2026-03-30 00:02:16 +08:00
43 changed files with 879 additions and 515 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -15,6 +15,12 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 # Note: if: success() is used in several jobs -
 # this ensures that it only executes if all previous jobs succeeded.
 # if: steps.cache-node-modules.outputs.cache-hit != 'true'
 # will skip running `npm install` if it successfully fetched from cache
 jobs:
  changes:
    runs-on: ubuntu-latest
@ -25,8 +31,10 @@ jobs:
      docs: ${{ steps.filter.outputs.docs }}
      helm: ${{ steps.filter.outputs.helm }}
    steps:
-      - uses: actions/checkout@v6
+      - name: Checkout repo
-      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+        uses: actions/checkout@v6
      - name: Check changed files
        uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
@ -90,7 +98,7 @@ jobs:
    if: needs.changes.outputs.helm == 'true'
    steps:
      - uses: actions/checkout@v6
-      - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+      - uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - run: helm plugin install https://github.com/instrumenta/helm-kubeval
@ -143,31 +151,26 @@ jobs:
            test/package-lock.json
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - run: npm run test:unit
-      - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
+      - uses: codecov/codecov-action@v5
        if: success()
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
  build:
-    name: linux-x64
+    name: Build code-server
    runs-on: ubuntu-22.04
    env:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
      DISABLE_V8_COMPILE_CACHE: 1
      VERSION: 0.0.0
      VSCODE_TARGET: linux-x64
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - run: sudo apt update && sudo apt install -y libkrb5-dev
      - uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
        with:
          packages: quilt
          version: 1.0
      - uses: actions/checkout@v6
        with:
          submodules: true
      - run: sudo apt update && sudo apt install -y libkrb5-dev
      - uses: awalsh128/cache-apt-pkgs-action@latest
        with:
          packages: quilt
          version: 1.0
      - run: quilt push -a
      - uses: actions/setup-node@v6
        with:
@ -178,43 +181,51 @@ jobs:
            test/package-lock.json
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - run: npm run build
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Get Code's git hash.  When this changes it means the content is
      # different and we need to rebuild.
      - name: Get latest lib/vscode rev
        id: vscode-rev
        run: echo "rev=$(git rev-parse HEAD:./lib/vscode)" >> $GITHUB_OUTPUT
-      # We need to rebuild when we have a new version of Code, when any of the
+      # We need to rebuild when we have a new version of Code, when any of
-      # patches changed, or when the code-server version changes (since it gets
+      # the patches changed, or when the code-server version changes (since
-      # embedded into the code).  Use VSCODE_CACHE_VERSION to force a rebuild.
+      # it gets embedded into the code).  Use VSCODE_CACHE_VERSION to
-      - name: Fetch prebuilt linux-x64 Code package from cache
+      # force a rebuild.
      - name: Fetch prebuilt Code package from cache
        id: cache-vscode
        uses: actions/cache@v4
        with:
-          path: lib/vscode-reh-web-linux-x64
+          path: lib/vscode-reh-web-*
-          key: vscode-linux-x64-package-${{ secrets.VSCODE_CACHE_VERSION }}-${{ steps.vscode-rev.outputs.rev }}-${{ hashFiles('patches/*.diff', 'ci/build/build-vscode.sh') }}
+          key: vscode-reh-package-${{ secrets.VSCODE_CACHE_VERSION }}-${{ steps.vscode-rev.outputs.rev }}-${{ hashFiles('patches/*.diff', 'ci/build/build-vscode.sh') }}
      - name: Build vscode
        env:
          VERSION: "0.0.0"
        if: steps.cache-vscode.outputs.cache-hit != 'true'
        run: |
          pushd lib/vscode
          npm ci
          popd
          npm run build:vscode
-      # Push up an artifact containing the linux-x64 release.
+      # The release package does not contain any native modules
-      - run: KEEP_MODULES=1 npm run release
+      # and is neutral to architecture/os/libc version.
      - run: npm run release
        if: success()
      # https://github.com/actions/upload-artifact/issues/38
      - run: tar -czf package.tar.gz release
      - uses: actions/upload-artifact@v7
        with:
-          name: linux-x64-package
+          name: npm-package
          path: ./package.tar.gz
  test-e2e:
    name: Run e2e tests
    runs-on: ubuntu-22.04
    needs: [changes, build]
-    if: needs.changes.outputs.code == 'true' || needs.changes.outputs.deps == 'true' || needs.changes.outputs.ci == 'true'
+    if: needs.changes.outputs.code == 'true' || needs.changes.outputs.deps == 'true'
    steps:
      - uses: actions/checkout@v6
      - run: sudo apt update && sudo apt install -y libkrb5-dev
      - uses: actions/setup-node@v6
        with:
          node-version-file: .node-version
@ -223,32 +234,48 @@ jobs:
            package-lock.json
            test/package-lock.json
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - uses: actions/download-artifact@v8
        with:
          name: npm-package
      - run: tar -xzf package.tar.gz
      - run: cd release && npm install --unsafe-perm --omit=dev
      - name: Install Playwright OS dependencies
        run: |
          ./test/node_modules/.bin/playwright install-deps
          ./test/node_modules/.bin/playwright install
      - uses: actions/download-artifact@v8
        with:
          name: linux-x64-package
      - run: tar -xzf package.tar.gz
      - run: CODE_SERVER_TEST_ENTRY=./release npm run test:e2e
      - uses: actions/upload-artifact@v7
        if: always()
        with:
          name: failed-test-videos
          path: ./test/test-results
      - run: rm -rf ./release ./test/test-results
  test-e2e-proxy:
    name: Run e2e tests behind proxy
    runs-on: ubuntu-22.04
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    needs: [changes, build]
-    if: needs.changes.outputs.code == 'true' || needs.changes.outputs.deps == 'true' || needs.changes.outputs.ci == 'true'
+    if: needs.changes.outputs.code == 'true' || needs.changes.outputs.deps == 'true'
    steps:
      - uses: actions/checkout@v6
      - run: sudo apt update && sudo apt install -y libkrb5-dev
      - uses: actions/setup-node@v6
        with:
          node-version-file: .node-version
          cache: npm
          cache-dependency-path: |
            package-lock.json
            test/package-lock.json
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - uses: actions/download-artifact@v8
        with:
          name: npm-package
      - run: tar -xzf package.tar.gz
      - run: cd release && npm install --unsafe-perm --omit=dev
      - name: Install Playwright OS dependencies
        run: |
          ./test/node_modules/.bin/playwright install-deps
          ./test/node_modules/.bin/playwright install
      - name: Cache Caddy
        uses: actions/cache@v4
        id: caddy-cache
@ -257,35 +284,18 @@ jobs:
            ~/.cache/caddy
          key: cache-caddy-2.5.2
      - name: Install Caddy
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        if: steps.caddy-cache.outputs.cache-hit != 'true'
        run: |
          gh release download v2.5.2 --repo caddyserver/caddy --pattern "caddy_2.5.2_linux_amd64.tar.gz"
          mkdir -p ~/.cache/caddy
          tar -xzf caddy_2.5.2_linux_amd64.tar.gz --directory ~/.cache/caddy
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version-file: .node-version
          cache: npm
          cache-dependency-path: |
            package-lock.json
            test/package-lock.json
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - name: Install Playwright OS dependencies
        run: |
          ./test/node_modules/.bin/playwright install-deps
          ./test/node_modules/.bin/playwright install
      - uses: actions/download-artifact@v8
        with:
          name: linux-x64-package
      - run: tar -xzf package.tar.gz
      - run: ~/.cache/caddy/caddy start --config ./ci/Caddyfile
      - run: CODE_SERVER_TEST_ENTRY=./release npm run test:e2e:proxy
      - run: ~/.cache/caddy/caddy stop --config ./ci/Caddyfile
        if: always()
      - uses: actions/upload-artifact@v7
        if: always()
        with:
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@ -6,6 +6,7 @@ on:
  workflow_dispatch:
    inputs:
      version:
        description: The version to publish (include "v", i.e. "v4.9.1").
        type: string
        required: true
@ -22,46 +23,49 @@ concurrency:
 jobs:
  npm:
    runs-on: ubuntu-latest
    env:
      TAG: ${{ inputs.version || github.ref_name }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      NPM_ENVIRONMENT: "production"
    steps:
-      - name: Set version to tag without leading v
+      - name: Checkout code-server
-        run: |
+        uses: actions/checkout@v6
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
-      - uses: actions/checkout@v6
+      - name: Install Node.js
-      - uses: actions/setup-node@v6
+        uses: actions/setup-node@v6
        with:
          node-version-file: .node-version
-      - uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
+      - name: Download npm package from release artifacts
        uses: robinraju/release-downloader@v1.12
        with:
          repository: "coder/code-server"
-          tag: ${{ inputs.version || github.ref_name }}
+          tag: ${{ github.event.inputs.version || github.ref_name }}
          fileName: "package.tar.gz"
          out-file-path: "release-npm-package"
-      - run: tar -xzf release-npm-package/package.tar.gz
+      # Strip out the v (v4.9.1 -> 4.9.1).
-      - run: |
+      - name: Get and set VERSION
-          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
+        run: |
-          pushd release
+          TAG="${{ github.event.inputs.version || github.ref_name }}"
-          npm publish --tag latest --access public
+          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - run: npm run publish:npm
        env:
          VERSION: ${{ env.VERSION }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_ENVIRONMENT: "production"
  aur:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    env:
      GH_TOKEN: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
      TAG: ${{ inputs.version || github.ref_name }}
    steps:
-      - name: Set version to tag without leading v
+      # We need to checkout code-server so we can get the version
-        run: |
+      - name: Checkout code-server
-          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          path: "./code-server"
      - name: Checkout code-server-aur repo
        uses: actions/checkout@v6
@ -81,14 +85,26 @@ jobs:
          git config --global user.name cdrci
          git config --global user.email opensource@coder.com
      # Strip out the v (v4.9.1 -> 4.9.1).
      - name: Get and set VERSION
        run: |
          TAG="${{ github.event.inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - name: Validate package
-        uses: heyhusen/archlinux-package-action@c9f94059ccbebe8710d31d582f33ef4e84fe575c # v3.0.0
+        uses: heyhusen/archlinux-package-action@v3.0.0
        env:
          VERSION: ${{ env.VERSION }}
        with:
          pkgver: ${{ env.VERSION }}
          updpkgsums: true
          srcinfo: true
      - name: Open PR
        # We need to git push -u otherwise gh will prompt
        # asking where to push the branch.
        env:
          VERSION: ${{ env.VERSION }}
        run: |
          git checkout -b update-version-${{ env.VERSION }}
          git add .
