Changelog
Bug fixes
- Upgrade go.opentelemetry.io/otel/sdk to v1.43.0 (CVE-2026-39883) (#25254, c0f52b1)
- fix(deps): upgrade go-git/go-git/v5 to v5.19.0 (CVE-2026-45022) (#25256, 84b3f71)
- Upgrade google.golang.org/grpc to v1.79.3 (CVE-2026-33186) (#25262, bc9ee3b)
- Bump go-jose/go-jose/v4 to v4.1.4 (CVE-2026-34986) (#25263, e02a00e)
- Upgrade go-jose/v4 to v4.1.4 (CVE-2026-34986) (#25264, dfdbf8b)
- Upgrade buger/jsonparser to v1.1.2 (GHSA-6g7g-w4f8-9c9x) (#25265, c40a25e)
- Upgrade buger/jsonparser to v1.1.2 (GHSA-6g7g-w4f8-9c9x) (#25266, cd5d736)
- Upgrade golang.org/x/net to v0.53.0 (CVE-2026-33814) (#25258, 7d00d11)
- fix(go.mod): bump gomarkdown/markdown to fix GHSA-77fj-vx54-gvh7 (v2.29) (#25251, c67fe2c)
- fix(go.mod): upgrade goldmark to v1.7.17 (CVE-2026-5160) (#25252, 8782002)
- Bump Go from 1.25.8 to 1.25.10 (#25253, 5d6a67f)
- fix(scripts/ironbank): update base image to UBI9 and remove urllib3 (CVE-2026-44431) (#25245, 9557b1e)
- Server: Harden Azure identity certificate fetch (cherry-pick v2.29) (#25279, ec183eb)
- Verify PKCS7 signature on Azure instance identity tokens (backport 2.29) (#25307, 25ddc1c)
Compare: v2.29.12...v2.29.13
Container image
docker pull ghcr.io/coder/coder:2.29.13
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.