-parser/node_modules/cookie": {
-      "version": "0.7.2",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
-      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
     "node_modules/cookie-signature": {
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
@@ -2967,15 +2953,6 @@
         "url": "https://opencollective.com/express"
       }
     },
-    "node_modules/express/node_modules/cookie": {
-      "version": "0.7.2",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
-      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
     "node_modules/express/node_modules/cookie-signature": {
       "version": "1.2.2",
       "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz",
@@ -3660,9 +3637,9 @@
       }
     },
     "node_modules/ip-address": {
-      "version": "10.2.0",
+      "version": "10.1.0",
-      "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz",
+      "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz",
-      "integrity": "sha512-/+S6j4E9AHvW9SWMSEY9Xfy66O5PWvVEJ08O0y5JGyEKQpojb0K0GKpz/v5HJ/G0vi3D2sjGK78119oXZeE0qA==",
+      "integrity": "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==",
       "license": "MIT",
       "engines": {
         "node": ">= 12"
@@ -4153,19 +4130,9 @@
       "license": "ISC"
     },
     "node_modules/js-yaml": {
-      "version": "4.2.0",
+      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
-      "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==",
+      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/puzrin"
-        },
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/nodeca"
-        }
-      ],
       "license": "MIT",
       "dependencies": {
         "argparse": "^2.0.1"
@@ -5133,9 +5100,9 @@
       }
     },
     "node_modules/prettier": {
-      "version": "3.8.3",
+      "version": "3.6.2",
-      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.8.3.tgz",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.6.2.tgz",
-      "integrity": "sha512-7igPTM53cGHMW8xWuVTydi2KO233VFiTNyF5hLJqpilHfmn8C8gPf+PS7dUT64YcXFbiMGZxS9pCSxL/Dxm/Jw==",
+      "integrity": "sha512-I7AIg5boAr5R0FFtJ6rCfD+LFsWHp81dolrFD8S79U9tb8Az2nGrJncnMSnys+bpQJfRUzqs9hnA81OAA3hCuQ==",
       "dev": true,
       "license": "MIT",
       "bin": {
@@ -5230,9 +5197,9 @@
       }
     },
     "node_modules/qs": {
-      "version": "6.15.2",
+      "version": "6.15.0",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.0.tgz",
-      "integrity": "sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==",
+      "integrity": "sha512-mAZTtNCeetKMH+pSjrb76NAM8V9a05I9aBZOHztWy/UqcJdQYNsf59vrRKWnojAT9Y+GbIvoTBC++CPHqpDBhQ==",
       "license": "BSD-3-Clause",
       "dependencies": {
         "side-channel": "^1.1.0"
@@ -6646,9 +6613,9 @@
       "license": "ISC"
     },
     "node_modules/ws": {
-      "version": "8.21.0",
+      "version": "8.19.0",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.19.0.tgz",
-      "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==",
+      "integrity": "sha512-blAT2mjOEIi0ZzruJfIhb3nps74PRWTCz1IjglWEEpQl5XS/UNama6u2/rjFkDDouqr4L67ry+1aGIALViWjDg==",
       "license": "MIT",
       "engines": {
         "node": ">=10.0.0"

package.json

@@ -60,7 +60,7 @@
     "eslint-plugin-import": "^2.28.1",
     "eslint-plugin-prettier": "^5.0.0",
     "globals": "^16.1.0",
-    "prettier": "3.8.3",
+    "prettier": "3.6.2",
     "prettier-plugin-sh": "^0.18.0",
     "ts-node": "^10.9.1",
     "typescript": "^5.6.2",
@@ -70,7 +70,6 @@
     "@coder/logger": "^3.0.1",
     "argon2": "^0.44.0",
     "compression": "^1.7.4",
-    "cookie": "^1.1.1",
     "cookie-parser": "^1.4.6",
     "env-paths": "^2.2.1",
     "express": "^5.0.1",

patches/app-name.diff

@@ -1,46 +0,0 @@
-Apply --app-name to VS Code web page titles
-
-VS Code's `${appName}` title variable comes from `productService.nameLong` in the
-web client. code-server already injects per-request product configuration into
-VS Code's web bootstrap, so set `nameShort`/`nameLong` from the existing
-`--app-name` CLI arg there.
-
-This keeps the patch minimal and makes browser tab titles honor `--app-name`
-without changing unrelated product metadata.
-
-Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
-===================================================================
---- code-server.orig/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
-+++ code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
-@@ -24,6 +24,7 @@ export const serverOptions: OptionDescri
- 	'disable-getting-started-override': { type: 'boolean' },
- 	'locale': { type: 'string' },
- 	'link-protection-trusted-domains': { type: 'string[]' },
-+	'app-name': { type: 'string' },
- 
- 	/* ----- server setup ----- */
- 
-@@ -124,6 +125,7 @@ export interface ServerParsedArgs {
- 	'disable-getting-started-override'?: boolean,
- 	'locale'?: string
- 	'link-protection-trusted-domains'?: string[],
-+	'app-name'?: string,
- 
- 	/* ----- server setup ----- */
- 
-Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-===================================================================
---- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
-+++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -366,8 +366,11 @@ export class WebClientServer {
- 			linkProtectionTrustedDomains.push(...this._productService.linkProtectionTrustedDomains);
- 		}
- 
-+		const appName = this._environmentService.args['app-name'];
- 		const productConfiguration: Partial<Mutable<IProductConfiguration>> = {
- 			codeServerVersion: this._productService.codeServerVersion,
-+			nameShort: appName,
-+			nameLong: appName,
- 			rootEndpoint: rootBase,
- 			updateEndpoint: !this._environmentService.args['disable-update-check'] ? rootBase + '/update/check' : undefined,
- 			logoutEndpoint: this._environmentService.args['auth'] && this._environmentService.args['auth'] !== "none" ? rootBase + '/logout' : undefined,

patches/base-path.diff

@@ -263,7 +263,7 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
  	}
  
  	private startListening(): void {
-@@ -590,17 +591,6 @@ class WorkspaceProvider implements IWork
+@@ -584,17 +585,6 @@ class WorkspaceProvider implements IWork
  	}
  }
  
@@ -281,7 +281,7 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
  (function () {
  
  	// Find config by checking for DOM
-@@ -610,8 +600,8 @@ function readCookie(name: string): strin
+@@ -604,8 +594,8 @@ function readCookie(name: string): strin
  	if (!configElement || !configElementAttribute) {
  		throw new Error('Missing web configuration element');
  	}

patches/clipboard.diff

@@ -78,7 +78,7 @@ Index: code-server/lib/vscode/src/vs/platform/environment/common/argv.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/environment/common/argv.ts
 +++ code-server/lib/vscode/src/vs/platform/environment/common/argv.ts
-@@ -146,6 +146,7 @@ export interface NativeParsedArgs {
+@@ -149,6 +149,7 @@ export interface NativeParsedArgs {
  	'disable-chromium-sandbox'?: boolean;
  	sandbox?: boolean;
  	'enable-coi'?: boolean;

patches/copilot.diff

@@ -2,8 +2,8 @@ Index: code-server/lib/vscode/build/gulpfile.extensions.ts
 ===================================================================
 --- code-server.orig/lib/vscode/build/gulpfile.extensions.ts
 +++ code-server/lib/vscode/build/gulpfile.extensions.ts
-@@ -291,6 +291,29 @@ export const compileCopilotExtensionBuil
+@@ -294,6 +294,29 @@ export const compileCopilotExtensionBuil
- task.task(compileCopilotExtensionBuildTask);
+ gulp.task(compileCopilotExtensionBuildTask);
  
