Update Code to 1.110.0 (#7694)

* Update Code to 1.110.0
* Fix protected field error
* Lower mangle workers to 2 to fix oom
* Remove build timeouts

.eslintrc.yaml

@@ -1,43 +0,0 @@
-parser: "@typescript-eslint/parser"
-env:
-  browser: true
-  es6: true # Map, etc.
-  jest: true
-  node: true
-
-parserOptions:
-  ecmaVersion: 2018
-  sourceType: module
-
-extends:
-  - eslint:recommended
-  - plugin:@typescript-eslint/recommended
-  - plugin:import/recommended
-  - plugin:import/typescript
-  - plugin:prettier/recommended
-  # Prettier should always be last
-  # Removes eslint rules that conflict with prettier.
-  - prettier
-
-rules:
-  # Sometimes you need to add args to implement a function signature even
-  # if they are unused.
-  "@typescript-eslint/no-unused-vars": ["error", { "args": "none" }]
-  # For overloads.
-  no-dupe-class-members: off
-  "@typescript-eslint/no-use-before-define": off
-  "@typescript-eslint/no-non-null-assertion": off
-  "@typescript-eslint/ban-types": off
-  "@typescript-eslint/no-var-requires": off
-  "@typescript-eslint/explicit-module-boundary-types": off
-  "@typescript-eslint/no-explicit-any": off
-  "@typescript-eslint/no-extra-semi": off
-  eqeqeq: error
-  import/order:
-    [error, { alphabetize: { order: "asc" }, groups: [["builtin", "external", "internal"], "parent", "sibling"] }]
-  no-async-promise-executor: off
-
-settings:
-  import/resolver:
-    typescript:
-      alwaysTryTypes: true

.git-blame-ignore-revs

@@ -0,0 +1,2 @@
+# Prettier 3.4.2
+9b0340a09276f93c054d705d1b9a5f24cc5dbc97

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -1,6 +1,5 @@
 name: Bug report
 description: File a bug report
-title: "[Bug]: "
 labels: ["bug", "triage"]
 body:
   - type: checkboxes
@@ -10,6 +9,7 @@ body:
       options:
         - label: I have searched the existing issues
           required: true
+
   - type: textarea
     attributes:
       label: OS/Web Information
@@ -20,6 +20,8 @@ body:
           - **Remote OS**: Ubuntu
           - **Remote Architecture**: amd64
           - **`code-server --version`**: 4.0.1
+
+        Please do not just put "latest" for the version.
       value: |
         - Web Browser:
         - Local OS:
@@ -28,58 +30,94 @@ body:
         - `code-server --version`:
     validations:
       required: true
+
   - type: textarea
     attributes:
       label: Steps to Reproduce
       description: |
-        1. open code-server
-        2. install extension
-        3. run command
+        Please describe exactly how to reproduce the bug. For example:
+        1. Open code-server in Firefox
+        2. Install extension `foo.bar` from the extensions sidebar
+        3. Run command `foo.bar.baz`
       value: |
-        1. 
+        1.
         2.
         3.
     validations:
       required: true
+
   - type: textarea
     attributes:
       label: Expected
       description: What should happen?
     validations:
       required: true
+
   - type: textarea
     attributes:
       label: Actual
       description: What actually happens?
     validations:
       required: true
+
   - type: textarea
     id: logs
     attributes:
       label: Logs
-      description: Run code-server with the --verbose flag and then paste any relevant logs from the server, from the browser console and/or the browser network tab. For issues with installation, include installation logs (i.e. output of `yarn global add code-server`).
+      description: Run code-server with the --verbose flag and then paste any relevant logs from the server, from the browser console and/or the browser network tab. For issues with installation, include installation logs (i.e. output of `npm install -g code-server`).
+      render: shell
+
   - type: textarea
     attributes:
       label: Screenshot/Video
       description: Please include a screenshot, gif or screen recording of your issue.
     validations:
       required: false
+
+  - type: dropdown
+    attributes:
+      label: Does this bug reproduce in native VS Code?
+      description: If the bug reproduces in native VS Code, submit the issue upstream instead (https://github.com/microsoft/vscode).
+      options:
+        - Yes, this is also broken in native VS Code
+        - No, this works as expected in native VS Code
+        - This cannot be tested in native VS Code
+        - I did not test native VS Code
+    validations:
+      required: true
+
+  - type: dropdown
+    attributes:
+      label: Does this bug reproduce in VS Code web?
+      description: If the bug reproduces in VS Code web, submit the issue upstream instead (https://github.com/microsoft/vscode). You can run VS Code web with `code serve-web` (this is not the same as vscode.dev).
+      options:
+        - Yes, this is also broken in VS Code web
+        - No, this works as expected in VS Code web
+        - This cannot be tested in VS Code web
+        - I did not test VS Code web
+    validations:
+      required: true
+
+  - type: dropdown
+    attributes:
+      label: Does this bug reproduce in GitHub Codespaces?
+      description: If the bug reproduces in GitHub Codespaces, submit the issue upstream instead (https://github.com/microsoft/vscode).
+      options:
+        - Yes, this is also broken in GitHub Codespaces
+        - No, this works as expected in GitHub Codespaces
+        - This cannot be tested in GitHub Codespaces
+        - I did not test GitHub Codespaces
+    validations:
+      required: true
+
   - type: checkboxes
     attributes:
-      label: Does this issue happen in VS Code or GitHub Codespaces?
-      description: Please try reproducing this issue in VS Code or GitHub Codespaces
+      label: Are you accessing code-server over a secure context?
+      description: code-server relies on service workers (which only work in secure contexts) for many features. Double-check that you are using a secure context like HTTPS or localhost.
       options:
-        - label: I cannot reproduce this in VS Code.
-          required: true
-        - label: I cannot reproduce this in GitHub Codespaces.
-          required: true
-  - type: checkboxes
-    attributes:
-      label: Are you accessing code-server over HTTPS?
-      description: code-server relies on service workers for many features. Double-check that you are using HTTPS.
-      options:
-        - label: I am using HTTPS.
-          required: true
+        - label: I am using a secure context.
+          required: false
+
   - type: textarea
     attributes:
       label: Notes

.github/ISSUE_TEMPLATE/doc.md

@@ -1,9 +1,7 @@
 ---
 name: Documentation improvement
 about: Suggest a documentation improvement
-title: "[Docs]: "
 labels: "docs"
-assignees: "@jsjoeio"
 ---
 
 ## What is your suggestion?

.github/ISSUE_TEMPLATE/feature-request.md

@@ -1,9 +1,7 @@
 ---
 name: Feature request
 about: Suggest an idea to improve code-server
-title: "[Feat]: "
 labels: enhancement
-assignees: ""
 ---
 
 ## What is your suggestion?

.github/PULL_REQUEST_TEMPLATE/release_template.md

@@ -1,17 +0,0 @@
-<!-- Note: this variable $CODE_SERVER_VERSION_TO_UPDATE will be set when you run the release-prep.sh script with `yarn release:prep` -->
-
-This PR is to generate a new release of `code-server` at `$CODE_SERVER_VERSION_TO_UPDATE`
-
-## Screenshot
-
-TODO
-
-## TODOs
-
-Follow "Publishing a release" steps in `ci/README.md`
-
-<!-- Note some of these steps below are redundant since they're listed in the "Publishing a release" docs -->
-
-- [ ] update `CHANGELOG.md`
-- [ ] manually run "Draft release" workflow after merging this PR
-- [ ] merge PR opened in [code-server-aur](https://github.com/coder/code-server-aur)

.github/ranger.yml

@@ -1,29 +0,0 @@
-# Configuration for the repo ranger bot
-# See docs: https://www.notion.so/Documentation-8d7627bb1f3c42b7b1820e8d6f157a57#9879d1374fab4d1f9c607c230fd5123d
-default:
-  close:
-    # Default time to wait before closing the label. Can either be a number in milliseconds
-    # or a string specified by the `ms` package (https://www.npmjs.com/package/ms)
-    delay: "2 days"
-
-    # Default comment to post when an issue is first marked with a closing label
-    comment: "⚠️ This issue has been marked $LABEL and will be closed in $DELAY."
-
-labels:
-  duplicate: close
-  wontfix: close
-  "squash when passing": merge
-  "rebase when passing": merge
-  "merge when passing": merge
-  "new contributor":
-    action: comment
-    delay: 5s
-    message: "Thanks for making your first contribution! :slightly_smiling_face:"
-  "upstream:vscode":
-    action: close
-    delay: 5s
-    comment: >
-      This issue has been marked as 'upstream:vscode'.
-      Please file this upstream: [link to open issue](https://github.com/microsoft/vscode/issues/new/choose)
-
-      This issue will automatically close in $DELAY.

.github/workflows/build.yaml

@@ -19,386 +19,270 @@ concurrency:
 # this ensures that it only executes if all previous jobs succeeded.
 
 # if: steps.cache-node-modules.outputs.cache-hit != 'true'
-# will skip running `yarn install` if it successfully fetched from cache
+# will skip running `npm install` if it successfully fetched from cache
 
 jobs:
-  prettier:
-    name: Format with Prettier
-    runs-on: ubuntu-20.04
-    timeout-minutes: 5
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      ci: ${{ steps.filter.outputs.ci }}
+      code: ${{ steps.filter.outputs.code }}
+      deps: ${{ steps.filter.outputs.deps }}
+      docs: ${{ steps.filter.outputs.docs }}
+      helm: ${{ steps.filter.outputs.helm }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
-
-      - name: Run prettier with actionsx/prettier
-        uses: actionsx/prettier@v3
+        uses: actions/checkout@v6
+      - name: Check changed files
+        uses: dorny/paths-filter@v3
+        id: filter
         with:
-          args: --check --loglevel=warn .
+          filters: |
+            ci:
+              - ".github/**"
+              - "ci/**"
+            docs:
+              - "docs/**"
+              - "README.md"
+              - "CHANGELOG.md"
+            helm:
+              - "ci/helm-chart/**"
+            code:
+              - "src/**"
+              - "test/**"
+            deps:
+              - "lib/**"
+              - "patches/**"
+              - "package-lock.json"
+              - "test/package-lock.json"
+      - id: debug
+        run: |
+          echo "${{ toJSON(steps.filter )}}"
+
+  prettier:
+    name: Run prettier check
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version-file: .node-version
+          cache: npm
+          cache-dependency-path: |
+            package-lock.json
+            test/package-lock.json
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
+      - run: npx prettier --check .
 
   doctoc:
     name: Doctoc markdown files
-    runs-on: ubuntu-20.04
-    timeout-minutes: 5
+    runs-on: ubuntu-22.04
+    needs: changes
+    if: needs.changes.outputs.docs == 'true'
     steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v38
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
-          files: |
-            docs/**
-
-      - name: Install Node.js v18
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: actions/setup-node@v3
-        with:
-          node-version: "18"
-          cache: "yarn"
-
-      - name: Install doctoc
-        run: yarn global add doctoc@2.2.1
-
-      - name: Run doctoc
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: yarn doctoc
+          node-version-file: .node-version
+          cache: npm
+          cache-dependency-path: |
+            package-lock.json
+            test/package-lock.json
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
+      - run: npm run doctoc
 
   lint-helm:
     name: Lint Helm chart
-    runs-on: ubuntu-20.04
-    timeout-minutes: 5
+    runs-on: ubuntu-22.04
+    needs: changes
+    if: needs.changes.outputs.helm == 'true'
     steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v38
-        with:
-          files: |
-            ci/helm-chart/**
-
-      - name: Install helm
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: azure/setup-helm@v3.5
+      - uses: actions/checkout@v6
+      - uses: azure/setup-helm@v4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Install helm kubeval plugin
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: helm plugin install https://github.com/instrumenta/helm-kubeval
-
-      - name: Lint Helm chart
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: helm kubeval ci/helm-chart
+      - run: helm plugin install https://github.com/instrumenta/helm-kubeval
+      - run: helm kubeval ci/helm-chart
 
   lint-ts:
     name: Lint TypeScript files
-    runs-on: ubuntu-20.04
-    timeout-minutes: 5
+    runs-on: ubuntu-22.04
+    needs: changes
+    if: needs.changes.outputs.code == 'true'
     steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
-          fetch-depth: 2
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v38
-        with:
-          files: |
-            **/*.ts
-            **/*.js
-          files_ignore: |
-            lib/vscode/**
-
-      - name: Install Node.js v18
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: actions/setup-node@v3
-        with:
-          node-version: "18"
-
-      - name: Fetch dependencies from cache
-        if: steps.changed-files.outputs.any_changed == 'true'
-        id: cache-node-modules
-        uses: actions/cache@v3
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            yarn-build-
-
-      - name: Install dependencies
-        if: steps.changed-files.outputs.any_changed == 'true' && steps.cache-node-modules.outputs.cache-hit != 'true'
-        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
-
-      - name: Lint TypeScript files
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: yarn lint:ts
+          node-version-file: .node-version
+          cache: npm
+          cache-dependency-path: |
+            package-lock.json
+            test/package-lock.json
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
+      - run: npm run lint:ts
 
   lint-actions:
     name: Lint GitHub Actions
     runs-on: ubuntu-latest
+    needs: changes
+    if: needs.changes.outputs.ci == 'true'
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
       - name: Check workflow files
         run: |
-          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash)
-          ./actionlint -color -shellcheck= -ignore "set-output"
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.9
+          ./actionlint -color -shellcheck= -ignore "softprops/action-gh-release"
         shell: bash
 
