v1.14.6

github-actions released this 26 May 10:23 · 28 commits to main since this release
A patch release focused on security, compatibility, and auth resilience. Security-sensitive settings can no longer be overridden by a workspace's .vscode/settings.json, the extension installs on the latest Cursor stable again, and mTLS or coder.headerCommand users no longer have to log out and back in to recover from a misconfigured setting.

Highlights

Configuration Scope Hardening (SEC-200)

Security-sensitive settings are now marked so a malicious .vscode/settings.json cannot override them. VS Code itself drops workspace and folder values for these settings, closing a path where a workspace could redirect command execution, swap the CLI binary or its source, inject CLI/SSH flags, substitute TLS material, or override identity and credential-storage settings. (#965)

  • "scope": "machine" (per-machine, never synced via Settings Sync) for path-, command-, and network-dependent settings: coder.binarySource, coder.binaryDestination, coder.headerCommand, coder.tlsCertFile, coder.tlsKeyFile, coder.tlsCaFile, coder.tlsAltHost, coder.tlsCertRefreshCommand, coder.proxyLogDirectory, coder.proxyBypass, coder.sshFlags, coder.globalFlags.
  • "scope": "application" (synced across your machines but still not overridable per workspace) for user-wide preferences: coder.defaultUrl, coder.autologin, coder.useKeyring, coder.insecure, coder.disableSignatureVerification, coder.enableDownloads.

This follows VS Code's recommended scope semantics.

Cursor Compatibility Restored

Minimum supported VS Code is back down to 1.105 so the latest Cursor stable (which reports VS Code 1.105.1 to extensions) can install the extension again. engines.vscode is now ^1.105.0 and the CI integration matrix is pinned to 1.105.0. (#975)

mTLS & Header-Command Auth Now Self-Heals

A session suspended by an mTLS cert problem or a misbehaving coder.headerCommand used to stay suspended until you logged out and back in, even after you fixed the setting. That's gone. (#976)

  • Suspended sessions auto-recover the moment auth settings become valid again. No logout/login round-trip needed.
  • A 401 from a mid-flight settings change is retried silently under the new settings and a fresh header-command run, instead of escalating to an interactive prompt.
  • Stale headers don't leak across retries. Keys from a previous header-command run are dropped before the retry.
  • Config-change side-effects fire once after edits settle (200ms idle window), so saving the file character-by-character no longer triggers a burst of reload prompts and reconnects.

Several adjacent races also got tightened up:

  • Logout, deployment switch, or extension dispose during an in-flight auth verify is no longer overwritten when the verify finishes, and no longer leaves stale deployment data in storage.
  • Cross-window login keeps listening when the first token observed from another window is invalid, so a follow-up valid write still resolves the dialog.

Removed

Coder Chat (Experimental) Sidebar

The "Coder Chat (Experimental)" secondary sidebar and its agents experiment gate are gone. Deeplinks that still include chatId continue to open the workspace as before; the parameter is now silently ignored, so existing links keep working. (#975)

Full changelog: v1.14.5...v1.14.6