@ -98,40 +114,53 @@ jobs:
  docker:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ github.token }}
      TAG: ${{ inputs.version || github.ref_name }}
    steps:
-      - name: Set version to tag without leading v
+      - name: Checkout code-server
-        run: |
+        uses: actions/checkout@v6
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
-      - uses: actions/checkout@v6
+      - name: Set up QEMU
-      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
+        uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
-      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
-      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
+      # Strip out the v (v4.9.1 -> 4.9.1).
      - name: Get and set VERSION
        run: |
          TAG="${{ github.event.inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - name: Download deb artifacts
        uses: robinraju/release-downloader@v1.12
        with:
          repository: "coder/code-server"
          tag: v${{ env.VERSION }}
          fileName: "*.deb"
          out-file-path: "release-packages"
-      - uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
+
      - name: Download rpm artifacts
        uses: robinraju/release-downloader@v1.12
        with:
          repository: "coder/code-server"
          tag: v${{ env.VERSION }}
          fileName: "*.rpm"
          out-file-path: "release-packages"
-      - run: npm run publish:docker
+      - name: Publish to Docker
        run: ./ci/steps/docker-buildx-push.sh
        env:
          VERSION: ${{ env.VERSION }}
          GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -4,6 +4,7 @@ on:
  workflow_dispatch:
    inputs:
      version:
        description: The version to publish (include "v", i.e. "v4.9.1").
        type: string
        required: true
@ -18,9 +19,11 @@ concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 jobs:
-  package-linux:
+  package-linux-cross:
-    name: ${{ matrix.vscode_target }}
+    name: ${{ matrix.prefix }}
    runs-on: ubuntu-latest
    timeout-minutes: 15
    needs: npm-version
    container: "python:3.8-slim-buster"
    strategy:
      matrix:
@ -29,17 +32,14 @@ jobs:
            npm_arch: x64
            apt_arch: amd64
            package_arch: amd64
            vscode_target: linux-x64
          - prefix: aarch64-linux-gnu
            npm_arch: arm64
            apt_arch: arm64
            package_arch: arm64
            vscode_target: linux-arm64
          - prefix: arm-linux-gnueabihf
            npm_arch: armv7l
            apt_arch: armhf
            package_arch: armv7l
            vscode_target: linux-armhf
    env:
      AR: ${{ format('{0}-ar', matrix.prefix) }}
@ -51,137 +51,259 @@ jobs:
      LD: ${{ format('{0}-ld', matrix.prefix) }}
      STRIP: ${{ format('{0}-strip', matrix.prefix) }}
      PKG_CONFIG_PATH: ${{ format('/usr/lib/{0}/pkgconfig', matrix.prefix) }}
-      # Set cross-compiler package arch.
+      TARGET_ARCH: ${{ matrix.apt_arch }}
      APT_ARCH: ${{ matrix.apt_arch }}
      # For downloading the right Node.
      npm_config_arch: ${{ matrix.npm_arch }}
-      # Overrides package architecture.
+      PKG_ARCH: ${{ matrix.package_arch }}
      ARCH: ${{ matrix.package_arch }}
      # Not building from source results in an x86_64 argon2, as if
      # npm_config_arch is being ignored.
      npm_config_build_from_source: true
      # Overrides VS Code gulp build target.
      VSCODE_TARGET: ${{ matrix.vscode_target }}
      TAG: ${{ inputs.version || github.ref_name }}
    steps:
-      - name: Install cross-compiler and system dependencies
+      - name: Checkout repo
-        run: |
+        uses: actions/checkout@v6
          sed -i 's/deb\.debian\.org/archive.debian.org/g' /etc/apt/sources.list
          dpkg --add-architecture $APT_ARCH
          apt update && apt install -y --no-install-recommends \
            crossbuild-essential-$APT_ARCH \
            libx11-dev:$APT_ARCH \
            libx11-xcb-dev:$APT_ARCH \
            libxkbfile-dev:$APT_ARCH \
            libsecret-1-dev:$APT_ARCH \
            libkrb5-dev:$APT_ARCH \
            ca-certificates \
            curl wget rsync gettext-base quilt git
      - name: Install nfpm
        run: |
          mkdir -p ~/.local/bin
          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
          echo "$HOME/.local/bin" >> $GITHUB_PATH
-      - name: Set version to tag without leading v
+      - name: Install Node.js
-        run: |
+        uses: actions/setup-node@v6
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - uses: actions/checkout@v6
        with:
          submodules: true
      - run: quilt push -a
      - uses: actions/setup-node@v6
        with:
          node-version-file: .node-version
          cache: npm
          cache-dependency-path: |
            package-lock.json
            test/package-lock.json
      - run: npm ci
      - run: npm run build
      - run: npm run build:vscode
-      # Platform-agnostic NPM package.
+      - name: Install cross-compiler and system dependencies
-      - run: npm run release
+        run: |
-        if: ${{ matrix.vscode_target == 'linux-x64' }}
+          sed -i 's/deb\.debian\.org/archive.debian.org/g' /etc/apt/sources.list
-      - run: tar -czf package.tar.gz release
+          dpkg --add-architecture $TARGET_ARCH
-        if: ${{ matrix.vscode_target == 'linux-x64' }}
+          apt update && apt install -y --no-install-recommends \
-      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
+            crossbuild-essential-$TARGET_ARCH \
-        if: ${{ matrix.vscode_target == 'linux-x64' }}
+            libx11-dev:$TARGET_ARCH \
            libx11-xcb-dev:$TARGET_ARCH \
            libxkbfile-dev:$TARGET_ARCH \
            libsecret-1-dev:$TARGET_ARCH \
            libkrb5-dev:$TARGET_ARCH \
            ca-certificates \
            curl wget rsync gettext-base
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - name: Install nfpm
        run: |
          mkdir -p ~/.local/bin
          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
          echo "$HOME/.local/bin" >> $GITHUB_PATH
      - name: Download npm package
        uses: actions/download-artifact@v8
        with:
-          draft: true
+          name: npm-release-package
-          discussion_category_name: "📣 Announcements"
+
-          files: package.tar.gz
+      - run: tar -xzf package.tar.gz
      - run: npm run release:standalone
      # Platform-specific release.
      - run: KEEP_MODULES=1 npm run release
      - name: Replace node with cross-compile equivalent
        run: |
          node_version=$(node --version)
          wget https://nodejs.org/dist/${node_version}/node-${node_version}-linux-${npm_config_arch}.tar.xz
          tar -xf node-${node_version}-linux-${npm_config_arch}.tar.xz node-${node_version}-linux-${npm_config_arch}/bin/node --strip-components=2
-          mv ./node ./release/lib/node
+          mv ./node ./release-standalone/lib/node
-      - run: npm run package
+      # Strip out the v (v4.9.1 -> 4.9.1).
-      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
+      - name: Get and set VERSION
        run: |
          TAG="${{ inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - env:
          VERSION: ${{ env.VERSION }}
        run: npm run package $PKG_ARCH
      - uses: softprops/action-gh-release@v1
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
          files: ./release-packages/*
-  package-macos:
+  package-macos-amd64:
-    name: ${{ matrix.vscode_target }}
+    name: x86-64 macOS build
-    runs-on: ${{ matrix.os }}
+    runs-on: macos-15-intel
-    strategy:
+    timeout-minutes: 15
-      matrix:
+    needs: npm-version
        include:
          - os: macos-15-intel
            vscode_target: darwin-x64
          - os: macos-latest
            vscode_target: darwin-arm64
    env:
      VSCODE_TARGET: ${{ matrix.vscode_target }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      TAG: ${{ inputs.version || github.ref_name }}
    steps:
-      # The version of node-gyp we use depends on distutils but it was removed
+      - name: Checkout repo
-      # in Python 3.12.  It seems to be fixed in the latest node-gyp so when we
+        uses: actions/checkout@v6
      # next update Node we can probably remove this.  For now, install
      # setuptools since it contains distutils.
      - run: brew install python-setuptools quilt
      - name: Install nfpm
        run: |
          mkdir -p ~/.local/bin
          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
          echo "$HOME/.local/bin" >> $GITHUB_PATH
-      - name: Set version to tag without leading v
+      - name: Install Node.js
-        run: |
+        uses: actions/setup-node@v6
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - uses: actions/checkout@v6
        with:
          submodules: true
      - run: quilt push -a
      - uses: actions/setup-node@v6
        with:
          node-version-file: .node-version
          cache: npm
          cache-dependency-path: |
            package-lock.json
            test/package-lock.json
-      - run: npm ci
+
-      - run: npm run build
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
-      - run: npm run build:vscode
+
-      - run: KEEP_MODULES=1 npm run release
+      - name: Install nfpm
        run: |
          mkdir -p ~/.local/bin
          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
          echo "$HOME/.local/bin" >> $GITHUB_PATH
      # The version of node-gyp we use depends on distutils but it was removed
      # in Python 3.12.  It seems to be fixed in the latest node-gyp so when we
      # next update Node we can probably remove this.  For now, install
      # setuptools since it contains distutils.
      - run: brew install python-setuptools
      - name: Download npm package
        uses: actions/download-artifact@v8
        with:
          name: npm-release-package
      - run: tar -xzf package.tar.gz
      - run: npm run release:standalone
      - run: npm run test:native
-      - run: npm run package
+      # Strip out the v (v4.9.1 -> 4.9.1).
-      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
+      - name: Get and set VERSION
        run: |
          TAG="${{ inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - name: Build packages with nfpm
        env:
          VERSION: ${{ env.VERSION }}
        run: npm run package
      - uses: softprops/action-gh-release@v1
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
          files: ./release-packages/*
  package-macos-arm64:
    name: arm64 macOS build
    runs-on: macos-latest
    timeout-minutes: 15
    needs: npm-version
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout repo
        uses: actions/checkout@v6
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
          node-version-file: .node-version
          cache: npm
          cache-dependency-path: |
            package-lock.json
            test/package-lock.json
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - name: Install nfpm
        run: |
          mkdir -p ~/.local/bin
          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
          echo "$HOME/.local/bin" >> $GITHUB_PATH
      # The version of node-gyp we use depends on distutils but it was removed
      # in Python 3.12.  It seems to be fixed in the latest node-gyp so when we
      # next update Node we can probably remove this.  For now, install
      # setuptools since it contains distutils.
      - run: brew install python-setuptools
      - name: Download npm package
        uses: actions/download-artifact@v8
        with:
          name: npm-release-package
      - run: tar -xzf package.tar.gz
      - run: npm run release:standalone
      - run: npm run test:native
      # Strip out the v (v4.9.1 -> 4.9.1).
      - name: Get and set VERSION
        run: |
          TAG="${{ inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - name: Build packages with nfpm
        env:
          VERSION: ${{ env.VERSION }}
        run: npm run package
      - uses: softprops/action-gh-release@v1
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
          files: ./release-packages/*
  npm-package:
    name: Upload npm package
    runs-on: ubuntu-latest
    timeout-minutes: 15
    needs: npm-version
    steps:
      - name: Download npm package
        uses: actions/download-artifact@v8
        with:
          name: npm-release-package
      - uses: softprops/action-gh-release@v1
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
          files: ./package.tar.gz
  npm-version:
    name: Modify package.json version
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Download artifacts
        uses: dawidd6/action-download-artifact@v16
        id: download
        with:
          branch: ${{ github.ref }}
          workflow: build.yaml
          workflow_conclusion: completed
          name: npm-package
          check_artifacts: false
          if_no_artifact_found: fail
      - run: tar -xzf package.tar.gz
      # Strip out the v (v4.9.1 -> 4.9.1).
      - name: Get and set VERSION
        run: |
          TAG="${{ inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - name: Modify version
        env:
          VERSION: ${{ env.VERSION }}
        run: |
          echo "Updating version in root package.json"
          npm version --prefix release "$VERSION"
          echo "Updating version in lib/vscode/product.json"
          tmp=$(mktemp)
          jq ".codeServerVersion = \"$VERSION\"" release/lib/vscode/product.json > "$tmp" && mv "$tmp" release/lib/vscode/product.json
          # Ensure it has the same permissions as before
          chmod 644 release/lib/vscode/product.json
      - run: tar -czf package.tar.gz release
      - name: Upload npm package artifact
        uses: actions/upload-artifact@v7
        with:
          name: npm-release-package
          path: ./package.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -2,6 +2,8 @@
 .cache
 /out*/
 release/
 release-npm-package/
 release-standalone/
 release-packages/
 release-gcp/
 release-images/
--- a/.node-version
+++ b/.node-version
@ -1 +1 @@
-22.22.1
+22.22.0
--- a/.prettierignore
+++ b/.prettierignore
@ -1,4 +1,6 @@
-lib
+lib/vscode
 lib/vscode-reh-web-linux-x64
 release-standalone
 release-packages
 release
 helm-chart
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -22,39 +22,6 @@ Code v99.99.999
 ## Unreleased
 ## [4.112.0](https://github.com/coder/code-server/releases/tag/v4.112.0) - 2026-03-19
 Code v1.112.0
 ### Changed
 - Update to Code 1.112.0
 ## [4.111.0](https://github.com/coder/code-server/releases/tag/v4.111.0) - 2026-03-11
 Code v1.111.0
 ### Changed
 - Update to Code 1.111.0
 - `--app-name` now affects the error page title.
 ## [4.110.1](https://github.com/coder/code-server/releases/tag/v4.110.1) - 2026-03-10
 Code v1.110.1
 ### Changed
 - Update to Code 1.110.1
 ## [4.110.0](https://github.com/coder/code-server/releases/tag/v4.110.0) - 2026-03-09
 Code v1.110.0
 ### Changed
 - Update to Code 1.110.0
 ## [4.109.5](https://github.com/coder/code-server/releases/tag/v4.109.5) - 2026-03-02
 Code v1.109.5
--- a/ci/README.md
+++ b/ci/README.md
@ -0,0 +1,112 @@
 # ci
 This directory contains scripts used for code-server's continuous integration infrastructure.
 Some of these scripts contain more detailed documentation and options
 in header comments.
 Any file or directory in this subdirectory should be documented here.
 - [./ci/lib.sh](./lib.sh)
  - Contains code duplicated across these scripts.
 ## dev
 This directory contains scripts used for the development of code-server.
 - [./ci/dev/image](./dev/image)
  - See [./docs/CONTRIBUTING.md](../docs/CONTRIBUTING.md) for docs on the development container.
 - [./ci/dev/fmt.sh](./dev/fmt.sh) (`npm run fmt`)
  - Runs formatters.
 - [./ci/dev/lint.sh](./dev/lint.sh) (`npm run lint`)
  - Runs linters.
 - [./ci/dev/test-unit.sh](./dev/test-unit.sh) (`npm run test:unit`)
  - Runs unit tests.
 - [./ci/dev/test-e2e.sh](./dev/test-e2e.sh) (`npm run test:e2e`)
  - Runs end-to-end tests.
 - [./ci/dev/watch.ts](./dev/watch.ts) (`npm run watch`)
  - Starts a process to build and launch code-server and restart on any code changes.
  - Example usage in [./docs/CONTRIBUTING.md](../docs/CONTRIBUTING.md).
 - [./ci/dev/gen_icons.sh](./dev/gen_icons.sh) (`npm run icons`)
  - Generates the various icons from a single `.svg` favicon in
    `src/browser/media/favicon.svg`.
  - Requires [imagemagick](https://imagemagick.org/index.php)
 ## build
 This directory contains the scripts used to build and release code-server.
 You can disable minification by setting `MINIFY=`.
 - [./ci/build/build-code-server.sh](./build/build-code-server.sh) (`npm run build`)
  - Builds code-server into `./out` and bundles the frontend into `./dist`.
 - [./ci/build/build-vscode.sh](./build/build-vscode.sh) (`npm run build:vscode`)
  - Builds vscode into `./lib/vscode/out-vscode`.
 - [./ci/build/build-release.sh](./build/build-release.sh) (`npm run release`)
  - Bundles the output of the above two scripts into a single node module at `./release`.
 - [./ci/build/clean.sh](./build/clean.sh) (`npm run clean`)
  - Removes all build artifacts.
  - Useful to do a clean build.
 - [./ci/build/code-server.sh](./build/code-server.sh)
  - Copied into standalone releases to run code-server with the bundled node binary.
 - [./ci/build/test-standalone-release.sh](./build/test-standalone-release.sh) (`npm run test:standalone-release`)
  - Ensures code-server in the `./release-standalone` directory works by installing an extension.
 - [./ci/build/build-packages.sh](./build/build-packages.sh) (`npm run package`)
  - Packages `./release-standalone` into a `.tar.gz` archive in `./release-packages`.
  - If on linux, [nfpm](https://github.com/goreleaser/nfpm) is used to generate `.deb` and `.rpm`.
 - [./ci/build/nfpm.yaml](./build/nfpm.yaml)
  - Used to configure [nfpm](https://github.com/goreleaser/nfpm) to generate `.deb` and `.rpm`.
 - [./ci/build/code-server-nfpm.sh](./build/code-server-nfpm.sh)
  - Entrypoint script for code-server for `.deb` and `.rpm`.
 - [./ci/build/code-server.service](./build/code-server.service)
  - systemd user service packaged into the `.deb` and `.rpm`.
 - [./ci/build/release-github-draft.sh](./build/release-github-draft.sh) (`npm run release:github-draft`)
  - Uses [gh](https://github.com/cli/cli) to create a draft release with a template description.
 - [./ci/build/release-github-assets.sh](./build/release-github-assets.sh) (`npm run release:github-assets`)
  - Downloads the release-package artifacts for the current commit from CI.
  - Uses [gh](https://github.com/cli/cli) to upload the artifacts to the release
    specified in `package.json`.
 - [./ci/build/npm-postinstall.sh](./build/npm-postinstall.sh)
  - Post install script for the npm package.
  - Bundled by`npm run release`.
 ## release-image
 This directory contains the release docker container image.
 - [./ci/steps/build-docker-buildx-push.sh](./steps/docker-buildx-push.sh)
  - Builds the release containers with tags `codercom/code-server-$ARCH:$VERSION` for amd64 and arm64 with `docker buildx` and pushes them.
  - Assumes debian releases are ready in `./release-packages`.
 ## images
 This directory contains the images for CI.
 ## steps
 This directory contains the scripts used in CI.
 Helps avoid clobbering the CI configuration.
 - [./steps/fmt.sh](./steps/fmt.sh)
  - Runs `npm run fmt`.
 - [./steps/lint.sh](./steps/lint.sh)
  - Runs `npm run lint`.
 - [./steps/test-unit.sh](./steps/test-unit.sh)
  - Runs `npm run test:unit`.
 - [./steps/test-integration.sh](./steps/test-integration.sh)
  - Runs `npm run test:integration`.
 - [./steps/test-e2e.sh](./steps/test-e2e.sh)
  - Runs `npm run test:e2e`.
 - [./steps/release.sh](./steps/release.sh)
  - Runs the release process.
  - Generates the npm package at `./release`.
 - [./steps/release-packages.sh](./steps/release-packages.sh)
  - Takes the output of the previous script and generates a standalone release and
    release packages into `./release-packages`.
 - [./steps/publish-npm.sh](./steps/publish-npm.sh)
  - Grabs the `npm-package` release artifact for the current commit and publishes it on npm.
 - [./steps/docker-buildx-push.sh](./steps/docker-buildx-push.sh)
  - Builds the docker image and then pushes it.
 - [./steps/push-docker-manifest.sh](./steps/push-docker-manifest.sh)
  - Loads all images in `./release-images` and then builds and pushes a multi architecture
    docker manifest for the amd64 and arm64 images to `codercom/code-server:$VERSION` and
    `codercom/code-server:latest`.
--- a/ci/build/build-packages.sh
+++ b/ci/build/build-packages.sh
@ -1,18 +1,21 @@
 #!/usr/bin/env bash
 set -euo pipefail
-# Given a release found in $RELEASE_PATH, generate a deb, rpm, and tarball each
+# Given a platform-specific release found in ./release-standalone, generate an
-# named after $ARCH (derived from uname -m but can be overridden for
+# compressed archives and bundles (as appropriate for the platform) named after
-# cross-compilation) and $OS (derived from uname and cannot be overridden) and
+# the platform's architecture and OS and place them in ./release-packages and
-# place them in ./release-packages and ./release-gcp.