   test-unit:
     name: Run unit tests
-    runs-on: ubuntu-20.04
-    timeout-minutes: 5
+    runs-on: ubuntu-22.04
+    needs: changes
+    if: needs.changes.outputs.code == 'true'
     steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
-          fetch-depth: 2
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v38
-        with:
-          files: |
-            **/*.ts
-          files_ignore: |
-            lib/vscode/**
-
-      - name: Install Node.js v18
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: actions/setup-node@v3
-        with:
-          node-version: "18"
-
-      - name: Fetch dependencies from cache
-        if: steps.changed-files.outputs.any_changed == 'true'
-        id: cache-node-modules
-        uses: actions/cache@v3
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            yarn-build-
-
-      - name: Install dependencies
-        if: steps.changed-files.outputs.any_changed == 'true' && steps.cache-node-modules.outputs.cache-hit != 'true'
-        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
-
-      - name: Run unit tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: yarn test:unit
-
-      - name: Upload coverage report to Codecov
-        uses: codecov/codecov-action@v3
+          node-version-file: .node-version
+          cache: npm
+          cache-dependency-path: |
+            package-lock.json
+            test/package-lock.json
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
+      - run: npm run test:unit
+      - uses: codecov/codecov-action@v5
+        if: success()
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
-        if: success()
 
   build:
     name: Build code-server
-    runs-on: ubuntu-20.04
-    timeout-minutes: 60
+    runs-on: ubuntu-22.04
     env:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      DISABLE_V8_COMPILE_CACHE: 1
     steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
+      - uses: actions/checkout@v6
         with:
           submodules: true
-
-      - name: Install system dependencies
-        run: sudo apt update && sudo apt install -y libkrb5-dev
-
-      - name: Install quilt
-        uses: awalsh128/cache-apt-pkgs-action@latest
+      - run: sudo apt update && sudo apt install -y libkrb5-dev
+      - uses: awalsh128/cache-apt-pkgs-action@latest
         with:
           packages: quilt
           version: 1.0
-
-      - name: Patch Code
-        run: quilt push -a
-
-      - name: Install Node.js v18
-        uses: actions/setup-node@v3
+      - run: quilt push -a
+      - uses: actions/setup-node@v6
         with:
-          node-version: "18"
-
-      - name: Fetch dependencies from cache
-        id: cache-node-modules
-        uses: actions/cache@v3
-        with:
-          path: "**/node_modules"
-          key: yarn-build-code-server-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            yarn-build-code-server-
-
-      - name: Install dependencies
-        if: steps.cache-node-modules.outputs.cache-hit != 'true'
-        run: yarn --frozen-lockfile
-
-      - name: Build code-server
+          node-version-file: .node-version
+          cache: npm
+          cache-dependency-path: |
+            package-lock.json
+            test/package-lock.json
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
+      - run: npm run build
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: yarn build
-
       # Get Code's git hash.  When this changes it means the content is
       # different and we need to rebuild.
       - name: Get latest lib/vscode rev
         id: vscode-rev
         run: echo "rev=$(git rev-parse HEAD:./lib/vscode)" >> $GITHUB_OUTPUT
-
       # We need to rebuild when we have a new version of Code, when any of
       # the patches changed, or when the code-server version changes (since
       # it gets embedded into the code).  Use VSCODE_CACHE_VERSION to
       # force a rebuild.
       - name: Fetch prebuilt Code package from cache
         id: cache-vscode
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: lib/vscode-reh-web-*
           key: vscode-reh-package-${{ secrets.VSCODE_CACHE_VERSION }}-${{ steps.vscode-rev.outputs.rev }}-${{ hashFiles('patches/*.diff', 'ci/build/build-vscode.sh') }}
-
       - name: Build vscode
         env:
           VERSION: "0.0.0"
         if: steps.cache-vscode.outputs.cache-hit != 'true'
-        run: yarn build:vscode
-
+        run: |
+          pushd lib/vscode
+          npm ci
+          popd
+          npm run build:vscode
       # The release package does not contain any native modules
       # and is neutral to architecture/os/libc version.
-      - name: Create release package
-        run: yarn release
+      - run: npm run release
         if: success()
-
       # https://github.com/actions/upload-artifact/issues/38
-      - name: Compress release package
-        run: tar -czf package.tar.gz release
-
-      - name: Upload npm package artifact
-        uses: actions/upload-artifact@v3
+      - run: tar -czf package.tar.gz release
+      - uses: actions/upload-artifact@v7
         with:
           name: npm-package
           path: ./package.tar.gz
 
   test-e2e:
     name: Run e2e tests
-    needs: build
-    runs-on: ubuntu-20.04
-    timeout-minutes: 25
+    runs-on: ubuntu-22.04
+    needs: [changes, build]
+    if: needs.changes.outputs.code == 'true' || needs.changes.outputs.deps == 'true'
     steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-
-      - name: Install system dependencies
-        run: sudo apt update && sudo apt install -y libkrb5-dev
-
-      - name: Install Node.js v18
-        uses: actions/setup-node@v3
+      - uses: actions/checkout@v6
+      - run: sudo apt update && sudo apt install -y libkrb5-dev
+      - uses: actions/setup-node@v6
         with:
-          node-version: "18"
-
-      - name: Fetch dependencies from cache
-        id: cache-node-modules
-        uses: actions/cache@v3
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            yarn-build-
-
-      - name: Download npm package
-        uses: actions/download-artifact@v3
+          node-version-file: .node-version
+          cache: npm
+          cache-dependency-path: |
+            package-lock.json
+            test/package-lock.json
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
+      - uses: actions/download-artifact@v8
         with:
           name: npm-package
-
-      - name: Decompress npm package
-        run: tar -xzf package.tar.gz
-
-      - name: Install release package dependencies
-        run: cd release && npm install --unsafe-perm --omit=dev
-
-      - name: Install dependencies
-        if: steps.cache-node-modules.outputs.cache-hit != 'true'
-        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
-
+      - run: tar -xzf package.tar.gz
+      - run: cd release && npm install --unsafe-perm --omit=dev
       - name: Install Playwright OS dependencies
         run: |
           ./test/node_modules/.bin/playwright install-deps
           ./test/node_modules/.bin/playwright install
-
-      - name: Run end-to-end tests
-        run: CODE_SERVER_TEST_ENTRY=./release yarn test:e2e
-
-      - name: Upload test artifacts
+      - run: CODE_SERVER_TEST_ENTRY=./release npm run test:e2e
+      - uses: actions/upload-artifact@v7
         if: always()
-        uses: actions/upload-artifact@v3
         with:
           name: failed-test-videos
           path: ./test/test-results
-
-      - name: Remove release packages and test artifacts
-        run: rm -rf ./release ./test/test-results
+      - run: rm -rf ./release ./test/test-results
 
   test-e2e-proxy:
     name: Run e2e tests behind proxy
-    needs: build
-    runs-on: ubuntu-20.04
-    timeout-minutes: 25
+    runs-on: ubuntu-22.04
+    needs: [changes, build]
+    if: needs.changes.outputs.code == 'true' || needs.changes.outputs.deps == 'true'
     steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-
-      - name: Install system dependencies
-        run: sudo apt update && sudo apt install -y libkrb5-dev
-
-      - name: Install Node.js v18
-        uses: actions/setup-node@v3
+      - uses: actions/checkout@v6
+      - run: sudo apt update && sudo apt install -y libkrb5-dev
+      - uses: actions/setup-node@v6
         with:
-          node-version: "18"
-
-      - name: Fetch dependencies from cache
-        id: cache-node-modules
-        uses: actions/cache@v3
-        with:
-          path: "**/node_modules"
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            yarn-build-
-
-      - name: Download npm package
-        uses: actions/download-artifact@v3
+          node-version-file: .node-version
+          cache: npm
+          cache-dependency-path: |
+            package-lock.json
+            test/package-lock.json
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
+      - uses: actions/download-artifact@v8
         with:
           name: npm-package
-
-      - name: Decompress npm package
-        run: tar -xzf package.tar.gz
-
-      - name: Install release package dependencies
-        run: cd release && npm install --unsafe-perm --omit=dev
-
-      - name: Install dependencies
-        if: steps.cache-node-modules.outputs.cache-hit != 'true'
-        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
-
+      - run: tar -xzf package.tar.gz
+      - run: cd release && npm install --unsafe-perm --omit=dev
       - name: Install Playwright OS dependencies
         run: |
           ./test/node_modules/.bin/playwright install-deps
           ./test/node_modules/.bin/playwright install
-
       - name: Cache Caddy
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         id: caddy-cache
         with:
           path: |
             ~/.cache/caddy
           key: cache-caddy-2.5.2
-
       - name: Install Caddy
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -407,23 +291,13 @@ jobs:
           gh release download v2.5.2 --repo caddyserver/caddy --pattern "caddy_2.5.2_linux_amd64.tar.gz"
           mkdir -p ~/.cache/caddy
           tar -xzf caddy_2.5.2_linux_amd64.tar.gz --directory ~/.cache/caddy
-
-      - name: Start Caddy
-        run: sudo ~/.cache/caddy/caddy start --config ./ci/Caddyfile
-
-      - name: Run end-to-end tests
-        run: CODE_SERVER_TEST_ENTRY=./release yarn test:e2e:proxy --global-timeout 840000
-
-      - name: Stop Caddy
+      - run: ~/.cache/caddy/caddy start --config ./ci/Caddyfile
+      - run: CODE_SERVER_TEST_ENTRY=./release npm run test:e2e:proxy
+      - run: ~/.cache/caddy/caddy stop --config ./ci/Caddyfile
         if: always()
-        run: sudo ~/.cache/caddy/caddy stop --config ./ci/Caddyfile
 
-      - name: Upload test artifacts
+      - uses: actions/upload-artifact@v7
         if: always()
-        uses: actions/upload-artifact@v3
         with:
           name: failed-test-videos-proxy
           path: ./test/test-results
-
-      - name: Remove release packages and test artifacts
-        run: rm -rf ./release ./test/test-results

.github/workflows/installer.yaml

@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Install code-server
         run: ./install.sh
@@ -44,7 +44,7 @@ jobs:
     container: "alpine:3.17"
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Install curl
         run: apk add curl
@@ -67,7 +67,7 @@ jobs:
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Install code-server
         run: ./install.sh

.github/workflows/publish.yaml

@@ -21,78 +21,39 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
-  # NOTE: this job requires curl, jq and yarn
-  # All of them are included in ubuntu-latest.
   npm:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code-server
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
-      - name: Install Node.js v18
-        uses: actions/setup-node@v3
+      - name: Install Node.js
+        uses: actions/setup-node@v6
         with:
-          node-version: "18"
-          cache: "yarn"
+          node-version-file: .node-version
 
       - name: Download npm package from release artifacts
-        uses: robinraju/release-downloader@v1.8
+        uses: robinraju/release-downloader@v1.12
         with:
           repository: "coder/code-server"
           tag: ${{ github.event.inputs.version || github.ref_name }}
           fileName: "package.tar.gz"
           out-file-path: "release-npm-package"
 
-      # NOTE@jsjoeio - we do this so we can strip out the v
-      # i.e. v4.9.1 -> 4.9.1
+      # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
           TAG="${{ github.event.inputs.version || github.ref_name }}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
-      - name: Publish npm package and tag with "latest"
-        run: yarn publish:npm
+      - run: npm run publish:npm
         env:
           VERSION: ${{ env.VERSION }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           NPM_ENVIRONMENT: "production"
 
-  homebrew:
-    needs: npm
-    runs-on: ubuntu-latest
-    steps:
-      # Ensure things are up to date
-      # Suggested by homebrew maintainers
-      # https://github.com/Homebrew/discussions/discussions/1532#discussioncomment-782633
-      - name: Set up Homebrew
-        id: set-up-homebrew
-        uses: Homebrew/actions/setup-homebrew@master
-
-      - name: Checkout code-server
-        uses: actions/checkout@v3
-
-      - name: Configure git
-        run: |
-          git config --global user.name cdrci
-          git config --global user.email opensource@coder.com
-
-      # NOTE@jsjoeio - we do this so we can strip out the v
-      # i.e. v4.9.1 -> 4.9.1
-      - name: Get and set VERSION
-        run: |
-          TAG="${{ github.event.inputs.version || github.ref_name }}"
-          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
-
-      - name: Bump code-server homebrew version
-        env:
-          VERSION: ${{ env.VERSION }}
-          HOMEBREW_GITHUB_API_TOKEN: ${{secrets.HOMEBREW_GITHUB_API_TOKEN}}
-
-        run: ./ci/steps/brew-bump.sh
-
   aur:
-    needs: npm
     runs-on: ubuntu-latest
     timeout-minutes: 10
     env:
@@ -101,13 +62,13 @@ jobs:
     steps:
       # We need to checkout code-server so we can get the version
       - name: Checkout code-server
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
           path: "./code-server"
 
       - name: Checkout code-server-aur repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
         with:
           repository: "cdrci/code-server-aur"
           token: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
@@ -124,15 +85,14 @@ jobs:
           git config --global user.name cdrci
           git config --global user.email opensource@coder.com
 
