shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
14,615 Commits 1,133 Branches 344 Tags
da3ce16d0042dc3e501c07c98eee430eda0afc04
Commit Graph

14615 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
dependabot[bot] da3ce16d00 chore: bump protobufjs from 7.5.6 to 7.6.1 in /site (#25958) 
Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 7.5.6
to 7.6.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/protobufjs/protobuf.js/releases">protobufjs's
releases</a>.</em></p>
<blockquote>
<h2>protobufjs: v7.6.1</h2>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.6.0...protobufjs-v7.6.1">7.6.1</a>
(2026-05-22)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Backport misc utility hardening (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2280">#2280</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/8a45c13d22ec2d05ab1b7935fcb5331ea59a9cd0">8a45c13</a>)</li>
<li>Treat fixed64 as unsigned in converters (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2266">#2266</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/479dfdcc690feb9f71986049d3d38c7a0f979abb">479dfdc</a>)</li>
</ul>
<h2>protobufjs: v7.6.0</h2>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.9...protobufjs-v7.6.0">7.6.0</a>
(2026-05-18)</h2>
<h3>Features</h3>
<ul>
<li>Support BigInt conversions (7.x) (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2258">#2258</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/f76924244504b159efe1bb13b154fd17be3c13e7">f769242</a>)</li>
</ul>
<h2>protobufjs: v7.5.9</h2>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.8...protobufjs-v7.5.9">7.5.9</a>
(2026-05-17)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Backport bundler-safe optional module lookups (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2254">#2254</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/0853a625680f9247596b84ef48082b8f4e554797">0853a62</a>)</li>
</ul>
<h2>protobufjs: v7.5.8</h2>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.7...protobufjs-v7.5.8">7.5.8</a>
(2026-05-12)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Backport parser hardening to 7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2245">#2245</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/54b593ffd960f7fe4b0c448a12542c3de0a0cf26">54b593f</a>)</li>
</ul>
<h2>protobufjs: v7.5.7</h2>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.6...protobufjs-v7.5.7">7.5.7</a>
(2026-05-09)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Restore first-match namespace lookup (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2236">#2236</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/cc7d59559d4e8c533a35218310c67f4a5dda54f5">cc7d595</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.6.1/CHANGELOG.md">protobufjs's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.6.0...protobufjs-v7.6.1">7.6.1</a>
(2026-05-22)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Backport misc utility hardening (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2280">#2280</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/8a45c13d22ec2d05ab1b7935fcb5331ea59a9cd0">8a45c13</a>)</li>
<li>Treat fixed64 as unsigned in converters (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2266">#2266</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/479dfdcc690feb9f71986049d3d38c7a0f979abb">479dfdc</a>)</li>
</ul>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.9...protobufjs-v7.6.0">7.6.0</a>
(2026-05-18)</h2>
<h3>Features</h3>
<ul>
<li>Support BigInt conversions (7.x) (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2258">#2258</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/f76924244504b159efe1bb13b154fd17be3c13e7">f769242</a>)</li>
</ul>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.8...protobufjs-v7.5.9">7.5.9</a>
(2026-05-17)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Backport bundler-safe optional module lookups (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2254">#2254</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/0853a625680f9247596b84ef48082b8f4e554797">0853a62</a>)</li>
</ul>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.7...protobufjs-v7.5.8">7.5.8</a>
(2026-05-12)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Backport parser hardening to 7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2245">#2245</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/54b593ffd960f7fe4b0c448a12542c3de0a0cf26">54b593f</a>)</li>
</ul>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.6...protobufjs-v7.5.7">7.5.7</a>
(2026-05-09)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Restore first-match namespace lookup (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2236">#2236</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/cc7d59559d4e8c533a35218310c67f4a5dda54f5">cc7d595</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/f0b50d2fa1247d6652618190c2d6602e6830b90d"><code>f0b50d2</code></a>
chore: release protobufjs-v7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2268">#2268</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/8a45c13d22ec2d05ab1b7935fcb5331ea59a9cd0"><code>8a45c13</code></a>
fix: Backport misc utility hardening (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2280">#2280</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/479dfdcc690feb9f71986049d3d38c7a0f979abb"><code>479dfdc</code></a>
fix: Treat fixed64 as unsigned in converters (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2266">#2266</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/e30c3341382b504a975d0d83f19170218cb461c3"><code>e30c334</code></a>
chore: release protobufjs-v7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2260">#2260</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/f76924244504b159efe1bb13b154fd17be3c13e7"><code>f769242</code></a>
feat: Support BigInt conversions (7.x) (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2258">#2258</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/ab3862d133ab9b824f12eab5f993784333543dbf"><code>ab3862d</code></a>
chore: release protobufjs-v7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2255">#2255</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/0853a625680f9247596b84ef48082b8f4e554797"><code>0853a62</code></a>
fix: Backport bundler-safe optional module lookups (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2254">#2254</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/d7035f9b7f06210ea343cab1f2f1cc18ee5cc1d6"><code>d7035f9</code></a>
chore: release protobufjs-v7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2248">#2248</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/54b593ffd960f7fe4b0c448a12542c3de0a0cf26"><code>54b593f</code></a>
fix: Backport parser hardening to 7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2245">#2245</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/e88fcea1635f79c414e8a070e164d38ea99e104a"><code>e88fcea</code></a>
chore: release protobufjs-v7.x (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2239">#2239</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.6...protobufjs-v7.6.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=protobufjs&package-manager=npm_and_yarn&previous-version=7.5.6&new-version=7.6.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-06-02 08:22:09 +00:00
dependabot[bot] cc533846db chore: bump @babel/core from 7.29.0 to 7.29.7 in /site (#25956) 
Bumps
[@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core)
from 7.29.0 to 7.29.7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/babel/babel/releases">@​babel/core's
releases</a>.</em></p>
<blockquote>
<h2>v7.29.7 (2026-05-25)</h2>
<p>Re-release all packages with npm provenance attestations</p>
<h2>v7.29.6 (2026-05-25)</h2>
<h4>🐛 Bug Fix</h4>
<ul>
<li><code>babel-generator</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/18014">#18014</a>
Catchup source map position in preserveFormat (<a
href="https://github.com/nicolo-ribaudo"><code>@​nicolo-ribaudo</code></a>)</li>
</ul>
</li>
<li><code>babel-core</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/18001">#18001</a>
[7.x packport]Improve input source map handling (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
</ul>
</li>
<li><code>babel-core</code>, <code>babel-generator</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17998">#17998</a>
Preserve original identifier names from input sourcemaps (<a
href="https://github.com/babel/babel/tree/HEAD/packages/babel-core/issues/17992">#17992</a>)
(<a href="https://github.com/Andarist"><code>@​Andarist</code></a>)</li>
</ul>
</li>
</ul>
<h4>Committers: 3</h4>
<ul>
<li>Huáng Jùnliàng (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
<li>Mateusz Burzyński (<a
href="https://github.com/Andarist"><code>@​Andarist</code></a>)</li>
<li>Nicolò Ribaudo (<a
href="https://github.com/nicolo-ribaudo"><code>@​nicolo-ribaudo</code></a>)</li>
</ul>
<h2>v7.29.5 (2026-05-05)</h2>
<h4>🏠  Internal</h4>
<ul>
<li><code>babel-preset-env</code>
<ul>
<li>Update <code>@babel/*</code> dependencies</li>
</ul>
</li>
</ul>
<h2>v7.29.4 (2026-05-05)</h2>
<h4>🐛 Bug Fix</h4>
<ul>
<li><code>babel-plugin-transform-modules-systemjs</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17974">#17974</a>
[7.x backport]fix(systemjs): improve module string name support (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
</ul>
</li>
</ul>
<h4>Committers: 1</h4>
<ul>
<li>Huáng Jùnliàng (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
</ul>
<h2>v7.29.3 (2026-04-30)</h2>
<h4>👓 Spec Compliance</h4>
<ul>
<li><code>babel-parser</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17923">#17923</a>
Support flow extends bound (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
</ul>
</li>
</ul>
<h4>🐛 Bug Fix</h4>
<ul>
<li><code>babel-helper-create-class-features-plugin</code>,
<code>babel-plugin-proposal-decorators</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17931">#17931</a>
fix(decorators): replace super within all removed static elements (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
</ul>
</li>
<li><code>babel-register</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17915">#17915</a> Fix
thread synchronization issues in <code>@babel/register</code> (<a
href="https://github.com/liuxingbaoyu"><code>@​liuxingbaoyu</code></a>)</li>
</ul>
</li>
<li><code>babel-compat-data</code>,
<code>babel-plugin-bugfix-safari-rest-destructuring-rhs-array</code>,
<code>babel-preset-env</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17788">#17788</a> Add
bugfix plugin for Safari array rest destructuring bug (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
</ul>
</li>
</ul>
<h4>💅 Polish</h4>
<ul>
<li><code>babel-parser</code></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/babel/babel/commit/4fba7541180bf5f58256d8e358b544e3831ad090"><code>4fba754</code></a>
v7.29.7</li>
<li><a
href="https://github.com/babel/babel/commit/04ea6b27fdac8f40c3481aec2080ac9678779509"><code>04ea6b2</code></a>
v7.29.6</li>
<li><a
href="https://github.com/babel/babel/commit/99f498a9b9fa0b900d603fbe8f6601bb3b9e42bb"><code>99f498a</code></a>
[7.x packport]Improve input source map handling (<a
href="https://github.com/babel/babel/tree/HEAD/packages/babel-core/issues/18001">#18001</a>)</li>
<li><a
href="https://github.com/babel/babel/commit/feba0a3654c596bd369d1ef1231f5d56666d56dc"><code>feba0a3</code></a>
Preserve original identifier names from input sourcemaps (<a
href="https://github.com/babel/babel/tree/HEAD/packages/babel-core/issues/17992">#17992</a>)
(<a
href="https://github.com/babel/babel/tree/HEAD/packages/babel-core/issues/17998">#17998</a>)</li>
<li>See full diff in <a
href="https://github.com/babel/babel/commits/v7.29.7/packages/babel-core">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@babel/core&package-manager=npm_and_yarn&previous-version=7.29.0&new-version=7.29.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-06-02 08:20:55 +00:00
dependabot[bot] 5320702a8a chore: bump axios from 1.16.0 to 1.16.1 in /site (#25954) 
Bumps [axios](https://github.com/axios/axios) from 1.16.0 to 1.16.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/axios/axios/releases">axios's
releases</a>.</em></p>
<blockquote>
<h2>v1.16.1 — May 13, 2026</h2>
<p>This release ships a defence-in-depth fix for prototype pollution in
<code>formDataToJSON</code>, hardens proxy and CI workflows, restores
Webpack 4 compatibility for the fetch adapter, and includes several
small bug fixes and maintenance improvements.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li><strong>Prototype Pollution Defence-in-Depth:</strong> Hardened
<code>formDataToJSON</code> against already-polluted
<code>Object.prototype</code> by walking own properties only, so
attacker-controlled keys inherited from a poisoned prototype cannot
propagate through deserialization. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7413">#7413</a></strong>)</li>
<li><strong>Proxy Cleartext Leak:</strong> Fixed an issue where HTTPS
request data could be transmitted in cleartext to an HTTP proxy under
certain configurations. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10858">#10858</a></strong>)</li>
<li><strong>CI Cache Removal:</strong> Removed all GitHub Actions caches
as a defence-in-depth measure against cache poisoning vectors in the
build pipeline. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10882">#10882</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>Data URI Parsing:</strong> Updated the
<code>fromDataURI</code> regex to match RFC 2397 more strictly, fixing
edge cases in <code>data:</code> URL handling. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10829">#10829</a></strong>)</li>
<li><strong>Unicode Headers:</strong> Preserved Unicode header values
when running through request interceptors, so non-ASCII header content
is no longer corrupted before dispatch. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10850">#10850</a></strong>)</li>
<li><strong>XHR Upload Progress:</strong> Guarded against malformed
<code>ProgressEvent</code> payloads emitted by some environments during
XHR upload, preventing crashes when <code>loaded</code> /
<code>total</code> are missing or invalid. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10868">#10868</a></strong>)</li>
<li><strong>Webpack 4 Fetch Adapter:</strong> Fixed an &quot;unexpected
token&quot; error caused by syntax in the fetch adapter that Webpack 4
could not parse, restoring compatibility for legacy bundler users.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10864">#10864</a></strong>)</li>
<li><strong>Type Definitions:</strong> Made <code>parseReviver</code>
<code>context.source</code> optional in the type definitions to align
with the ES2023 specification. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10837">#10837</a></strong>)</li>
<li><strong>URL Object Support Reverted:</strong> Reverted the change
that allowed passing a <code>URL</code> object as
<code>config.url</code> (originally <strong><a
href="https://redirect.github.com/axios/axios/issues/10866">#10866</a></strong>)
due to regressions; this support will be reintroduced in a later release
once the underlying issues are addressed. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10874">#10874</a></strong>)</li>
</ul>
<h2>🔧 Maintenance &amp; Chores</h2>
<ul>
<li><strong>Cycle Detection Refactor:</strong> Replaced the array-based
cycle tracker in <code>toJSONObject</code> with a <code>WeakSet</code>,
improving performance and memory behaviour on large nested structures.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10832">#10832</a></strong>)</li>
<li><strong>composeSignals Cleanup:</strong> Refactored
<code>composeSignals</code> to use a clearer early-return structure,
simplifying the cancellation/abort composition path. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10844">#10844</a></strong>)</li>
<li><strong>AI Readiness &amp; Repo Docs:</strong> Added
<code>AGENTS.md</code> and related contributor-guide updates for both
human and AI agents, plus post-release documentation improvements.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10835">#10835</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10841">#10841</a></strong>)</li>
<li><strong>Docs Improvements:</strong> Clarified the GET request
example, fixed the interceptor <code>eject</code> example to reference
the correct instance, and corrected the Buzzoid sponsor description in
the README. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10836">#10836</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10853">#10853</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10856">#10856</a></strong>)</li>
<li><strong>Sponsorship Tooling:</strong> Fixed empty sponsor arrays in
the sponsor processing script, added the ability to inject additional
sponsors, updated the sponsorship link, and added a Twicsy advertisement
entry. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10843">#10843</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10859">#10859</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10869">#10869</a></strong>)</li>
<li><strong>Dependencies:</strong> Bumped <code>@commitlint/cli</code>
from 20.5.0 to 20.5.2. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10846">#10846</a></strong>)</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve axios:</p>
<ul>
<li><strong><a
href="https://github.com/hpinmetaverse"><code>@​hpinmetaverse</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10836">#10836</a></strong>)</li>
<li><strong><a
href="https://github.com/tommyhgunz14"><code>@​tommyhgunz14</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7413">#7413</a></strong>)</li>
<li><strong><a
href="https://github.com/abhu85"><code>@​abhu85</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10829">#10829</a></strong>)</li>
<li><strong><a
href="https://github.com/divyanshuraj1095"><code>@​divyanshuraj1095</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10853">#10853</a></strong>)</li>
<li><strong><a
href="https://github.com/sagodi97"><code>@​sagodi97</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10856">#10856</a></strong>)</li>
<li><strong><a
href="https://github.com/rkdfx"><code>@​rkdfx</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10868">#10868</a></strong>)</li>
<li><strong><a
href="https://github.com/Liuwei1125"><code>@​Liuwei1125</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10866">#10866</a></strong>)</li>
</ul>
<p><a
href="https://github.com/axios/axios/compare/v1.16.0...v1.16.1">Full
Changelog</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/axios/axios/blob/v1.x/CHANGELOG.md">axios's
changelog</a>.</em></p>
<blockquote>
<h2>v1.16.1 — May 13, 2026</h2>
<p>This release ships a defence-in-depth fix for prototype pollution in
<code>formDataToJSON</code>, hardens proxy and CI workflows, restores
Webpack 4 compatibility for the fetch adapter, and includes several
small bug fixes and maintenance improvements.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li><strong>Prototype Pollution Defence-in-Depth:</strong> Hardened
<code>formDataToJSON</code> against already-polluted
<code>Object.prototype</code> by walking own properties only, so
attacker-controlled keys inherited from a poisoned prototype cannot
propagate through deserialization. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7413">#7413</a></strong>)</li>
<li><strong>Proxy Cleartext Leak:</strong> Fixed an issue where HTTPS
request data could be transmitted in cleartext to an HTTP proxy under
certain configurations. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10858">#10858</a></strong>)</li>
<li><strong>CI Cache Removal:</strong> Removed all GitHub Actions caches
as a defence-in-depth measure against cache poisoning vectors in the
build pipeline. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10882">#10882</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>Data URI Parsing:</strong> Updated the
<code>fromDataURI</code> regex to match RFC 2397 more strictly, fixing
edge cases in <code>data:</code> URL handling. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10829">#10829</a></strong>)</li>
<li><strong>Unicode Headers:</strong> Preserved Unicode header values
when running through request interceptors, so non-ASCII header content
is no longer corrupted before dispatch. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10850">#10850</a></strong>)</li>
<li><strong>XHR Upload Progress:</strong> Guarded against malformed
<code>ProgressEvent</code> payloads emitted by some environments during
XHR upload, preventing crashes when <code>loaded</code> /
<code>total</code> are missing or invalid. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10868">#10868</a></strong>)</li>
<li><strong>Webpack 4 Fetch Adapter:</strong> Fixed an &quot;unexpected
token&quot; error caused by syntax in the fetch adapter that Webpack 4
could not parse, restoring compatibility for legacy bundler users.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10864">#10864</a></strong>)</li>
<li><strong>Type Definitions:</strong> Made <code>parseReviver</code>
<code>context.source</code> optional in the type definitions to align
with the ES2023 specification. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10837">#10837</a></strong>)</li>
<li><strong>URL Object Support Reverted:</strong> Reverted the change
that allowed passing a <code>URL</code> object as
<code>config.url</code> (originally <strong><a
href="https://redirect.github.com/axios/axios/issues/10866">#10866</a></strong>)
due to regressions; this support will be reintroduced in a later release
once the underlying issues are addressed. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10874">#10874</a></strong>)</li>
</ul>
<h2>🔧 Maintenance &amp; Chores</h2>
<ul>
<li><strong>Cycle Detection Refactor:</strong> Replaced the array-based
cycle tracker in <code>toJSONObject</code> with a <code>WeakSet</code>,
improving performance and memory behaviour on large nested structures.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10832">#10832</a></strong>)</li>
<li><strong>composeSignals Cleanup:</strong> Refactored
<code>composeSignals</code> to use a clearer early-return structure,
simplifying the cancellation/abort composition path. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10844">#10844</a></strong>)</li>
<li><strong>AI Readiness &amp; Repo Docs:</strong> Added
<code>AGENTS.md</code> and related contributor-guide updates for both
human and AI agents, plus post-release documentation improvements.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10835">#10835</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10841">#10841</a></strong>)</li>
<li><strong>Docs Improvements:</strong> Clarified the GET request
example, fixed the interceptor <code>eject</code> example to reference
the correct instance, and corrected the Buzzoid sponsor description in
the README. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10836">#10836</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10853">#10853</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10856">#10856</a></strong>)</li>
<li><strong>Sponsorship Tooling:</strong> Fixed empty sponsor arrays in
the sponsor processing script, added the ability to inject additional
sponsors, updated the sponsorship link, and added a Twicsy advertisement
entry. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10843">#10843</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10859">#10859</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10869">#10869</a></strong>)</li>
<li><strong>Dependencies:</strong> Bumped <code>@commitlint/cli</code>
from 20.5.0 to 20.5.2. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10846">#10846</a></strong>)</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve axios:</p>
<ul>
<li><strong><a
href="https://github.com/hpinmetaverse"><code>@​hpinmetaverse</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10836">#10836</a></strong>)</li>
<li><strong><a
href="https://github.com/tommyhgunz14"><code>@​tommyhgunz14</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7413">#7413</a></strong>)</li>
<li><strong><a
href="https://github.com/abhu85"><code>@​abhu85</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10829">#10829</a></strong>)</li>
<li><strong><a
href="https://github.com/divyanshuraj1095"><code>@​divyanshuraj1095</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10853">#10853</a></strong>)</li>
<li><strong><a
href="https://github.com/sagodi97"><code>@​sagodi97</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10856">#10856</a></strong>)</li>
<li><strong><a
href="https://github.com/rkdfx"><code>@​rkdfx</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10868">#10868</a></strong>)</li>
<li><strong><a
href="https://github.com/Liuwei1125"><code>@​Liuwei1125</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10866">#10866</a></strong>)</li>
</ul>
<p><a
href="https://github.com/axios/axios/compare/v1.16.0...v1.16.1">Full
Changelog</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/axios/axios/commit/1337d6b537afb2d3f501074c8ac4ef4308221197"><code>1337d6b</code></a>
chore(release): prepare release 1.16.1 (<a
href="https://redirect.github.com/axios/axios/issues/10877">#10877</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/858a790cec06054547d0d3f941916d6fb2a4d18e"><code>858a790</code></a>
fix: remove all caches (<a
href="https://redirect.github.com/axios/axios/issues/10882">#10882</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/34adfd90efc9c145488399e1cf7fa96de67080fa"><code>34adfd9</code></a>
revert: &quot;fix: support URL object as config.url input (<a
href="https://redirect.github.com/axios/axios/issues/10866">#10866</a>)&quot;
(<a
href="https://redirect.github.com/axios/axios/issues/10874">#10874</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/847d89b43654405d9a231e0b669832c2092b621f"><code>847d89b</code></a>
fix: support URL object as config.url input (<a
href="https://redirect.github.com/axios/axios/issues/10866">#10866</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/40948863677bb793bfff0293cce7e7b4f8a1b212"><code>4094886</code></a>
fix(progress): guard malformed XHR upload events (<a
href="https://redirect.github.com/axios/axios/issues/10868">#10868</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/44f0c5bf73c45df6009365141faa394d73596bd7"><code>44f0c5b</code></a>
chore: change sponsorship link and add Twicsy advertisement (<a
href="https://redirect.github.com/axios/axios/issues/10869">#10869</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/64e1095efedc64c9fecf5176bd9cf2e5e93140d6"><code>64e1095</code></a>
chore: update PR and issue template to use h2 (<a
href="https://redirect.github.com/axios/axios/issues/10865">#10865</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/3e6b4e1f311b43aa1dc77d78150a601d9fe4b280"><code>3e6b4e1</code></a>
fix: error unexpected token in fetch JS compatibility issue with Webpack
4 (#...</li>
<li><a
href="https://github.com/axios/axios/commit/c4453bab70f53575175903aee60810c821f72129"><code>c4453ba</code></a>
fix: add the ability to add additional sponsors to the process sponsors
scrip...</li>
<li><a
href="https://github.com/axios/axios/commit/caa00a90b524bb67ed033474abcf4d8645ced793"><code>caa00a9</code></a>
fix: https data in cleartext to proxy (<a
href="https://redirect.github.com/axios/axios/issues/10858">#10858</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/axios/axios/compare/v1.16.0...v1.16.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=axios&package-manager=npm_and_yarn&previous-version=1.16.0&new-version=1.16.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-06-02 08:20:33 +00:00
dependabot[bot] 91aee5010d chore: bump @fontsource-variable/geist from 5.2.8 to 5.2.9 in /site (#25953) 
Bumps
[@fontsource-variable/geist](https://github.com/fontsource/font-files/tree/HEAD/fonts/variable/geist)
from 5.2.8 to 5.2.9.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/fontsource/font-files/commits/HEAD/fonts/variable/geist">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@fontsource-variable/geist&package-manager=npm_and_yarn&previous-version=5.2.8&new-version=5.2.9)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-06-02 08:19:57 +00:00
dependabot[bot] 0182219011 chore: bump the react group across 1 directory with 3 updates (#25950) 
[//]: # (dependabot-start)
⚠️  **Dependabot is rebasing this PR** ⚠️ 