+# ./release-gcp.
 main() {
  cd "$(dirname "${0}")/../.."
  source ./ci/lib.sh
  source ./ci/build/build-lib.sh
-  VERSION=$(jq -r .version "$RELEASE_PATH/package.json")
+  # Allow us to override architecture
-  export VERSION # for nfpm to use
+  # we use this for our Linux ARM64 cross compile builds
  if [ "$#" -eq 1 ] && [ "$1" ]; then
    ARCH=$1
  fi
  mkdir -p release-packages
@ -26,9 +29,9 @@ main() {
 release_archive() {
  local release_name="code-server-$VERSION-$OS-$ARCH"
  if [[ $OS == "linux" ]]; then
-    tar -czf "release-packages/$release_name.tar.gz" --owner=0 --group=0 --transform "s/^\.\/$RELEASE_PATH/$release_name/" "$RELEASE_PATH"
+    tar -czf "release-packages/$release_name.tar.gz" --owner=0 --group=0 --transform "s/^\.\/release-standalone/$release_name/" ./release-standalone
  else
-    tar -czf "release-packages/$release_name.tar.gz" -s "/^$RELEASE_PATH/$release_name/" "$RELEASE_PATH"
+    tar -czf "release-packages/$release_name.tar.gz" -s "/^release-standalone/$release_name/" release-standalone
  fi
  echo "done (release-packages/$release_name)"
@ -49,13 +52,15 @@ release_nfpm() {
  export NFPM_ARCH
-  NFPM_ARCH="$(get_nfpm_arch deb "$ARCH")"
+  PKG_FORMAT="deb"
  NFPM_ARCH="$(get_nfpm_arch $PKG_FORMAT "$ARCH")"
  nfpm_config="$(envsubst < ./ci/build/nfpm.yaml)"
  echo "Building deb"
  echo "$nfpm_config" | head --lines=4
  nfpm pkg -f <(echo "$nfpm_config") --target "release-packages/code-server_${VERSION}_${NFPM_ARCH}.deb"
-  NFPM_ARCH="$(get_nfpm_arch rpm "$ARCH")"
+  PKG_FORMAT="rpm"
  NFPM_ARCH="$(get_nfpm_arch $PKG_FORMAT "$ARCH")"
  nfpm_config="$(envsubst < ./ci/build/nfpm.yaml)"
  echo "Building rpm"
  echo "$nfpm_config" | head --lines=4
--- a/ci/build/build-release.sh
+++ b/ci/build/build-release.sh
@ -4,16 +4,13 @@ set -euo pipefail
 # Once both code-server and VS Code have been built, use this script to copy
 # them into a single directory (./release), prepare the package.json and
 # product.json, and add shrinkwraps.  This results in a generic NPM package that
-# we can publish to NPM.
+# we published to NPM and also use to compile platform-specific packages.
 # MINIFY controls whether minified VS Code is bundled. It must match the value
 # used when VS Code was built.
 MINIFY="${MINIFY-true}"
 # node_modules are not copied by default.  Set KEEP_MODULES=1 to copy them.
 # Note these modules will be for the platform that built them, making the result
 # no longer generic (it can still be published though as the modules will be
 # ignored when pushing).
 KEEP_MODULES="${KEEP_MODULES-0}"
 main() {
@ -34,30 +31,6 @@ main() {
  rsync ./docs/README.md "$RELEASE_PATH"
  rsync LICENSE "$RELEASE_PATH"
  rsync ./lib/vscode/ThirdPartyNotices.txt "$RELEASE_PATH"
  if [ "$KEEP_MODULES" = 1 ]; then
    # Copy Node.  Package managers may shim their own "node" wrapper into the
    # PATH, so run node and ask it for its true path.
    local node_path
    node_path="$(node -p process.execPath)"
    rsync "$node_path" "$RELEASE_PATH/lib/node"
    chmod 755 "$RELEASE_PATH/lib/node"
    # Copy the code-server launcher.
    mkdir -p "$RELEASE_PATH/bin"
    rsync ./ci/build/code-server.sh "$RELEASE_PATH/bin/code-server"
    chmod 755 "$RELEASE_PATH/bin/code-server"
    # Delete the extra bin scripts.
    rm "$RELEASE_PATH/lib/vscode/bin/remote-cli/code-darwin.sh"
    rm "$RELEASE_PATH/lib/vscode/bin/remote-cli/code-linux.sh"
    rm "$RELEASE_PATH/lib/vscode/bin/helpers/browser-darwin.sh"
    rm "$RELEASE_PATH/lib/vscode/bin/helpers/browser-linux.sh"
    if [ "$OS" != windows ] ; then
      rm "$RELEASE_PATH/lib/vscode/bin/remote-cli/code.cmd"
      rm "$RELEASE_PATH/lib/vscode/bin/helpers/browser.cmd"
    fi
  fi
 }
 bundle_code_server() {
@ -75,7 +48,6 @@ bundle_code_server() {
  jq --slurp '(.[0] | del(.scripts,.jest,.devDependencies)) * .[1]' package.json <(
    cat << EOF
  {
    "version": "$(jq -r .codeServerVersion "./lib/vscode-reh-web-$VSCODE_TARGET/product.json")",
    "commit": "$(git rev-parse HEAD)",
    "scripts": {
      "postinstall": "sh ./postinstall.sh"
@ -113,7 +85,7 @@ bundle_vscode() {
    rsync_opts+=(--exclude node_modules)
  fi
-  rsync "${rsync_opts[@]}" "./lib/vscode-reh-web-$VSCODE_TARGET/" "$VSCODE_OUT_PATH"
+  rsync "${rsync_opts[@]}" ./lib/vscode-reh-web-*/ "$VSCODE_OUT_PATH"
  # Merge the package.json for the web/remote server so we can include
  # dependencies, since we want to ship this via NPM.
--- a/ci/build/build-standalone-release.sh
+++ b/ci/build/build-standalone-release.sh
@ -0,0 +1,37 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # Once we have an NPM package, use this script to copy it to a separate
 # directory (./release-standalone) and install the dependencies.  This new
 # directory can then be packaged as a platform-specific release.
 main() {
  cd "$(dirname "${0}")/../.."
  source ./ci/lib.sh
  rsync "$RELEASE_PATH/" "$RELEASE_PATH-standalone"
  RELEASE_PATH+=-standalone
  # Package managers may shim their own "node" wrapper into the PATH, so run
  # node and ask it for its true path.
  local node_path
  node_path="$(node -p process.execPath)"
  mkdir -p "$RELEASE_PATH/bin"
  mkdir -p "$RELEASE_PATH/lib"
  rsync ./ci/build/code-server.sh "$RELEASE_PATH/bin/code-server"
  rsync "$node_path" "$RELEASE_PATH/lib/node"
  chmod 755 "$RELEASE_PATH/lib/node"
  pushd "$RELEASE_PATH"
  npm install --unsafe-perm --omit=dev
  # Code deletes some files from the extension node_modules directory which
  # leaves broken symlinks in the corresponding .bin directory.  nfpm will fail
  # on these broken symlinks so clean them up.
  rm -fr "./lib/vscode/extensions/node_modules/.bin"
  popd
 }
 main "$@"
--- a/ci/build/build-vscode.sh
+++ b/ci/build/build-vscode.sh
@ -6,32 +6,33 @@ set -euo pipefail
 # MINIFY controls whether a minified version of vscode is built.
 MINIFY=${MINIFY-true}
-fix-bin-script() {
+delete-bin-script() {
-  local script="lib/vscode-reh-web-$VSCODE_TARGET/bin/$1"
+  rm -f "lib/vscode-reh-web-linux-x64/bin/$1"
-  sed -i.bak "s/@@VERSION@@/$(vscode_version)/g" "$script"
+}
-  sed -i.bak "s/@@COMMIT@@/$BUILD_SOURCEVERSION/g" "$script"
+
-  sed -i.bak "s/@@APPNAME@@/code-server/g" "$script"
+copy-bin-script() {
  local script="$1"
  local dest="lib/vscode-reh-web-linux-x64/bin/$script"
  cp "lib/vscode/resources/server/bin/$script" "$dest"
  sed -i.bak "s/@@VERSION@@/$(vscode_version)/g" "$dest"
  sed -i.bak "s/@@COMMIT@@/$BUILD_SOURCEVERSION/g" "$dest"
  sed -i.bak "s/@@APPNAME@@/code-server/g" "$dest"
  # Fix Node path on Darwin and Linux.
  # We do not want expansion here; this text should make it to the file as-is.
  # shellcheck disable=SC2016
-  sed -i.bak 's/^ROOT=\(.*\)$/VSROOT=\1\nROOT="$(dirname "$(dirname "$VSROOT")")"/g' "$script"
+  sed -i.bak 's/^ROOT=\(.*\)$/VSROOT=\1\nROOT="$(dirname "$(dirname "$VSROOT")")"/g' "$dest"
-  sed -i.bak 's/ROOT\/out/VSROOT\/out/g' "$script"
+  sed -i.bak 's/ROOT\/out/VSROOT\/out/g' "$dest"
  # We do not want expansion here; this text should make it to the file as-is.
  # shellcheck disable=SC2016
-  sed -i.bak 's/$ROOT\/node/${NODE_EXEC_PATH:-$ROOT\/lib\/node}/g' "$script"
+  sed -i.bak 's/$ROOT\/node/${NODE_EXEC_PATH:-$ROOT\/lib\/node}/g' "$dest"
  # Fix Node path on Windows.
-  sed -i.bak 's/^set ROOT_DIR=\(.*\)$/set ROOT_DIR=%~dp0..\\..\\..\\..\r\nset VSROOT_DIR=\1/g' "$script"
+  sed -i.bak 's/^set ROOT_DIR=\(.*\)$/set ROOT_DIR=%~dp0..\\..\\..\\..\r\nset VSROOT_DIR=\1/g' "$dest"
-  sed -i.bak 's/%ROOT_DIR%\\out/%VSROOT_DIR%\\out/g' "$script"
+  sed -i.bak 's/%ROOT_DIR%\\out/%VSROOT_DIR%\\out/g' "$dest"
-  chmod +x "$script"
+  chmod +x "$dest"
-  rm "$script.bak"
+  rm "$dest.bak"
 }
 copy-bin-script() {
  cp "lib/vscode/resources/server/bin/$1" "lib/vscode-reh-web-$VSCODE_TARGET/bin/$1"
  fix-bin-script "$1"
 }
 main() {
@ -107,8 +108,13 @@ main() {
 EOF
  ) > product.json
-  npm run gulp core-ci
+  # Any platform here works since we will do our own packaging.  We have to do
-  npm run gulp "vscode-reh-web-$VSCODE_TARGET${MINIFY:+-min}-ci"
+  # this because we have an NPM package that could be installed on any platform.
