Changelog
Note
This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.
BREAKING CHANGES
- fix(coderd)!: restrict OIDC email fallback to first-time account linking (#25712, ffe7645)
- fix!: validate HostnameSuffix and SSHConfigOptions' (#26154, fb52711)
- fix!: reject OIDC login when email_verified claim is non-bool or absent (#25713, 120b37a)
Features
Bug fixes
- Escape agent log HTML (#25808, bf5a220)
- Escape appearance values in HTML output (#25804, aba0853)
- Clamp template port sharing level in SubAgentAPI (#26061, b78ec31)
- Use a random value for a simulated hash for built-in users (#26205, 6879532)
- Require update permission to recreate devcontainers (#25812, e822677)
- Server: Verify workspace owner matches app username (#26085, 3019613)
- Always verify TLS on aibridgeproxyd upstream transport (#26131, 6293c89)
- Check user user is active in aibridge auth (#26173, 943b04f)
- Add max bytes request limit to aibridge (#26164, 9fc2550)
- Rename bundled rstudio.svg to rproject.svg, add real RStudio icon (#26216, f3839eb)
- Server: Suppress AI Governance seat-count error for not-entitled licenses (#26276, 6419f53)
- Preserve gemini thought signatures (#25933, 9595e6c)
- Server: Prevent user-admin from resetting owner password (#25709, f15a934)
- Validate FileSize in NewDataBuilder to prevent OOM DoS (#25710, 531ef5e)
- Reject oversized and invalid zip uploads (#25877, 430ba84)
- Allow lifecycle code path to retry failed stop jobs (#26278, 05e50d1)
- Server: Prevent cross-tenant workspace app rebinding (#26103, e4a7657) (@dylanhuff-at-coder)
- Agent: Prevent command injection in shell execer (#26235, b949480) (@zedkipp)
- Validate agent-supplied AllowedIPs in coordinator (#26144, c3e7e94) (@f0ssel)
- Only trust x-forwarded-host from configured trusted proxies (#2… (#26296, 3c46473)
- Prevent session token exfiltration via external app URLs (#26146, d7774e5) (@zedkipp)
Chores
Compare: v2.34.1...v2.34.2
Container image
docker pull ghcr.io/coder/coder:2.34.2
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.