-      # NOTE@jsjoeio - we do this so we can strip out the v
-      # i.e. v4.9.1 -> 4.9.1
+      # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
           TAG="${{ github.event.inputs.version || github.ref_name }}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
       - name: Validate package
-        uses: hapakaien/archlinux-package-action@v2
+        uses: heyhusen/archlinux-package-action@v3.0.0
         env:
           VERSION: ${{ env.VERSION }}
         with:
@@ -151,46 +111,54 @@ jobs:
           git commit -m "chore: updating version to ${{ env.VERSION }}"
           git push -u origin $(git branch --show)
           gh pr create --repo coder/code-server-aur --title "chore: bump version to ${{ env.VERSION }}" --body "PR opened by @$GITHUB_ACTOR" --assignee $GITHUB_ACTOR
+
   docker:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code-server
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Login to GHCR
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # NOTE@jsjoeio - we do this so we can strip out the v
-      # i.e. v4.9.1 -> 4.9.1
+      # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
           TAG="${{ github.event.inputs.version || github.ref_name }}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
-      - name: Download release artifacts
-        uses: robinraju/release-downloader@v1.8
+      - name: Download deb artifacts
+        uses: robinraju/release-downloader@v1.12
         with:
           repository: "coder/code-server"
           tag: v${{ env.VERSION }}
           fileName: "*.deb"
           out-file-path: "release-packages"
 
+      - name: Download rpm artifacts
+        uses: robinraju/release-downloader@v1.12
+        with:
+          repository: "coder/code-server"
+          tag: v${{ env.VERSION }}
+          fileName: "*.rpm"
+          out-file-path: "release-packages"
+
       - name: Publish to Docker
         run: ./ci/steps/docker-buildx-push.sh
         env:

.github/workflows/release.yaml

@@ -19,102 +19,27 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
-  # TODO: cache building yarn --production
-  # possibly 2m30s of savings(?)
-  # this requires refactoring our release scripts
-  package-linux-amd64:
-    name: x86-64 Linux build
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    needs: npm-version
-    container: "centos:8"
-    env:
-      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-
-      - name: Install Node.js v18
-        uses: actions/setup-node@v3
-        with:
-          node-version: "18.15.0"
-
-      - name: Install development tools
-        run: |
-          cd /etc/yum.repos.d/
-          sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
-          sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
-          yum install -y gcc-c++ make jq rsync python3 libsecret-devel krb5-devel
-
-      - name: Install nfpm and envsubst
-        run: |
-          mkdir -p ~/.local/bin
-          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.22.2/nfpm_2.22.2_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
-          curl -sSfL https://github.com/a8m/envsubst/releases/download/v1.1.0/envsubst-`uname -s`-`uname -m` -o envsubst
-          chmod +x envsubst
-          mv envsubst ~/.local/bin
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-      - name: Install yarn
-        run: npm install -g yarn
-
-      - name: Download npm package
-        uses: actions/download-artifact@v3
-        with:
-          name: npm-release-package
-
-      - name: Decompress npm package
-        run: tar -xzf package.tar.gz
-
-      - name: Build standalone release
-        run: npm run release:standalone
-
-      - name: Install test dependencies
-        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
-
-      - name: Run integration tests on standalone release
-        run: yarn test:integration
-
-      - name: Upload coverage report to Codecov
-        uses: codecov/codecov-action@v3
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-        if: success()
-
-      # NOTE@jsjoeio - we do this so we can strip out the v
-      # i.e. v4.9.1 -> 4.9.1
-      - name: Get and set VERSION
-        run: |
-          TAG="${{ inputs.version || github.ref_name }}"
-          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
-
-      - name: Build packages with nfpm
-        env:
-          VERSION: ${{ env.VERSION }}
-        run: yarn package
-
-      - uses: softprops/action-gh-release@v1
-        with:
-          draft: true
-          discussion_category_name: "📣 Announcements"
-          files: ./release-packages/*
-
   package-linux-cross:
-    name: Linux cross-compile builds
+    name: ${{ matrix.prefix }}
     runs-on: ubuntu-latest
     timeout-minutes: 15
     needs: npm-version
-    container: "debian:buster"
+    container: "python:3.8-slim-buster"
     strategy:
       matrix:
         include:
+          - prefix: x86_64-linux-gnu
+            npm_arch: x64
+            apt_arch: amd64
+            package_arch: amd64
           - prefix: aarch64-linux-gnu
             npm_arch: arm64
             apt_arch: arm64
+            package_arch: arm64
           - prefix: arm-linux-gnueabihf
             npm_arch: armv7l
             apt_arch: armhf
+            package_arch: armv7l
 
     env:
       AR: ${{ format('{0}-ar', matrix.prefix) }}
@@ -128,24 +53,29 @@ jobs:
       PKG_CONFIG_PATH: ${{ format('/usr/lib/{0}/pkgconfig', matrix.prefix) }}
       TARGET_ARCH: ${{ matrix.apt_arch }}
       npm_config_arch: ${{ matrix.npm_arch }}
-      NODE_VERSION: v18.15.0
+      PKG_ARCH: ${{ matrix.package_arch }}
       # Not building from source results in an x86_64 argon2, as if
       # npm_config_arch is being ignored.
       npm_config_build_from_source: true
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
-      - name: Install Node.js v18
-        uses: actions/setup-node@v3
+      - name: Install Node.js
+        uses: actions/setup-node@v6
         with:
-          node-version: "18.15.0"
+          node-version-file: .node-version
+          cache: npm
+          cache-dependency-path: |
+            package-lock.json
+            test/package-lock.json
 
       - name: Install cross-compiler and system dependencies
         run: |
+          sed -i 's/deb\.debian\.org/archive.debian.org/g' /etc/apt/sources.list
           dpkg --add-architecture $TARGET_ARCH
-          apt-get update && apt-get install -y --no-install-recommends \
+          apt update && apt install -y --no-install-recommends \
             crossbuild-essential-$TARGET_ARCH \
             libx11-dev:$TARGET_ARCH \
             libx11-xcb-dev:$TARGET_ARCH \
@@ -155,6 +85,8 @@ jobs:
             ca-certificates \
             curl wget rsync gettext-base
 
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
+
       - name: Install nfpm
         run: |
           mkdir -p ~/.local/bin
@@ -162,33 +94,29 @@ jobs:
           echo "$HOME/.local/bin" >> $GITHUB_PATH
 
       - name: Download npm package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v8
         with:
           name: npm-release-package
 
-      - name: Decompress npm package
-        run: tar -xzf package.tar.gz
-
-      - name: Build standalone release
-        run: npm run release:standalone
+      - run: tar -xzf package.tar.gz
+      - run: npm run release:standalone
 
       - name: Replace node with cross-compile equivalent
         run: |
-          wget https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-linux-${npm_config_arch}.tar.xz
-          tar -xf node-${NODE_VERSION}-linux-${npm_config_arch}.tar.xz node-${NODE_VERSION}-linux-${npm_config_arch}/bin/node --strip-components=2
+          node_version=$(node --version)
+          wget https://nodejs.org/dist/${node_version}/node-${node_version}-linux-${npm_config_arch}.tar.xz
+          tar -xf node-${node_version}-linux-${npm_config_arch}.tar.xz node-${node_version}-linux-${npm_config_arch}/bin/node --strip-components=2
           mv ./node ./release-standalone/lib/node
 
-      # NOTE@jsjoeio - we do this so we can strip out the v
-      # i.e. v4.9.1 -> 4.9.1
+      # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
           TAG="${{ inputs.version || github.ref_name }}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
-      - name: Build packages with nfpm
-        env:
+      - env:
           VERSION: ${{ env.VERSION }}
-        run: npm run package ${npm_config_arch}
+        run: npm run package $PKG_ARCH
 
       - uses: softprops/action-gh-release@v1
         with:
@@ -198,17 +126,26 @@ jobs:
 
   package-macos-amd64:
     name: x86-64 macOS build
-    runs-on: macos-latest
+    runs-on: macos-15-intel
     timeout-minutes: 15
     needs: npm-version
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
-      - name: Install Node.js v18
-        uses: actions/setup-node@v3
+      - name: Install Node.js
+        uses: actions/setup-node@v6
         with:
-          node-version: "18.15.0"
+          node-version-file: .node-version
+          cache: npm
+          cache-dependency-path: |
+            package-lock.json
+            test/package-lock.json
+
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
 
       - name: Install nfpm
         run: |
@@ -216,25 +153,22 @@ jobs:
           curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
           echo "$HOME/.local/bin" >> $GITHUB_PATH
 
+      # The version of node-gyp we use depends on distutils but it was removed
+      # in Python 3.12.  It seems to be fixed in the latest node-gyp so when we
+      # next update Node we can probably remove this.  For now, install
+      # setuptools since it contains distutils.
+      - run: brew install python-setuptools
+
       - name: Download npm package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v8
         with:
           name: npm-release-package
 
-      - name: Decompress npm package
-        run: tar -xzf package.tar.gz
+      - run: tar -xzf package.tar.gz
+      - run: npm run release:standalone
+      - run: npm run test:native
 
-      - name: Build standalone release
-        run: npm run release:standalone
-
-      - name: Install test dependencies
-        run: SKIP_SUBMODULE_DEPS=1 yarn install
-
-      - name: Run native module tests on standalone release
-        run: yarn test:native
-
-      # NOTE@jsjoeio - we do this so we can strip out the v
-      # i.e. v4.9.1 -> 4.9.1
+      # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
           TAG="${{ inputs.version || github.ref_name }}"
@@ -243,7 +177,68 @@ jobs:
       - name: Build packages with nfpm
         env:
           VERSION: ${{ env.VERSION }}
-        run: yarn package
+        run: npm run package
+
+      - uses: softprops/action-gh-release@v1
+        with:
+          draft: true
+          discussion_category_name: "📣 Announcements"
+          files: ./release-packages/*
+
+  package-macos-arm64:
+    name: arm64 macOS build
+    runs-on: macos-latest
+    timeout-minutes: 15
+    needs: npm-version
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v6
+
+      - name: Install Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .node-version
+          cache: npm
+          cache-dependency-path: |
+            package-lock.json
+            test/package-lock.json
+
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
+
+      - name: Install nfpm
+        run: |
+          mkdir -p ~/.local/bin
+          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      # The version of node-gyp we use depends on distutils but it was removed
+      # in Python 3.12.  It seems to be fixed in the latest node-gyp so when we
+      # next update Node we can probably remove this.  For now, install
+      # setuptools since it contains distutils.
+      - run: brew install python-setuptools
+
+      - name: Download npm package
+        uses: actions/download-artifact@v8
+        with:
+          name: npm-release-package
+
+      - run: tar -xzf package.tar.gz
+      - run: npm run release:standalone
+      - run: npm run test:native
+
+      # Strip out the v (v4.9.1 -> 4.9.1).
+      - name: Get and set VERSION
+        run: |
+          TAG="${{ inputs.version || github.ref_name }}"
+          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
+
+      - name: Build packages with nfpm
+        env:
+          VERSION: ${{ env.VERSION }}
+        run: npm run package
 
       - uses: softprops/action-gh-release@v1
         with:
@@ -258,7 +253,7 @@ jobs:
     needs: npm-version
     steps:
       - name: Download npm package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v8
         with:
           name: npm-release-package
 
@@ -274,7 +269,7 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Download artifacts
-        uses: dawidd6/action-download-artifact@v2
+        uses: dawidd6/action-download-artifact@v16
         id: download
         with:
           branch: ${{ github.ref }}
@@ -284,11 +279,9 @@ jobs:
           check_artifacts: false
           if_no_artifact_found: fail
 
-      - name: Decompress npm package
-        run: tar -xzf package.tar.gz
+      - run: tar -xzf package.tar.gz
 
-      # NOTE@jsjoeio - we do this so we can strip out the v
-      # i.e. v4.9.1 -> 4.9.1
+      # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
           TAG="${{ inputs.version || github.ref_name }}"
@@ -307,11 +300,10 @@ jobs:
           # Ensure it has the same permissions as before
           chmod 644 release/lib/vscode/product.json
 
-      - name: Compress release package
-        run: tar -czf package.tar.gz release
+      - run: tar -czf package.tar.gz release
 
       - name: Upload npm package artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v7
         with:
           name: npm-release-package
           path: ./package.tar.gz

.github/workflows/scripts.yaml

@@ -41,7 +41,7 @@ jobs:
     container: "alpine:3.17"
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Install test utilities
         run: apk add bats checkbashisms
@@ -58,7 +58,7 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Install lint utilities
         run: sudo apt install shellcheck

.github/workflows/security.yaml

@@ -19,27 +19,23 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
-  audit-ci:
+  audit:
     name: Audit node modules
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
-      - name: Install Node.js v18
-        uses: actions/setup-node@v3
+      - name: Install Node.js
+        uses: actions/setup-node@v6
         with:
-          node-version: "18"
-
-      - name: Audit yarn for vulnerabilities
-        run: yarn audit
-        if: success()
+          node-version-file: .node-version
 
       - name: Audit npm for vulnerabilities
-        run: npm shrinkwrap && npm audit
+        run: npm audit
         if: success()
 
   trivy-scan-repo:
@@ -47,15 +43,15 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
         with:
           scan-type: "fs"
           scan-ref: "."
@@ -66,7 +62,7 @@ jobs:
           severity: "HIGH,CRITICAL"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: "trivy-repo-results.sarif"
 
@@ -76,21 +72,21 @@ jobs:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/autobuild to send a status report
     name: Analyze with CodeQL
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v4
         with:
           config-file: ./.github/codeql-config.yml
           languages: javascript
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v4

.github/workflows/trivy-docker.yaml

@@ -44,14 +44,14 @@ concurrency:
 
 jobs:
   trivy-scan-image:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Run Trivy vulnerability scanner in image mode
-        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
         with:
           image-ref: "docker.io/codercom/code-server:latest"
           ignore-unfixed: true
@@ -60,6 +60,6 @@ jobs:
           severity: "HIGH,CRITICAL"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: "trivy-image-results.sarif"

.node-version

@@ -1 +1 @@
-18
+22.22.0

.prettierignore

@@ -7,3 +7,4 @@ helm-chart
 test/scripts
 test/e2e/extensions/test-extension
 .pc
+package-lock.json

.tours/start-development.tour

@@ -5,7 +5,7 @@
     {
       "file": "package.json",
       "line": 31,
-      "description": "## Commands\n\nTo start developing, make sure you have Node 16+ and the [required dependencies](https://github.com/Microsoft/vscode/wiki/How-to-Contribute#prerequisites) installed. Then, run the following commands:\n\n1. Install dependencies:\n>> yarn\n\n3. Start development mode (and watch for changes):\n>> yarn watch"
+      "description": "## Commands\n\nTo start developing, make sure you have Node 16+ and the [required dependencies](https://github.com/Microsoft/vscode/wiki/How-to-Contribute#prerequisites) installed. Then, run the following commands:\n\n1. Install dependencies:\n>> npm\n\n3. Start development mode (and watch for changes):\n>> npm run watch"
     },
     {
       "file": "src/node/app.ts",
@@ -20,7 +20,7 @@
     {
       "file": "src/node/app.ts",
       "line": 62,
-      "description": "## That's it!\n\n\nThat's all there is to it! When this tour ends, your terminal session may stop, but just use `yarn watch` to start developing from here on out!\n\n\nIf you haven't already, be sure to check out these resources:\n- [Tour: Contributing](command:codetour.startTourByTitle?[\"Contributing\"])\n- [Docs: FAQ.md](https://github.com/coder/code-server/blob/main/docs/FAQ.md)\n- [Docs: CONTRIBUTING.md](https://github.com/coder/code-server/blob/main/docs/CONTRIBUTING.md)\n- [Community: GitHub Discussions](https://github.com/coder/code-server/discussions)\n- [Community: Slack](https://community.coder.com)"
+      "description": "## That's it!\n\n\nThat's all there is to it! When this tour ends, your terminal session may stop, but just use `npm run watch` to start developing from here on out!\n\n\nIf you haven't already, be sure to check out these resources:\n- [Tour: Contributing](command:codetour.startTourByTitle?[\"Contributing\"])\n- [Docs: FAQ.md](https://github.com/coder/code-server/blob/main/docs/FAQ.md)\n- [Docs: CONTRIBUTING.md](https://github.com/coder/code-server/blob/main/docs/CONTRIBUTING.md)\n- [Community: GitHub Discussions](https://github.com/coder/code-server/discussions)\n- [Community: Slack](https://community.coder.com)"
     }
   ]
-}
+}

CHANGELOG.md

@@ -22,6 +22,644 @@ Code v99.99.999
 
 ## Unreleased
 
+## [4.109.5](https://github.com/coder/code-server/releases/tag/v4.109.5) - 2026-03-02
+
+Code v1.109.5
+
+### Changed
+
+- Update to Code 1.109.5
+
+## [4.109.2](https://github.com/coder/code-server/releases/tag/v4.109.2) - 2026-02-12
+
+Code v1.109.2
+
+### Changed
+
+- Update to Code 1.109.2
+
+## [4.109.0](https://github.com/coder/code-server/releases/tag/v4.109.0) - 2026-02-12
+
+Code v1.109.0
+
+### Changed
+
+- Update to Code 1.109.0
+
+## [4.108.2](https://github.com/coder/code-server/releases/tag/v4.108.2) - 2026-01-26
+
+Code v1.108.2
+
+### Changed
+
+- Update to Code 1.108.2
+
+## [4.108.1](https://github.com/coder/code-server/releases/tag/v4.108.1) - 2026-01-16
+
+Code v1.108.1
+
+### Changed
+
+- Update to Code 1.108.1
+
+## [4.108.0](https://github.com/coder/code-server/releases/tag/v4.108.0) - 2026-01-12
+
+Code v1.108.0
+
+### Changed
+
+- Update to Code 1.108.0
+
+## [4.107.1](https://github.com/coder/code-server/releases/tag/v4.107.1) - 2026-01-09
+
+Code v1.107.1
+
+### Changed
+
+- Update to Code 1.107.1
+
+## [4.107.0](https://github.com/coder/code-server/releases/tag/v4.107.0) - 2026-12-17
+
+Code v1.107.0
+
+### Changed
+
+- Update to Code 1.107.0
+
+### Added
+
+- New `--cookie-suffix` flag that can be used to add a suffix to the cookie when
+  using the built-in password authentication. You can use this to avoid
+  collisions with other instances of code-server.
+- Support a new property `authorizationHeaderToken` on the extension gallery
+  configuration. This will be added to marketplace requests as a bearer token
+  using the `Authorization` header.
+
+## [4.106.3](https://github.com/coder/code-server/releases/tag/v4.106.3) - 2025-12-01
+
+Code v1.106.3
+
+### Changed
+
+- Update to Code 1.106.3
+
+## [4.106.2](https://github.com/coder/code-server/releases/tag/v4.106.2) - 2025-11-19
+
+Code v1.106.2
+
+### Changed
+
+- Update to Code 1.106.2
+
+## [4.106.0](https://github.com/coder/code-server/releases/tag/v4.106.0) - 2025-11-19
+
+Code v1.106.0
+
+### Changed
+
+- Update to Code 1.106.0
+
+## [4.105.1](https://github.com/coder/code-server/releases/tag/v4.105.1) - 2025-10-20
+
+Code v1.105.1
+
+### Changed
+
+- Update to Code 1.105.1
+
+## [4.105.0](https://github.com/coder/code-server/releases/tag/v4.105.0) - 2025-10-17
+
+Code v1.105.0
+
+### Changed
+
+- Update to Code 1.105.0
+
+## [4.104.3](https://github.com/coder/code-server/releases/tag/v4.104.3) - 2025-10-07
+
+Code v1.104.3
+
+### Changed
+
+- Update to Code 1.104.3.
+
+## [4.104.2](https://github.com/coder/code-server/releases/tag/v4.104.2) - 2025-09-26
+
+Code v1.104.2
+
+### Changed
+
+- Update to Code 1.104.2.
+
+## [4.104.1](https://github.com/coder/code-server/releases/tag/v4.104.1) - 2025-09-19
+
+Code v1.104.1
+
+### Changed
+
+- Update to Code 1.104.1.
+
+## [4.104.0](https://github.com/coder/code-server/releases/tag/v4.104.0) - 2025-09-15
+
+Code v1.104.0
+
+### Fixed
+
+- Fix "extension not found" errors from Open VSX when trying to install the
+  latest version of an extension.
+
+### Changed
+
+- Update to Code 1.104.0.
+
+## [4.103.2](https://github.com/coder/code-server/releases/tag/v4.103.2) - 2025-08-25
+
+Code v1.103.2
+
+### Changed
+
+- Update to Code 1.103.2.
+
+## [4.103.1](https://github.com/coder/code-server/releases/tag/v4.103.1) - 2025-08-15
+
+Code v1.103.1
+
+### Changed
+
+- Update to Code 1.103.1.
+
+## [4.103.0](https://github.com/coder/code-server/releases/tag/v4.103.0) - 2025-08-12
+
+Code v1.103.0
+
+### Changed
+
+- Update to Code 1.103.0.
+
+## [4.102.2](https://github.com/coder/code-server/releases/tag/v4.102.2) - 2025-07-24
+
+Code v1.102.2
+
+### Changed
+
+- Update to Code 1.102.2.
+
+## [4.102.1](https://github.com/coder/code-server/releases/tag/v4.102.1) - 2025-07-17
+
+Code v1.102.1
+
+### Changed
+
+- Update to Code 1.102.1.
+
+## [4.102.0](https://github.com/coder/code-server/releases/tag/v4.102.0) - 2025-07-16
+
+Code v1.102.0
+
+### Changed
+
+- Update to Code 1.102.0.
+
+### Added
+
+- Custom strings can be configured using the `--i18n` flag set to a JSON
+  file. This can be used for either translation (and can be used alongside
+  `--locale`) or for customizing the strings. See
+  [./src/node/i18n/locales/en.json](./src/node/i18n/locales/en.json) for the
+  available keys.
+
+## [4.101.2](https://github.com/coder/code-server/releases/tag/v4.101.2) - 2025-06-25
+
+Code v1.101.2
+
+### Changed
+
+- Update to Code 1.101.2.
+
+### Fixed
+
+- Fix web views not loading due to 401 when requesting the service worker.
+
+## [4.101.1](https://github.com/coder/code-server/releases/tag/v4.101.1) - 2025-06-20
+
+Code v1.101.1
+
+### Changed
+
+- Update to Code 1.101.1.
+
+## [4.101.0](https://github.com/coder/code-server/releases/tag/v4.101.0) - 2025-06-20
+
+Code v1.101.0
+
+### Changed
+
+- Update to Code 1.101.0.
+
+## [4.100.3](https://github.com/coder/code-server/releases/tag/v4.100.3) - 2025-06-03
+
+Code v1.100.3
+
+### Changed
+
+- Update to Code 1.100.3.
+
+## [4.100.2](https://github.com/coder/code-server/releases/tag/v4.100.2) - 2025-05-15
+
+Code v1.100.2
+
+### Changed
+
+- Update to Code 1.100.2.
+
+## [4.100.1](https://github.com/coder/code-server/releases/tag/v4.100.1) - 2025-05-13
+
+Code v1.100.1
+
+### Changed
+
+- Update to Code 1.100.1.
+
+## [4.100.0](https://github.com/coder/code-server/releases/tag/v4.100.0) - 2025-05-12
+
+Code v1.100.0
+
+### Added
+
+- Trusted domains for links can now be set at run-time by configuring
+  `linkProtectionTrustedDomains` in the `lib/vscode/product.json` file or via
+  the `--link-protection-trusted-domains` flag.
+
+### Changed
+
+- Update to Code 1.100.0.
+- Disable extension signature verification, which previously was skipped by
+  default (the package used for verification is not available to OSS builds of
+  VS Code) but now reportedly throws hard errors making it impossible to install
+  extensions.
+
+### Fixed
+
+- Flags with repeatable options now work via the config file.
+
+## [4.99.4](https://github.com/coder/code-server/releases/tag/v4.99.4) - 2025-05-02
+
+Code v1.99.3
+
+### Security
+
+- Validate that ports in the path proxy are numbers, to prevent proxying to
+  arbitrary domains.
+
+## [4.99.3](https://github.com/coder/code-server/releases/tag/v4.99.3) - 2025-04-17
+
+Code v1.99.3
+
+### Added
+
+- Added `--skip-auth-preflight` flag to let preflight requests through the
+  proxy.
+
+### Changed
+
+- Update to Code 1.99.3.
+
+## [4.99.2](https://github.com/coder/code-server/releases/tag/v4.99.2) - 2025-04-10
+
+Code v1.99.2
+
+### Changed
+
+- Update to Code 1.99.2.
+
+## [4.99.1](https://github.com/coder/code-server/releases/tag/v4.99.1) - 2025-04-08
+
+Code v1.99.1
+
+### Changed
+
+- Update to Code 1.99.1.
+
+## [4.99.0](https://github.com/coder/code-server/releases/tag/v4.99.0) - 2025-04-07
+
+Code v1.99.0
+
+### Changed
+
+- Update to Code 1.99.0.
+
+## [4.98.0](https://github.com/coder/code-server/releases/tag/v4.98.0) - 2025-03-07
+
+Code v1.98.0
+
+### Changed
+
+- Update to Code 1.98.0.
+
+## [4.97.2](https://github.com/coder/code-server/releases/tag/v4.96.4) - 2025-02-18
+
+Code v1.97.2
+
+### Added
+
+- Added back macOS amd64 builds.
+
+### Changed
+
+- Update to Code 1.97.2.
+- Softened dark mode login page colors.
+
+## [4.96.4](https://github.com/coder/code-server/releases/tag/v4.96.4) - 2025-01-20
+
+Code v1.96.4
+
+### Changed
+
+- Update to Code 1.96.4.
+
+## [4.96.2](https://github.com/coder/code-server/releases/tag/v4.96.2) - 2024-12-20
+
+Code v1.96.2
+
+### Changed
+
+- Update to Code 1.96.2.
+
+## [4.96.1](https://github.com/coder/code-server/releases/tag/v4.96.1) - 2024-12-18
+
+Code v1.96.1
+
+### Added
+
+- Dark color scheme for login and error pages.
+
+### Changed
+
+- Update to Code 1.96.1.
+
+## [4.95.3](https://github.com/coder/code-server/releases/tag/v4.95.3) - 2024-11-18
+
+Code v1.95.3
+
+### Changed
+
+- Update to Code 1.95.3.
+
+## [4.95.2](https://github.com/coder/code-server/releases/tag/v4.95.2) - 2024-11-12
+
+Code v1.95.2
+
+### Changed
+
+- Update to Code 1.95.2.
+
+## [4.95.1](https://github.com/coder/code-server/releases/tag/v4.95.1) - 2024-11-06
+
+Code v1.95.1
+
+### Changed
+
+- Update to Code 1.95.1.
+
+## [4.93.1](https://github.com/coder/code-server/releases/tag/v4.93.1) - 2024-09-23
+
+Code v1.93.1
+
+### Changed
+
+- Updated to Code 1.93.1.
+
+### Added
+
+- Added `--abs-proxy-base-path` flag for when code-server is not at the root.
+
+## [4.92.2](https://github.com/coder/code-server/releases/tag/v4.92.2) - 2024-08-19
+
+Code v1.92.2
+
+### Breaking changes
+
+- Dropped a patch that changed the compile target from es2022 to es2020 because
+  it no longer works with the way VS Code uses static properties. This may break
+  older browsers, so those browsers will either have to be updated or use an
+  older version of code-server.
+
+### Changed
+
+- Updated to Code 1.92.2.
+
+## [4.91.0](https://github.com/coder/code-server/releases/tag/v4.91.0) - 2024-07-10
+
+Code v1.91.0
+
+### Changed
+
+- Updated to Code 1.91.0.
+
+## [4.90.3](https://github.com/coder/code-server/releases/tag/v4.90.3) - 2024-06-21
+
+Code v1.90.2
+
+### Changed
+
+- Updated to Code 1.90.2.
+
+### Fixed
+
+- When the log gets rotated it will no longer incorrectly be moved to a new
+  directory created in the current working directory named with a date.
+  Instead, the file itself is prepended with the date and kept in the same
+  directory, as originally intended.
+
+## [4.90.2](https://github.com/coder/code-server/releases/tag/v4.90.2) - 2024-06-14
+
+Code v1.90.1
+
+### Changed
+
+- Updated to Code 1.90.1.
+
+## [4.90.1](https://github.com/coder/code-server/releases/tag/v4.90.1) - 2024-06-12
+
+Code v1.90.0
+
+### Fixed
+
+- Cache a call to get CPU information used in telemetry that could result in a
+  lack responsiveness if it was particularly slow.
+
+## [4.90.0](https://github.com/coder/code-server/releases/tag/v4.90.0) - 2024-06-11
+
+Code v1.90.0
+
+### Changed
+
+- Updated to Code 1.90.0.
+- Updated Node to 20.11.1.
+
+### Added
+
+- Send contents to the clipboard in the integrated terminal by piping to
+  `code-server --stdin-to-clipboard` or `code-server -c`.
+
+  You may want to make this an alias:
+
+  ```
+  alias xclip="code-server --stdin-to-clipboard"
+  echo -n "hello world" | xclip
+  ```
+
+## [4.89.1](https://github.com/coder/code-server/releases/tag/v4.89.1) - 2024-04-14
+
+Code v1.89.1
+
+### Changed
+
+- Updated to Code 1.89.1.
+
+## [4.89.0](https://github.com/coder/code-server/releases/tag/v4.89.0) - 2024-04-08
+
+Code v1.89.0
+
+### Changed
+
+- Updated to Code 1.89.0.
+
+## [4.23.1](https://github.com/coder/code-server/releases/tag/v4.23.1) - 2024-04-15
+
+Code v1.88.1
+
+### Changed
+
+- Updated to Code 1.88.1.
+
+## [4.23.0](https://github.com/coder/code-server/releases/tag/v4.23.0) - 2024-04-08
+
+Code v1.88.0
+
+### Changed
+
+- Updated to Code 1.88.0.
+- Updated Node to 18.18.2.
+
+### Fixed
+
+- Fix masking the exit code when failing to install extensions on the command
+  line outside the integrated terminal. Installing extensions inside the
+  integrated terminal still masks the exit code and is an upstream bug.
+
+## [4.22.1](https://github.com/coder/code-server/releases/tag/v4.22.1) - 2024-03-14
+
+Code v1.87.2
+
+### Changed
+
+- Updated to Code 1.87.2.
+- Enable keep-alive for proxy agent.
+
+## [4.22.0](https://github.com/coder/code-server/releases/tag/v4.22.0) - 2024-03-03
+
+Code v1.87.0
+
+### Changed
+
+- Updated to Code 1.87.0.
+
+## [4.21.2](https://github.com/coder/code-server/releases/tag/v4.21.2) - 2024-02-28
+
+Code v1.86.2
+
+### Changed
+
+- Updated to Code 1.86.2.
+
+## [4.21.1](https://github.com/coder/code-server/releases/tag/v4.21.1) - 2024-02-09
+
+Code v1.86.1
+
+### Changed
+
+- Updated to Code 1.86.1.
+- Updated to Node 18.17.1.
+
+### Added
+
+- Docker images for Fedora and openSUSE.
+
+## [4.21.0](https://github.com/coder/code-server/releases/tag/v4.21.0) - 2024-02-05
+
+Code v1.86.0
+
+### Changed
+
+- Updated to Code 1.86.0.
+
+## [4.20.1](https://github.com/coder/code-server/releases/tag/v4.20.1) - 2024-01-22
+
+Code v1.85.2
+
+### Changed
+
+- Updated to Code 1.85.2.
+
+### Fixed
+
+- Query variables are no longer double-encoded when going over the path proxy.
+
+## [4.20.0](https://github.com/coder/code-server/releases/tag/v4.20.0) - 2023-12-21
+
+Code v1.85.1
+
+### Added
+
+- New flag `--disable-file-uploads` to disable uploading files to the remote by
+  drag and drop and to disable opening local files via the "show local" button
+  in the file open prompt. Note that you can still open local files by drag and
+  dropping the file onto the editor pane.
+- Added `wget` to the release image.
+
+### Changed
+
+- Updated to Code 1.85.1.
+- The `--disable-file-downloads` flag will now disable the "show local" button
+  in the file save prompt as well.
+- Debian release image updated to use Bookworm.
+
+## [4.19.1](https://github.com/coder/code-server/releases/tag/v4.19.1) - 2023-11-29
+
+Code v1.84.2
+
+### Fixed
+
+- Fixed an issue where parts of the editor would not load (like the file
+  explorer, source control, etc) when using a workspace file.
+
+## [4.19.0](https://github.com/coder/code-server/releases/tag/v4.19.0) - 2023-11-18
+
+Code v1.84.2
+
+### Changed
+
+- Updated to Code 1.84.2.
+
+## [4.18.0](https://github.com/coder/code-server/releases/tag/v4.18.0) - 2023-10-20
+
+Code v1.83.1
+
+### Changed
+
+- Updated to Code 1.83.1.
+
+## [4.17.1](https://github.com/coder/code-server/releases/tag/v4.17.1) - 2023-09-29
+
+Code v1.82.2
+
+### Fixed
+
+- Make secret storage persistent. For example, logging in with GitHub should
+  persist between browser refreshes and code-server restarts.
+- Issues with argon2 on arm builds should be fixed now.
+
 ## [4.17.0](https://github.com/coder/code-server/releases/tag/v4.17.0) - 2023-09-22
 
