Backport of https://github.com/coder/coder/pull/24645 to `release/2.32`.
Once a user has touched a field, it is better to leave it alone and
display explicit validation errors over silently overwriting their
inputs. Same for auto-filled values (whether from query parameters or a
previous build).
Original PR: #24645 — fix: do not clobber dynamic parameters
Merge commit: d958d89b6f
Closes #23418
<details>
<summary>Cherry-pick conflict resolution</summary>
Two conflicts resolved:
1. **`site/src/testHelpers/websockets.ts`**: File was empty on
release/2.32. Took the incoming version with the new
`mockDynamicParameterWebSocket` helper.
2. **`site/src/pages/CreateWorkspacePage/CreateWorkspacePage.jest.tsx`**:
File is `.jest.tsx` on the release branch (`.test.tsx` on main). Applied
the incoming content (refactored websocket mocking, modernized test
calls) to the existing `.jest.tsx` filename.
</details>
> [!NOTE]
> Generated with [Coder Agents](https://coder.com) by @rowansmithau
---------
Co-authored-by: Asher <ash@coder.com>
Co-authored-by: Garrett Delfosse <delfossegarrett@gmail.com>
## Summary
Fixes the bundled Terraform binary in IronBank images being compiled
with an older Go toolchain that exposes 9 CVEs (1 Critical, 5 High, 3
Medium) fixed in Go 1.25.9.
## Problem
No upstream Terraform release is yet compiled with Go 1.25.9+:
- Terraform 1.14.5 (used by provisioner): compiled with **Go 1.25.6**
- Terraform 1.15.2 (latest stable): compiled with **Go 1.25.8**
- The previous IronBank manifest referenced Terraform 1.3.7, compiled
with Go ~1.19
## Fix
The IronBank build script now compiles Terraform **from source** using
the same Go toolchain as Coder (>= 1.25.9), ensuring all CVEs in the Go
stdlib are addressed.
### Changes
**`scripts/ironbank/build_ironbank.sh`**:
- Builds Terraform 1.14.5 from source instead of downloading a
precompiled binary
- Adds `go`, `zip`, and `git` as build dependencies
- Reads `TERRAFORM_VERSION` from `hardening_manifest.yaml`
**`scripts/ironbank/hardening_manifest.yaml`**:
- Updated all versions to match release/2.32 (was severely outdated):
- Coder: 0.15.3 -> 2.32.1
- Terraform: 1.3.7 -> 1.14.5 (built from source)
- Provider: 0.6.10 -> 2.15.0
- Replaced precompiled Terraform binary URL with source tarball
reference
- Added `TERRAFORM_VERSION` build arg for the build script
<details>
<summary>Decision log</summary>
- **Why build from source?** Neither the latest Terraform 1.14.5 (Go
1.25.6) nor 1.15.2 (Go 1.25.8) is compiled with Go 1.25.9+. Building
from source with our Go toolchain is the only way to address the CVEs
without waiting for an upstream release.
- **Why not bump to Terraform 1.15.x?** The provisioner on release/2.32
has `maxTerraformVersion = 1.14.9`. Bumping to 1.15.x would require
provisioner changes, which is risky on a release branch.
- **Why update the entire manifest?** The manifest was pinned to Coder
0.15.3, Terraform 1.3.7, and provider 0.6.10, all severely outdated and
inconsistent with the release/2.32 branch.
</details>
> Generated by Coder Agents. [Issue ENT-23](https://linear.app/codercom/issue/ENT-23)
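The decision log above hinges on one verifiable fact: which Go toolchain a shipped binary was compiled with. The following is an added example (not part of the Coder build scripts) that reads the build info Go embeds in every binary, the same data `go version -m <file>` prints, and fails when the toolchain is older than a required minimum. The version parsing, the `CheckBinaryToolchain` name and the "go1.25.9" threshold used in the usage line are this example's own choices.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion turns a toolchain string as recorded in a binary's build
// info ("go1.25.6", "go1.19") into numeric parts. Pre-release strings such as
// "go1.26rc1" are rejected rather than guessed at.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised Go version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// GoVersionAtLeast reports whether toolchain `have` is at least `want`,
// e.g. ("go1.25.6", "go1.25.9") is false and ("go1.25.10", "go1.25.9") is true.
func GoVersionAtLeast(have, want string) (bool, error) {
	h, err := parseGoVersion(have)
	if err != nil {
		return false, err
	}
	w, err := parseGoVersion(want)
	if err != nil {
		return false, err
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return true, nil
}

// CheckBinaryToolchain reads the Go build info embedded in a compiled binary
// and fails when the toolchain that built it is older than minVersion. This is
// the check that catches a vendored Terraform compiled with a Go release that
// still carries stdlib CVEs, regardless of the Terraform version string.
func CheckBinaryToolchain(path, minVersion string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("read build info from %s: %w", path, err)
	}
	ok, err := GoVersionAtLeast(bi.GoVersion, minVersion)
	if err != nil {
		return bi.GoVersion, err
	}
	if !ok {
		return bi.GoVersion, fmt.Errorf("%s was built with %s, older than required %s", path, bi.GoVersion, minVersion)
	}
	return bi.GoVersion, nil
}

func main() {
	// Usage: gocheck /path/to/terraform go1.25.9
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <binary> <min-go-version, e.g. go1.25.9>")
		os.Exit(2)
	}
	got, err := CheckBinaryToolchain(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "FAIL:", err)
		os.Exit(1)
	}
	fmt.Printf("OK: %s built with %s\n", os.Args[1], got)
}
```

Run it against the Terraform binary in the built image as a post-build gate; a non-zero exit means the binary was produced by a toolchain older than the one the CVE fixes landed in.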
Anthropic task name responses can include valid JSON followed by a
closing fence or extra text, which made `json.Unmarshal` fail with
trailing-character errors and forced fallback naming.
This updates task name JSON extraction to accept the first JSON value
after optional fences and adds regression coverage for fenced and bare
JSON with trailing content.
(cherry picked from commit 87d580d3fe)
Co-authored-by: Max Schwenk <maschwenk@gmail.com>
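As an added illustration of the extraction rule described above (this is example code, not the code from the commit), the following Go program accepts the first JSON value after an optional opening fence and ignores anything that follows it, where `json.Unmarshal` would fail on the trailing characters. The `name` field and the `TaskNameFromResponse` helper are assumptions for the example; the page does not state the real response schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// openingFence matches an optional leading markdown fence such as "```json\n"
// or "```\n" so decoding starts at the JSON value itself.
var openingFence = regexp.MustCompile("^\\s*```[A-Za-z0-9_-]*[ \\t]*\\r?\\n?")

// ExtractFirstJSON returns the first complete JSON value in s, skipping an
// optional opening fence and ignoring whatever follows the value (a closing
// fence, prose, a second value). json.Decoder stops after one value, which is
// what makes this tolerant where json.Unmarshal rejects trailing characters.
func ExtractFirstJSON(s string) (json.RawMessage, error) {
	s = openingFence.ReplaceAllString(s, "")
	var raw json.RawMessage
	if err := json.NewDecoder(strings.NewReader(s)).Decode(&raw); err != nil {
		return nil, fmt.Errorf("no JSON value found: %w", err)
	}
	return raw, nil
}

// taskNameResponse is the shape assumed for this example only.
type taskNameResponse struct {
	Name string `json:"name"`
}

// TaskNameFromResponse extracts the generated task name, returning ok=false
// when the caller should fall back to a default name.
func TaskNameFromResponse(resp string) (name string, ok bool) {
	raw, err := ExtractFirstJSON(resp)
	if err != nil {
		return "", false
	}
	var tn taskNameResponse
	if err := json.Unmarshal(raw, &tn); err != nil || strings.TrimSpace(tn.Name) == "" {
		return "", false
	}
	return tn.Name, true
}

func main() {
	// Constructed sample model outputs: fenced, bare with trailing text, and no JSON at all.
	samples := []string{
		"```json\n{\"name\":\"Fix login redirect\"}\n```",
		"{\"name\":\"Rotate API keys\"} Let me know if you'd like alternatives.",
		"Sorry, I cannot name this task.",
	}
	for _, s := range samples {
		name, ok := TaskNameFromResponse(s)
		fmt.Printf("ok=%v name=%q\n", ok, name)
	}
}
```

The decoder approach is deliberate: it validates only the first value, so a model that appends commentary after the JSON no longer forces the fallback naming path, while a response with no JSON at all still fails cleanly.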
## Summary
Backports #25089 to `release/2.32` so `coder exp sync want` and `coder
exp sync start` print the dependency units involved in startup
coordination instead of generic success messages.
## Validation
- `git diff --check origin/release/2.32..HEAD`
- `go test ./cli -run TestSyncCommands -count=1`
> [!NOTE]
> `make test RUN=TestSyncCommands` hit an unrelated `codersdk/toolsdk`
filtered-test failure because that package expects all tools to be
tested. The affected CLI test passed with the package-scoped command
above.
> 🤖 This PR was created with the help of Coder Agents, and needs a human
review. 🧑💻
Co-authored-by: Max Schwenk <maschwenk@gmail.com>
Cherry-pick backport of #24474 and #24529 to `release/2.32`.
- #24474: fix(coderd): add frame-ancestors CSP directive to prevent
clickjacking
- #24529: fix(coderd): omit frame-ancestors CSP for embed routes
Both commits cherry-picked cleanly with no conflicts.
> Generated by Coder Agents
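The two backported commits together describe one policy: send a `frame-ancestors` CSP directive everywhere except on routes meant to be embedded. Below is an added Go `net/http` middleware illustrating that policy; it is example code, not the coderd implementation. The `'none'` value, the `default-src 'self'` base policy and the `/embed/` prefix are this example's assumptions, since the page does not list the actual directives or route names.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// basePolicy and embedPrefixes are assumptions for this example; the page does
// not state Coder's real CSP directives or embed route paths.
const basePolicy = "default-src 'self'"

var embedPrefixes = []string{"/embed/"}

// isEmbedRoute reports whether the request path is one intended to be
// framed by third-party pages and must therefore not carry frame-ancestors.
func isEmbedRoute(path string) bool {
	for _, p := range embedPrefixes {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}

// WithCSP adds "frame-ancestors 'none'" to the Content-Security-Policy so the
// application cannot be loaded in a frame (the clickjacking defence), and
// omits that directive on embed routes so those pages can still be framed.
func WithCSP(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		policy := basePolicy
		if !isEmbedRoute(r.URL.Path) {
			policy += "; frame-ancestors 'none'"
		}
		w.Header().Set("Content-Security-Policy", policy)
		next.ServeHTTP(w, r)
	})
}

// CSPFor runs a request for path through the middleware and returns the
// Content-Security-Policy header it produced, for tests and quick inspection.
func CSPFor(path string) string {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	WithCSP(ok).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Header().Get("Content-Security-Policy")
}

func main() {
	for _, p := range []string{"/workspaces", "/embed/terminal/abc"} {
		fmt.Printf("%-22s %s\n", p, CSPFor(p))
	}
}
```

A prefix match is used on purpose: an embed route is a deliberate exception, so the list should stay short and explicit rather than being derived from query parameters or headers the embedding page controls.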
The Azure instance-identity authentication endpoint parsed the PKCS7
envelope and verified the certificate chain, but never verified the
PKCS7 signature itself. An attacker could forge a PKCS7 envelope with a
legitimate, publicly obtainable Azure certificate and arbitrary vmId
content to obtain any agent auth token.
Add verifyPKCS7Signature(), a custom PKCS7 signature verification that
handles Azure's non-standard use of sha256WithRSAEncryption (OID
1.2.840.113549.1.1.11) as the DigestAlgorithm. The upstream
go.mozilla.org/pkcs7 library Verify() rejects this combination.
The verification checks:
1. Content digest matches the signed message-digest attribute
2. Signature over the authenticated attributes is valid
Tests added:
- TestValidate_TamperedContent: forges a PKCS7 with modified vmId,
confirms rejection
- TestValidate_UntrustedCertWithValidSignature: valid PKCS7 signature
with untrusted cert chain, confirms rejection
Co-authored-by: Jakub Domeracki <jakub@coder.com>
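To make the two checks concrete, here is an added, self-contained Go example. It is not Coder's `verifyPKCS7Signature()` and not the go.mozilla.org/pkcs7 code: it models only the SignerInfo fields the two checks need, hard-codes SHA-256 with RSA PKCS#1 v1.5 instead of parsing the DigestAlgorithm identifier the commit works around, and uses a constructed vmId payload. The `Sign` helper exists only to build envelopes for the demonstration, and `GenerateSigner` only to produce a throwaway key.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"fmt"
)

// PKCS#9 attribute OIDs and the PKCS#7 "data" content type.
var (
	oidContentType   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 3}
	oidMessageDigest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4}
	oidData          = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}
)

// attribute is ASN.1 Attribute ::= SEQUENCE { type OID, values SET OF ANY }.
type attribute struct {
	Type   asn1.ObjectIdentifier
	Values []asn1.RawValue `asn1:"set"`
}

// SignerInfo holds the parts of a PKCS#7 SignerInfo this example verifies.
// AuthAttrs is the DER of the signed attributes as it appears inside the
// envelope, i.e. with the IMPLICIT [0] tag (0xA0) instead of SET OF (0x31).
type SignerInfo struct {
	Content   []byte
	AuthAttrs []byte
	Signature []byte
}

// VerifySignerInfo performs the two checks from the commit message:
//  1. sha256(content) equals the messageDigest signed attribute, and
//  2. the RSA signature is valid over the signed attributes (re-tagged to SET OF).
// Certificate-chain validation is assumed to have happened already.
func VerifySignerInfo(pub *rsa.PublicKey, si SignerInfo) error {
	if len(si.AuthAttrs) == 0 || si.AuthAttrs[0] != 0xA0 {
		return errors.New("signed attributes missing or not tagged [0]")
	}
	// The signature covers the attributes encoded with the SET OF tag, not the
	// IMPLICIT [0] tag they carry inside SignerInfo.
	signed := append([]byte{0x31}, si.AuthAttrs[1:]...)

	var attrs []attribute
	rest, err := asn1.UnmarshalWithParams(signed, &attrs, "set")
	if err != nil {
		return fmt.Errorf("parse signed attributes: %w", err)
	}
	if len(rest) != 0 {
		return errors.New("trailing bytes after signed attributes")
	}
	var md []byte
	for _, a := range attrs {
		if a.Type.Equal(oidMessageDigest) && len(a.Values) == 1 && a.Values[0].Tag == asn1.TagOctetString {
			md = a.Values[0].Bytes
		}
	}
	if md == nil {
		return errors.New("messageDigest attribute missing")
	}
	// Check 1: the signed attribute must commit to the content actually presented.
	contentDigest := sha256.Sum256(si.Content)
	if !bytes.Equal(md, contentDigest[:]) {
		return errors.New("content digest does not match messageDigest attribute")
	}
	// Check 2: the signature must verify over the signed attributes.
	attrDigest := sha256.Sum256(signed)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, attrDigest[:], si.Signature); err != nil {
		return fmt.Errorf("signature over signed attributes invalid: %w", err)
	}
	return nil
}

// Sign builds a SignerInfo for content; used here only to construct demo data.
func Sign(priv *rsa.PrivateKey, content []byte) (SignerInfo, error) {
	digest := sha256.Sum256(content)
	ctOID, err := asn1.Marshal(oidData)
	if err != nil {
		return SignerInfo{}, err
	}
	attrs := []attribute{
		{Type: oidContentType, Values: []asn1.RawValue{{FullBytes: ctOID}}},
		{Type: oidMessageDigest, Values: []asn1.RawValue{{Tag: asn1.TagOctetString, Bytes: digest[:]}}},
	}
	setDER, err := asn1.MarshalWithParams(attrs, "set") // SET OF Attribute, tag 0x31
	if err != nil {
		return SignerInfo{}, err
	}
	attrDigest := sha256.Sum256(setDER)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, attrDigest[:])
	if err != nil {
		return SignerInfo{}, err
	}
	inEnvelope := append([]byte{0xA0}, setDER[1:]...) // same bytes, IMPLICIT [0] tag
	return SignerInfo{Content: content, AuthAttrs: inEnvelope, Signature: sig}, nil
}

// GenerateSigner returns a throwaway RSA key for the demonstration.
func GenerateSigner() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	priv, err := GenerateSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample content standing in for the instance-identity document.
	si, err := Sign(priv, []byte(`{"vmId":"00000000-0000-0000-0000-000000000000"}`))
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", VerifySignerInfo(&priv.PublicKey, si))
	si.Content = []byte(`{"vmId":"ffffffff-ffff-ffff-ffff-ffffffffffff"}`)
	fmt.Println("tampered vmId:", VerifySignerInfo(&priv.PublicKey, si))
}
```

The ordering matters for the failure the commit describes: check 1 alone would still accept an envelope whose attributes were rewritten along with the content, and chain validation alone says nothing about who produced the signature, so both the digest comparison and the signature over the attributes are required before any vmId is trusted.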
## Summary
Update the IronBank Dockerfile to use UBI9 (9.6) instead of UBI8 (8.7)
and explicitly remove `python3-urllib3` to address CVE-2026-44431.
### Changes
- **Dockerfile**: Upgrade base image from `ubi8-minimal:8.7` to
`ubi9-minimal:9.6`
- **Dockerfile**: Add `microdnf remove python3-urllib3` step after
package install
- **build_ironbank.sh**: Update local build args to match the new UBI9
base image
### Context
urllib3 1.26.5 is bundled in the UBI base image. Coder is a Go binary
and does not invoke Python at runtime, so this library is unused. The
removal step is a belt-and-suspenders safeguard in case UBI9 still ships
the package.
Fixes: ENT-52
> [!NOTE]
> This PR was generated by [Coder Agents](https://coder.com/docs/agents).
Go 1.25.10 (released 2026-05-07) includes 11 security fixes for CVEs
affecting the go command, pack tool, html/template, net, net/http,
net/http/httputil, net/mail, and syscall packages.
Fixes IronBank v2.32.x Go stdlib CVE exposure by upgrading from Go
1.25.9 to 1.25.10.
Reference: https://groups.google.com/g/golang-dev/c/h6eZjndBMqQ
### Changed files
- `go.mod`: `go 1.25.9` to `go 1.25.10`
- `dogfood/coder/Dockerfile`: `GO_VERSION` and `GO_CHECKSUM`
- `.github/actions/setup-go/action.yaml`: default version
> Generated by Coder Agents
Cherry-pick of #24165 to `release/2.32`.
Moves the flaky pagination query key test from vitest to a Storybook
story. The test timed out in CI because `renderWithAuth` boots 12+ MSW
round-trips before the page mounts. The story uses decorators to
pre-seed the query cache, skipping the MSW waterfall entirely.
> 🤖 Generated by Coder Agent
Co-authored-by: Danielle Maywood <danielle@themaywoods.com>
Cherry-pick of go-git v5.19.0 bump to `release/2.32` to fix
CVE-2026-45022 (improper object parsing).
Original PR: https://github.com/coder/coder/pull/25124
Ref: https://github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp
Supersedes #25226 (rebased on top of #25224).
> [!NOTE]
> This PR was authored by Coder Agents.
<details><summary>Context</summary>
The cherry-pick of the original commit (`c1c3b978`) had merge conflicts
in `go.mod`/`go.sum` due to dependency drift between `main` and
`release/2.32`. Instead, the bump was applied directly via `go get
github.com/go-git/go-git/v5@v5.19.0` followed by `go mod tidy`,
producing equivalent results.
Linear: ENT-24
</details>
Cherry-pick of #24650 and #24765 to release/2.32.
Adds a confirmation dialog before executing commands from the
`?command=` URL parameter in the terminal page. Canceling closes the
terminal window.
> 🤖 Generated by Coder Agents
---------
Co-authored-by: Seth Shelnutt <seth@coder.com>
Partial backport of #24369 to `release/2.32`.
Only the `CreateChat` fix in `coderd/x/chatd/chatd.go` applies here —
the second call site in `subagent.go`
(`createChildSubagentChatWithOptions`) doesn't exist on this branch
since the child-subagent-chat creation path was added after the branch
cut.
The fix hoists the `resolveDeploymentSystemPrompt` call out of the
`InTx` closure so the transaction doesn't hold one DB connection while
the helper tries to check out another via `p.db`. Under concurrent chat
creation load this pattern can cause pool starvation.
This is not urgent enough to warrant an immediate patch release — the
bug only manifests under high concurrent chat creation load. It should
be fine to ride along with the next scheduled 2.32.x patch.
## Summary
- backport `go-getter` 1.8.6 and its indirect dependency updates to
`release/2.32`
- backport the Go toolchain bump to 1.25.9
- include the latest local backport commits on
`sec/release-2.32-security`
## Testing
- not run
## Cherry-pick of #24187 onto `release/2.32`
This cherry-picks commit ad2415ede7 to bring the `coder/tailscale` bump (`e956a95`, [PR #113](https://github.com/coder/tailscale/pull/113)) onto the `release/2.32` branch.
### Context
On Darwin, `RTM_MISS` route-socket messages (fired on every failed route
lookup) were not filtered by `netmon`, causing each one to be treated as
a `LinkChange`. When netcheck sends STUN probes to an IPv6 address with
no route, this creates a self-sustaining feedback loop: `RTM_MISS` →
`LinkChange` → `ReSTUN` → netcheck → v6 STUN probe → `RTM_MISS` → …
The loop drives DERP home-region flapping at ~70× baseline, which at
fleet scale saturates PostgreSQL's `NOTIFY` lock and causes coordinator
health-check timeouts.
The upstream fix adds a single `if msg.Type == unix.RTM_MISS { return
true }` check to `skipRouteMessage`, which is safe because `RTM_MISS` is
a lookup-path signal, not a table-mutation signal.
This issue has been reported since users updated to macOS 26.4.
Relates to ENG-2394
> 🤖 Generated by Coder Agents
Co-authored-by: Ethan <39577870+ethanndickson@users.noreply.github.com>
I said I wouldn't but the illustrious @jakehwll added a ResizeObserver
recently so imma do that too.
This makes `<ExpandableText>` determine if it should be expandable or
not on resize
The default `net.Dialer` in the Coder Connect path had no timeout,
falling back to the OS TCP timeout when the tunnel was broken but DNS
still resolved. Add a 5s dial timeout and 30s TCP keepalive.
Fixes #24006
When `coder ssh` connects to a workspace after laptop wake, DNS or the
control plane may be briefly unavailable. Previously this caused an
immediate failure, which VS Code Remote SSH classified as permanent
("Reload Window").
Wrap each network step (workspace resolution, template version fetch,
agent connection info, Coder Connect dial, tailnet dial) with
`retryWithInterval` so transient errors (DNS, connection refused, 5xx)
are retried individually. Non-retryable errors (auth, 404) and context
cancellation stop immediately. Data transfer is never retried.
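The retry policy described above (transient DNS, connection-refused and 5xx errors retried on an interval; auth, 404 and context cancellation stop at once) is shown below as an added Go example. It is not the `retryWithInterval` from the commit; the `StatusError` type stands in for whatever API error type carries the HTTP status, and the error classification is this example's reading of the commit message.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"syscall"
	"time"
)

// StatusError stands in for an API error carrying an HTTP status code.
// Hypothetical type for this example, not the SDK's error type.
type StatusError struct{ Status int }

func (e *StatusError) Error() string { return fmt.Sprintf("http status %d", e.Status) }

// isRetryable classifies errors the way the commit message describes: DNS
// failures, connection refused and 5xx responses are transient; auth failures,
// 404 and context cancellation are not.
func isRetryable(err error) bool {
	if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
		return false
	}
	var dnsErr *net.DNSError
	if errors.As(err, &dnsErr) {
		return true
	}
	if errors.Is(err, syscall.ECONNREFUSED) {
		return true
	}
	var se *StatusError
	if errors.As(err, &se) {
		return se.Status >= 500
	}
	return false
}

// retryWithInterval re-runs fn every interval until it succeeds, returns a
// non-retryable error, or ctx is done. It returns the number of attempts made
// so callers (and tests) can see how the classification behaved.
func retryWithInterval(ctx context.Context, interval time.Duration, fn func(context.Context) error) (int, error) {
	attempts := 0
	for {
		attempts++
		err := fn(ctx)
		if err == nil || !isRetryable(err) {
			return attempts, err
		}
		select {
		case <-ctx.Done():
			return attempts, fmt.Errorf("gave up after %d attempts: %w (last error: %v)", attempts, ctx.Err(), err)
		case <-time.After(interval):
		}
	}
}

func main() {
	// Constructed scenario: two DNS failures (laptop just woke up), then success.
	calls := 0
	n, err := retryWithInterval(context.Background(), 50*time.Millisecond, func(context.Context) error {
		calls++
		if calls < 3 {
			return &net.DNSError{Err: "no such host", Name: "coder.example.com", IsTemporary: true}
		}
		return nil
	})
	fmt.Printf("dns flap: attempts=%d err=%v\n", n, err)

	// A 404 (workspace not found) is returned on the first attempt.
	n, err = retryWithInterval(context.Background(), 50*time.Millisecond, func(context.Context) error {
		return &StatusError{Status: 404}
	})
	fmt.Printf("not found: attempts=%d err=%v\n", n, err)
}
```

Each network step is wrapped separately so that a step which has already succeeded (say, workspace resolution) is not repeated when a later step (the tailnet dial) is the one that flaps; once the connection is up, the data path is outside the retry entirely.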