  # The correct platform dependencies and scripts will be installed as part of
  # the post-install during `npm install` or when building a standalone release.
  node --max-old-space-size=16384 --optimize-for-size \
       ./node_modules/gulp/bin/gulp.js \
       "vscode-reh-web-linux-x64${MINIFY:+-min}"
  # Reset so if you develop after building you will not be stuck with the wrong
  # commit (the dev client will use `oss-dev` but the dev server will still use
@ -117,7 +123,7 @@ EOF
  popd
-  pushd "lib/vscode-reh-web-$VSCODE_TARGET"
+  pushd lib/vscode-reh-web-linux-x64
  # Make sure Code took the version we set in the environment variable.  Not
  # having a version will break display languages.
  if ! jq -e .commit product.json; then
@ -126,28 +132,15 @@ EOF
  fi
  popd
  # Set vars and fix paths.
  case $OS in
    windows)
      fix-bin-script remote-cli/code.cmd
      fix-bin-script helpers/browser.cmd
      ;;
    *)
      fix-bin-script remote-cli/code-server
      fix-bin-script helpers/browser.sh
      ;;
  esac
  # Include bin scripts for other platforms so we can use the right one in the
  # NPM post-install.
  # These provide a `code-server` command in the integrated terminal to open
  # files in the current instance.
  delete-bin-script remote-cli/code-server
  copy-bin-script remote-cli/code-darwin.sh
  copy-bin-script remote-cli/code-linux.sh
  copy-bin-script remote-cli/code.cmd
  # These provide a way for terminal applications to open browser windows.
  delete-bin-script helpers/browser.sh
  copy-bin-script helpers/browser-darwin.sh
  copy-bin-script helpers/browser-linux.sh
  copy-bin-script helpers/browser.cmd
--- a/ci/build/nfpm.yaml
+++ b/ci/build/nfpm.yaml
@ -21,5 +21,5 @@ contents:
  - src: ./ci/build/code-server-user.service
    dst: /usr/lib/systemd/user/code-server.service
-  - src: ./release/*
+  - src: ./release-standalone/*
    dst: /usr/lib/code-server
--- a/ci/build/npm-postinstall.sh
+++ b/ci/build/npm-postinstall.sh
@ -23,6 +23,17 @@ symlink() {
  esac
 }
 # VS Code bundles some modules into an asar which is an archive format that
 # works like tar. It then seems to get unpacked into node_modules.asar.
 #
 # I don't know why they do this but all the dependencies they bundle already
 # exist in node_modules so just symlink it. We have to do this since not only
 # Code itself but also extensions will look specifically in this directory for
 # files (like the ripgrep binary or the oniguruma wasm).
 symlink_asar() {
  symlink node_modules node_modules.asar
 }
 # Make a symlink at bin/$1/$3 pointing to the platform-specific version of the
 # script in $2.  The extension of the link will be .cmd for Windows otherwise it
 # will be whatever is in $4 (or no extension if $4 is not set).
@ -134,6 +145,7 @@ vscode_install() {
    return 1
  fi
  symlink_asar
  symlink_bin_script remote-cli code code-server
  symlink_bin_script helpers browser browser .sh
--- a/ci/dev/test-integration.sh
+++ b/ci/dev/test-integration.sh
@ -2,13 +2,13 @@
 set -euo pipefail
 help() {
-  echo >&2 "  You can build the release with 'KEEP_MODULES=1 npm run release'"
+  echo >&2 "  You can build the standalone release with 'npm run release:standalone'"
  echo >&2 "  Or you can pass in a custom path."
  echo >&2 "  CODE_SERVER_PATH='/var/tmp/coder/code-server/bin/code-server' npm run test:integration"
 }
 # Make sure a code-server release works. You can pass in the path otherwise it
-# will look for $RELEASE_PATH in the current directory.
+# will look for release-standalone in the current directory.
 #
 # This is to make sure we don't have Node version errors or any other
 # compilation-related errors.
@ -17,7 +17,7 @@ main() {
  source ./ci/lib.sh
-  local path="$RELEASE_PATH/bin/code-server"
+  local path="$RELEASE_PATH-standalone/bin/code-server"
  if [[ ! ${CODE_SERVER_PATH-} ]]; then
    echo "Set CODE_SERVER_PATH to test another build of code-server"
  else
--- a/ci/dev/test-native.sh
+++ b/ci/dev/test-native.sh
@ -2,13 +2,13 @@
 set -euo pipefail
 help() {
-  echo >&2 "  You can build the release with 'KEEP_MODULES=1 npm run release'"
+  echo >&2 "  You can build the standalone release with 'npm run release:standalone'"
  echo >&2 "  Or you can pass in a custom path."
  echo >&2 "  CODE_SERVER_PATH='/var/tmp/coder/code-server/bin/code-server' npm run test:integration"
 }
 # Make sure a code-server release works. You can pass in the path otherwise it
-# will look for $RELEASE_PATH in the current directory.
+# will look for release-standalone in the current directory.
 #
 # This is to make sure we don't have Node version errors or any other
 # compilation-related errors.
@ -17,7 +17,7 @@ main() {
  source ./ci/lib.sh
-  local path="$RELEASE_PATH/bin/code-server"
+  local path="$RELEASE_PATH-standalone/bin/code-server"
  if [[ ! ${CODE_SERVER_PATH-} ]]; then
    echo "Set CODE_SERVER_PATH to test another build of code-server"
  else
--- a/ci/lib.sh
+++ b/ci/lib.sh
@ -44,42 +44,11 @@ rsync() {
  command rsync -a --del "$@"
 }
-if [[ ! ${ARCH-} ]]; then
+ARCH="$(arch)"
-  ARCH=$(arch)
+export ARCH
-  export ARCH
+OS=$(os)
-fi
+export OS
 if [[ ! ${OS-} ]]; then
  OS=$(os)
  export OS
 fi
 # RELEASE_PATH is the destination directory for the release from the root.
 # Defaults to release
-if [[ ! ${RELEASE_PATH-} ]]; then
+RELEASE_PATH="${RELEASE_PATH-release}"
  RELEASE_PATH="release"
  export RELEASE_PATH
 fi
 nodeOS() {
  osname=$OS
  case $osname in
    macos) osname=darwin ;;
    windows) osname=win32 ;;
  esac
  echo "$osname"
 }
 nodeArch() {
  cpu=$ARCH
  case $cpu in
    amd64) cpu=x64 ;;
  esac
  echo "$cpu"
 }
 # See gulpfile.reh.ts for available targets.
 if [[ ! ${VSCODE_TARGET-} ]]; then
  VSCODE_TARGET="$(nodeOS)-$(nodeArch)"
  export VSCODE_TARGET
 fi
--- a/ci/release-image/Dockerfile
+++ b/ci/release-image/Dockerfile
@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:experimental
-ARG BASE=debian:13
+ARG BASE=debian:12
 FROM scratch AS packages
 COPY release-packages/code-server*.deb /tmp/
--- a/ci/release-image/docker-bake.hcl
+++ b/ci/release-image/docker-bake.hcl
@ -16,7 +16,6 @@ variable "GITHUB_REGISTRY" {
 group "default" {
    targets = [
        "code-server-debian-13",
        "code-server-debian-12",
        "code-server-ubuntu-focal",
        "code-server-ubuntu-noble",
@ -49,24 +48,13 @@ function "gen_tags_for_docker_and_ghcr" {
    )
 }
-target "code-server-debian-13" {
+target "code-server-debian-12" {
    dockerfile = "ci/release-image/Dockerfile"
    tags = concat(
        gen_tags_for_docker_and_ghcr(""),
        gen_tags_for_docker_and_ghcr("debian"),
        gen_tags_for_docker_and_ghcr("trixie"),
    )
    platforms = ["linux/amd64", "linux/arm64"]
 }
 target "code-server-debian-12" {
    dockerfile = "ci/release-image/Dockerfile"
    tags = concat(
        gen_tags_for_docker_and_ghcr("bookworm"),
    )
    args = {
        BASE = "debian:12"
    }
    platforms = ["linux/amd64", "linux/arm64"]
 }
--- a/ci/steps/brew-bump.sh
+++ b/ci/steps/brew-bump.sh
@ -0,0 +1,37 @@
 #!/usr/bin/env bash
 set -euo pipefail
 main() {
  # Only sourcing this so we get access to $VERSION
  source ./ci/lib.sh
  source ./ci/steps/steps-lib.sh
  echo "Checking environment variables"
  # We need VERSION to bump the brew formula
  if ! is_env_var_set "VERSION"; then
    echo "VERSION is not set"
    exit 1
  fi
  # We need HOMEBREW_GITHUB_API_TOKEN to push up commits
  if ! is_env_var_set "HOMEBREW_GITHUB_API_TOKEN"; then
    echo "HOMEBREW_GITHUB_API_TOKEN is not set"
    exit 1
  fi
  # Find the docs for bump-formula-pr here
  # https://github.com/Homebrew/brew/blob/master/Library/Homebrew/dev-cmd/bump-formula-pr.rb#L18
  local output
  if ! output=$(brew bump-formula-pr --version="${VERSION}" code-server --no-browse --no-audit --message="PR opened by @${GITHUB_ACTOR}" 2>&1); then
    if [[ $output == *"Duplicate PRs should not be opened"* ]]; then
      echo "$VERSION is already submitted"
      exit 0
    else
      echo "$output"
      exit 1
    fi
  fi
 }
 main "$@"
--- a/ci/steps/publish-npm.sh
+++ b/ci/steps/publish-npm.sh
@ -0,0 +1,149 @@
 #!/usr/bin/env bash
 set -euo pipefail
 main() {
  cd "$(dirname "$0")/../.."
  source ./ci/lib.sh
  source ./ci/steps/steps-lib.sh
  ## Authentication tokens
  # Needed to publish on NPM
  if ! is_env_var_set "NPM_TOKEN"; then
    echo "NPM_TOKEN is not set. Cannot publish to npm without credentials."
    exit 1
  fi
  ## Publishing Information
  # All the variables below are used to determine how we should publish
  # the npm package. We also use this information for bumping the version.
  # This is because npm won't publish your package unless it's a new version.
  # i.e. for development, we bump the version to <current version>-<pr number>-<commit sha>
  # example: "version": "4.0.1-4769-ad7b23cfe6ffd72914e34781ef7721b129a23040"
  # We use this to grab the PR_NUMBER
  if ! is_env_var_set "GITHUB_REF"; then
    echo "GITHUB_REF is not set. Are you running this locally? We rely on values provided by GitHub."
    exit 1
  fi
  # We use this when setting NPM_VERSION
  if ! is_env_var_set "GITHUB_SHA"; then
    echo "GITHUB_SHA is not set. Are you running this locally? We rely on values provided by GitHub."
    exit 1
  fi
  # We use this to determine the NPM_ENVIRONMENT
  if ! is_env_var_set "GITHUB_EVENT_NAME"; then
    echo "GITHUB_EVENT_NAME is not set. Are you running this locally? We rely on values provided by GitHub."
    exit 1
  fi
  # Check that we're using at least v7 of npm CLI
  if ! command -v jq &> /dev/null; then
    echo "Couldn't find jq"
    echo "We need this in order to modify the package.json for dev builds."
    exit 1
  fi
  # This allows us to publish to npm in CI workflows
  if [[ ${CI-} ]]; then
    echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
  fi
  ## Environment
  # This string is used to determine how we should tag the npm release.
  # Environment can be one of three choices:
  # "development" - this means we tag with the PR number, allowing
  # a developer to install this version with `npm install code-server@<pr-number>`
  # "staging" - this means we tag with `beta`, allowing
  # a developer to install this version with `npm install code-server@beta`
  # "production" - this means we tag with `latest` (default), allowing
  # a developer to install this version with `npm install code-server@latest`
  if ! is_env_var_set "NPM_ENVIRONMENT"; then
    echo "NPM_ENVIRONMENT is not set."