 Code v1.82.2
@@ -298,7 +936,7 @@ Code v1.71.0
 
 ### Fixed
 
-- Add flags --unsafe-perm --legacy-peer-deps in `npm-postinstsall.sh` which ensures installing with npm works correctly
+- Add flags --unsafe-perm --legacy-peer-deps in `npm-postinstall.sh` which ensures installing with npm works correctly
 
 ## [4.6.1](https://github.com/coder/code-server/releases/tag/v4.6.1) - 2022-09-31
 
@@ -346,7 +984,6 @@ Code v1.68.1
   would be accessible at `my.domain/proxy/8000/` without any authentication.
 
   If all of the following apply to you please update as soon as possible:
-
   - You run code-server with the built-in password authentication.
   - You run unprotected HTTP services on ports accessible by code-server.
 

ci/README.md

@@ -16,20 +16,18 @@ This directory contains scripts used for the development of code-server.
 
 - [./ci/dev/image](./dev/image)
   - See [./docs/CONTRIBUTING.md](../docs/CONTRIBUTING.md) for docs on the development container.
-- [./ci/dev/fmt.sh](./dev/fmt.sh) (`yarn fmt`)
+- [./ci/dev/fmt.sh](./dev/fmt.sh) (`npm run fmt`)
   - Runs formatters.
-- [./ci/dev/lint.sh](./dev/lint.sh) (`yarn lint`)
+- [./ci/dev/lint.sh](./dev/lint.sh) (`npm run lint`)
   - Runs linters.
-- [./ci/dev/test-unit.sh](./dev/test-unit.sh) (`yarn test:unit`)
+- [./ci/dev/test-unit.sh](./dev/test-unit.sh) (`npm run test:unit`)
   - Runs unit tests.
-- [./ci/dev/test-e2e.sh](./dev/test-e2e.sh) (`yarn test:e2e`)
+- [./ci/dev/test-e2e.sh](./dev/test-e2e.sh) (`npm run test:e2e`)
   - Runs end-to-end tests.
-- [./ci/dev/ci.sh](./dev/ci.sh) (`yarn ci`)
-  - Runs `yarn fmt`, `yarn lint` and `yarn test`.
-- [./ci/dev/watch.ts](./dev/watch.ts) (`yarn watch`)
+- [./ci/dev/watch.ts](./dev/watch.ts) (`npm run watch`)
   - Starts a process to build and launch code-server and restart on any code changes.
   - Example usage in [./docs/CONTRIBUTING.md](../docs/CONTRIBUTING.md).
-- [./ci/dev/gen_icons.sh](./dev/gen_icons.sh) (`yarn icons`)
+- [./ci/dev/gen_icons.sh](./dev/gen_icons.sh) (`npm run icons`)
   - Generates the various icons from a single `.svg` favicon in
     `src/browser/media/favicon.svg`.
   - Requires [imagemagick](https://imagemagick.org/index.php)
@@ -39,20 +37,20 @@ This directory contains scripts used for the development of code-server.
 This directory contains the scripts used to build and release code-server.
 You can disable minification by setting `MINIFY=`.
 
-- [./ci/build/build-code-server.sh](./build/build-code-server.sh) (`yarn build`)
+- [./ci/build/build-code-server.sh](./build/build-code-server.sh) (`npm run build`)
   - Builds code-server into `./out` and bundles the frontend into `./dist`.
-- [./ci/build/build-vscode.sh](./build/build-vscode.sh) (`yarn build:vscode`)
+- [./ci/build/build-vscode.sh](./build/build-vscode.sh) (`npm run build:vscode`)
   - Builds vscode into `./lib/vscode/out-vscode`.
-- [./ci/build/build-release.sh](./build/build-release.sh) (`yarn release`)
+- [./ci/build/build-release.sh](./build/build-release.sh) (`npm run release`)
   - Bundles the output of the above two scripts into a single node module at `./release`.
-- [./ci/build/clean.sh](./build/clean.sh) (`yarn clean`)
+- [./ci/build/clean.sh](./build/clean.sh) (`npm run clean`)
   - Removes all build artifacts.
   - Useful to do a clean build.
 - [./ci/build/code-server.sh](./build/code-server.sh)
   - Copied into standalone releases to run code-server with the bundled node binary.
-- [./ci/build/test-standalone-release.sh](./build/test-standalone-release.sh) (`yarn test:standalone-release`)
+- [./ci/build/test-standalone-release.sh](./build/test-standalone-release.sh) (`npm run test:standalone-release`)
   - Ensures code-server in the `./release-standalone` directory works by installing an extension.
-- [./ci/build/build-packages.sh](./build/build-packages.sh) (`yarn package`)
+- [./ci/build/build-packages.sh](./build/build-packages.sh) (`npm run package`)
   - Packages `./release-standalone` into a `.tar.gz` archive in `./release-packages`.
   - If on linux, [nfpm](https://github.com/goreleaser/nfpm) is used to generate `.deb` and `.rpm`.
 - [./ci/build/nfpm.yaml](./build/nfpm.yaml)
@@ -61,15 +59,15 @@ You can disable minification by setting `MINIFY=`.
   - Entrypoint script for code-server for `.deb` and `.rpm`.
 - [./ci/build/code-server.service](./build/code-server.service)
   - systemd user service packaged into the `.deb` and `.rpm`.
-- [./ci/build/release-github-draft.sh](./build/release-github-draft.sh) (`yarn release:github-draft`)
+- [./ci/build/release-github-draft.sh](./build/release-github-draft.sh) (`npm run release:github-draft`)
   - Uses [gh](https://github.com/cli/cli) to create a draft release with a template description.
-- [./ci/build/release-github-assets.sh](./build/release-github-assets.sh) (`yarn release:github-assets`)
+- [./ci/build/release-github-assets.sh](./build/release-github-assets.sh) (`npm run release:github-assets`)
   - Downloads the release-package artifacts for the current commit from CI.
   - Uses [gh](https://github.com/cli/cli) to upload the artifacts to the release
     specified in `package.json`.
 - [./ci/build/npm-postinstall.sh](./build/npm-postinstall.sh)
   - Post install script for the npm package.
-  - Bundled by`yarn release`.
+  - Bundled by`npm run release`.
 
 ## release-image
 
@@ -89,15 +87,15 @@ This directory contains the scripts used in CI.
 Helps avoid clobbering the CI configuration.
 
 - [./steps/fmt.sh](./steps/fmt.sh)
-  - Runs `yarn fmt`.
+  - Runs `npm run fmt`.
 - [./steps/lint.sh](./steps/lint.sh)
-  - Runs `yarn lint`.
+  - Runs `npm run lint`.
 - [./steps/test-unit.sh](./steps/test-unit.sh)
-  - Runs `yarn test:unit`.
+  - Runs `npm run test:unit`.
 - [./steps/test-integration.sh](./steps/test-integration.sh)
-  - Runs `yarn test:integration`.
+  - Runs `npm run test:integration`.
 - [./steps/test-e2e.sh](./steps/test-e2e.sh)
-  - Runs `yarn test:e2e`.
+  - Runs `npm run test:e2e`.
 - [./steps/release.sh](./steps/release.sh)
   - Runs the release process.
   - Generates the npm package at `./release`.

ci/build/build-packages.sh

@@ -1,8 +1,10 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-# Packages code-server for the current OS and architecture into ./release-packages.
-# This script assumes that a standalone release is built already into ./release-standalone
+# Given a platform-specific release found in ./release-standalone, generate an
+# compressed archives and bundles (as appropriate for the platform) named after
+# the platform's architecture and OS and place them in ./release-packages and
+# ./release-gcp.
 
 main() {
   cd "$(dirname "${0}")/../.."
@@ -50,11 +52,6 @@ release_nfpm() {
 
   export NFPM_ARCH
 
-  # Code deletes some files from the extension node_modules directory which
-  # leaves broken symlinks in the corresponding .bin directory.  nfpm will fail
-  # on these broken symlinks so clean them up.
-  rm -fr "./release-standalone/lib/vscode/extensions/node_modules/.bin"
-
   PKG_FORMAT="deb"
   NFPM_ARCH="$(get_nfpm_arch $PKG_FORMAT "$ARCH")"
   nfpm_config="$(envsubst < ./ci/build/nfpm.yaml)"

ci/build/build-release.sh

@@ -1,13 +1,16 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-# This script requires vscode to be built with matching MINIFY.
+# Once both code-server and VS Code have been built, use this script to copy
+# them into a single directory (./release), prepare the package.json and
+# product.json, and add shrinkwraps.  This results in a generic NPM package that
+# we published to NPM and also use to compile platform-specific packages.
 
-# MINIFY controls whether minified vscode is bundled.
+# MINIFY controls whether minified VS Code is bundled. It must match the value
+# used when VS Code was built.
 MINIFY="${MINIFY-true}"
 
-# KEEP_MODULES controls whether the script cleans all node_modules requiring a yarn install
-# to run first.
+# node_modules are not copied by default.  Set KEEP_MODULES=1 to copy them.
 KEEP_MODULES="${KEEP_MODULES-0}"
 
 main() {
@@ -41,12 +44,8 @@ bundle_code_server() {
   rsync src/browser/pages/*.css "$RELEASE_PATH/src/browser/pages"
   rsync src/browser/robots.txt "$RELEASE_PATH/src/browser"
 
-  # Add typings for plugins
-  mkdir -p "$RELEASE_PATH/typings"
-  rsync typings/pluginapi.d.ts "$RELEASE_PATH/typings"
-
   # Adds the commit to package.json
-  jq --slurp '.[0] * .[1]' package.json <(
+  jq --slurp '(.[0] | del(.scripts,.jest,.devDependencies)) * .[1]' package.json <(
     cat << EOF
   {
     "commit": "$(git rev-parse HEAD)",
@@ -88,49 +87,50 @@ bundle_vscode() {
 
   rsync "${rsync_opts[@]}" ./lib/vscode-reh-web-*/ "$VSCODE_OUT_PATH"
 
-  # Use the package.json for the web/remote server.  It does not have the right
-  # version though so pull that from the main package.json.
-  jq --slurp '.[0] * {version: .[1].version}' \
+  # Merge the package.json for the web/remote server so we can include
+  # dependencies, since we want to ship this via NPM.
+  jq --slurp '.[0] * .[1]' \
     "$VSCODE_SRC_PATH/remote/package.json" \
-    "$VSCODE_SRC_PATH/package.json" > "$VSCODE_OUT_PATH/package.json"
-
-  mv "$VSCODE_SRC_PATH/remote/npm-shrinkwrap.json" "$VSCODE_OUT_PATH/npm-shrinkwrap.json"
+    "$VSCODE_OUT_PATH/package.json" > "$VSCODE_OUT_PATH/package.json.merged"
+  mv "$VSCODE_OUT_PATH/package.json.merged" "$VSCODE_OUT_PATH/package.json"
+  cp "$VSCODE_SRC_PATH/remote/npm-shrinkwrap.json" "$VSCODE_OUT_PATH/npm-shrinkwrap.json"
 
   # Include global extension dependencies as well.
   rsync "$VSCODE_SRC_PATH/extensions/package.json" "$VSCODE_OUT_PATH/extensions/package.json"
-  mv "$VSCODE_SRC_PATH/extensions/npm-shrinkwrap.json" "$VSCODE_OUT_PATH/extensions/npm-shrinkwrap.json"
+  cp "$VSCODE_SRC_PATH/extensions/npm-shrinkwrap.json" "$VSCODE_OUT_PATH/extensions/npm-shrinkwrap.json"
   rsync "$VSCODE_SRC_PATH/extensions/postinstall.mjs" "$VSCODE_OUT_PATH/extensions/postinstall.mjs"
 }
 
 create_shrinkwraps() {
-  # yarn.lock or package-lock.json files (used to ensure deterministic versions of dependencies) are
-  # not packaged when publishing to the NPM registry.
-  # To ensure deterministic dependency versions (even when code-server is installed with NPM), we create
-  # an npm-shrinkwrap.json file from the currently installed node_modules. This ensures the versions used
-  # from development (that the yarn.lock guarantees) are also the ones installed by end-users.
-  # These will include devDependencies, but those will be ignored when installing globally (for code-server), and
-  # because we use --omit=dev when installing vscode.
+  # package-lock.json files (used to ensure deterministic versions of
+  # dependencies) are not packaged when publishing to the NPM registry.
+  #
+  # To ensure deterministic dependency versions (even when code-server is
+  # installed with NPM), we create an npm-shrinkwrap.json file from the
+  # currently installed node_modules. This ensures the versions used from
+  # development (that the package-lock.json guarantees) are also the ones
+  # installed by end-users.  These will include devDependencies, but those will
+  # be ignored when installing globally (for code-server), and because we use
+  # --omit=dev (for VS Code).
 
-  # We first generate the shrinkwrap file for code-server itself - which is the current directory
-  create_shrinkwrap_keeping_yarn_lock
+  # We first generate the shrinkwrap file for code-server itself - which is the
+  # current directory.
+  cp package-lock.json package-lock.json.temp
+  npm shrinkwrap
+  mv package-lock.json.temp package-lock.json
 
-  # Then the shrinkwrap files for the bundled VSCode
+  # Then the shrinkwrap files for the bundled VS Code.
   pushd "$VSCODE_SRC_PATH/remote/"
-  create_shrinkwrap_keeping_yarn_lock
+  cp package-lock.json package-lock.json.temp
+  npm shrinkwrap
+  mv package-lock.json.temp package-lock.json
   popd
 
   pushd "$VSCODE_SRC_PATH/extensions/"
-  create_shrinkwrap_keeping_yarn_lock
+  cp package-lock.json package-lock.json.temp
+  npm shrinkwrap
+  mv package-lock.json.temp package-lock.json
   popd
 }
 
-create_shrinkwrap_keeping_yarn_lock() {
-  # HACK@edvincent: Generating a shrinkwrap alters the yarn.lock which we don't want (with NPM URLs rather than the Yarn URLs)
-  # But to generate a valid shrinkwrap, it has to exist... So we copy it to then restore it
-  cp yarn.lock yarn.lock.temp
-  npm shrinkwrap
-  cp yarn.lock.temp yarn.lock
-  rm yarn.lock.temp
-}
-
 main "$@"

ci/build/build-standalone-release.sh

@@ -1,6 +1,10 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
+# Once we have an NPM package, use this script to copy it to a separate
+# directory (./release-standalone) and install the dependencies.  This new
+# directory can then be packaged as a platform-specific release.
+
 main() {
   cd "$(dirname "${0}")/../.."
 
@@ -9,11 +13,10 @@ main() {
   rsync "$RELEASE_PATH/" "$RELEASE_PATH-standalone"
   RELEASE_PATH+=-standalone
 
-  # We cannot get the path to Node from $PATH (for example via `which node`)
-  # because Yarn shims a script called `node` and we would end up just copying
-  # that script.  Instead we run Node and have it print its actual path.
+  # Package managers may shim their own "node" wrapper into the PATH, so run
+  # node and ask it for its true path.
   local node_path
-  node_path="$(node <<< 'console.info(process.execPath)')"
+  node_path="$(node -p process.execPath)"
 
   mkdir -p "$RELEASE_PATH/bin"
   mkdir -p "$RELEASE_PATH/lib"
@@ -24,6 +27,10 @@ main() {
 
   pushd "$RELEASE_PATH"
   npm install --unsafe-perm --omit=dev
+  # Code deletes some files from the extension node_modules directory which
+  # leaves broken symlinks in the corresponding .bin directory.  nfpm will fail
+  # on these broken symlinks so clean them up.
+  rm -fr "./lib/vscode/extensions/node_modules/.bin"
   popd
 }
 

ci/build/build-vscode.sh

@@ -40,22 +40,29 @@ main() {
 
   source ./ci/lib.sh
 
+  # Set the commit Code will embed into the product.json.  We need to do this
+  # since Code tries to get the commit from the `.git` directory which will fail
+  # as it is a submodule.
+  #
+  # Also, we use code-server's commit rather than VS Code's otherwise it would
+  # not update when only our patch files change, and that will cause caching
+  # issues where the browser keeps using outdated code.
+  export BUILD_SOURCEVERSION
+  BUILD_SOURCEVERSION=$(git rev-parse HEAD)
+
   pushd lib/vscode
 
   if [[ ! ${VERSION-} ]]; then
     echo "VERSION not set. Please set before running this script:"
-    echo "VERSION='0.0.0' yarn build:vscode"
+    echo "VERSION='0.0.0' npm run build:vscode"
     exit 1
   fi
 
-  # Set the commit Code will embed into the product.json.  We need to do this
-  # since Code tries to get the commit from the `.git` directory which will fail
-  # as it is a submodule.
-  export BUILD_SOURCEVERSION
-  BUILD_SOURCEVERSION=$(git rev-parse HEAD)
-
-  # Add the date, our name, links, and enable telemetry (this just makes
-  # telemetry available; telemetry can still be disabled by flag or setting).
+  # Add the date, our name, links, enable telemetry (this just makes telemetry
+  # available; telemetry can still be disabled by flag or setting), and
+  # configure trusted extensions (since some, like github.copilot-chat, never
+  # ask to be trusted and this is the only way to get auth working).
+  #
   # This needs to be done before building as Code will read this file and embed
   # it into the client-side code.
   git checkout product.json             # Reset in case the script exited early.
@@ -89,6 +96,11 @@ main() {
     "linkProtectionTrustedDomains": [
       "https://open-vsx.org"
     ],
+    "trustedExtensionAuthAccess": [
+      "vscode.git", "vscode.github",
+      "github.vscode-pull-request-github",
+      "github.copilot", "github.copilot-chat"
+    ],
     "aiConfig": {
       "ariaKey": "code-server"
     }
@@ -100,7 +112,9 @@ EOF
   # this because we have an NPM package that could be installed on any platform.
   # The correct platform dependencies and scripts will be installed as part of
   # the post-install during `npm install` or when building a standalone release.
-  yarn gulp "vscode-reh-web-linux-x64${MINIFY:+-min}"
+  node --max-old-space-size=16384 --optimize-for-size \
+       ./node_modules/gulp/bin/gulp.js \
+       "vscode-reh-web-linux-x64${MINIFY:+-min}"
 
   # Reset so if you develop after building you will not be stuck with the wrong
   # commit (the dev client will use `oss-dev` but the dev server will still use

ci/build/npm-postinstall.sh

@@ -51,6 +51,18 @@ symlink_bin_script() {
   cd "$oldpwd"
 }
 
+command_exists() {
+  if [ ! "$1" ]; then return 1; fi
+  command -v "$@" > /dev/null
+}
+
+is_root() {
+  if command_exists id && [ "$(id -u)" = 0 ]; then
+    return 0
+  fi
+  return 1
+}
+
 OS="$(os)"
 
 main() {
@@ -64,8 +76,8 @@ main() {
     echo "USE AT YOUR OWN RISK!"
   fi
 
-  if [ "$major_node_version" -ne "${FORCE_NODE_VERSION:-18}" ]; then
-    echo "ERROR: code-server currently requires node v18."
+  if [ "$major_node_version" -ne "${FORCE_NODE_VERSION:-22}" ]; then
+    echo "ERROR: code-server currently requires node v22."
     if [ -n "$FORCE_NODE_VERSION" ]; then
       echo "However, you have overrided the version check to use v$FORCE_NODE_VERSION."
     fi
@@ -75,17 +87,20 @@ main() {
     exit 1
   fi
 
