Skip to content

chore(deps): bump github.com/coder/coder/v2 from 2.34.0-rc.0.0.20260701204415-db7f4438b4ad to 2.35.1#390

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/coder/coder/v2-2.35.1
Closed

chore(deps): bump github.com/coder/coder/v2 from 2.34.0-rc.0.0.20260701204415-db7f4438b4ad to 2.35.1#390
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/coder/coder/v2-2.35.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/coder/coder/v2 from 2.34.0-rc.0.0.20260701204415-db7f4438b4ad to 2.35.1.

Release notes

Sourced from github.com/coder/coder/v2's releases.

v2.35.1

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

BREAKING CHANGES

  • Chat stream silence timeout error renamed (#25973)

    The Agents chat error kind startup_timeout has been renamed to stream_silence_timeout to reflect that the timeout now applies to any gap between provider stream parts, not just first-token startup. Migration: Clients matching on the startup_timeout error kind should update to stream_silence_timeout. This is a minor API-only change; the dashboard handles it automatically.

  • OIDC login rejects non-boolean or absent email_verified (#25713)

    The OIDC callback previously used a Go type assertion for email_verified that silently treated missing or string-typed values (e.g. "false") as verified. The check is now fail-closed: absent claims, unrecognized types, or non-truthy values are treated as unverified and rejected. The fix adds coerceEmailVerified() which handles bool, string ("true"/"false"/"1"/"0" via strconv.ParseBool), float64, json.Number, and integer variants. Migration: The migration is automatic for most of the deployments. However, if the IdP has non-static user IDs, then the admins may need to use the CODER_DANGEROUS_OIDC_SKIP_ISSUER_CHECKS. Please note that it is advised to not use this flag and allow for the automated migration to take care of things.

  • OIDC/GitHub email fallback restricted to first-time linking (#25712)

    findLinkedUser previously fell back to email-based lookup for all logins, not just first-time linking. An attacker who registers the victim's email at the IdP (with a different OIDC subject) could bypass linked_id and match to the victim's account. The fallback now returns no user when an existing user_link has a populated linked_id that differs from the current login. Accounts with empty (legacy, pre-migration) linked_id are unaffected and are backfilled on their next successful login. Migration: The most likely trigger is changing CODER_OIDC_ISSUER_URL (because linked_id is issuer||subject), or two IdP identities sharing one email. Affected users will see a 403 on login. Admins can use the new OIDC link repair CLI (coder exp oidc-link-repair) to re-link accounts. See also CODER_OIDC_INSECURE_EMAIL_FALLBACK for IdP broker scenarios (#26751).

  • HostnameSuffix and SSHConfigOptions validated at startup (#26154)

    Server-side validation has been added for CODER_CONFIGSSH_HOSTNAME_SUFFIX and CODER_SSH_CONFIG_OPTIONS. Invalid values will now cause coderd to exit with an error on startup. Client-side, coder config-ssh will also exit with an error if it detects invalid config. Relevant CLI reference: https://github.com/coder/coder/blob/2778abec4be28ff2f582e1d4b8c1d5adbb6ea1d5/docs/reference/cli/server.md#--ssh-config-options Migration: Review your CODER_CONFIGSSH_HOSTNAME_SUFFIX and CODER_SSH_CONFIG_OPTIONS values before upgrading. If they contain invalid characters or formatting, coderd will fail to start. Fix the values before or during the upgrade.

  • X-Forwarded-Host only trusted from configured proxies (#26204)

    X-Forwarded-Host was previously honored unconditionally for subdomain app routing. This allowed a share=authenticated app to forge the header and route requests to a victim's owner-only app. The header is now only trusted when the socket peer is in CODER_PROXY_TRUSTED_ORIGINS, matching the existing trust model for X-Forwarded-For and X-Forwarded-Proto. Migration: Deployments that rely on reverse proxies rewriting Host and forwarding the original in X-Forwarded-Host must configure CODER_PROXY_TRUSTED_ORIGINS with the proxy addresses. Without this, subdomain app routing will ignore X-Forwarded-Host and fall back to the received Host header.

  • AI provider name collision with settings routes prevented (#26688)

    The AI providers page has moved from /ai/settings/:providerId to /ai/settings/providers/:providerId (and /ai/settings/add to /ai/settings/providers/add). The old routes allowed a provider named models to collide with the static Models page. No backward-compatibility redirects were added because a catch-all redirect would reintroduce the collision. Migration: Update any bookmarked or automated links from /ai/settings/ to /ai/settings/providers/ and from /ai/settings/add to /ai/settings/providers/add.

  • Org membership required for user ACLs (#26852)

    Per-user ACL grants on org-scoped resources (templates, workspaces, chats) previously did not check organization membership. A user explicitly granted access retained it after being removed from the organization. The user-ACL rule now requires is_org_member, matching the existing group-ACL behavior. Migration: Users who have been removed from an organization but still have per-user ACL grants will lose access. Re-add them to the organization if access should be preserved.

  • Interceptions API and request logs view removed (#26213)

    The GET /api/v2/aibridge/interceptions endpoint, the coder aibridge interceptions list CLI command, and the Request Logs frontend page have been removed. These have been replaced by the session-based view. The /models, /clients, and /sessions endpoints remain. Migration: Switch any integrations using the interceptions API to the sessions API (/api/v2/aibridge/sessions). The sessions list page in the dashboard provides equivalent functionality.

  • Agents insights page removed (#26457)

... (truncated)

Commits

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
github.com/coder/coder/v2 [>= 2.15.0.a, < 2.15.1]
github.com/coder/coder/v2 [>= 2.18.0.a, < 2.18.1]
github.com/coder/coder/v2 [< 2.35, > 2.34.0-rc.0.0.20260624160327-8bf6f4301614]

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Note: Dependabot was ignoring updates to this dependency, but since you've updated it yourself we've started tracking it for you again. 🤖

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/coder/coder/v2](https://github.com/coder/coder) from 2.34.0-rc.0.0.20260701204415-db7f4438b4ad to 2.35.1.
- [Release notes](https://github.com/coder/coder/releases)
- [Changelog](https://github.com/coder/coder/blob/main/release.key)
- [Commits](https://github.com/coder/coder/commits/v2.35.1)

---
updated-dependencies:
- dependency-name: github.com/coder/coder/v2
  dependency-version: 2.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 13, 2026
@ethanndickson

Copy link
Copy Markdown
Member

@dependabot ignore this minor version

@dependabot dependabot Bot closed this Jul 13, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you about version 2.35.x again, unless you re-open this PR.

@dependabot
dependabot Bot deleted the dependabot/go_modules/github.com/coder/coder/v2-2.35.1 branch July 13, 2026 12:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant