Draft: chore(deps): update helm release coder to v2.29.1

This MR contains the following updates:

Package	Update	Change
coder (source)	minor	2.24.3 -> 2.29.1
coder (source)	minor	2.24.0 -> 2.29.1

Complete MR checklist

Assignee

• Followed upgrade instructions outlined in docs/DEVELOPMENT_MAINTENANCE.md
• Update Docs with new/updated steps as needed
• Tested and Validated Changes made with supporting info like logs or screenshots from test pipelines

Add supporting info below

Reviewer only

• Tested and Validated changes

---

Release Notes

coder/coder (coder)

v2.29.1

Compare Source

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

Security Update

• Update react to apply patch for CVE-2025-55182 (#​21084) (#​21168, 59cdd7e)

  Coder is not affected. This vulnerability specifically targets implementations using React Server Components. As Coder does not utilize Server Components, there is no exploitable attack surface. We are applying this patch proactively to limit security tooling noise and avoid unnecessary concerns.

Compare: v2.29.0...v2.29.1

Container image

• docker pull ghcr.io/coder/coder:v2.29.1

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.29.0

Compare Source

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

[!IMPORTANT] This release is also the next Extended Support Release for Coder. For guidance on upgrading from the first ESR, Coder 2.24, see the detailed upgrade notes here.

BREAKING CHANGES

• chore!: allow coder MCP tools to not be injected (#​20713, 04f809f) (@​dannykopping)

  Coder MCP tools were previously automatically injected; this will now need to be explicitly enabled with CODER_AIBRIDGE_INJECT_CODER_MCP_TOOLS=true

• feat(cli)!: enable keyring usage by default (#​20851, 6238a99) (@​zedkipp)

  In order to move away from storing the CLI session token in plain text file, this change begins using the operating system keyring for CLI session token storage by default on Windows and macOS. This will be a breaking change for any users depending on the session token being stored to or read from disk. Users can opt-out and restore file usage via the --use-keyring=false flag.

• refactor!: remove TaskAppID from codersdk.WorkspaceBuild (#​20583, d80b5fc) (@​DanielleMaywood)

  The task_app_id field has been removed from the codersdk.WorkspaceBuild struct and API responses. If your code or integrations rely on WorkspaceBuild.task_app_id to identify the task's associated app, you should migrate to using Task.WorkspaceAppID instead (available on the Task object directly). The deprecated ai_task_sidebar_app_id field remains temporarily but also points to the new location.

Features

Bridge

• Add page for ai-bridge interception logs (#​20331, 3bb7975) (@​jakehwll)
• Add duration to the Request Logs details (#​20756, f559e51) (@​jakehwll)
• Add configurable retention for aibridge (#​20828, 5a7d4f6) (@​dannykopping)
• Expose aibridged metrics (#​20865, c6631e1) (@​dannykopping)

CLI

• Optionally store session token in OS keyring (#​20256, 139dab7) (@​zedkipp)
• Add macOS support for session token keyring storage (#​20613, 5e85663) (@​zedkipp)
• Promote tasks commands from experimental to GA (#​20916, ad8ba4a) (@​mafredri)

Dashboard

• Fix build timeline to include entire stage timings (#​20805, aff2080) (@​Emyrk)
• Associate task icon with workspaces (#​20834, 2a9afc7) (@​ssncferreira)
• Add startup script error alerts to Task Page (#​20820, 8e22cd7) (@​DanielleMaywood)
• Use display name field for tasks (#​20918, 2f399ea) (@​ssncferreira)

Experimental Features

• Add agent unit manager (#​20715, 500c17e) (@​SasSwart)
• Add agent socket API (#​20717, 2840fdc) (@​SasSwart)
• Implement agent socket api, client and cli (#​20758) (#​20976, abe66a3)

MCP Server

• Support workspace name in get workspace tool (#​20474, 77e2521) (@​code-asher)

Server

• Add prebuild invalidation via last_invalidated_at timestamp (#​20582, d004710) (@​mtojek)
• Purge expired api keys in dbpurge (#​20863, cefe07d) (@​Emyrk)
• Add lookup task by name in httpmw.TaskParam (#​20647, 34f6e72) (@​johnstcn)
• Add task prompt modification endpoint (#​20811, 82f525b) (@​DanielleMaywood)