-  case "${npm_config_user_agent-}" in npm*)
-    # We are running under npm.
-    if [ "${npm_config_unsafe_perm-}" != "true" ]; then
-      echo "Please pass --unsafe-perm to npm to install code-server"
-      echo "Otherwise the postinstall script does not have permissions to run"
-      echo "See https://docs.npmjs.com/misc/config#unsafe-perm"
-      echo "See https://stackoverflow.com/questions/49084929/npm-sudo-global-installation-unsafe-perm"
-      exit 1
-    fi
-    ;;
-  esac
+  # Under npm, if we are running as root, we need --unsafe-perm otherwise
+  # post-install scripts will not have sufficient permissions to do their thing.
+  if is_root; then
+    case "${npm_config_user_agent-}" in npm*)
+      if [ "${npm_config_unsafe_perm-}" != "true" ]; then
+        echo "Please pass --unsafe-perm to npm to install code-server"
+        echo "Otherwise post-install scripts will not have permissions to run"
+        echo "See https://docs.npmjs.com/misc/config#unsafe-perm"
+        echo "See https://stackoverflow.com/questions/49084929/npm-sudo-global-installation-unsafe-perm"
+        exit 1
+      fi
+      ;;
+    esac
+  fi
 
   if ! vscode_install; then
     echo "You may not have the required dependencies to build the native modules."
@@ -102,14 +117,11 @@ main() {
 
 install_with_yarn_or_npm() {
   echo "User agent: ${npm_config_user_agent-none}"
-  # NOTE@edvincent: We want to keep using the package manager that the end-user was using to install the package.
-  # This also ensures that when *we* run `yarn` in the development process, the yarn.lock file is used.
+  # For development we enforce npm, but for installing the package as an
+  # end-user we want to keep using whatever package manager is in use.
   case "${npm_config_user_agent-}" in
     npm*)
-      # HACK: NPM's use of semver doesn't like resolving some peerDependencies that vscode (upstream) brings in the form of pre-releases.
-      # The legacy behavior doesn't complain about pre-releases being used, falling back to that for now.
-      # See https://github.com//pull/5071
-      if ! npm install --unsafe-perm --legacy-peer-deps --omit=dev; then
+      if ! npm install --unsafe-perm --omit=dev; then
         return 1
       fi
       ;;

ci/dev/audit.sh

@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-main() {
-  cd "$(dirname "$0")/../.."
-
-  # Prevents integration with moderate or higher vulnerabilities
-  # Docs: https://github.com/IBM/audit-ci#options
-  yarn audit-ci --moderate
-}
-
-main "$@"

ci/dev/ci.sh

@@ -1,13 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-main() {
-  cd "$(dirname "$0")/../.."
-
-  yarn fmt
-  yarn lint
-  yarn _audit
-  yarn test:unit
-}
-
-main "$@"

ci/dev/doctoc.sh

@@ -18,7 +18,7 @@ main() {
     echo "Files need generation or are formatted incorrectly:"
     git -c color.ui=always status | grep --color=no '\[31m'
     echo "Please run the following locally:"
-    echo "  yarn doctoc"
+    echo "  npm run doctoc"
     exit 1
   fi
 }

ci/dev/gen_icons.sh

@@ -1,44 +1,50 @@
 #!/bin/sh
 set -eu
 
+# Generate icons from a single favicon.svg.  favicon.svg should have no fill
+# colors set.
 main() {
   cd src/browser/media
 
-  # We need .ico for backwards compatibility.
-  # The other two are the only icon sizes required by Chrome and
-  # we use them for stuff like apple-touch-icon as well.
-  # https://web.dev/add-manifest/
+  # We need .ico for backwards compatibility.  The other two are the only icon
+  # sizes required by Chrome and we use them for stuff like apple-touch-icon as
+  # well.  https://web.dev/add-manifest/
   #
   # This should be enough and we can always add more if there are problems.
-
+  #
+  # -quiet to avoid https://github.com/ImageMagick/ImageMagick/issues/884
   # -background defaults to white but we want it transparent.
+  # -density somehow makes the image both sharper and smaller in file size.
+  #
   # https://imagemagick.org/script/command-line-options.php#background
-  convert -quiet -background transparent -resize 256x256 favicon.svg favicon.ico
-  # We do not generate the pwa-icon from the favicon as they are slightly different
-  # designs and sizes.
-  # See favicon.afdesign and #2401 for details on the differences.
-  convert -quiet -background transparent -resize 192x192 pwa-icon.png pwa-icon-192.png
-  convert -quiet -background transparent -resize 512x512 pwa-icon.png pwa-icon-512.png
+  convert -quiet -background transparent \
+          -resize 256x256 -density 256x256 \
+          favicon.svg favicon.ico
 
-  # We use -quiet above to avoid https://github.com/ImageMagick/ImageMagick/issues/884
+  # Generate PWA icons.  There should be enough padding to support masking.
+  convert -quiet -border 60x60 -bordercolor white -background white \
+          -resize 192x192 -density 192x192 \
+          favicon.svg pwa-icon-maskable-192.png
+  convert -quiet -border 160x160 -bordercolor white -background white \
+          -resize 512x512 -density 512x512 \
+          favicon.svg pwa-icon-maskable-512.png
 
-  # The following adds dark mode support for the favicon as favicon-dark-support.svg
-  # There is no similar capability for pwas or .ico so we can only add support to the svg.
-  favicon_dark_style="<style>
-@media (prefers-color-scheme: dark) {
-  * {
-    fill: white;
-  }
-}
-</style>"
-  # See https://stackoverflow.com/a/22901380/4283659
-  # This escapes all newlines so that sed will accept them.
-  favicon_dark_style="$(printf "%s\n" "$favicon_dark_style" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')"
-  sed "$(
-    cat -n << EOF
-s%<rect id="favicon"%$favicon_dark_style<rect id="favicon"%
-EOF
-  )" favicon.svg > favicon-dark-support.svg
+  # Generate non-maskable PWA icons.
+  magick pwa-icon-maskable-192.png \
+         \( +clone -threshold 101% -fill white -draw "roundRectangle 0,0 %[fx:int(w)],%[fx:int(h)] 50,50" \) \
+         -channel-fx "| gray=>alpha" \
+         pwa-icon-192.png
+  magick pwa-icon-maskable-512.png \
+         \( +clone -threshold 101% -fill white -draw "roundRectangle 0,0 %[fx:int(w)],%[fx:int(h)] 100,100" \) \
+         -channel-fx "| gray=>alpha" \
+         pwa-icon-512.png
+
+  # The following adds dark mode support for the favicon as
+  # favicon-dark-support.svg There is no similar capability for pwas or .ico so
+  # we can only add support to the svg.
+  favicon_dark_style="<style>@media (prefers-color-scheme: dark) {* { fill: white; }}</style>"
+  cp favicon.svg favicon-dark-support.svg
+  sed "s%<path%$favicon_dark_style\n  <path%" favicon.svg > favicon-dark-support.svg
 }
 
 main "$@"

ci/dev/postinstall.sh

@@ -3,14 +3,13 @@ set -euo pipefail
 
 # Install dependencies in $1.
 install-deps() {
-  local args=(install)
+  local args=()
   if [[ ${CI-} ]]; then
-    args+=(--frozen-lockfile)
+    args+=(ci)
+  else
+    args+=(install)
   fi
-  if [[ "$1" == "lib/vscode" ]]; then
-    args+=(--no-default-rc)
-  fi
-  # If there is no package.json then yarn will look upward and end up installing
+  # If there is no package.json then npm will look upward and end up installing
   # from the root resulting in an infinite loop (this can happen if you have not
   # checked out the submodule yet for example).
   if [[ ! -f "$1/package.json" ]]; then
@@ -19,7 +18,7 @@ install-deps() {
   fi
   pushd "$1"
   echo "Installing dependencies for $PWD"
-  yarn "${args[@]}"
+  npm "${args[@]}"
   popd
 }
 

ci/dev/preinstall.js

@@ -0,0 +1,3 @@
+if (process.env.npm_execpath.includes("yarn")) {
+  throw new Error("`yarn` is no longer supported; please use `npm install` instead")
+}

ci/dev/test-e2e.sh

@@ -2,9 +2,9 @@
 set -euo pipefail
 
 help() {
-  echo >&2 "  You can build with 'yarn watch' or you can build a release"
-  echo >&2 "  For example: 'yarn build && yarn build:vscode && KEEP_MODULES=1 yarn release'"
-  echo >&2 "  Then 'CODE_SERVER_TEST_ENTRY=./release yarn test:e2e'"
+  echo >&2 "  You can build with 'npm run watch' or you can build a release"
+  echo >&2 "  For example: 'npm run build && npm run build:vscode && KEEP_MODULES=1 npm run release'"
+  echo >&2 "  Then 'CODE_SERVER_TEST_ENTRY=./release npm run test:e2e'"
   echo >&2 "  You can manually run that release with 'node ./release'"
 }
 
@@ -15,7 +15,7 @@ main() {
 
   pushd test/e2e/extensions/test-extension
   echo "Building test extension"
-  yarn build
+  npm run build
   popd
 
   local dir="$PWD"
@@ -44,7 +44,7 @@ main() {
   fi
 
   cd test
-  yarn playwright test "$@"
+  ./node_modules/.bin/playwright test "$@"
 }
 
 main "$@"

ci/dev/test-integration.sh

@@ -2,9 +2,9 @@
 set -euo pipefail
 
 help() {
-  echo >&2 "  You can build the standalone release with 'yarn release:standalone'"
+  echo >&2 "  You can build the standalone release with 'npm run release:standalone'"
   echo >&2 "  Or you can pass in a custom path."
-  echo >&2 "  CODE_SERVER_PATH='/var/tmp/coder/code-server/bin/code-server' yarn test:integration"
+  echo >&2 "  CODE_SERVER_PATH='/var/tmp/coder/code-server/bin/code-server' npm run test:integration"
 }
 
 # Make sure a code-server release works. You can pass in the path otherwise it
@@ -33,7 +33,7 @@ main() {
     exit 1
   fi
 
-  CODE_SERVER_PATH="$path" CS_DISABLE_PLUGINS=true ./test/node_modules/.bin/jest "$@" --coverage=false --testRegex "./test/integration" --testPathIgnorePatterns "./test/integration/fixtures"
+  CODE_SERVER_PATH="$path" ./test/node_modules/.bin/jest "$@" --coverage=false --testRegex "./test/integration" --testPathIgnorePatterns "./test/integration/fixtures"
 }
 
 main "$@"

ci/dev/test-native.sh

@@ -2,9 +2,9 @@
 set -euo pipefail
 
 help() {
-  echo >&2 "  You can build the standalone release with 'yarn release:standalone'"
+  echo >&2 "  You can build the standalone release with 'npm run release:standalone'"
   echo >&2 "  Or you can pass in a custom path."
-  echo >&2 "  CODE_SERVER_PATH='/var/tmp/coder/code-server/bin/code-server' yarn test:integration"
+  echo >&2 "  CODE_SERVER_PATH='/var/tmp/coder/code-server/bin/code-server' npm run test:integration"
 }
 
 # Make sure a code-server release works. You can pass in the path otherwise it

ci/dev/test-unit.sh

@@ -6,15 +6,10 @@ main() {
 
   source ./ci/lib.sh
 
-  echo "Building test plugin"
-  pushd test/unit/node/test-plugin
-  make -s out/index.js
-  popd
-
   # We must keep jest in a sub-directory. See ../../test/package.json for more
   # information. We must also run it from the root otherwise coverage will not
   # include our source files.
-  CS_DISABLE_PLUGINS=true ./test/node_modules/.bin/jest "$@" --testRegex "./test/unit/.*ts" --testPathIgnorePatterns "./test/unit/node/test-plugin"
+  ./test/node_modules/.bin/jest "$@" --testRegex "./test/unit/.*ts"
 }
 
 main "$@"

ci/dev/watch.ts

@@ -45,9 +45,11 @@ class Watcher {
 
   private readonly compilers: DevelopmentCompilers = {
     codeServer: spawn("tsc", ["--watch", "--pretty", "--preserveWatchOutput"], { cwd: this.rootPath }),
-    vscode: spawn("yarn", ["watch"], { cwd: this.paths.vscodeDir }),
-    vscodeWebExtensions: spawn("yarn", ["watch-web"], { cwd: this.paths.vscodeDir }),
-    plugins: this.paths.pluginDir ? spawn("yarn", ["build", "--watch"], { cwd: this.paths.pluginDir }) : undefined,
+    vscode: spawn("npm", ["run", "watch"], { cwd: this.paths.vscodeDir }),
+    vscodeWebExtensions: spawn("npm", ["run", "watch-web"], { cwd: this.paths.vscodeDir }),
+    plugins: this.paths.pluginDir
+      ? spawn("npm", ["run", "build", "--watch"], { cwd: this.paths.pluginDir })
+      : undefined,
   }
 
   public async initialize(): Promise<void> {

ci/helm-chart/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.13.0
+version: 3.33.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.17.0
+appVersion: 4.109.5