Rebasing might not happen immediately, so don't worry if this takes some
time.

Note: if you make any changes to this PR yourself, they will take
precedence over the rebase.

---

[//]: # (dependabot-end)

Bumps the react group with 3 updates in the /site directory:
[react](https://github.com/facebook/react/tree/HEAD/packages/react),
[@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react)
and
[react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom).

Updates `react` from 19.2.5 to 19.2.6
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/facebook/react/releases">react's
releases</a>.</em></p>
<blockquote>
<h2>19.2.6 (May 6th, 2026)</h2>
<h2>React Server Components</h2>
<ul>
<li>Type hardening and performance improvements
(<a
href="https://redirect.github.com/facebook/react/pull/36425">#36425</a>
by <a href="https://github.com/eps1lon"><code>@​eps1lon</code></a> and
<a
href="https://github.com/unstubbable"><code>@​unstubbable</code></a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/facebook/react/commit/eaf3e95ca92be7a23d3c9cc8ffd6f199a40be401"><code>eaf3e95</code></a>
Version 19.2.6</li>
<li>See full diff in <a
href="https://github.com/facebook/react/commits/v19.2.6/packages/react">compare
view</a></li>
</ul>
</details>
<br />

Updates `@types/react` from 19.2.14 to 19.2.15
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react">compare
view</a></li>
</ul>
</details>
<br />

Updates `react-dom` from 19.2.5 to 19.2.6
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/facebook/react/releases">react-dom's
releases</a>.</em></p>
<blockquote>
<h2>19.2.6 (May 6th, 2026)</h2>
<h2>React Server Components</h2>
<ul>
<li>Type hardening and performance improvements
(<a
href="https://redirect.github.com/facebook/react/pull/36425">#36425</a>
by <a href="https://github.com/eps1lon"><code>@​eps1lon</code></a> and
<a
href="https://github.com/unstubbable"><code>@​unstubbable</code></a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/facebook/react/commit/eaf3e95ca92be7a23d3c9cc8ffd6f199a40be401"><code>eaf3e95</code></a>
Version 19.2.6</li>
<li>See full diff in <a
href="https://github.com/facebook/react/commits/v19.2.6/packages/react-dom">compare
view</a></li>
</ul>
</details>
<br />

Updates `@types/react` from 19.2.14 to 19.2.15
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-06-02 08:18:02 +00:00
dependabot[bot] 8d93aea1b0 chore: bump @types/node from 20.19.39 to 20.19.41 in /offlinedocs (#25952) 
Bumps
[@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)
from 20.19.39 to 20.19.41.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@types/node&package-manager=npm_and_yarn&previous-version=20.19.39&new-version=20.19.41)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-06-02 08:15:48 +00:00
Paweł Banaszewski f22d4e2cbb feat: add ai_gateway_keys table and related RBAC (#25563) 
Adds table to store keys that AI Gateway standalone replicas will use
to authenticate into Coderd.
Also adds RBAC and audit boilerplate.
 2026-06-02 09:28:43 +02:00
Ethan 49c2142d2d fix: allow unlinking chat workspaces (#25833) 
This allows a Coder Agents chat to detach from its linked workspace
without deleting or changing the workspace, so a different workspace can
be linked later. It adds detach controls wherever the linked workspace
appears, including the workspace pill menu, fallback workspace badges,
and the workspace picker. The workspace selection state now updates
consistently across desktop and mobile.

Running workspace:
<img width="453" height="296" alt="image"
src="https://github.com/user-attachments/assets/ac5197a7-f0f4-4123-bbea-d3ddaca7a3e4"
/>

Stopped workspace:
<img width="389" height="203" alt="image"
src="https://github.com/user-attachments/assets/f5a8a90c-4bb0-405a-ade3-791146687b2d"
/>


Closes CODAGT-510
 2026-06-02 14:40:07 +10:00
Ethan 97dde1f824 fix: refresh attach workspace picker dynamically (#25834) 
After the chat agent creates a workspace via the `create_workspace`
tool, opening the composer `+` menu and clicking "Attach workspace"
could show "No workspaces found" until a full page refresh, even though
the workspace pill already rendered the linked workspace correctly.

The picker was sourced only from the `owner:me` workspace list query,
whose cache could be stale right after `create_workspace` completed. The
fix derives the picker options at render time from both the owner
workspace list and the linked workspace already fetched by ID for the
pill, prepending or replacing the linked workspace only when the current
user owns it. This keeps the picker consistent with the pill without
broadening visibility beyond `owner:me` or invalidating workspace lists
on chat link updates.

Relates to CODAGT-510
 2026-06-02 14:37:12 +10:00
Thomas Kosiewski 550aa6d6a2 ci: install gotestsum in flake check workflow (#25934) 
The Flake Check workflow runs `make test` through the `test-go-pg`
action, which invokes `gotestsum`, but the workflow never installs it.
The mise refactor (#25727) deleted the `setup-go` action that previously
installed `gotestsum` implicitly, and added explicit `mise install ...
go:gotest.tools/gotestsum` steps to every other Go test job. The flake
check's `Install Go mise tools` step only listed `whichtests`, so the
check fails with `gotestsum: command not found` whenever it selects
changed tests to run.

Add `go:gotest.tools/gotestsum` to the flake check's install step,
matching the other `test-go-pg` jobs in `ci.yaml` and
`nightly-gauntlet.yaml`.

Refs #25727

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-02 12:11:00 +10:00
Mathias Fredriksson ed4311b2cb ci: add Git usr/bin to PATH on Windows (#25939) 
## Summary

Fixes all 9 Windows CI test failures caused by the mise CI refactor
(`fe257666d7`, PR #25727).

### Root cause

`jdx/mise-action` exports `Path` (Windows convention) via `GITHUB_ENV`.
Bash on Windows maintains its own `PATH`. When Go's `os.Environ()`
returns both, `cmd.exe` subprocesses non-deterministically pick the
MSYS-translated `PATH` (forward slashes), causing Windows executables
(`printf`, `powershell.exe`, `cmd.exe`) to be unresolvable.

These failures only appeared on `main` (where `-count=1` forces real
test execution) and were masked on PRs by Go test cache.

### Fixes applied

**CI (`setup-mise` action)**:
- Write both `Path` and `PATH` to `GITHUB_ENV` with Git usr/bin
prepended

**Code (`cli/root.go`)**:
- Add `appendAndDedupEnv` helper that deduplicates case-insensitive env
vars on Windows, preferring native Windows paths (backslashes) over MSYS
paths

**Code (`cli/configssh_windows.go`)**:
- Use absolute paths for `powershell.exe` and `cmd.exe` in the SSH
config `Match exec` escape function, avoiding PATH resolution entirely

**Tests**:
- Switch `--header-command` tests from `printf` to `echo` (cmd.exe
builtin) for reliable cross-platform execution
- Add env dedup in `Test_sshConfigMatchExecEscape` for subprocess PATH
consistency

Fixes coder/internal#1556, coder/internal#1558, coder/internal#1559

> 🤖 Generated by Coder agent, will be reviewed by @mafredri. 🏂🏻
 2026-06-02 11:51:16 +10:00
TJ fc01aeeb0f fix(site): show condensed count for multi-provider in sessions list (#25705) 
The Provider column in the AI sessions list now shows:

- **Multiple providers**: condensed count badge (e.g. `2 providers`)
- **Single provider**: icon + display name badge (e.g. `OpenAI`)
(existing behavior)
- **Empty**: nothing rendered

## Changes

| File | Change |
|------|--------|
| `ListSessionsRow.tsx` | Conditional rendering for the provider cell
based on `providers.length` |
| `ListSessionsRow.stories.tsx` | Added stories: `SingleProvider`,
`MultipleProviders`, `EmptyProviders` |
| `ListSessionsPageView.stories.tsx` | `MultipleSessions` story
alternates single/multi provider rows |

> Generated by Coder Agents on behalf of @tracyjohnsonux
 2026-06-01 10:59:13 -07:00
Danielle Maywood 372265a0b5 docs: document chat sharing (#25592) 2026-06-01 12:29:25 -05:00
Susana Ferreira 98c2b60820 docs(docs/ai-coder/ai-gateway): document key failover for AI Gateway (#25893) 
Document the automatic key failover feature for AI Gateway, which allows
configuring multiple centralized API keys per provider instance (OpenAI
and Anthropic only).

## Changes

- **`docs/ai-coder/ai-gateway/providers.md`**: Add "Key failover"
section covering supported providers, configuration via the API (max 5
keys), and failover behavior (auth errors permanently disable a key
until restart/reload, exhausted pool returns `429` or `502`).
- **`docs/ai-coder/ai-gateway/auth.md`**: Add note in BYOK section
clarifying that key failover is skipped when a user-supplied credential
is present.

> [!NOTE]
> Generated by Coder Agents (by @ssncferreira)
 2026-06-01 16:04:55 +01:00
Mathias Fredriksson 9fc12afdaa test(codersdk/toolsdk): use portable echo in WorkspaceSSHExec test (#25840) 
PowerShell's echo aliases to Write-Output, which rejects -e as
an ambiguous parameter and exits 1. Use plain echo with spaces
instead. Remove the Windows t.Skip and TestMain exception.

TestMain untested-tools check now only fails on full-suite runs.
Filtered runs (e.g. -run TestTools) warn instead.

Closes CODAGT-518
 2026-06-01 18:01:19 +03:00
Ethan aa9ef66d81 fix(site/src/pages/AgentsPage): drop misleading response-startup warning (#25905) 
The agents UI showed "Response startup is taking longer than expected"
after a 15s grace period while waiting on the LLM provider. The message
implied a problem was about to occur, but it does not actually lead to a
timeout. The typical underlying cause is provider slowness rather than a
client-side issue, so the warning is alarmist and unhelpful.

Drop the delayed message and its timer entirely. The `starting` phase
now keeps showing the shimmering "Thinking..." indicator until the first
stream chunk arrives. Also remove the now-dead `startingResetKey` /
`chatID` plumbing that only existed to remount the placeholder and reset
the delayed-message timer when switching chats.

Closes CODAGT-536
 2026-06-02 00:16:17 +10:00
Thomas Kosiewski fe257666d7 ci: refactor CI to use mise for shared tool setup (#25727) 2026-06-01 15:55:19 +02:00
Ethan 644820cb28 fix(site/src/pages/AgentsPage): stabilize settings story (#25899) 
I ran into the `SettingsViewResets` Storybook flake twice on my branch.
The story reopens Agents settings immediately after clicking `Back to
Agents`, but the helper was synchronously checking for the desktop
`Settings` link before React Router had finished rendering `/agents`; on
desktop it could then fall through to the mobile-only `More options`
menu and fail.

Use `findByRole` for the desktop `Settings` link so the helper waits for
the accessible sidebar link before clicking it, matching the existing
Storybook interaction pattern used elsewhere in Agents stories.
 2026-06-01 23:36:39 +10:00
Danny Kopping f9937a8931 docs: document AI providers seeding mechanism & support for new types (#25855) 
Adds a new **Provider Configuration** reference page (`providers.md`) covering:

- The migration from environment-variable-based provider config to database-backed management introduced in v2.34, including the one-time seeding behavior and deprecation of `CODER_AI_GATEWAY_PROVIDER_<N>_*` and related flags
- All supported provider types (`openai`, `anthropic`, `bedrock`, `copilot`, `azure`, `google`, `openrouter`, `vercel`, `openai-compat`) with setup notes for each
- Provider lifecycle statuses (`enabled`, `disabled`, `error`) and their effect on request handling
- Reload behavior and how configuration changes apply without restarting `coderd`
- Bring Your Own Key (BYOK) and failure mode reference table

Updates **Setup** (`setup.md`) to replace the environment-variable-based provider configuration instructions with dashboard-driven steps (Add provider form, provider list, edit/disable flow), referencing the new `providers.md` page for deeper detail. Screenshots of the provider list, add, and edit forms are included.

Adds a **Provider metrics** section to **Monitoring** (`monitoring.md`) documenting the `coder_aibridged_*` and `coder_aibridgeproxyd_*` Prometheus metrics for provider status and reload timestamps, along with two suggested PromQL alert queries.
 2026-06-01 15:33:37 +02:00
Ethan d0fa9ff986 fix(coderd/x/chatd/chattool): retry workspace name conflicts (#25668) 
Retry Coder Agents workspace creation once with a generated random
suffix when the requested workspace name already exists. This preserves
structured errors for other conflicts and avoids surfacing avoidable
name collisions.

Closes CODAGT-386
 2026-06-01 13:31:25 +00:00
Danny Kopping 85f56e4944 fix: recreate ai_provider_type instead of ADD VALUE (#25895) 
Coder runs all migrations in a single transaction (`pgTxnDriver`).
Postgres forbids using an enum value added by `ALTER TYPE ... ADD VALUE`
within the same transaction that added it. Migration `000499` widened
`ai_provider_type` with `ADD VALUE`, and `000504` casts existing
`chat_providers` rows to that enum in the same transaction. On
deployments with a legacy provider using one of the new values (for
example `openai-compat`), the batch failed with `unsafe use of new
value` and the server could not start.

Recreate the type (create a new enum, alter the column, drop and rename)
instead of using `ADD VALUE`, matching the existing precedent in
`000144_user_status_dormant`. A freshly created enum's values are usable
immediately in the same transaction, so the cast in `000504` succeeds.
The resulting schema is identical, so `make gen` produces no `dump.sql`
diff and databases that already applied these migrations see no drift.

Added a regression test that seeds an `openai-compat` provider and
applies `000499` through `000504` in a single transaction, reproducing
the production path. The per-step `Stepper` used by the other migration
tests commits each migration separately and cannot surface this class of
bug.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Signed-off-by: Danny Kopping <danny@coder.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-01 13:30:45 +00:00
Danny Kopping a85462bd49 feat: support adding GitHub Copilot AI provider via UI (#25888) 
Copilot is the only AI provider type that could not be added through the `/ai/settings` UI. The aibridge runtime and the env-var seeding path already supported it, but the runtime CRUD API rejected `type=copilot` and the UI omitted it entirely. The root cause is that Copilot's auth model (a per-request GitHub OAuth token, with no pre-shared key) does not fit the credential-centric add-provider flow that every other provider uses.

## Backend

Allow `type=copilot` in `CreateAIProviderRequest.Validate()`, and reject `api_keys` for Copilot on both create (validation) and update (handler sentinel), mirroring the existing Bedrock guards. Copilot carries no stored credential.

## Frontend

Add Copilot to the provider type picker (with the `github-copilot.svg` icon) and give the form a credential-free branch: name, display name, and a free-text endpoint defaulting to `https://api.business.githubcopilot.com`, with copy explaining that authentication happens via the user's GitHub token at request time. Copilot maps to the distinct `copilot` wire type rather than collapsing to `openai`, and the edit flow recovers it correctly.

The endpoint stays required with a business-tier default; users on the individual or enterprise endpoints edit the field.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
 2026-06-01 15:26:37 +02:00
Mathias Fredriksson 82752844bc fix: isolate MCP HTTP transports from DefaultTransport in tests (#25821) 
Use testing.Testing() inside createTransport to automatically
clone http.DefaultTransport when running in tests. In production,
DefaultTransport is used as-is (efficient connection pooling).

This fixes the CloseIdleConnections flake class: httptest.Server.Close()
calls http.DefaultTransport.CloseIdleConnections(), which disrupts
any MCP client sharing that transport. The testing.Testing() check
means every MCP transport created during tests gets isolation
automatically, with no caller changes needed.

Closes coder/internal#1016
Closes PLAT-291
 2026-06-01 16:17:29 +03:00
Danny Kopping c8555e2163 fix: deprecate ai provider seeding env config (#25854) 
Environment variables used to configure AI Gateway providers are now deprecated, and we need to reflect this as such.
 2026-06-01 15:15:47 +02:00
Nick Vigilante 61a9c4a61d chore: Style fixes and nits across the AI Governance docs (#25793) 
- Add the "AI Governance Add-On" label across all pages
- Use a generic `coder.example.com` URL across examples
- Fix a few typos
- Remove mentions of command access as a feature of AI Gov

Fixes DOCS-262

<!--

If you have used AI to produce some or all of this PR, please ensure you
have read our [AI Contribution
guidelines](https://coder.com/docs/about/contributing/AI_CONTRIBUTING)
before submitting.