Tasks

• Promote Tasks to GA (#​20923, 02bac71) (@​mafredri)
• Add notification warning alert to Tasks page (#​20900, f8d9a80) (@​ssncferreira)

Bug Fixes

• Fix incorrect rendering of RBAC in Helm chart when workspacePerms=false (#​20569, 30d2fc8) (@​rowansmithau)
• Use correct slog arguments (#​20721, dc21699) (@​spikecurtis)
• Retain searchParams in paginatedInterceptions during filter updates (#​20725, 903c045) (@​jakehwll)
• Send prebuild job notification after job build db commit (#​20693, ca94588) (@​ssncferreira)
• Send all params instead of only touched params (#​20740, 14f0844) (@​jaaydenh)
• Correctly set touched for autofill dynamic parameters (#​20769, 6067aa3) (@​jaaydenh)
• Set codersdk.Task current_state during task initialization (#​20692, 16b8e60) (@​ssncferreira)
• Add cache for terraform installer files (#​20776, 158243d) (@​pawbana)
• Rename AI Governance to AI Bridge (#​20790, 52f8143) (@​jakehwll)
• Wait for build in task status load generator (#​20800, 8ee6e94) (@​spikecurtis)
• Ensure embedded-postgres state is wiped between retries (#​20809, b4cc982) (@​zedkipp)
• Improve http connection pooling for smtp notifications (#​20605, 6d41bfa) (@​kacpersaw)
• Allow agents to be created on dormant workspaces (#​20909, c12303f) (@​DanielleMaywood)
• Ensure we check if the user can actually see ai bridge (#​20964, cd9d3ef)
• Show task display name in task topbar (#​20957) (#​20980, 10e70f8) (@​ssncferreira)
• Pass context with authorization to agentapi (#​21045, c94c470)
• Server: Ensure lifecycle executor has sufficient task permissions (#​20539, 06dbada) (@​DanielleMaywood)
• Server: Gate AI task notifications on agent ready state (#​20690, f2a1a7e) (@​DanielleMaywood)
• Enterprise: Preserve actual error when getting provisioner key details (#​20813, c12bba4) (@​ethanndickson)
• Dashboard: Hide empty tasks list when templates are empty (#​20845, 83966e3) (@​DanielleMaywood)
• Dashboard: Remove erroneous "install Cursor" notification for Cursor Desktop (#​20875, 9c2f94b) (@​AloofBuddha)
• Dashboard: Only show active tasks in waiting for input tab (#​20933) (#​20955, c0a2522)
• Dashboard: Distinguish JB Toolbox from Gateway (#​20830, 426cc98) (@​phorcys420)
• Pass context with authorization to agentapi (#​20959, d22d34e) (@​cstyan)
• Ensure we check if the user can actually see AI Bridge (#​20942, caf711d) (@​jakehwll)
• Only show active tasks in waiting for input tab (#​20933, b7d8918) (@​mafredri)
• Remove defaulting to keyring when --global-config set (#​20943, bbf7b13) (@​zedkipp)
• Remove a sensitive field from an agent log line (#​20968, 1d726c8) (@​SasSwart)

Documentation

• Add OIDC documentation for Microsoft Entra ID user auth (#​20202, 1d1e1f9) (@​PhoenixSheppy)
• Add client configuration section and support matrix for AI Bridge (#​20640, c21b3e4) (@​matifali)
• Reflect steps required to enable coder MCP tool injection (#​20735, c69eb7c) (@​dannykopping)
• Add API key scopes documentation (#​20742, a272843) (@​Emyrk)
• Improve boundary docs (#​20806, a83328c) (@​evgeniy-scherbina)
• Fix ANTHROPIC_BASE_URL example in AI Bridge client docs (#​20853, 3fe29ec) (@​matifali)
• Standardize "AIBridge" to "AI Bridge" in documentation (#​20831, 6364089) (@​matifali)
• Add migration guide for provider version 2.13.0 (#​20426, b6935c3) (@​johnstcn)
• Document key scopes for OpenAI and Anthropic for aibridge (#​20903, 823009d) (@​dannykopping)
• Document bedrock setup process for aibridge (#​20956) (#​20966, dfa25d5)

