{{ message }}
Releases: coder/coder
Releases · coder/coder
v2.34.4
Immutable
release. Only release title and notes can be modified.
Changelog
Note
This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.
Bug fixes
- Pin workspace agent API client to intended agent (#26600, ec3ba84) (@ethanndickson)
- Dashboard: Set external auth provider polling status individually (#26313, c1d261c)
- Server: Only send prebuild claim reinit for the claim build (#26644, ea21e3b)
- Server: Let admins change their own workspace sharing role (#26559, 7fdfc7e)
- Dashboard: Add bottom padding to create workspace page (#26431, f770406) (@aslilac)
- fix(aibridge): support Bedrock Opus 4.8 adaptive thinking (#26691, 1c08896) (@ericpaulsen)
- Enterprise: Stop injecting default port into forwarded Host header (#26656, e436efc) (@ssncferreira)
- Dashboard: Keep TemplateVersionEditor file tree in sync (#25068, 19d9274) (@aslilac)
Chores
Compare: v2.34.3...v2.34.4
Container image
docker pull ghcr.io/coder/coder:2.34.4
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.
Contributors
aslilac, ssncferreira, and 2 other contributors
Assets 27
v2.33.10
Immutable
release. Only release title and notes can be modified.
Stable (since June 27, 2026)
Changelog
Bug fixes
- Pin workspace agent API client to intended agent (#26600, 2312b67) (@ethanndickson)
- Dashboard: Set external auth provider polling status individually (#2… (#26604, 4da9e0c)
- Server: Only send prebuild claim reinit for the claim build (#26645, e00791c)
- fix(aibridge): support Bedrock Opus 4.8 adaptive thinking (#26691, c5d9257) (@ericpaulsen)
- Enterprise: Stop injecting default port into forwarded Host header (#26656, 34409d5) (@ssncferreira)
- Dashboard: Keep TemplateVersionEditor file tree in sync (#25068, 59d5253) (@aslilac)
Chores
Compare: v2.33.9...v2.33.10
Container image
docker pull ghcr.io/coder/coder:2.33.10
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.
Contributors
aslilac, ssncferreira, and 2 other contributors
Assets 26
- 1.98 KB
2026-06-27T17:20:22Z - 833 Bytes
2026-06-27T17:20:22Z - 180 MB
2026-06-27T17:20:22Z - 175 MB
2026-06-27T17:20:22Z - 182 MB
2026-06-27T17:20:22Z - 178 MB
2026-06-27T17:20:23Z - 182 MB
2026-06-27T17:20:23Z - 177 MB
2026-06-27T17:20:28Z - 177 MB
2026-06-27T17:20:28Z - 173 MB
2026-06-27T17:20:28Z -
2026-06-27T13:14:14Z -
2026-06-27T13:14:14Z -
2026-06-27T13:14:14Z - Loading
v2.32.9
Immutable
release. Only release title and notes can be modified.
Changelog
Bug fixes
- Pin workspace agent API client to intended agent (#26600, 812549d) (@ethanndickson)
- Enterprise: Stop injecting default port into forwarded Host header (#26656, 000ecc7) (@ssncferreira)
- Dashboard: Keep TemplateVersionEditor file tree in sync (#25068, 784e2c1) (@aslilac)
Chores
Compare: v2.32.8...v2.32.9
Container image
docker pull ghcr.io/coder/coder:2.32.9
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.
Contributors
aslilac, ssncferreira, and ethanndickson
Assets 26
v2.29.19
Immutable
release. Only release title and notes can be modified.
Changelog
Bug fixes
- Skip failing azureidentity test while under investigation (#26545, b76aed9)
- Pin workspace agent API client to intended agent (#26600, f8bdec5) (@ethanndickson)
Compare: v2.29.18...v2.29.19
Container image
docker pull ghcr.io/coder/coder:2.29.19
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.
Contributors
ethanndickson
Assets 26
v2.34.3
Immutable
release. Only release title and notes can be modified.
Changelog
Note
This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.
Features
- Implement package and cli tool for repairing oidc links (#26418, 404ecb1)
- Deployment flag to auto handle changed oidc providers (#26419, 1e4aabb)
Bug fixes
- Dashboard: Allow Bedrock IAM-role setup (#26400, 33c5b8b)
- Server: Honor fixed lifetime for CLI API tokens (#26376, bcb3057)
- Backfill legacy Bedrock AI provider rows and stale model config strings (#26155, da215b3)
- fix(scripts/check_emdash.sh): skip emdash check when no diff base is available (#26490, 81654c6)
Documentation
Chores
Compare: v2.34.2...v2.34.3
Container image
docker pull ghcr.io/coder/coder:2.34.3
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.
v2.33.9
Immutable
release. Only release title and notes can be modified.