-->

---------

Co-authored-by: Danny Kopping <danny@coder.com>
 2026-06-01 13:04:14 +00:00
Nick Vigilante ca337915cc docs: fix broken and naked relative links (#25825) 
Several relative links in the docs pointed at pages that no longer exist
or rendered incorrectly on coder.com.

Fixes:

- `start/first-template.md`: IDE links repointed from the removed
`../ides.md` / `../ides/web-ides.md` to their current homes under
`user-guides/workspace-access/`.
- `tutorials/example-guide.md`: contributing link repointed to
`../about/contributing/documentation.md`.
- `about/contributing/backend.md`: the `migrations/testdata/fixtures`
and `full_dumps` references (and the `000024_example.up.sql` example)
used relative paths that escape `docs/` and render as bogus
`/docs/coderd/...` routes on the site. Normalized to the canonical
`github.com/coder/coder/(blob|tree)/main/...` form already used by ~120
other source links in the docs.
- Normalized extensionless directory links (`ai-coder/ai-gateway`,
`user-guides/workspace-access`, `install`) to their `/index.md` targets
for consistency with the rest of the docs.

This class of bug is invisible to the local doc checks (`make
lint/markdown` / `pnpm check-docs` only run markdownlint + table
formatting); only CI's Linkspector job validates link targets. Found via
a relative-link audit while investigating the docs preview on #25816.

Source-link version-awareness (so older docs versions don't all point at
`main`) is tracked separately in DOCS-268 and will be handled in the
coder.com render layer.


Linear: DOCS-278

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-01 08:47:29 -04:00
Ethan 1fcb4002d7 fix: show execute tool errors (#25886) 
Execute tool failures that only return an `error` field, such as
stopped-workspace connection failures, were rendered as a generic failed
command without showing the backend detail.

Normalize execute results into transcript blocks so shell output and
tool errors both render in the *expanded* command transcript, and add
Storybook coverage for connection errors plus output-with-error cases.

<img width="832" height="482" alt="image"
src="https://github.com/user-attachments/assets/50b04b9a-b153-48e5-ab5e-6c2fa000f21e"
/>

edit: i've dropped the red on the danger icon, though it was
pre-existing. no point alerting the user to an error the model will
handle.


Closes CODAGT-530
 2026-06-01 21:25:29 +10:00
Mathias Fredriksson 6ecf804896 test(cli): eliminate race in PausedDuringWaitForReady test (#25858) 
The PausedDuringWaitForReady and WaitsForWorkingAppState tests flaked
because the quartz resetTrap was released immediately after catching
ticker.Reset (line 174), allowing client.TaskByID (line 175) to race
with the subsequent DB mutation (pauseTask / PatchAppStatus).

Fix: keep the resetTrap open across both poll iterations. On the first
poll, release the trap so the goroutine sees the initial state and
continues. On the second poll, hold the goroutine frozen at
ticker.Reset while mutating state. Then release; client.TaskByID
deterministically sees the mutated state. No race because the
goroutine cannot execute client.TaskByID while trapped.

Closes CODAGT-482
 2026-06-01 13:58:57 +03:00
Mathias Fredriksson 8b7e040105 fix(coderd/x/chatd/chatloop): discourage doctrine in compaction summaries (#25850) 
Two additions to the compaction summary prompt:

1. Error specificity: the "errors encountered" bullet now instructs the
   model to keep error notes specific (name the file, the error, the
   fix) and not generalize from a specific failure to a blanket
   tool-avoidance rule. This addresses the doctrine crystallization
   pattern where a single tool failure gets promoted to a standing
   "avoid tool X" rule that persists across compactions and model swaps.

2. Reproducibility: a new closing sentence instructs the model to
   reference reproducible content by path, command, or URL rather than
   inlining it. Content without a stable reproducer is still preserved
   inline with a brief summary. This targets summary bloat from
   inlined code blocks (worst case: 34k chars, 76 code blocks
   reproducing repo content verbatim).

Refs CODAGT-331
 2026-06-01 12:42:09 +03:00
Ethan 76d3181aba ci(.github/workflows): bump action-linkspector to v1.5.2 (#25882) 
The `check-docs` job has been failing on every PR touching `docs/**`
since 2026-05-29. `umbrelladocs/action-linkspector` runs linkspector
under puppeteer, which expects an exact Chrome build (e.g.
`148.0.7778.97`) in `/home/runner/.cache/puppeteer`. When that build
isn't present on the hosted runner, linkspector crashes with `Could not
find Chrome` and reviewdog then fails parsing the empty rdjson output
with `proto: syntax error`.

The pinned `v1.4.1` of the action was installing linkspector `0.4.7`,
whose puppeteer requires `148.0.7778.97`; that build is no longer in the
runner cache. Upstream `v1.5.2` upgrades linkspector to `0.5.3` and adds
Chromium fallback logic, but on `ubuntu-22.04` x86_64 none of its new
code paths fire (the AppArmor branch is gated on `lsb_release -rs ==
"24.04"`, the system-Chromium branch on aarch64 or missing 24.04
sysctl), so the bump alone leaves the same Chrome error in place.

This PR:

- Bumps the action to `v1.5.2` (linkspector `0.5.3`).
- Sets `PUPPETEER_EXECUTABLE_PATH=/usr/bin/google-chrome` on the action
step. The hosted `ubuntu-22.04` image ships Google Chrome at that path.
`v1.5.2`'s `script.sh` short-circuits Chromium setup when this env is
set, so puppeteer skips the cache lookup and uses the runner binary
directly.

End-to-end verified by temporarily perturbing `docs/**` on this branch
so the workflow's `pull_request` trigger would fire:
https://github.com/coder/coder/actions/runs/26732938434. `check-docs`
ran linkspector against `docs/**` for ~2m30s and exited 0, with no
`Could not find Chrome` or reviewdog parse errors in the log. That
perturbation has been removed from the branch.

Refs UmbrellaDocs/action-linkspector#62,
UmbrellaDocs/action-linkspector#61
 2026-06-01 13:42:37 +10:00
Dean Sheather 9c111a2be2 chore: disable release freezing on dev.coder.com (#25881) 2026-05-31 13:36:05 +00:00
Atif Ali 6f5220202d fix(site/src/modules/resources): clarify agent log download button label (#25641) 2026-05-31 10:03:34 +05:00
35C4n0r 8bec65a56a chore(dogfood): remove tasks bits from coder and vscode-coder templates (#25479) 
Co-authored-by: Atif Ali <atif@coder.com>
 2026-05-30 13:14:01 +05:00
blinkagent[bot] 9d28489abb chore(provisioner/terraform): preserve existing AWS_SDK_UA_APP_ID (#24606) 
Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>
Co-authored-by: Atif Ali <atif@coder.com>
 2026-05-30 13:05:51 +05:00
Spike Curtis 3a727a9087 test: batch 01 of refactoring CLI tests not to use PTY (#25871) 
Part of https://github.com/coder/internal/issues/1400

Batch of refactored CLI tests to avoid creating PTYs.
 2026-05-29 20:12:52 +00:00
Spike Curtis 8a47b7fa14 test: batch 00 of refactoring CLI tests not to use PTY (#25868) 
Part of https://github.com/coder/internal/issues/1400

Batch of refactored CLI tests to avoid creating PTYs.
 2026-05-29 15:33:45 -04:00
dylanhuff-at-coder 0401ed3af5 fix(coderd/notifications): serialize pending updates gauge writes (#25495) 
Fixes a race where concurrent notification dispatch goroutines could
overwrite `coderd_notifications_pending_updates` with an older
buffer-length snapshot. Pending update snapshots now serialize count
evaluation with the gauge write, and inhibited dispatch results refresh
the metric when buffered.
 2026-05-29 11:02:13 -07:00
Jon Ayers 5cdc9e28a9 feat: add nats cluster peer support (#25632) 2026-05-29 11:35:59 -05:00
TJ 22cbf85e96 fix(site): adjust agents sidebar spacing (#25857) 
Fixes minor spacing issues in the agents sidebar.

## Changes

- Reduce gap between New Agent / Search nav items from `gap-1` (0.25rem)
to `gap-[0.15rem]`
- Change Chats header top spacing from `mt-4` (margin-top 1rem) to
`pt-6` (padding-top 1.5rem)
- Remove `pt-5` padding-top from the scroll content groups container
(Today, Yesterday, etc.)
- Add `pr-1` (0.25rem padding-right) to the unread indicator circle