ci/helm-chart/templates/deployment.yaml

@@ -3,23 +3,21 @@ kind: Deployment
 metadata:
   name: {{ include "code-server.fullname" . }}
   labels:
-    app.kubernetes.io/name: {{ include "code-server.name" . }}
-    helm.sh/chart: {{ include "code-server.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- include "code-server.labels" . | nindent 4 }}
+  {{- if .Values.annotations }}
+  annotations: {{- toYaml .Values.annotations | nindent 4 }}
+  {{- end }}
 spec:
-  replicas: 1
+  replicas: {{ .Values.replicaCount | default 1 }}
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: {{ include "code-server.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
+      {{- include "code-server.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: {{ include "code-server.name" . }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- include "code-server.selectorLabels" . | nindent 8 }}
       {{- if .Values.podAnnotations }}
       annotations: {{- toYaml .Values.podAnnotations | nindent 8 }}
       {{- end }}
@@ -35,8 +33,9 @@ spec:
       securityContext:
         fsGroup: {{ .Values.securityContext.fsGroup }}
       {{- end }}
-      {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
+      {{- if or (and .Values.volumePermissions.enabled .Values.persistence.enabled) .Values.extraInitContainers }}
       initContainers:
+      {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
       - name: init-chmod-data
         image: busybox:latest
         imagePullPolicy: IfNotPresent
@@ -50,6 +49,7 @@ spec:
         volumeMounts:
         - name: data
           mountPath: /home/coder
+      {{- end }}
 {{- if .Values.extraInitContainers }}
 {{ tpl .Values.extraInitContainers . | indent 6}}
 {{- end }}
@@ -123,14 +123,18 @@ spec:
               containerPort: {{ .port }}
               protocol: {{ .protocol }}
           {{- end }}
+          {{- if ne .Values.livenessProbe.enabled false }}
           livenessProbe:
             httpGet:
-              path: /
+              path: /healthz
               port: http
+          {{- end }}
+          {{- if ne .Values.readinessProbe.enabled false }}
           readinessProbe:
             httpGet:
-              path: /
+              path: /healthz
               port: http
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}
@@ -177,9 +181,12 @@ spec:
         {{- if .existingClaim }}
         persistentVolumeClaim:
           claimName: {{ .existingClaim }}
-        {{- else }}
+        {{- else if .hostPath }}
         hostPath:
           path: {{ .hostPath }}
           type: Directory
+        {{- else }}
+        emptyDir:
+          {{- toYaml .emptyDir | nindent 10 }}
         {{- end }}
       {{- end }}

ci/helm-chart/templates/pvc.yaml

@@ -9,10 +9,7 @@ metadata:
 {{ toYaml . | indent 4 }}
 {{- end }}
   labels:
-    app.kubernetes.io/name: {{ include "code-server.name" . }}
-    helm.sh/chart: {{ include "code-server.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- include "code-server.labels" . | nindent 4 }}
 spec:
   accessModes:
     - {{ .Values.persistence.accessMode | quote }}

ci/helm-chart/templates/secrets.yaml

@@ -6,10 +6,7 @@ metadata:
   annotations:
     "helm.sh/hook": "pre-install"
   labels:
-    app.kubernetes.io/name: {{ include "code-server.name" . }}
-    helm.sh/chart: {{ include "code-server.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- include "code-server.labels" . | nindent 4 }}
 type: Opaque
 data:
   {{- if .Values.password }}

ci/helm-chart/templates/service.yaml

@@ -3,10 +3,7 @@ kind: Service
 metadata:
   name: {{ include "code-server.fullname" . }}
   labels:
-    app.kubernetes.io/name: {{ include "code-server.name" . }}
-    helm.sh/chart: {{ include "code-server.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- include "code-server.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
   ports:

ci/helm-chart/templates/serviceaccount.yaml

@@ -3,9 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    app.kubernetes.io/name: {{ include "code-server.name" . }}
-    helm.sh/chart: {{ include "code-server.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- include "code-server.labels" . | nindent 4 }}
   name: {{ template "code-server.serviceAccountName" . }}
 {{- end -}}

ci/helm-chart/templates/tests/test-connection.yaml

@@ -3,16 +3,13 @@ kind: Pod
 metadata:
   name: "{{ include "code-server.fullname" . }}-test-connection"
   labels:
-    app.kubernetes.io/name: {{ include "code-server.name" . }}
-    helm.sh/chart: {{ include "code-server.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{- include "code-server.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": test-success
+    "helm.sh/hook": test
 spec:
   containers:
     - name: wget
       image: busybox
       command: ['wget']
-      args:  ['{{ include "code-server.fullname" . }}:{{ .Values.service.port }}']
+      args:  ['{{ include "code-server.fullname" . }}:{{ .Values.service.port }}/healthz']
   restartPolicy: Never

ci/helm-chart/values.yaml

@@ -6,7 +6,7 @@ replicaCount: 1
 
 image:
   repository: codercom/code-server
-  tag: '4.17.0'
+  tag: '4.109.5'
   pullPolicy: Always
 
 # Specifies one or more secrets to be used when pulling images from a
@@ -19,6 +19,9 @@ nameOverride: ""
 fullnameOverride: ""
 hostnameOverride: ""
 
+# The existing secret to use for code-server authentication in the frontend. the password is stored in the secret under the key `password`
+# existingSecret: ""
+
 serviceAccount:
   # Specifies whether a service account should be created
   create: true
@@ -28,6 +31,9 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: ""
 
+# Specifies annotations for deployment
+annotations: {}
+
 podAnnotations: {}
 
 podSecurityContext: {}
@@ -71,9 +77,10 @@ extraArgs: []
 # Optional additional environment variables
 extraVars: []
 #  - name: DISABLE_TELEMETRY
-#    value: true
+#    value: "true"
+# if dind is desired:
 #  - name: DOCKER_HOST
-#    value: "tcp://localhost:2375"
+#    value: "tcp://localhost:2376"
 
 ##
 ## Init containers parameters:
@@ -104,6 +111,12 @@ resources: {}
   #  cpu: 100m
   #  memory: 1000Mi
 
+livenessProbe:
+  enabled: true
+
+readinessProbe:
+  enabled: true
+
 nodeSelector: {}
 
 tolerations: []
@@ -136,25 +149,39 @@ lifecycle:
   #      - -c
   #      - curl -s -L SOME_SCRIPT | bash
 
+  # for dind, the following may be helpful
+  # postStart:
+  #   exec:
+  #     command:
+  #       - /bin/sh
+  #       - -c
+  #       - |
+  #         sudo apt-get update \
+  #           && sudo apt-get install -y docker.io
+
 ## Enable an Specify container in extraContainers.
 ## This is meant to allow adding code-server dependencies, like docker-dind.
 extraContainers: |
 # If docker-dind is used, DOCKER_HOST env is mandatory to set in "extraVars"
-#- name: docker-dind
-#  image: docker:19.03-dind
-#  imagePullPolicy: IfNotPresent
-#  resources:
-#    requests:
-#      cpu: 250m
-#      memory: 256M
-#  securityContext:
-#    privileged: true
-#    procMount: Default
-#  env:
-#  - name: DOCKER_TLS_CERTDIR
-#    value: ""
-#  - name: DOCKER_DRIVER
-#    value: "overlay2"
+# - name: docker-dind
+#   image: docker:28.3.2-dind
+#   imagePullPolicy: IfNotPresent
+#   resources:
+#     requests:
+#       cpu: 1
+#       ephemeral-storage: "50Gi"
+#       memory: 10Gi
+#   securityContext:
+#     privileged: true
+#     procMount: Default
+#   env:
+#     - name: DOCKER_TLS_CERTDIR
+#       value: "" # disable TLS setup
+#   command:
+#     - dockerd
+#     - --host=unix:///var/run/docker.sock
+#     - --host=tcp://0.0.0.0:2376
+
 
 extraInitContainers: |
 # - name: customization
@@ -190,6 +217,7 @@ extraVolumeMounts: []
   #   readOnly: true
   #   existingClaim: volume-claim
   #   hostPath: ""
+  #   emptyDir: {}
 
 extraConfigmapMounts: []
   # - name: certs-configmap

ci/release-image/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:experimental
 
-ARG BASE=debian:11
+ARG BASE=debian:12
 FROM scratch AS packages
 COPY release-packages/code-server*.deb /tmp/
 
@@ -10,18 +10,19 @@ RUN apt-get update \
   && apt-get install -y \
     curl \
     dumb-init \
-    zsh \
-    htop \
-    locales \
-    man \
-    nano \
     git \
     git-lfs \
-    procps \
-    openssh-client \
-    sudo \
-    vim.tiny \
+    htop \
+    locales \
     lsb-release \
+    man-db \
+    nano \
+    openssh-client \
+    procps \
+    sudo \
+    vim-tiny \
+    wget \
+    zsh \
   && git lfs install \
   && rm -rf /var/lib/apt/lists/*
 
@@ -30,11 +31,14 @@ RUN sed -i "s/# en_US.UTF-8/en_US.UTF-8/" /etc/locale.gen \
   && locale-gen
 ENV LANG=en_US.UTF-8
 
-RUN adduser --gecos '' --disabled-password coder \
+RUN if grep -q 1000 /etc/passwd; then \
+    userdel -r "$(id -un 1000)"; \
+  fi \
+  && adduser --gecos '' --disabled-password coder \
   && echo "coder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/nopasswd
 
 RUN ARCH="$(dpkg --print-architecture)" \
-  && curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.5/fixuid-0.5-linux-$ARCH.tar.gz" | tar -C /usr/local/bin -xzf - \
+  && curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.6.0/fixuid-0.6.0-linux-$ARCH.tar.gz" | tar -C /usr/local/bin -xzf - \
   && chown root:root /usr/local/bin/fixuid \
   && chmod 4755 /usr/local/bin/fixuid \
   && mkdir -p /etc/fixuid \

ci/release-image/Dockerfile.fedora

@@ -0,0 +1,51 @@
+# syntax=docker/dockerfile:experimental
+
+ARG BASE=fedora:39
+FROM scratch AS packages
+COPY release-packages/code-server*.rpm /tmp/
+
+FROM $BASE
+
+RUN dnf update -y \
+    && dnf install -y \
+    curl \
+    git \
+    git-lfs \
+    htop \
+    nano \
+    openssh-clients \
+    procps \
+    wget \
+    zsh \
+    dumb-init \
+    glibc-langpack-en \
+    && rm -rf /var/cache/dnf
+RUN git lfs install
+
+ENV LANG=en_US.UTF-8
+RUN echo 'LANG="en_US.UTF-8"' > /etc/locale.conf
+
+RUN useradd -u 1000 coder && echo "coder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/nopasswd
+
+RUN ARCH="$(uname -m | sed 's/x86_64/amd64/g' | sed 's/aarch64/arm64/g')" \
+  && curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.6.0/fixuid-0.6.0-linux-$ARCH.tar.gz" | tar -C /usr/local/bin -xzf - \
+  && chown root:root /usr/local/bin/fixuid \
+  && chmod 4755 /usr/local/bin/fixuid \
+  && mkdir -p /etc/fixuid \
+  && printf "user: coder\ngroup: coder\n" > /etc/fixuid/config.yml
+
+COPY ci/release-image/entrypoint.sh /usr/bin/entrypoint.sh
+RUN --mount=from=packages,src=/tmp,dst=/tmp/packages rpm -i /tmp/packages/code-server*$(uname -m | sed 's/x86_64/amd64/g' | sed 's/aarch64/arm64/g').rpm
+
+# Allow users to have scripts run on container startup to prepare workspace.
+# https://github.com/coder/code-server/issues/5177
+ENV ENTRYPOINTD=${HOME}/entrypoint.d
+
+EXPOSE 8080
+# This way, if someone sets $DOCKER_USER, docker-exec will still work as
+# the uid will remain the same. note: only relevant if -u isn't passed to
+# docker-run.
+USER 1000
+ENV USER=coder
+WORKDIR /home/coder
+ENTRYPOINT ["/usr/bin/entrypoint.sh", "--bind-addr", "0.0.0.0:8080", "."]

ci/release-image/Dockerfile.opensuse

@@ -0,0 +1,51 @@
+# syntax=docker/dockerfile:experimental
+
+ARG BASE=opensuse/tumbleweed
+FROM scratch AS packages
+COPY release-packages/code-server*.rpm /tmp/
+
+FROM $BASE
+
+RUN zypper dup -y \
+    && zypper in -y \
+    curl \
+    git \
+    git-lfs \
+    htop \
+    nano \
+    openssh-clients \
+    procps \
+    wget \
+    zsh \
+    sudo \
+    catatonit \
+    && rm -rf /var/cache/zypp /var/cache/zypper
+RUN git lfs install
+
+ENV LANG=en_US.UTF-8
+RUN echo 'LANG="en_US.UTF-8"' > /etc/locale.conf
+
+RUN useradd -u 1000 coder && echo "coder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/nopasswd
+
+RUN ARCH="$(uname -m | sed 's/x86_64/amd64/g' | sed 's/aarch64/arm64/g')" \
+  && curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.6.0/fixuid-0.6.0-linux-$ARCH.tar.gz" | tar -C /usr/local/bin -xzf - \
+  && chown root:root /usr/local/bin/fixuid \
+  && chmod 4755 /usr/local/bin/fixuid \
+  && mkdir -p /etc/fixuid \
+  && printf "user: coder\ngroup: coder\n" > /etc/fixuid/config.yml
+
+COPY ci/release-image/entrypoint-catatonit.sh /usr/bin/entrypoint-catatonit.sh
+RUN --mount=from=packages,src=/tmp,dst=/tmp/packages rpm -i /tmp/packages/code-server*$(uname -m | sed 's/x86_64/amd64/g' | sed 's/aarch64/arm64/g').rpm
+
+# Allow users to have scripts run on container startup to prepare workspace.
+# https://github.com/coder/code-server/issues/5177
+ENV ENTRYPOINTD=${HOME}/entrypoint.d
+
+EXPOSE 8080
+# This way, if someone sets $DOCKER_USER, docker-exec will still work as
+# the uid will remain the same. note: only relevant if -u isn't passed to
+# docker-run.