    echo "Determining in script based on GITHUB environment variables."
    if [[ "$GITHUB_EVENT_NAME" == 'push' && "$GITHUB_REF" == 'refs/heads/main' ]]; then
      NPM_ENVIRONMENT="staging"
    else
      NPM_ENVIRONMENT="development"
    fi
  fi
  # NOTE@jsjoeio - this script assumes we have the artifact downloaded on disk
  # That happens in CI as a step before we run this.
  # https://github.com/actions/upload-artifact/issues/38
  tar -xzf release-npm-package/package.tar.gz
  # We use this to set the name of the package in the
  # package.json
  PACKAGE_NAME="code-server"
  # NOTES:@jsjoeio
  # We only need to run npm version for "development" and "staging".
  # This is because our release:prep script automatically bumps the version
  # in the package.json and we commit it as part of the release PR.
  if [[ "$NPM_ENVIRONMENT" == "production" ]]; then
    NPM_VERSION="$VERSION"
    # This means the npm version will be published as "stable"
    # and installed when a user runs `npm install code-server`
    NPM_TAG="latest"
  else
    COMMIT_SHA="$GITHUB_SHA"
    if [[ "$NPM_ENVIRONMENT" == "staging" ]]; then
      NPM_VERSION="$VERSION-beta-$COMMIT_SHA"
      # This means the npm version will be tagged with "beta"
      # and installed when a user runs `npm install code-server@beta`
      NPM_TAG="beta"
      PACKAGE_NAME="@coder/code-server-pr"
    fi
    if [[ "$NPM_ENVIRONMENT" == "development" ]]; then
      # Source: https://github.com/actions/checkout/issues/58#issuecomment-614041550
      PR_NUMBER=$(echo "$GITHUB_REF" | awk 'BEGIN { FS = "/" } ; { print $3 }')
      NPM_VERSION="$VERSION-$PR_NUMBER-$COMMIT_SHA"
      PACKAGE_NAME="@coder/code-server-pr"
      # This means the npm version will be tagged with "<pr number>"
      # and installed when a user runs `npm install code-server@<pr number>`
      NPM_TAG="$PR_NUMBER"
    fi
    echo "- tag: $NPM_TAG"
    echo "- version: $NPM_VERSION"
    echo "- package name: $PACKAGE_NAME"
    echo "- npm environment: $NPM_ENVIRONMENT"
    # We modify the version in the package.json
    # to be the current version + the PR number + commit SHA
    # or we use current version + beta + commit SHA
    # Example: "version": "4.0.1-4769-ad7b23cfe6ffd72914e34781ef7721b129a23040"
    # Example: "version": "4.0.1-beta-ad7b23cfe6ffd72914e34781ef7721b129a23040"
    pushd release
    npm version "$NPM_VERSION"
    # Use the development package name
    # This is so we don't clutter the code-server versions on npm
    # with development versions.
    # jq can't edit in place so we must store in memory and echo
    local contents
    contents="$(jq ".name |= \"$PACKAGE_NAME\"" package.json)"
    echo "${contents}" > package.json
    popd
  fi
  # We need to make sure we haven't already published the version.
  # If we get error, continue with script because we want to publish
  # If version is valid, we check if we're publishing the same one
  local hasVersion
  if hasVersion=$(npm view "$PACKAGE_NAME@$NPM_VERSION" version 2> /dev/null) && [[ $hasVersion == "$NPM_VERSION" ]]; then
    echo "$NPM_VERSION is already published under $PACKAGE_NAME"
    return
  fi
  # Since the dev builds are scoped to @coder
  # We pass --access public to ensure npm knows it's not private.
  cd release
  npm publish --tag "$NPM_TAG" --access public
 }
 main "$@"
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@ -9,6 +9,7 @@
  - [Version updates to Code](#version-updates-to-code)
  - [Patching Code](#patching-code)
  - [Build](#build)
    - [Creating a Standalone Release](#creating-a-standalone-release)
  - [Troubleshooting](#troubleshooting)
    - [I see "Forbidden access" when I load code-server in the browser](#i-see-forbidden-access-when-i-load-code-server-in-the-browser)
    - ["Can only have one anonymous define call per script"](#can-only-have-one-anonymous-define-call-per-script)
@ -121,7 +122,7 @@ commits first if you are doing this).
 ### Build
-You can build a full production release as follows:
+You can build a full production as follows:
 ```shell
 git submodule update --init
@ -129,32 +130,26 @@ quilt push -a
 npm install
 npm run build
 VERSION=0.0.0 npm run build:vscode
-KEEP_MODULES=1 npm run release
+npm run release
 ```
-You can omit `KEEP_MODULES` if you intend to use this in a platform-agnostic way
+This does not keep `node_modules`. If you want them to be kept, use
-(like for publishing to NPM), but since the VS Code build process does
+`KEEP_MODULES=1 npm run release`
 post-processing deletion of the modules, it is recommended to keep the modules
 when possible, since if you install them later you will have more than is
 required. `KEEP_MODULES` will also bundle Node and the code-server entry script.
 Run your build:
 ```shell
 ./release/bin/code-server
 ```
 Or if you omitted `KEEP_MODULES`:
 ```shell
 cd release
-npm install --omit=dev
+npm install --omit=dev # Skip if you used KEEP_MODULES=1
 # Runs the built JavaScript with Node.
 node .
 ```
-Then, to package the release:
+Then, to build the release package:
 ```shell
 npm run release:standalone
 npm run test:integration
 npm run package
 ```
@ -163,6 +158,22 @@ npm run package
 > If you need your builds to support older distros, run the build commands
 > inside a Docker container with all the build requirements installed.
 #### Creating a Standalone Release
 Part of the build process involves creating standalone releases. At the time of
 writing, we do this for the following platforms/architectures:
 - Linux amd64 (.tar.gz, .deb, and .rpm)
 - Linux arm64 (.tar.gz, .deb, and .rpm)
 - Linux arm7l (.tar.gz)
 - Linux armhf.deb
 - Linux armhf.rpm
 - macOS arm64.tar.gz
 Currently, these are compiled in CI using the `npm run release:standalone`
 command in the `release.yaml` workflow. We then upload them to the draft release
 and distribute via GitHub Releases.
 ### Troubleshooting
 #### I see "Forbidden access" when I load code-server in the browser
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@ -22,7 +22,6 @@
 - [How do I debug issues with code-server?](#how-do-i-debug-issues-with-code-server)
 - [What is the healthz endpoint?](#what-is-the-healthz-endpoint)
 - [What is the heartbeat file?](#what-is-the-heartbeat-file)
 - [How do I change the reconnection grace time?](#how-do-i-change-the-reconnection-grace-time)
 - [How do I change the password?](#how-do-i-change-the-password)
 - [Can I store my password hashed?](#can-i-store-my-password-hashed)
 - [Is multi-tenancy possible?](#is-multi-tenancy-possible)
@ -327,16 +326,6 @@ If you want to shutdown code-server if there hasn't been an active connection
 after a predetermined amount of time, you can use the --idle-timeout-seconds flag
 or set an `CODE_SERVER_IDLE_TIMEOUT_SECONDS` environment variable.
 ## How do I change the reconnection grace time?
 Pass `--reconnection-grace-time <seconds>` to `code-server`, set
 `CODE_SERVER_RECONNECTION_GRACE_TIME=<seconds>`, or add
 `reconnection-grace-time: <seconds>` to
 `~/.config/code-server/config.yaml`.
 The default is `10800` (3 hours). If a client stays disconnected longer than
 this, it must reload the window.
 ## How do I change the password?
 Edit the `password` field in the code-server config file at
--- a/docs/MAINTAINING.md
+++ b/docs/MAINTAINING.md
@ -7,6 +7,7 @@
    - [Release Candidates](#release-candidates)
    - [AUR](#aur)
    - [Docker](#docker)
    - [Homebrew](#homebrew)
    - [nixpkgs](#nixpkgs)
    - [npm](#npm)
 - [Testing](#testing)
@ -26,18 +27,20 @@ Most of the work is keeping on top of issues and discussions.
 1. Check that the changelog lists all the important changes.
 2. Make sure the changelog entry lists the current version of VS Code.
-3. Go to GitHub Actions > Draft release > Run workflow on the commit you want to
+3. Update the changelog with the release date.
-   release. For the version we match VS Code's minor and patch version. The
+4. Go to GitHub Actions > Draft release > Run workflow on the commit you want to
   release. Make sure CI has finished the build workflow on that commit or this
   will fail. For the version we match VS Code's minor and patch version. The
   patch number may become temporarily out of sync if we need to put out a
   patch, but if we make our own minor change then we will not release it until
   the next minor VS Code release.
-4. CI will build an NPM package and platform-specific packages, and upload those
+5. CI will automatically grab the build artifact on that commit (which is why CI
-   to a draft release.
+   has to have completed), inject the provided version into the `package.json`,
-5. Update the resulting draft release with the changelog contents.
+   put together platform-specific packages, and upload those packages to a draft
-6. Publish the draft release after validating it.
+   release.
-7. Update the changelog with the release date and bump the Helm chart version
+6. Update the resulting draft release with the changelog contents.
-   once the Docker images have published.
+7. Publish the draft release after validating it.
-8. Merge the PR submitted to coder/code-server-aur repo.
+8. Bump the Helm chart version once the Docker images have published.
 #### Release Candidates
@ -52,34 +55,38 @@ full-blown release. To do this follow the same steps as above but:
 #### AUR
-We publish to AUR as a package
+We publish to AUR as a package [here](https://aur.archlinux.org/packages/code-server/). This process is manual and can be done by following the steps in [this repo](https://github.com/coder/code-server-aur).
 [here](https://aur.archlinux.org/packages/code-server/). This process is manual
 and can be done by following the steps in [this
 repo](https://github.com/coder/code-server-aur).
 #### Docker
-We publish code-server as a Docker image
+We publish code-server as a Docker image [here](https://hub.docker.com/r/codercom/code-server), tagging it both with the version and latest.
 [here](https://hub.docker.com/r/codercom/code-server), tagging it both with the
 version and latest.
 This is currently automated with the release process.
 #### Homebrew
 We publish code-server on Homebrew [here](https://github.com/Homebrew/homebrew-core/blob/master/Formula/code-server.rb).
 This is currently automated with the release process (but may fail occasionally). If it does, run this locally:
 ```shell
 # Replace VERSION with version
 brew bump-formula-pr --version="${VERSION}" code-server --no-browse --no-audit
 ```
 #### nixpkgs
 We publish code-server in nixpkgs but it must be updated manually.