> Generated by Coder Agents on behalf of @tracyjohnsonux
 2026-05-29 09:24:53 -07:00
dependabot[bot] 011914bb14 chore: bump axios from 1.15.2 to 1.16.0 in /site (#25861) 
Bumps [axios](https://github.com/axios/axios) from 1.15.2 to 1.16.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/axios/axios/releases">axios's
releases</a>.</em></p>
<blockquote>
<h2>v1.16.0 — May 2, 2026</h2>
<p>This release adds support for the QUERY HTTP method and a new
<code>ECONNREFUSED</code> error constant, lands a substantial wave of
HTTP, fetch, and XHR adapter bug fixes around redirects, aborts,
headers, and timeouts, and welcomes 23 new contributors.</p>
<h2>⚠️ Notable Changes</h2>
<p>A handful of fixes in this release are either security-adjacent or
change observable behaviour. Please review before upgrading:</p>
<ul>
<li><strong>Fetch adapter now enforces <code>maxBodyLength</code> and
<code>maxContentLength</code>.</strong> These limits were silently
ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as
a safety net (DoS protection, accidental large uploads) had no
protection. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10795">#10795</a></strong>)</li>
<li><strong>Proxy requests now preserve user-supplied <code>Host</code>
headers.</strong> Previously, the proxy path could overwrite a custom
<code>Host</code>. Virtual-host-style routing through a proxy will now
behave correctly. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10822">#10822</a></strong>)</li>
<li><strong>Basic auth credentials embedded in URLs are now
URL-decoded.</strong> If you have percent-encoded credentials in a URL
(e.g. <code>https://user:p%40ss@host</code>), the decoded value is what
now goes on the wire. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10825">#10825</a></strong>)</li>
<li><strong><code>parseProtocol</code> now strictly requires a colon in
the protocol separator.</strong> Strings that loosely parsed as
protocols before may no longer match. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10729">#10729</a></strong>)</li>
<li><strong>Deprecated <code>unescape()</code> replaced with modern
UTF-8 encoding.</strong> Non-ASCII URL handling is now spec-correct;
consumers depending on legacy <code>unescape()</code> quirks may see
different output bytes. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7378">#7378</a></strong>)</li>
<li><strong><code>transformRequest</code> input typing change was
reverted.</strong> The typing change introduced in <a
href="https://redirect.github.com/axios/axios/issues/10745">#10745</a>
was reverted in <a
href="https://redirect.github.com/axios/axios/issues/10810">#10810</a>
after follow-up review — net behavior is unchanged from 1.15.2.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10745">#10745</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10810">#10810</a></strong>)</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>QUERY HTTP Method:</strong> Added support for the QUERY HTTP
method across adapters and type definitions. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10802">#10802</a></strong>)</li>
<li><strong>ECONNREFUSED Error Constant:</strong> Exposed
<code>ECONNREFUSED</code> as a constant on <code>AxiosError</code> so
callers can match connection-refused failures without comparing string
literals (closes <a
href="https://redirect.github.com/axios/axios/issues/6485">#6485</a>).
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10680">#10680</a></strong>)</li>
<li><strong>Encode Helper Export:</strong> Exported the internal
<code>encode</code> helper from <code>buildURL</code> so userland param
serializers can reuse the same encoding logic that axios uses
internally. (<strong><a
href="https://redirect.github.com/axios/axios/issues/6897">#6897</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>HTTP Adapter — Redirects &amp; Headers:</strong> Cleared
stale headers when a redirect targets a no-proxy host, fixed the
redirect listener chain so listeners no longer stack across hops,
restored the missing <code>requestDetails</code> argument on
<code>beforeRedirect</code>, preserved user-supplied <code>Host</code>
headers when forwarding through a proxy, and properly URL-decoded basic
auth credentials. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10794">#10794</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10800">#10800</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/6241">#6241</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10822">#10822</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10825">#10825</a></strong>)</li>
<li><strong>HTTP Adapter — Streams &amp; Timeouts:</strong> Preserved
the partial response object on <code>AxiosError</code> when a stream is
aborted after headers arrive, honoured the <code>timeout</code> option
during the connect phase when redirects are disabled, and resolved an
unsettled-promise hang when an aborted request was combined with
compression and <code>maxRedirects: 0</code>. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10708">#10708</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10819">#10819</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/7149">#7149</a></strong>)</li>
<li><strong>Fetch Adapter:</strong> Enforced <code>maxBodyLength</code>
/ <code>maxContentLength</code> in the fetch adapter, set the
<code>User-Agent</code> header to match the HTTP adapter, preserved the
original abort reason instead of replacing it with a generic error, and
deferred global access so importing the module no longer throws a
<code>TypeError</code> in restricted environments. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10795">#10795</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10772">#10772</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10806">#10806</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/7260">#7260</a></strong>)</li>
<li><strong>XHR Adapter:</strong> Unsubscribed the
<code>cancelToken</code> and <code>AbortSignal</code> listeners on the
error, timeout, and abort code paths to prevent leaked subscriptions.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10787">#10787</a></strong>)</li>
<li><strong>Error Handling:</strong> Attached the parsed response to
<code>AxiosError</code> when <code>JSON.parse</code> fails inside
<code>dispatchRequest</code>, prevented <code>settle</code> from
emitting <code>undefined</code> error codes, and tightened the
<code>parseProtocol</code> regex to require a colon in the protocol
separator. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10724">#10724</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/7276">#7276</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10729">#10729</a></strong>)</li>
<li><strong>Types &amp; Exports:</strong> Aligned the CommonJS
<code>CancelToken</code> typings with the ESM build, fixed a compiler
error caused by <code>RawAxiosHeaders</code>, and re-exported
<code>create</code> from the package index. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7414">#7414</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/6389">#6389</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/6460">#6460</a></strong>)</li>
<li><strong>UTF-8 Encoding:</strong> Replaced the deprecated
<code>unescape()</code> call with a modern UTF-8 encoding
implementation. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7378">#7378</a></strong>)</li>
<li><strong>Misc Cleanup:</strong> Resolved a batch of small
inconsistencies and gadget-level issues across the codebase. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10833">#10833</a></strong>)</li>
</ul>
<h2>🔧 Maintenance &amp; Chores</h2>
<ul>
<li><strong>Refactor — ES6 Modernisation:</strong> Modernised the
<code>utils</code> module and XHR adapter to use ES6 features, and
tidied the multipart boundary error message. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10588">#10588</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/7419">#7419</a></strong>)</li>
<li><strong>Tests:</strong> Hardened the HTTP test server lifecycle to
fix flaky <code>FormData</code> EPIPE failures, fixed Win32 platform
support for the pipe tests, and corrected an incorrect test assumption.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10820">#10820</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10791">#10791</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10796">#10796</a></strong>)</li>
<li><strong>Docs:</strong> Documented
<code>paramsSerializer.encode</code> for strict RFC 3986 query encoding,
updated the <code>parseReviver</code> TypeScript definitions and
configuration docs for ES2023, added timeout guidance to the README's
first async example, and expanded notes around the recent type changes.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10821">#10821</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10782">#10782</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10759">#10759</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10804">#10804</a></strong>)</li>
<li><strong>Reverted:</strong> Reverted the
<code>transformRequest</code> input typing change from <a
href="https://redirect.github.com/axios/axios/issues/10745">#10745</a>
after follow-up review. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10745">#10745</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10810">#10810</a></strong>)</li>
<li><strong>Dependencies:</strong> Bumped
<code>actions/setup-node</code>, the <code>github-actions</code> group,
and <code>postcss</code> (in <code>/docs</code>) to their latest
versions. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10785">#10785</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10813">#10813</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10814">#10814</a></strong>)</li>
<li><strong>Release:</strong> Updated changelog and packages, and
prepared the 1.16.0 release. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10790">#10790</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10834">#10834</a></strong>)</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve axios:</p>
<ul>
<li><strong><a
href="https://github.com/singhankit001"><code>@​singhankit001</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10588">#10588</a></strong>)</li>
<li><strong><a
href="https://github.com/cuiweixie"><code>@​cuiweixie</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7419">#7419</a></strong>)</li>
<li><strong><a
href="https://github.com/iruizsalinas"><code>@​iruizsalinas</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10787">#10787</a></strong>)</li>
<li><strong><a
href="https://github.com/MarcosNocetti"><code>@​MarcosNocetti</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10680">#10680</a></strong>)</li>
<li><strong><a
href="https://github.com/deepview-autofix"><code>@​deepview-autofix</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10729">#10729</a></strong>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/axios/axios/blob/v1.x/CHANGELOG.md">axios's
changelog</a>.</em></p>
<blockquote>
<h2>v1.16.0 — May 2, 2026</h2>
<p>This release adds support for the QUERY HTTP method and a new
<code>ECONNREFUSED</code> error constant, lands a substantial wave of
HTTP, fetch, and XHR adapter bug fixes around redirects, aborts,
headers, and timeouts, and welcomes 23 new contributors.</p>
<h2>⚠️ Notable Changes</h2>
<p>A handful of fixes in this release are either security-adjacent or
change observable behaviour. Please review before upgrading:</p>
<ul>
<li><strong>Fetch adapter now enforces <code>maxBodyLength</code> and
<code>maxContentLength</code>.</strong> These limits were silently
ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as
a safety net (DoS protection, accidental large uploads) had no
protection. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10795">#10795</a></strong>)</li>
<li><strong>Proxy requests now preserve user-supplied <code>Host</code>
headers.</strong> Previously, the proxy path could overwrite a custom
<code>Host</code>. Virtual-host-style routing through a proxy will now
behave correctly. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10822">#10822</a></strong>)</li>
<li><strong>Basic auth credentials embedded in URLs are now
URL-decoded.</strong> If you have percent-encoded credentials in a URL
(e.g. <code>https://user:p%40ss@host</code>), the decoded value is what
now goes on the wire. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10825">#10825</a></strong>)</li>
<li><strong><code>parseProtocol</code> now strictly requires a colon in
the protocol separator.</strong> Strings that loosely parsed as
protocols before may no longer match. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10729">#10729</a></strong>)</li>
<li><strong>Deprecated <code>unescape()</code> replaced with modern
UTF-8 encoding.</strong> Non-ASCII URL handling is now spec-correct;
consumers depending on legacy <code>unescape()</code> quirks may see
different output bytes. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7378">#7378</a></strong>)</li>
<li><strong><code>transformRequest</code> input typing change was
reverted.</strong> The typing change introduced in <a
href="https://redirect.github.com/axios/axios/issues/10745">#10745</a>
was reverted in <a
href="https://redirect.github.com/axios/axios/issues/10810">#10810</a>
after follow-up review — net behavior is unchanged from 1.15.2.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10745">#10745</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10810">#10810</a></strong>)</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>QUERY HTTP Method:</strong> Added support for the QUERY HTTP
method across adapters and type definitions. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10802">#10802</a></strong>)</li>
<li><strong>ECONNREFUSED Error Constant:</strong> Exposed
<code>ECONNREFUSED</code> as a constant on <code>AxiosError</code> so
callers can match connection-refused failures without comparing string
literals (closes <a
href="https://redirect.github.com/axios/axios/issues/6485">#6485</a>).
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10680">#10680</a></strong>)</li>
<li><strong>Encode Helper Export:</strong> Exported the internal
<code>encode</code> helper from <code>buildURL</code> so userland param
serializers can reuse the same encoding logic that axios uses
internally. (<strong><a
href="https://redirect.github.com/axios/axios/issues/6897">#6897</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>HTTP Adapter — Redirects &amp; Headers:</strong> Cleared
stale headers when a redirect targets a no-proxy host, fixed the
redirect listener chain so listeners no longer stack across hops,
restored the missing <code>requestDetails</code> argument on
<code>beforeRedirect</code>, preserved user-supplied <code>Host</code>
headers when forwarding through a proxy, and properly URL-decoded basic
auth credentials. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10794">#10794</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10800">#10800</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/6241">#6241</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10822">#10822</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10825">#10825</a></strong>)</li>
<li><strong>HTTP Adapter — Streams &amp; Timeouts:</strong> Preserved
the partial response object on <code>AxiosError</code> when a stream is
aborted after headers arrive, honoured the <code>timeout</code> option
during the connect phase when redirects are disabled, and resolved an
unsettled-promise hang when an aborted request was combined with
compression and <code>maxRedirects: 0</code>. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10708">#10708</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10819">#10819</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/7149">#7149</a></strong>)</li>
<li><strong>Fetch Adapter:</strong> Enforced <code>maxBodyLength</code>
/ <code>maxContentLength</code> in the fetch adapter, set the
<code>User-Agent</code> header to match the HTTP adapter, preserved the
original abort reason instead of replacing it with a generic error, and
deferred global access so importing the module no longer throws a
<code>TypeError</code> in restricted environments. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10795">#10795</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10772">#10772</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10806">#10806</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/7260">#7260</a></strong>)</li>
<li><strong>XHR Adapter:</strong> Unsubscribed the
<code>cancelToken</code> and <code>AbortSignal</code> listeners on the
error, timeout, and abort code paths to prevent leaked subscriptions.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10787">#10787</a></strong>)</li>
<li><strong>Error Handling:</strong> Attached the parsed response to
<code>AxiosError</code> when <code>JSON.parse</code> fails inside
<code>dispatchRequest</code>, prevented <code>settle</code> from
emitting <code>undefined</code> error codes, and tightened the
<code>parseProtocol</code> regex to require a colon in the protocol
separator. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10724">#10724</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/7276">#7276</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10729">#10729</a></strong>)</li>
<li><strong>Types &amp; Exports:</strong> Aligned the CommonJS
<code>CancelToken</code> typings with the ESM build, fixed a compiler
error caused by <code>RawAxiosHeaders</code>, and re-exported
<code>create</code> from the package index. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7414">#7414</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/6389">#6389</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/6460">#6460</a></strong>)</li>
<li><strong>UTF-8 Encoding:</strong> Replaced the deprecated
<code>unescape()</code> call with a modern UTF-8 encoding
implementation. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7378">#7378</a></strong>)</li>
<li><strong>Misc Cleanup:</strong> Resolved a batch of small
inconsistencies and gadget-level issues across the codebase. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10833">#10833</a></strong>)</li>
</ul>
<h2>🔧 Maintenance &amp; Chores</h2>
<ul>
<li><strong>Refactor — ES6 Modernisation:</strong> Modernised the
<code>utils</code> module and XHR adapter to use ES6 features, and
tidied the multipart boundary error message. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10588">#10588</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/7419">#7419</a></strong>)</li>
<li><strong>Tests:</strong> Hardened the HTTP test server lifecycle to
fix flaky <code>FormData</code> EPIPE failures, fixed Win32 platform
support for the pipe tests, and corrected an incorrect test assumption.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10820">#10820</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10791">#10791</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10796">#10796</a></strong>)</li>
<li><strong>Docs:</strong> Documented
<code>paramsSerializer.encode</code> for strict RFC 3986 query encoding,
updated the <code>parseReviver</code> TypeScript definitions and
configuration docs for ES2023, added timeout guidance to the README's
first async example, and expanded notes around the recent type changes.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10821">#10821</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10782">#10782</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10759">#10759</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10804">#10804</a></strong>)</li>
<li><strong>Reverted:</strong> Reverted the
<code>transformRequest</code> input typing change from <a
href="https://redirect.github.com/axios/axios/issues/10745">#10745</a>
after follow-up review. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10745">#10745</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10810">#10810</a></strong>)</li>
<li><strong>Dependencies:</strong> Bumped
<code>actions/setup-node</code>, the <code>github-actions</code> group,
and <code>postcss</code> (in <code>/docs</code>) to their latest
versions. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10785">#10785</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10813">#10813</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10814">#10814</a></strong>)</li>
<li><strong>Release:</strong> Updated changelog and packages, and
prepared the 1.16.0 release. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10790">#10790</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10834">#10834</a></strong>)</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve axios:</p>
<ul>
<li><strong><a
href="https://github.com/singhankit001"><code>@​singhankit001</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10588">#10588</a></strong>)</li>
<li><strong><a
href="https://github.com/cuiweixie"><code>@​cuiweixie</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7419">#7419</a></strong>)</li>
<li><strong><a
href="https://github.com/iruizsalinas"><code>@​iruizsalinas</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10787">#10787</a></strong>)</li>
<li><strong><a
href="https://github.com/MarcosNocetti"><code>@​MarcosNocetti</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10680">#10680</a></strong>)</li>
<li><strong><a
href="https://github.com/deepview-autofix"><code>@​deepview-autofix</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10729">#10729</a></strong>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/axios/axios/commit/df53d7dd99b202fb194217abd127ae6a630e70dc"><code>df53d7d</code></a>
chore(release): prepare release 1.16.0 (<a
href="https://redirect.github.com/axios/axios/issues/10834">#10834</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/9d92bcd32639d1eea5b89f03ae45f248d3bb058e"><code>9d92bcd</code></a>
fix: gadgets and smaller issues (<a
href="https://redirect.github.com/axios/axios/issues/10833">#10833</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/5107ee69aee527b19eabaf80000ca65752135435"><code>5107ee6</code></a>
fix: prevent undefined error codes in settle (<a
href="https://redirect.github.com/axios/axios/issues/7276">#7276</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/e57349992f230b6b13e80613eb84302560aa5ba8"><code>e573499</code></a>
fix(fetch): defer global access in fetch adapter (<a
href="https://redirect.github.com/axios/axios/issues/7260">#7260</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/ad68e1a484b50086af427f767bbd7d6e3aab7ac3"><code>ad68e1a</code></a>
fix(http): honor timeout during connect without redirects (<a
href="https://redirect.github.com/axios/axios/issues/10819">#10819</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/2a51828213128691d2e37502b5eb2cf4965a737d"><code>2a51828</code></a>
fix(http): decode URL basic auth credentials (<a
href="https://redirect.github.com/axios/axios/issues/10825">#10825</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/0e8b6bbb542131bae9940618d84d5286255d4db1"><code>0e8b6bb</code></a>
fix(http): preserve user-supplied Host header when forwarding through a
proxy...</li>
<li><a
href="https://github.com/axios/axios/commit/79f39e1d041dca87173226d0255f90eaf252564b"><code>79f39e1</code></a>
docs: document paramsSerializer.encode for strict RFC 3986 query
encoding (<a
href="https://redirect.github.com/axios/axios/issues/1">#1</a>...</li>
<li><a
href="https://github.com/axios/axios/commit/0fe3a5fc14829535e1d517c662d448e86c33438e"><code>0fe3a5f</code></a>
[Docs/Types] Update <code>parseReviver</code> TypeScript definitions for
ES2023 and add ...</li>
<li><a
href="https://github.com/axios/axios/commit/cd6737fd84bdb7caf2a319d3579573a49f9d238d"><code>cd6737f</code></a>
chore: matches the sibling responseStream.on(aborted) handler and added
tests...</li>
<li>Additional commits viewable in <a
href="https://github.com/axios/axios/compare/v1.15.2...v1.16.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=axios&package-manager=npm_and_yarn&previous-version=1.15.2&new-version=1.16.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/coder/coder/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-05-29 16:07:32 +00:00
Mathias Fredriksson 98d5e7948d fix(coderd/autobuild): handle concurrent build number race in lifecycle executor (#25824) 
The lifecycle executor did not handle unique-violation errors from
InsertWorkspaceBuild. When a concurrent actor (API handler, another
lifecycle executor, or prebuilds reconciler) inserts a workspace build
with the same build number, PostgreSQL returns a unique constraint
violation on workspace_builds_workspace_id_build_number_key. The
lifecycle executor treated this as a hard error, logging it and storing
it in stats.Errors.

The per-workspace advisory lock (pg_try_advisory_xact_lock) prevents
two lifecycle executors from racing, but does not protect against
races with the CreateWorkspaceBuild API handler or the prebuilds
reconciler, which use different (or no) locking.

Catch the specific unique-violation error after InTx returns (where
the transaction is already rolled back) and clear it. The concurrent
actor's build takes effect; the lifecycle executor treats the
workspace as a no-op for this tick.

Closes coder/internal#455
Closes PLAT-290
 2026-05-29 17:12:31 +03:00
Yevhenii Shcherbina 1a91d31793 feat: add user AI budget override endpoints (#25439) 
Implements https://linear.app/codercom/issue/AIGOV-285
Follow the structure established in
https://github.com/coder/coder/pull/25203

## Summary

Adds the `user_ai_budget_overrides` table and CRUD API at
`/api/v2/users/{user}/ai/budget`. An override sets a custom per-user
spend cap that supersedes group-budget resolution, attributing spend to
a specific group.

## Schema

```sql
CREATE TABLE user_ai_budget_overrides (
    user_id            UUID        PRIMARY KEY REFERENCES users(id) ON DELETE CASCADE,
    group_id           UUID        NOT NULL REFERENCES groups(id) ON DELETE CASCADE,
    spend_limit_micros BIGINT      NOT NULL CHECK (spend_limit_micros >= 0),
    created_at         TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated_at         TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
```

## Membership lifecycle

The membership invariant — a user must be a member of the attributed
group, including when that group is "Everyone" — would naturally be
expressed as a composite FK on `(user_id, group_id) →
group_members_expanded(user_id, group_id)`. PostgreSQL doesn't allow
foreign keys to reference views, so enforcement is split across two
mechanisms:

- **Write-time check.** A CHECK constraint on the table
(`user_ai_budget_overrides_must_be_group_member`) calls a `STABLE`
function `is_group_member(user_id, group_id)` that queries
`group_members_expanded`. The view surfaces both regular group
memberships and the implicit "Everyone" group memberships from
`organization_members`. Any INSERT or UPDATE that violates the predicate
is rejected with a Postgres `check_violation`, which the handler maps to
a 400. `is_group_member` is defined as a general predicate, reusable by
any future table that needs the same check.