Stable (since June 17, 2026)
Changelog
Features
- Implement package and cli tool for repairing oidc links (#26418, d18ee68)
- Deployment flag to auto handle changed oidc providers (#26419, 08cf114)
Bug fixes
- Server: Honor fixed lifetime for CLI API tokens (#26376, e330564)
- fix(scripts/check_emdash.sh): skip emdash check when no diff base is available (#26491, 2e43114)
Documentation
Chores
Compare: v2.33.8...v2.33.9
Container image
docker pull ghcr.io/coder/coder:2.33.9
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.
v2.32.8
Immutable
release. Only release title and notes can be modified.
Changelog
Features
- Implement package and cli tool for repairing oidc links (#26418, b2c5b6f)
- Deployment flag to auto handle changed oidc providers (#26419, 858ac4a)
Bug fixes
- Server: Honor fixed lifetime for CLI API tokens (#26376, c59465f)
- Server: Retry transient refresh failures with backoff (backport #25686 to 2.32) (#26162, b770638)
Chores
Compare: v2.32.7...v2.32.8
Container image
docker pull ghcr.io/coder/coder:2.32.8
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.
v2.29.18
Immutable
release. Only release title and notes can be modified.
Changelog
Features
Bug fixes
- Enterprise: Check user is active in aibridge auth (#26173, 2d2ee9b)
- Server: Honor fixed lifetime for CLI API tokens (#26376, fd1be86)
Tests
Chores
Compare: v2.29.17...v2.29.18
Container image
docker pull ghcr.io/coder/coder:2.29.18
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.
v2.29.17 [SECURITY]
Important
Security hardening release.
This patch addresses vulnerabilities responsibly disclosed to Coder by Anthropic's Project Glasswing under their coordinated vulnerability disclosure program.
We strongly recommend upgrading.
See the Security patches section below for the fixed issues and their advisories.
Changelog
BREAKING CHANGES
- Only trust x-forwarded-host from configured trusted proxies (#26204, 77896ddd9d) (@geokat) (GHSA-5g4w-3vw9-478w)
- fix(coderd)!: restrict OIDC email fallback to first-time account linking (#25712, ed7e9240fc) (GHSA-9r87-mvcw-x35f, GHSA-75vm-6w67-gwvp)
- fix!: reject OIDC login when email_verified claim is non-bool or absent (#25713, 3db810caeb) (GHSA-9r87-mvcw-x35f, GHSA-75vm-6w67-gwvp)
- fix!: validate HostnameSuffix and SSHConfigOptions' (#26154, 320e549fe8) (GHSA-mcqq-fqgf-rxwm)
Security patches
- Server: Verify workspace owner matches app username (#26085, e01d3f401d) (GHSA-5wg6-jmq2-53pw)
- Reject oversized and invalid zip uploads (#25877, 069f6cf5f6) (GHSA-2mg2-p7r7-g27f)
- Escape agent log HTML (#25808, a51dbcfc02) (GHSA-7qw2-f75v-62f7)
- Agent: Prevent command injection in shell execer (#26235, 4aa84f2e6a) (@zedkipp) (GHSA-359v-rvmf-m3g9)
- Server: Prevent user-admin from resetting owner password (#25709, 833eaf8a9d) (GHSA-29xf-69gq-m9jx)
- Validate FileSize in NewDataBuilder to prevent OOM DoS (#25710, 6f5ff1bb33) (GHSA-f962-qm93-mj4c)
- Validate agent-supplied AllowedIPs in coordinator (backport #26144) (#26295, 9181b84440) (GHSA-wrq8-fcv5-8hvp)
- Server: Prevent cross-tenant workspace app rebinding (#26103, c05b4d94e6) (@dylanhuff-at-coder) (GHSA-9rjw-3gwp-f59v)
- CLI: Prevent session token exfiltration via external app URLs (#26146, 2044599fff) (@zedkipp) (GHSA-v54h-cp2w-9x4g)
- Clamp template port sharing level in SubAgentAPI (#26061, c1889d0cbd) (GHSA-x9qq-2qh5-8rxf)
- Server: Use a random value for a simulated hash for built-in users (#26205, 0951f90b5e) (GHSA-8fxq-53rx-ph5f)
- Server: Require update permission to recreate devcontainers (#25812, 18ded827b1) (GHSA-jqj2-x4c5-jfxm)
- Dashboard: Escape appearance values in HTML output (#25804, 77253bfc55) (GHSA-h58c-xccx-75m3)
Compare: v2.29.16...v2.29.17
Container image
docker pull ghcr.io/coder/coder:2.29.17
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.