 #### npm
-We publish code-server as a npm package
+We publish code-server as a npm package [here](https://www.npmjs.com/package/code-server/v/latest).
 [here](https://www.npmjs.com/package/code-server/v/latest).
 This is currently automated with the release process.
 ## Testing
-Our testing structure is laid out under our [Contributing
+Our testing structure is laid out under our [Contributing docs](https://coder.com/docs/code-server/latest/CONTRIBUTING#test).
 docs](https://coder.com/docs/code-server/latest/CONTRIBUTING#test).
 If you're ever looking to add more tests, here are a few ways to get started:
--- a/lib/vscode
+++ b/lib/vscode
@ -1 +1 @@
-Subproject commit cfbea10c5ffb233ea9177d34726e6056e89913dc
+Subproject commit 07ff9d6178ede9a1bd12ad3399074d726ebe6e43
--- a/package-lock.json
+++ b/package-lock.json
@ -18,7 +18,7 @@
        "express": "^5.0.1",
        "http-proxy": "^1.18.1",
        "httpolyglot": "^0.1.2",
-        "i18next": "^25.8.3",
+        "i18next": "^25.3.0",
        "js-yaml": "^4.1.0",
        "limiter": "^2.1.0",
        "pem": "^1.14.8",
@ -3095,9 +3095,9 @@
      }
    },
    "node_modules/flatted": {
-      "version": "3.4.2",
+      "version": "3.3.4",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.4.tgz",
-      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+      "integrity": "sha512-3+mMldrTAPdta5kjX2G2J7iX4zxtnwpdA8Tr2ZSjkyPSanvbZAcy6flmtnXbEybHrDcU9641lxrMfFuUxVz9vA==",
      "dev": true,
      "license": "ISC"
    },
--- a/package.json
+++ b/package.json
@ -14,6 +14,7 @@
    "build:vscode": "./ci/build/build-vscode.sh",
    "doctoc": "./ci/dev/doctoc.sh",
    "release": "./ci/build/build-release.sh",
    "release:standalone": "./ci/build/build-standalone-release.sh",
    "release:prep": "./ci/build/release-prep.sh",
    "test:e2e": "VSCODE_IPC_HOOK_CLI= ./ci/dev/test-e2e.sh",
    "test:e2e:proxy": "USE_PROXY=1 ./ci/dev/test-e2e.sh",
--- a/patches/clipboard.diff
+++ b/patches/clipboard.diff
@ -78,7 +78,7 @@ Index: code-server/lib/vscode/src/vs/platform/environment/common/argv.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/environment/common/argv.ts
 +++ code-server/lib/vscode/src/vs/platform/environment/common/argv.ts
-@@ -143,6 +143,7 @@ export interface NativeParsedArgs {
+@@ -139,6 +139,7 @@ export interface NativeParsedArgs {
 	'disable-chromium-sandbox'?: boolean;
 	sandbox?: boolean;
 	'enable-coi'?: boolean;
@ -90,7 +90,7 @@ Index: code-server/lib/vscode/src/vs/platform/environment/node/argv.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/environment/node/argv.ts
 +++ code-server/lib/vscode/src/vs/platform/environment/node/argv.ts
-@@ -115,6 +115,7 @@ export const OPTIONS: OptionDescriptions
+@@ -106,6 +106,7 @@ export const OPTIONS: OptionDescriptions
 	'user-data-dir': { type: 'string', cat: 'o', args: 'dir', description: localize('userDataDir', "Specifies the directory that user data is kept in. Can be used to open multiple distinct instances of Code.") },
 	'profile': { type: 'string', 'cat': 'o', args: 'profileName', description: localize('profileName', "Opens the provided folder or workspace with the given profile and associates the profile with the workspace. If the profile does not exist, a new empty one is created.") },
 	'help': { type: 'boolean', cat: 'o', alias: 'h', description: localize('help', "Print usage.") },
--- a/patches/display-language.diff
+++ b/patches/display-language.diff
@ -18,7 +18,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverServices.ts
 import { ProtocolConstants } from '../../base/parts/ipc/common/ipc.net.js';
 import { IConfigurationService } from '../../platform/configuration/common/configuration.js';
 import { ConfigurationService } from '../../platform/configuration/common/configurationService.js';
-@@ -297,6 +297,9 @@ export async function setupServerService
+@@ -277,6 +277,9 @@ export async function setupServerService
 		socketServer.registerChannel('mcpManagement', new McpManagementChannel(mcpManagementService, (ctx: RemoteAgentConnectionContext) => getUriTransformer(ctx.remoteAuthority)));
@ -198,7 +198,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 	/* ----- server setup ----- */
-@@ -116,6 +117,7 @@ export interface ServerParsedArgs {
+@@ -113,6 +114,7 @@ export interface ServerParsedArgs {
 	'disable-file-downloads'?: boolean;
 	'disable-file-uploads'?: boolean;
 	'disable-getting-started-override'?: boolean,
--- a/patches/external-file-actions.diff
+++ b/patches/external-file-actions.diff
@ -99,7 +99,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 	/* ----- server setup ----- */
-@@ -110,6 +112,8 @@ export interface ServerParsedArgs {
+@@ -107,6 +109,8 @@ export interface ServerParsedArgs {
 	/* ----- code-server ----- */
 	'disable-update-check'?: boolean;
 	'auth'?: string;
@ -230,7 +230,7 @@ Index: code-server/lib/vscode/src/vs/workbench/services/dialogs/browser/simpleFi
 import { IRemoteAgentService } from '../../remote/common/remoteAgentService.js';
 import { IContextKeyService, IContextKey, RawContextKey } from '../../../../platform/contextkey/common/contextkey.js';
 import { equalsIgnoreCase, format, startsWithIgnoreCase } from '../../../../base/common/strings.js';
-@@ -152,7 +152,7 @@ export class SimpleFileDialog extends Di
+@@ -144,7 +144,7 @@ export class SimpleFileDialog extends Di
 		@IFileDialogService private readonly fileDialogService: IFileDialogService,
 		@IModelService private readonly modelService: IModelService,
 		@ILanguageService private readonly languageService: ILanguageService,
@ -239,7 +239,7 @@ Index: code-server/lib/vscode/src/vs/workbench/services/dialogs/browser/simpleFi
 		@IRemoteAgentService private readonly remoteAgentService: IRemoteAgentService,
 		@IPathService protected readonly pathService: IPathService,
 		@IKeybindingService private readonly keybindingService: IKeybindingService,
-@@ -362,21 +362,23 @@ export class SimpleFileDialog extends Di
+@@ -322,21 +322,23 @@ export class SimpleFileDialog extends Di
 			this.filePickBox.placeholder = nls.localize('remoteFileDialog.placeholder', "Folder path");
 			this.filePickBox.ok = true;
 			this.filePickBox.okLabel = typeof this.options.openLabel === 'string' ? this.options.openLabel : this.options.openLabel?.withoutMnemonic;
--- a/patches/fix-build.diff
+++ b/patches/fix-build.diff
@ -0,0 +1,38 @@
 Fix protected field error
 The mangler is reporting this error:
 WARN: 'setEditorVisible' from lib/vscode/src/vs/workbench/browser/parts/editor/editorPane.ts:160 became PUBLIC because of: lib/vscode/src/vs/workbench/contrib/chat/browser/chatDebug/chatDebugEditor.ts:304
 ERROR: Protected fields have been made PUBLIC. This hurts minification and is therefore not allowed. Review the WARN messages further above
 No idea how VS Code is dealing with this in their own builds.
 Additionally, in CI the build keeps getting terminated, possibly from running
 out of memory (there is no error message, it simply says it was canceled).