- **Cascade on removal.** Two `BEFORE DELETE` triggers handle membership
loss:
- `trigger_delete_user_ai_budget_overrides_on_group_member_delete` on
`group_members` — covers regular group removals (admin action, OIDC
sync).
- `trigger_delete_user_ai_budget_overrides_on_org_member_delete` on
`organization_members` — covers the "Everyone" group, whose membership
lives in `organization_members`.

The single-column FKs on `users(id)` and `groups(id)` remain to cascade
on user or group deletion (those paths don't pass through
`group_members`).

## Authorization

The dbauthz layer gates each operation against the `User` and (for
writes) `Group` resources:

| Operation | User resource  | Group resource |
|-----------|----------------|----------------|
| `GET`     | `ActionRead`   | —              |
| `PUT`     | `ActionUpdate` | `ActionUpdate` |
| `DELETE`  | `ActionUpdate` | `ActionUpdate` |

For `DELETE`, the dbauthz layer fetches the existing override first to
learn the attributed `group_id`, then runs both checks.

### Role matrix

| Role         | GET | PUT | DELETE |
|--------------|-----|-----|--------|
| Owner        |    |    |       |
| UserAdmin    |    |    |       |
| OrgAdmin     |    |    |       |
| OrgUserAdmin |    |    |       |

Internal discussion:
https://codercom.slack.com/archives/C096PFVBZKN/p1779392747885359

## Audit logs
Audit logs will be addressed in a follow-up PR.
 2026-05-29 10:08:25 -04:00
Thomas Kosiewski 9448624d2d feat(site): add Opus 4.8 known model (#25839) 2026-05-29 15:27:24 +02:00
Danny Kopping 110210d7c9 fix(coderd): block ai provider env key drift (#25849) 
Previously, `SeedAIProvidersFromEnv` only hashed provider-level fields,
so env var key changes were silently ignored once a provider already
existed in the database.

Include bearer keys and Bedrock credentials in the canonical drift hash,
and cover multi-key, multi-provider cases so restarts now fail loudly
when the configured credentials no longer match what is stored.

When changing a key, you'll now see this in the server startup logs:

```
2026-05-29 12:29:02.674 [info]  api: Encountered an error running "coder server", see "coder server --help" for more information
2026-05-29 12:29:02.674 [info]  api: error: create coder API:
2026-05-29 12:29:02.674 [info]  api: github.com/coder/coder/v2/cli.(*RootCmd).Server.func2
2026-05-29 12:29:02.674 [info]  api: /home/coder/coder/cli/server.go:1015
2026-05-29 12:29:02.674 [info]  api: - seed ai providers from env:
2026-05-29 12:29:02.674 [info]  api: github.com/coder/coder/v2/enterprise/cli.(*RootCmd).Server.func1
2026-05-29 12:29:02.674 [info]  api: /home/coder/coder/enterprise/cli/server.go:187
2026-05-29 12:29:02.674 [info]  api: - execute transaction:
2026-05-29 12:29:02.674 [info]  api: github.com/coder/coder/v2/coderd/database.(*sqlQuerier).runTx
2026-05-29 12:29:02.674 [info]  api: /home/coder/coder/coderd/database/db.go:212
---> 2026-05-29 12:29:02.674 [info]  api: - AI provider "vercel" already exists in the database and differs from the current environment configuration; update the provider through the API or remove the CODER_AIBRIDGE_* env vars to stop seeding it:
2026-05-29 12:29:02.674 [info]  api: github.com/coder/coder/v2/coderd.SeedAIProvidersFromEnv.func1
2026-05-29 12:29:02.674 [info]  api: /home/coder/coder/coderd/ai_providers_migrate.go:139
2026-05-29 12:29:02.674 [info]  api: slogjson: failed to write entry: io: read/write on closed pipe
2026-05-29 12:29:02.700 [info]  dlv: Stop reason: exited
2026-05-29 12:29:02.825 [info]  site:  ELIFECYCLE  Command failed.
error: running command "develop": server did not become ready in 1m0s:
    main.waitForHealthy
        /home/coder/coder/scripts/develop/main.go:877
  - context canceled
```

_This PR was generated with Coder Agents._
 2026-05-29 13:14:55 +00:00
Cian Johnston d0a51da0a9 feat: classify provider_disabled 503 as non-retryable (#25800) 
Builds on top of https://github.com/coder/coder/pull/25794

Adds a new `provider_disabled` error classification in `chatd` with the
corresponding plumbing to classify it as non-retryable. Also adds a
story for how this particular error kind is displayed in the UI.
 2026-05-29 13:14:04 +01:00
Danielle Maywood 4144eb3c4f fix(site/src/pages/AgentsPage): avoid stale live tail spacing (#25846) 2026-05-29 12:55:16 +01:00
Mathias Fredriksson 60f0bfe94c fix: update tailscale fork to fix goroutine leak in TestRun (#25838) 
Update the coder/tailscale fork to include the fix for goroutine leaks
in measureHTTPLatency. The function creates an http.Transport per DERP
probe for a single HTTP request but did not disable keep-alives,
causing readLoop/writeLoop goroutines to persist after the function
returns. These were detected by goleak in support/TestRun.

The fork fix sets DisableKeepAlives: true on the transport.

Closes PLAT-289
 2026-05-29 11:15:21 +00:00
Susana Ferreira 7b903cad73 fix: track credential hint across key failover attempts in aibridge (#25735) 
## Problem

Centralized requests recorded *the first available key from the pool at
`CreateInterceptor` time* as `credential_hint`, so the interception
could be persisted in the database with a hint that didn't match the key
that actually served the request. The fix consists in storing, at
end-of-interception, the hint of the key that succeeded, or the last
attempted key if all keys are unavailable.

## Changes

- Add `Key.Hint()` and update `credential_hint` on every failover
attempt so it reflects the actually-used key.
- Stop pre-populating `credential_hint` at `CreateInterceptor`.
Centralized starts empty and is updated by the key failover loop.
- Persist the final hint via `RecordInterceptionEnded`; SQL updates
`credential_hint` only when `credential_kind = 'centralized'` so BYOK
keeps its start-time value.
- Log the actually-used hint on interception end/failure; start log uses
a `<keypool-pending>` placeholder for centralized.

> [!NOTE]
> Initially generated by Claude Opus 4.7, modified and reviewed by
@ssncferreira
 2026-05-29 12:01:37 +01:00
Sas Swart a586b7e5e0 feat: add boundary_log rbac resource (#24810) 
RFC: [Bridge ↔ Boundaries Correlation
RFC](https://www.notion.so/coderhq/Gateway-and-Firewall-Correlation-RFC-31ad579be592803aa8b3d48348ccdde9)

Register a dedicated `boundary_log` RBAC resource type with `create`,
`read`, and `delete` actions, replacing the placeholder
`rbac.ResourceAuditLog` and `rbac.ResourceSystem` references previously
used in the dbauthz layer.

Create is granted at user-level so workspace agents can only write logs
owned by their workspace owner, preventing cross-workspace log
fabrication. Delete is restricted to `DBPurge` only; no human role
(including owner) can delete boundary logs.

| Subject | Create (own) | Create (other) | Read (all) | Delete |
|---|---|---|---|---|
| Workspace agent | yes | no | no | no |
| Owner (site admin) | yes (via member) | no | yes | no |
| Auditor | no | no | yes | no |
| DBPurge | no | no | no | yes |

### Changes

- **RBAC policy & resource definition**: add `boundary_log` to
`policy.go` and generate `ResourceBoundaryLog` object, scope constants,
and codersdk/TypeScript types.
- **dbauthz authorization**: replace all
`ResourceAuditLog`/`ResourceSystem` placeholders with
`ResourceBoundaryLog`. `InsertBoundaryLog` and `InsertBoundarySession`
derive the workspace owner from the agent and authorize with
`.WithOwner()` for user-scoped create.
- **Role assignments:**
- **Owner (site):** read only. Excluded from `allPermsExcept` wildcard;
create is inherited from member at user-level.
- **Member (user-level):** create. User-scoped so agents can only write
logs they own.
  - **Auditor (site):** read.
- `boundary_log` is excluded from org-admin, org-member, and
org-service-account `allPermsExcept` calls for consistency with
`ResourceBoundaryUsage`.
- **System subjects:**
- **DB Purge** (`SubjectTypeDBPurge`): delete. The only subject that can
remove boundary logs.
- **Workspace agent scope**: `ResourceBoundaryLog` with wildcard ID in
the agent scope allow-list (necessary for creation since no pre-existing
ID exists). User-level role scoping prevents deployment-wide access.
- **DB migration** (`000510_boundary_log_scopes`): add `boundary_log:*`,
`boundary_log:create`, `boundary_log:delete`, `boundary_log:read` enum
values to `api_key_scope`.
- **Test coverage**: `BoundaryLogCreate` (user-scoped, only matching
owner succeeds), `BoundaryLogDelete` (all human roles denied),
`BoundaryLogRead` (owner + auditor). dbauthz mock tests set up workspace
agent lookups for owner derivation.
- **Generated docs**: update OpenAPI specs, API reference docs, and
frontend type definitions.

---------

Co-authored-by: Muhammad Danish <mdanishkhdev@gmail.com>
Co-authored-by: Coder Agents <coder-agents-review[bot]@users.noreply.github.com>
 2026-05-29 12:50:39 +02:00
Danielle Maywood 88060b846e style(site): use lightbulb icon for thinking (#25844) 2026-05-29 11:35:05 +01:00