Contributors
geokat, zedkipp, and dylanhuff-at-coder
Assets 25
v2.34.2 [SECURITY]
Important
Security hardening release.
This patch addresses vulnerabilities responsibly disclosed to Coder by Anthropic's Project Glasswing under their coordinated vulnerability disclosure program.
We strongly recommend upgrading.
See the Security patches section below for the fixed issues and their advisories.
Changelog
Note
This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.
BREAKING CHANGES
- fix(coderd)!: restrict OIDC email fallback to first-time account linking (#25712, ffe764531a) (GHSA-9r87-mvcw-x35f, GHSA-75vm-6w67-gwvp)
- fix!: validate HostnameSuffix and SSHConfigOptions' (#26154, fb52711371) (GHSA-mcqq-fqgf-rxwm)
- fix!: reject OIDC login when email_verified claim is non-bool or absent (#25713, 120b37a09d) (GHSA-9r87-mvcw-x35f, GHSA-75vm-6w67-gwvp)
Security patches
- Escape agent log HTML (#25808, bf5a2205e9) (GHSA-7qw2-f75v-62f7)
- Escape appearance values in HTML output (#25804, aba08538bb) (GHSA-h58c-xccx-75m3)
- Clamp template port sharing level in SubAgentAPI (#26061, b78ec312ed) (GHSA-x9qq-2qh5-8rxf)
- Use a random value for a simulated hash for built-in users (#26205, 6879532f9d) (GHSA-8fxq-53rx-ph5f)
- Require update permission to recreate devcontainers (#25812, e822677bd2) (GHSA-jqj2-x4c5-jfxm)
- Server: Verify workspace owner matches app username (#26085, 3019613cd5) (GHSA-5wg6-jmq2-53pw)
- Always verify TLS on aibridgeproxyd upstream transport (#26131, 6293c89895) (GHSA-84rm-42xw-mx52)
- Check user user is active in aibridge auth (#26173, 943b04f663) (GHSA-wqxv-w64v-5wh6)
- Add max bytes request limit to aibridge (#26164, 9fc2550fe1) (GHSA-f5vp-w269-392g)
- Server: Prevent user-admin from resetting owner password (#25709, f15a934eec) (GHSA-29xf-69gq-m9jx)
- Validate FileSize in NewDataBuilder to prevent OOM DoS (#25710, 531ef5ecb3) (GHSA-f962-qm93-mj4c)
- Reject oversized and invalid zip uploads (#25877, 430ba84ada) (GHSA-2mg2-p7r7-g27f)
- Server: Prevent cross-tenant workspace app rebinding (#26103, e4a765754a) (GHSA-9rjw-3gwp-f59v)
- Agent: Prevent command injection in shell execer (#26235, b949480248) (GHSA-359v-rvmf-m3g9)
- Validate agent-supplied AllowedIPs in coordinator (#26144, c3e7e94a90) (GHSA-wrq8-fcv5-8hvp)
- Only trust x-forwarded-host from configured trusted proxies (#2… (#26296, 3c46473d53) (GHSA-5g4w-3vw9-478w)
- Prevent session token exfiltration via external app URLs (#26146, d7774e5c4c) (GHSA-v54h-cp2w-9x4g)
Features
- Cli: add support for supplying ephemeral parameters at workspac… (#26280, bd5666a46e)
Bug fixes
- Rename bundled rstudio.svg to rproject.svg, add real RStudio icon (#26216, f3839ebaa9)
- Server: Suppress AI Governance seat-count error for not-entitled licenses (#26276, 6419f535dd)
- Preserve gemini thought signatures (#25933, 9595e6cc73)
- Allow lifecycle code path to retry failed stop jobs (#26278, 05e50d10f4)
Chores
- Bump Go to 1.26.4 on release/2.34 (#26265, fad8efd4b0)
Compare: v2.34.1...v2.34.2
Container image
docker pull ghcr.io/coder/coder:2.34.2
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.