 Index: code-server/lib/vscode/src/vs/workbench/contrib/chat/browser/chatDebug/chatDebugEditor.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/chat/browser/chatDebug/chatDebugEditor.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/chat/browser/chatDebug/chatDebugEditor.ts
@@ -299,7 +299,7 @@ export class ChatDebugEditor extends Edi
 		}
 	}
 -	override setEditorVisible(visible: boolean): void {
 +	protected override setEditorVisible(visible: boolean): void {
 		super.setEditorVisible(visible);
 		if (visible) {
 			this.telemetryService.publicLog2<{}, ChatDebugPanelOpenedClassification>('chatDebugPanelOpened');
 Index: code-server/lib/vscode/build/lib/mangle/index.ts
 ===================================================================
 --- code-server.orig/lib/vscode/build/lib/mangle/index.ts
 +++ code-server/lib/vscode/build/lib/mangle/index.ts
@@ -430,7 +430,7 @@ export class Mangler {
 		this.config = config;
 		this.renameWorkerPool = workerpool.pool(path.join(import.meta.dirname, 'renameWorker.ts'), {
 -			maxWorkers: 4,
 +			maxWorkers: 2,
 			minWorkers: 'max'
 		});
 	}
--- a/patches/getting-started.diff
+++ b/patches/getting-started.diff
@ -189,7 +189,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 	/* ----- server setup ----- */
-@@ -114,6 +115,7 @@ export interface ServerParsedArgs {
+@@ -111,6 +112,7 @@ export interface ServerParsedArgs {
 	'auth'?: string;
 	'disable-file-downloads'?: boolean;
 	'disable-file-uploads'?: boolean;
--- a/patches/logout.diff
+++ b/patches/logout.diff
@ -28,7 +28,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 	/* ----- server setup ----- */
-@@ -108,6 +109,7 @@ export const serverOptions: OptionDescri
+@@ -105,6 +106,7 @@ export const serverOptions: OptionDescri
 export interface ServerParsedArgs {
 	/* ----- code-server ----- */
 	'disable-update-check'?: boolean;
--- a/patches/proposed-api.diff
+++ b/patches/proposed-api.diff
@ -17,7 +17,7 @@ Index: code-server/lib/vscode/src/vs/workbench/services/extensions/common/extens
 -	if (!extension.enabledApiProposals) {
 -		return false;
 -	}
-	return true;// extension.enabledApiProposals.includes(proposal);
+-	return extension.enabledApiProposals.includes(proposal);
 +	return true
 }
--- a/patches/series
+++ b/patches/series
@ -22,3 +22,4 @@ clipboard.diff
 display-language.diff
 trusted-domains.diff
 signature-verification.diff
 fix-build.diff
--- a/patches/sourcemaps.diff
+++ b/patches/sourcemaps.diff
@ -10,7 +10,7 @@ Index: code-server/lib/vscode/build/gulpfile.reh.ts
 ===================================================================
 --- code-server.orig/lib/vscode/build/gulpfile.reh.ts
 +++ code-server/lib/vscode/build/gulpfile.reh.ts
-@@ -263,8 +263,7 @@ function packageTask(type: string, platf
+@@ -262,8 +262,7 @@ function packageTask(type: string, platf
 	return () => {
 		const src = gulp.src(sourceFolderName + '/**', { base: '.' })
 			.pipe(rename(function (path) { path.dirname = path.dirname!.replace(new RegExp('^' + sourceFolderName), 'out'); }))
@ -20,7 +20,7 @@ Index: code-server/lib/vscode/build/gulpfile.reh.ts
 		const workspaceExtensionPoints = ['debuggers', 'jsonValidation'];
 		const isUIExtension = (manifest: { extensionKind?: string; main?: string; contributes?: Record<string, unknown> }) => {
-@@ -304,9 +303,9 @@ function packageTask(type: string, platf
+@@ -303,9 +302,9 @@ function packageTask(type: string, platf
 			.map(name => `.build/extensions/${name}/**`);
 		const extensions = gulp.src(extensionPaths, { base: '.build', dot: true });
@ -32,7 +32,7 @@ Index: code-server/lib/vscode/build/gulpfile.reh.ts
 		let version = packageJson.version;
 		const quality = (product as typeof product & { quality?: string }).quality;
-@@ -501,7 +500,7 @@ function tweakProductForServerWeb(produc
+@@ -492,7 +491,7 @@ function tweakProductForServerWeb(produc
 	const minifyTask = task.define(`minify-vscode-${type}`, task.series(
 		bundleTask,
 		util.rimraf(`out-vscode-${type}-min`),
--- a/patches/telemetry.diff
+++ b/patches/telemetry.diff
@ -28,7 +28,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverServices.ts
 import { NullPolicyService } from '../../platform/policy/common/policy.js';
 import { OneDataSystemAppender } from '../../platform/telemetry/node/1dsAppender.js';
 import { LoggerService } from '../../platform/log/node/loggerService.js';
-@@ -172,11 +174,23 @@ export async function setupServerService
+@@ -169,11 +171,23 @@ export async function setupServerService
 	const requestService = new RequestService('remote', configurationService, environmentService, logService);
 	services.set(IRequestService, requestService);
--- a/patches/trusted-domains.diff
+++ b/patches/trusted-domains.diff
@ -12,7 +12,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 	/* ----- server setup ----- */
-@@ -118,6 +119,7 @@ export interface ServerParsedArgs {
+@@ -115,6 +116,7 @@ export interface ServerParsedArgs {
 	'disable-file-uploads'?: boolean;
 	'disable-getting-started-override'?: boolean,
 	'locale'?: string
--- a/patches/update-check.diff
+++ b/patches/update-check.diff
@ -101,7 +101,7 @@ Index: code-server/lib/vscode/src/vs/base/common/product.ts
 	readonly version: string;
 	readonly date?: string;
-@@ -115,6 +116,7 @@ export interface IProductConfiguration {
+@@ -114,6 +115,7 @@ export interface IProductConfiguration {
 		readonly resourceUrlTemplate: string;
 		readonly nlsBaseUrl: string;
 		readonly accessSKUs?: string[];
@ -134,7 +134,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 	/* ----- server setup ----- */
-@@ -104,6 +106,8 @@ export const serverOptions: OptionDescri
+@@ -101,6 +103,8 @@ export const serverOptions: OptionDescri
 };
 export interface ServerParsedArgs {
--- a/src/node/cli.ts
+++ b/src/node/cli.ts
@ -52,7 +52,6 @@ export interface UserProvidedCodeArgs {
  "disable-workspace-trust"?: boolean
  "disable-getting-started-override"?: boolean
  "disable-proxy"?: boolean
  "reconnection-grace-time"?: string
  "session-socket"?: string
  "cookie-suffix"?: string
  "link-protection-trusted-domains"?: string[]
@ -316,12 +315,6 @@ export const options: Options<Required<UserProvidedArgs>> = {
    type: "number",
    description: "Timeout in seconds to wait before shutting down when idle.",
  },
  "reconnection-grace-time": {
    type: "string",
    description:
      "Override the reconnection grace time in seconds. Clients who disconnect for longer than this duration will need to \n" +
      "reload the window. Defaults to 10800 (3 hours).",
  },
 }
 export const optionDescriptions = (opts: Partial<Options<Required<UserProvidedArgs>>> = options): string[] => {
@ -639,10 +632,6 @@ export async function setDefaults(cliArgs: UserProvidedArgs, configArgs?: Config
    args["github-auth"] = process.env.GITHUB_TOKEN
  }
  if (process.env.CODE_SERVER_RECONNECTION_GRACE_TIME) {
    args["reconnection-grace-time"] = process.env.CODE_SERVER_RECONNECTION_GRACE_TIME
  }
  if (process.env.CODE_SERVER_IDLE_TIMEOUT_SECONDS) {
    if (isNaN(Number(process.env.CODE_SERVER_IDLE_TIMEOUT_SECONDS))) {
      logger.info("CODE_SERVER_IDLE_TIMEOUT_SECONDS must be a number")
--- a/src/node/http.ts
+++ b/src/node/http.ts
@ -351,25 +351,6 @@ export function ensureOrigin(req: express.Request, _?: express.Response, next?:
  }
 }
 /**
 * Return true if the origin matches any trusted origin.  Entries are matched
 * as exact strings, the special wildcard `"*"`, or `*.example.com`-style
 * domain wildcards (same as --proxy-domain).
 */
 export function isTrustedOrigin(origin: string, trustedOrigins: string[]): boolean {
  return trustedOrigins.some((trusted) => {
    if (trusted === "*" || trusted === origin) {
      return true
    }
    // *.example.com style: match origin if it is the domain or a subdomain
    if (trusted.startsWith("*.")) {
      const domain = trusted.slice(2).toLowerCase()
      return origin === domain || origin.endsWith("." + domain)
    }
    return false
  })
 }
 /**
 * Authenticate the request origin against the host.  Throw if invalid.
 */
@ -389,7 +370,7 @@ export function authenticateOrigin(req: express.Request): void {
  }
  const trustedOrigins = req.args["trusted-origins"] || []
-  if (isTrustedOrigin(origin, trustedOrigins)) {
+  if (trustedOrigins.includes(origin) || trustedOrigins.includes("*")) {
    return
  }
--- a/test/unit/node/cli.test.ts
+++ b/test/unit/node/cli.test.ts
@ -48,7 +48,6 @@ describe("parser", () => {
    delete process.env.PASSWORD
    delete process.env.CS_DISABLE_FILE_DOWNLOADS
    delete process.env.CS_DISABLE_GETTING_STARTED_OVERRIDE
    delete process.env.CODE_SERVER_RECONNECTION_GRACE_TIME
    delete process.env.VSCODE_PROXY_URI
    delete process.env.CS_DISABLE_PROXY
    console.log = jest.fn()
@ -116,8 +115,6 @@ describe("parser", () => {
          ["--session-socket", "/tmp/override-code-server-ipc-socket"],
          ["--reconnection-grace-time", "86400"],
          ["--host", "0.0.0.0"],
          "4",
          "--",
@ -154,7 +151,6 @@ describe("parser", () => {
      version: true,
      "bind-addr": "192.169.0.1:8080",
      "session-socket": "/tmp/override-code-server-ipc-socket",
      "reconnection-grace-time": "86400",
      "abs-proxy-base-path": "/codeserver/app1",
      "skip-auth-preflight": true,
    })
@ -461,19 +457,6 @@ describe("parser", () => {
    })
  })
  it("should use env var CODE_SERVER_RECONNECTION_GRACE_TIME for reconnection grace time", async () => {
    process.env.CODE_SERVER_RECONNECTION_GRACE_TIME = "86400"
    const args = parse([])
    expect(args).toEqual({})
    const defaultArgs = await setDefaults(args)
    expect(defaultArgs).toEqual({
      ...defaults,
      "reconnection-grace-time": "86400",
    })
    delete process.env.CODE_SERVER_RECONNECTION_GRACE_TIME
  })
  it("should error if password passed in", () => {
    expect(() => parse(["--password", "supersecret123"])).toThrowError(
      "--password can only be set in the config file or passed in via $PASSWORD",
--- a/test/unit/node/http.test.ts
+++ b/test/unit/node/http.test.ts
@ -19,30 +19,6 @@ describe("http", () => {
    expect(http.relativeRoot("/foo/bar/")).toStrictEqual("./../..")
  })
  describe("isTrustedOrigin", () => {
    it("should match exact origins", () => {
      expect(http.isTrustedOrigin("localhost:8080", ["localhost:8080"])).toBe(true)
      expect(http.isTrustedOrigin("example.com", ["example.com"])).toBe(true)
      expect(http.isTrustedOrigin("example.com", ["other.com"])).toBe(false)
    })
    it("should match the wildcard *", () => {
      expect(http.isTrustedOrigin("anything.example.com", ["*"])).toBe(true)
      expect(http.isTrustedOrigin("localhost:8080", ["*"])).toBe(true)
    })
    it("should match *.example.com wildcard (same style as --proxy-domain)", () => {
      expect(http.isTrustedOrigin("sub.example.com", ["*.example.com"])).toBe(true)
      expect(http.isTrustedOrigin("example.com", ["*.example.com"])).toBe(true)
      expect(http.isTrustedOrigin("evil.com", ["*.example.com"])).toBe(false)
      expect(http.isTrustedOrigin("example.com.evil.com", ["*.example.com"])).toBe(false)
    })
    it("should return false for an empty trusted origins list", () => {
      expect(http.isTrustedOrigin("example.com", [])).toBe(false)
    })
  })
  describe("origin", () => {
    ;[
      {
@ -78,22 +54,6 @@ describe("http", () => {
        host: "localhost:8080",
        expected: "malformed", // Parsing fails completely.
      },
      {
        origin: "http://sub.example.com",
        host: "other.com",
        trustedOrigins: ["*.example.com"],
      },
      {
        origin: "http://evil.com",
        host: "other.com",
        trustedOrigins: ["*.example.com"],
        expected: "does not match",
      },
      {
        origin: "http://sub.example.com",
        host: "other.com",
        trustedOrigins: ["*"],
      },
    ].forEach((test) => {
      ;[
        ["host", test.host],
@ -110,9 +70,7 @@ describe("http", () => {
              origin: test.origin,
              [key]: value,
            },
-            args: {
+            args: {},
              "trusted-origins": (test as { trustedOrigins?: string[] }).trustedOrigins,
            },
          })
          if (typeof test.expected === "string") {
            expect(() => http.authenticateOrigin(req)).toThrow(test.expected)
		`@ -1 +1 @@`
			`Subproject commit cfbea10c5ffb233ea9177d34726e6056e89913dc`				`Subproject commit 07ff9d6178ede9a1bd12ad3399074d726ebe6e43`