  /**
 + * Compiles the built-in copilot extension with proper `.vscodeignore` filtering
@@ -26,7 +26,7 @@ Index: code-server/lib/vscode/build/gulpfile.extensions.ts
 +		return Promise.resolve();
 +	})
 +));
-+task.task(compileCopilotExtensionFullBuildTask);
++gulp.task(compileCopilotExtensionFullBuildTask);
 +
 +/**
   * Compiles the extensions for the build.
@@ -36,15 +36,15 @@ Index: code-server/lib/vscode/build/lib/extensions.ts
 ===================================================================
 --- code-server.orig/lib/vscode/build/lib/extensions.ts
 +++ code-server/lib/vscode/build/lib/extensions.ts
-@@ -21,6 +21,7 @@ import { getProductionDependencies } fro
+@@ -24,6 +24,7 @@ import { getProductionDependencies } fro
  import { type IExtensionDefinition, getExtensionStream } from './builtInExtensions.ts';
  import { fetchUrls, fetchGithub } from './fetch.ts';
  import { createTsgoStream, spawnTsgo } from './tsgo.ts';
 +import { prepareBuiltInCopilotRipgrepShim } from './copilot.ts';
- import watcher from './watch/index.ts';
+ import vzip from 'gulp-vinyl-zip';
  
  import { createRequire } from 'module';
-@@ -483,6 +484,116 @@ export function packageCopilotExtensionS
+@@ -487,6 +488,116 @@ export function packageCopilotExtensionS
  	).pipe(util2.setExecutableBit(['**/*.sh']));
  }
  

patches/disable-builtin-ext-update.diff

@@ -7,7 +7,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
-@@ -345,6 +345,10 @@ export class Extension implements IExten
+@@ -342,6 +342,10 @@ export class Extension implements IExten
  			if (this.type === ExtensionType.System && this.productService.quality === 'stable' && !this.productService.builtInExtensionsEnabledWithAutoUpdates?.some(id => id.toLowerCase() === this.identifier.id.toLowerCase())) {
  				return false;
  			}

patches/display-language.diff

@@ -18,7 +18,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverServices.ts
  import { ProtocolConstants } from '../../base/parts/ipc/common/ipc.net.js';
  import { IConfigurationService } from '../../platform/configuration/common/configuration.js';
  import { ConfigurationService } from '../../platform/configuration/common/configurationService.js';
-@@ -359,6 +359,9 @@ export async function setupServerService
+@@ -301,6 +301,9 @@ export async function setupServerService
  
  		socketServer.registerChannel('mcpManagement', new McpManagementChannel(mcpManagementService, (ctx: RemoteAgentConnectionContext) => getUriTransformer(ctx.remoteAuthority)));
  
@@ -32,7 +32,7 @@ Index: code-server/lib/vscode/src/vs/platform/environment/common/environmentServ
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/environment/common/environmentService.ts
 +++ code-server/lib/vscode/src/vs/platform/environment/common/environmentService.ts
-@@ -98,7 +98,7 @@ export abstract class AbstractNativeEnvi
+@@ -112,7 +112,7 @@ export abstract class AbstractNativeEnvi
  			return URI.file(join(vscodePortable, 'argv.json'));
  		}
  
@@ -198,7 +198,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
  
  	/* ----- server setup ----- */
  
-@@ -120,6 +121,7 @@ export interface ServerParsedArgs {
+@@ -116,6 +117,7 @@ export interface ServerParsedArgs {
  	'disable-file-downloads'?: boolean;
  	'disable-file-uploads'?: boolean;
  	'disable-getting-started-override'?: boolean,

patches/external-file-actions.diff

@@ -99,7 +99,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
  
  	/* ----- server setup ----- */
  
-@@ -114,6 +116,8 @@ export interface ServerParsedArgs {
+@@ -110,6 +112,8 @@ export interface ServerParsedArgs {
  	/* ----- code-server ----- */
  	'disable-update-check'?: boolean;
  	'auth'?: string;
@@ -207,7 +207,7 @@ Index: code-server/lib/vscode/src/vs/workbench/common/contextkeys.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/common/contextkeys.ts
 +++ code-server/lib/vscode/src/vs/workbench/common/contextkeys.ts
-@@ -40,6 +40,9 @@ export const EmbedderIdentifierContext =
+@@ -41,6 +41,9 @@ export const EmbedderIdentifierContext =
  
  export const InAutomationContext = new RawContextKey<boolean>('inAutomation', false, localize('inAutomation', "Whether VS Code is running under automation/smoke test"));
  

patches/getting-started.diff

@@ -28,7 +28,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/bro
  import { IEditorOpenContext, IEditorSerializer } from '../../../common/editor.js';
  import { IWebviewElement, IWebviewService } from '../../webview/browser/webview.js';
  import './gettingStartedColors.js';
-@@ -928,6 +928,72 @@ export class GettingStartedPage extends
+@@ -925,6 +925,72 @@ export class GettingStartedPage extends
  			$('p.subtitle.description', {}, localize({ key: 'gettingStarted.editingEvolved', comment: ['Shown as subtitle on the Welcome page.'] }, "Editing evolved"))
  		);
  
@@ -101,7 +101,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/bro
  		const leftColumn = $('.categories-column.categories-column-left', {},);
  		const rightColumn = $('.categories-column.categories-column-right', {},);
  
-@@ -977,6 +1043,9 @@ export class GettingStartedPage extends
+@@ -974,6 +1040,9 @@ export class GettingStartedPage extends
  				recentList.setLimit(5);
  				reset(leftColumn, startList.getDomElement(), recentList.getDomElement());
  			}
@@ -189,7 +189,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
  
  	/* ----- server setup ----- */
  
-@@ -118,6 +119,7 @@ export interface ServerParsedArgs {
+@@ -114,6 +115,7 @@ export interface ServerParsedArgs {
  	'auth'?: string;
  	'disable-file-downloads'?: boolean;
  	'disable-file-uploads'?: boolean;
@@ -234,7 +234,7 @@ Index: code-server/lib/vscode/src/vs/workbench/common/contextkeys.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/common/contextkeys.ts
 +++ code-server/lib/vscode/src/vs/workbench/common/contextkeys.ts
-@@ -42,6 +42,7 @@ export const InAutomationContext = new R
+@@ -43,6 +43,7 @@ export const InAutomationContext = new R
  
  export const IsEnabledFileDownloads = new RawContextKey<boolean>('isEnabledFileDownloads', true, true);
  export const IsEnabledFileUploads = new RawContextKey<boolean>('isEnabledFileUploads', true, true);

patches/logout.diff

@@ -28,7 +28,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
  
  	/* ----- server setup ----- */
  
-@@ -112,6 +113,7 @@ export const serverOptions: OptionDescri
+@@ -108,6 +109,7 @@ export const serverOptions: OptionDescri
  export interface ServerParsedArgs {
  	/* ----- code-server ----- */
  	'disable-update-check'?: boolean;

patches/proxy-uri.diff

@@ -104,7 +104,7 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
  import type { IURLCallbackProvider } from '../../../workbench/services/url/browser/urlService.js';
  import { create } from '../../../workbench/workbench.web.main.internal.js';
  
-@@ -612,6 +613,39 @@ class WorkspaceProvider implements IWork
+@@ -606,6 +607,39 @@ class WorkspaceProvider implements IWork
  		settingsSyncOptions: config.settingsSyncOptions ? { enabled: config.settingsSyncOptions.enabled, } : undefined,
  		workspaceProvider: WorkspaceProvider.create(config),
  		urlCallbackProvider: new LocalStorageURLCallbackProvider(config.callbackRoute),

patches/series

@@ -23,4 +23,3 @@ display-language.diff
 trusted-domains.diff
 signature-verification.diff
 copilot.diff
-app-name.diff

patches/sourcemaps.diff

@@ -6,7 +6,7 @@ Index: code-server/lib/vscode/build/gulpfile.reh.ts
 ===================================================================
 --- code-server.orig/lib/vscode/build/gulpfile.reh.ts
 +++ code-server/lib/vscode/build/gulpfile.reh.ts
-@@ -296,10 +296,15 @@ function packageTask(type: string, platf
+@@ -261,10 +261,15 @@ function packageTask(type: string, platf
  	const destination = path.join(BUILD_ROOT, destinationFolderName);
  
  	return () => {

patches/telemetry.diff

@@ -28,7 +28,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverServices.ts
  import { NullPolicyService } from '../../platform/policy/common/policy.js';
  import { OneDataSystemAppender } from '../../platform/telemetry/node/1dsAppender.js';
  import { LoggerService } from '../../platform/log/node/loggerService.js';
-@@ -176,11 +178,23 @@ export async function setupServerService
+@@ -174,11 +176,23 @@ export async function setupServerService
  	const requestService = new RequestService('remote', configurationService, environmentService, logService);
  	services.set(IRequestService, requestService);
  

patches/trusted-domains.diff

@@ -12,7 +12,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
  
  	/* ----- server setup ----- */
  
-@@ -122,6 +123,7 @@ export interface ServerParsedArgs {
+@@ -118,6 +119,7 @@ export interface ServerParsedArgs {
  	'disable-file-uploads'?: boolean;
  	'disable-getting-started-override'?: boolean,
  	'locale'?: string

patches/update-check.diff

@@ -134,7 +134,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
  
  	/* ----- server setup ----- */
  
-@@ -108,6 +110,8 @@ export const serverOptions: OptionDescri
+@@ -104,6 +106,8 @@ export const serverOptions: OptionDescri
  };
  
  export interface ServerParsedArgs {

patches/webview.diff

@@ -41,7 +41,7 @@ Index: code-server/lib/vscode/src/vs/workbench/services/environment/browser/envi
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
 +++ code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
-@@ -226,7 +226,7 @@ export class BrowserWorkbenchEnvironment
+@@ -223,7 +223,7 @@ export class BrowserWorkbenchEnvironment
  
  	@memoize
  	get webviewExternalEndpoint(): string {
@@ -70,8 +70,8 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
  	<meta charset="UTF-8">
  
  	<meta http-equiv="Content-Security-Policy"
--		content="default-src 'none'; script-src 'sha256-nXjtuhBilO++r8hfxl5VjEScSmdm07wDAk6jw228DgM=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+-		content="default-src 'none'; script-src 'sha256-q+WTr+fBXpLLE3++yWNaxT6BTWQtsKscoeIlynBRk4E=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
-+		content="default-src 'none'; script-src 'sha256-A6/szVNdTzyi4hDa+9OLbzS8tSd2iUV4CqimLNWex2Y=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
++		content="default-src 'none'; script-src 'sha256-m1DlJtsIJd46QuWYNcsaYIG1xI+9FyjKQu+cfp+zq5Q=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
  
  	<!-- Disable pinch zooming -->
  	<meta name="viewport"

src/node/cli.ts

@@ -677,7 +677,9 @@ export async function setDefaults(cliArgs: UserProvidedArgs, configArgs?: Config
   }
   args["proxy-domain"] = finalProxies
 
-  args["app-name"] ??= process.env.CODE_SERVER_APP_NAME || "code-server"
+  if (!args["app-name"]) {
+    args["app-name"] = "code-server"
+  }
 
   args._ = getResolvedPathsFromArgs(args)
 

src/node/proxy.ts

@@ -1,7 +1,5 @@
-import * as cookie from "cookie"
-import type { Request } from "express"
 import proxyServer from "http-proxy"
-import { getCookieSessionName, HttpCode } from "../common/http"
+import { HttpCode } from "../common/http"
 
 export const proxy = proxyServer.createProxyServer({})
 
@@ -20,19 +18,6 @@ proxy.on("error", (error, _, res) => {
   }
 })
 
-// Strip the code-server cookie if it exists to avoid transmitting the cookie
-// to potentially malicious local ports.
-proxy.on("proxyReq", (preq, req) => {
-  const cookieSessionName = getCookieSessionName((req as Request).args["cookie-suffix"])
-  preq.setHeader(
-    "Cookie",
-    cookie.stringifyCookie({
-      ...(req as Request).cookies,
-      [cookieSessionName]: undefined,
-    }),
-  )
-})
-
 // Intercept the response to rewrite absolute redirects against the base path.
 // Is disabled when the request has no base path which means /absproxy is in use.
 proxy.on("proxyRes", (res, req) => {

test/e2e/appName.test.ts

@@ -1,9 +0,0 @@
-import { version } from "../../src/node/constants"
-import { describe, test, expect } from "./baseFixture"
-
-const appName = "testnäme"
-describe("--app-name", [`--app-name=${appName}`], {}, () => {
-  test("should use app-name for the title", async ({ codeServerPage }) => {
-    expect(await codeServerPage.page.title()).toContain(appName)
-  })
-})

test/playwright.config.ts

@@ -5,10 +5,10 @@ import path from "path"
 // The default configuration runs all tests in three browsers with workers equal
 // to half the available threads. See 'npm run test:e2e --help' to customize
 // from the command line. For example:
-//   npm run test:e2e -- --workers 1        # Run with one worker
+//   npm run test:e2e --workers 1        # Run with one worker
-//   npm run test:e2e -- --project Chromium # Only run on Chromium
+//   npm run test:e2e --project Chromium # Only run on Chromium
-//   npm run test:e2e -- --grep login       # Run tests matching "login"
+//   npm run test:e2e --grep login       # Run tests matching "login"
-//   PWDEBUG=1 npm run test:e2e             # Run Playwright inspector
+//   PWDEBUG=1 npm run test:e2e          # Run Playwright inspector
 const config: PlaywrightTestConfig = {
   testDir: path.join(__dirname, "e2e"), // Search for tests in this directory.
   timeout: 60000, // Each test is given 60 seconds.

test/unit/node/proxy.test.ts

@@ -1,12 +1,15 @@
 import * as express from "express"
+import * as http from "http"
+import nodeFetch from "node-fetch"
 import { HttpCode } from "../../../src/common/http"
+import { proxy } from "../../../src/node/proxy"
 import { wss, Router as WsRouter } from "../../../src/node/wsRouter"
-import { mockLogger } from "../../utils/helpers"
+import { getAvailablePort, mockLogger } from "../../utils/helpers"
 import * as httpserver from "../../utils/httpserver"
 import * as integration from "../../utils/integration"
 
 describe("proxy", () => {
-  const proxyTarget = new httpserver.HttpServer()
+  const nhooyrDevServer = new httpserver.HttpServer()
   const wsApp = express.default()
   const wsRouter = WsRouter()
   let codeServer: httpserver.HttpServer | undefined
@@ -16,22 +19,21 @@ describe("proxy", () => {
 
   beforeAll(async () => {
     wsApp.use("/", wsRouter.router)
-    await proxyTarget.listen((req, res) => {
+    await nhooyrDevServer.listen((req, res) => {
       e(req, res)
     })
-    proxyTarget.listenUpgrade(wsApp)
+    nhooyrDevServer.listenUpgrade(wsApp)
-    proxyPath = `/proxy/${proxyTarget.port()}/wsup`
+    proxyPath = `/proxy/${nhooyrDevServer.port()}/wsup`
     absProxyPath = proxyPath.replace("/proxy/", "/absproxy/")
   })
 
   afterAll(async () => {
-    await proxyTarget.dispose()
+    await nhooyrDevServer.dispose()
   })
 
   beforeEach(() => {
     e = express.default()
     mockLogger()
-    delete process.env.PASSWORD
   })
 
   afterEach(async () => {
@@ -281,42 +283,65 @@ describe("proxy", () => {
     const resp = await codeServer.fetch(proxyPath, { method: "OPTIONS" })
     expect(resp.status).toBe(200)
   })
+})
 
-  it("should return a 500 when no target is running ", async () => {
+// NOTE@jsjoeio
-    const target = new httpserver.HttpServer()
+// Both this test suite and the one above it are very similar
-    await target.listen(() => {})
+// The main difference is this one uses http and node-fetch
-    const port = target.port()
+// and specifically tests the proxy in isolation vs. using
-    target.dispose()
+// the httpserver abstraction we've built.
-    codeServer = await integration.setup(["--auth=none"], "")
+//
-    const resp = await codeServer.fetch(`/proxy/${port}/wsup`)
+// Leaving this as a separate test suite for now because
-    expect(resp.status).toBe(HttpCode.ServerError)
+// we may consider refactoring the httpserver abstraction
-    expect(resp.statusText).toBe("Internal Server Error")
+// in the future.
+//
+// If you're writing a test specifically for code in
+// src/node/proxy.ts, you should probably add it to
+// this test suite.
+describe("proxy (standalone)", () => {
+  let URL = ""
+  let PROXY_URL = ""
+  let testServer: http.Server
+  let proxyTarget: http.Server
+
+  beforeEach(async () => {
+    const PORT = await getAvailablePort()
+    const PROXY_PORT = await getAvailablePort()
+    URL = `http://localhost:${PORT}`
+    PROXY_URL = `http://localhost:${PROXY_PORT}`
+    // Define server and a proxy server
+    testServer = http.createServer((req, res) => {
+      proxy.web(req, res, {
+        target: PROXY_URL,
+      })
+    })
+
+    proxyTarget = http.createServer((req, res) => {
+      res.writeHead(200, { "Content-Type": "text/plain" })
+      res.end()
+    })
+
+    // Start both servers
+    proxyTarget.listen(PROXY_PORT)
+    testServer.listen(PORT)
   })
 
-  it("should strip token cookie", async () => {
+  afterEach(async () => {
-    const token = "my-super-secure-token"
+    testServer.close()
-    process.env.HASHED_PASSWORD = token
+    proxyTarget.close()
-    codeServer = await integration.setup(["--auth=password"])
+  })
 
-    // Set up a listener that just prints the cookies it got.
+  it("should return a 500 when proxy target errors ", async () => {
-    e.get("/wsup/cookies", (req, res) => {
+    // Close the proxy target so that proxy errors
-      res.writeHead(HttpCode.Ok, { "Content-Type": "text/plain" })
+    proxyTarget.close()
-      res.end(req.headers.cookie)
+    const errorResp = await nodeFetch(`${URL}/error`)
-    })
+    expect(errorResp.status).toBe(HttpCode.ServerError)
+    expect(errorResp.statusText).toBe("Internal Server Error")
+  })
 
-    // Send the token along with other cookies which should be preserved.
+  it("should proxy correctly", async () => {
-    // Encode one to make sure they are being re-encoded properly.
+    const resp = await nodeFetch(`${URL}/route`)
-    const value = "hello=there"
-    const encodedValue = encodeURIComponent(value)
-    const resp = await codeServer.fetch(proxyPath + "/cookies", {
-      headers: {
-        cookie: `cookie1=${encodedValue}; code-server-session=${token}; cookie2=hello;`,
-      },
-    })
-
-    // The proxied listener should not have printed the code-server token.
     expect(resp.status).toBe(200)
-    const text = await resp.text()
+    expect(resp.statusText).toBe("OK")
-    expect(text).toBe(`cookie1=${encodedValue}; cookie2=hello`)
   })
 })