Performance improvements

• Use a single query for notification target lookups (#​20574, e49c917) (@​ethanndickson)
• Improve performance of metricsAggregator path by reducing memory allocations (#​20724, 658e8c3) (@​cstyan)
• Reduce DB calls to GetWorkspaceByAgentID via caching workspace info (#​20662, b0e8384) (@​cstyan)
• Optimize migration 371 to run faster on large deployments (#​20906, a926157) (@​geokat)
• Add index to improve the GetWorkspaceAgentByInstanceID query performance (#​20936, c87c33f) (@​mykyta-protsenko)
• Database: Limit GetLatestWorkspaceAppStatusByAppID to 1 row (#​20917, 37fc664) (@​mafredri)

Chores

• Graduate aibridge API out of experimental (#​20523, b20fd6f) (@​dannykopping)
• Graduate aibridge cli out of experimental (#​20524, dcfd6d6) (@​dannykopping)
• Add API key ID to interceptions (#​20513, 991831b) (@​pawbana)
• Implement persistent terraform directories (experimental) (#​20563, 9ca5b44) (@​Emyrk)
• Per template opt into cached terraform directories (#​20609, fe3b825) (@​Emyrk)
• Add timing flag context to warn message (#​20772, 86c4948) (@​dannykopping)
• Protect build timings insert for invalid enums (#​20821, a10c5ff) (@​Emyrk)
• Update OIDC scopes to include offline_access (#​20876, a6581c7) (@​rowansmithau)
• Promote tasks to stable from experimental (#​20921, b255827) (@​DanielleMaywood)
• Actually store translated token metadata (#​20929, e340560) (@​dannykopping)

Compare: v2.28.4...v2.29.0

Container image

• docker pull ghcr.io/coder/coder:v2.29.0

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.28.6

Compare Source

Stable (since December 09, 2025)

Changelog

Security Update

• Update react to apply patch for CVE-2025-55182 (#​21084) (#​21175, df47153)

  Coder is not affected. This vulnerability specifically targets implementations using React Server Components. As Coder does not utilize Server Components, there is no exploitable attack surface. We are applying this patch proactively to limit security tooling noise and avoid unnecessary concerns.

Compare: v2.28.5...v2.28.6

Container image

• docker pull ghcr.io/coder/coder:v2.28.6

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.28.5

Compare Source

Stable (since Dec 2, 2025)

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

Bug fixes

• Do not notify marked for deletion for deleted workspaces (#​20937) (#​20945, ed5785f)
• Allow agents to be created on dormant workspaces (#​20909) (#​20912, d81d7ee)

Performance improvements

• Optimize migration 371 to run faster on large deployments (#​20906) (#​21042, 8d18875) (@​geokat)

Compare: v2.28.4...v2.28.5

Container image

• docker pull ghcr.io/coder/coder:v2.28.5

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.28.4

Compare Source

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

SECURITY FIXES

• Remove a sensitive field from an agent log line (#​20968) (#​20972, e2a4639)

Bug fixes

• Backport dynamic parameters fix #​20740 (#​20777, 8765352)
• Backport fix #​20769 to 2.28 (#​20872, aa5b22c)

Compare: v2.28.3...v2.28.4

Container image

• docker pull ghcr.io/coder/coder:v2.28.4

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.28.3

Compare Source

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

Bug fixes

• Upgrade aibridge lib to fix cache issue (#​20730) (#​20734, 7beb95f)

  AI Bridge's injected MCP tools were not being set in a stable sort order. This lead to invalidation of the cache in upstream AI providers' APIs, resulting in more cache writes and therefore higher token spend. Deployments with AI Bridge enabled as well as the oauth2 and mcp-server-http experiments will be affected by this bug, and are highly encouraged to upgrade.

Compare: v2.28.2...v2.28.3

Container image

• docker pull ghcr.io/coder/coder:v2.28.3

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.28.2

Compare Source

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

Bug fixes

• Use correct slog arguments (#​20721) (#​20723, 097e085)

Compare: v2.28.1...v2.28.2

Container image

• docker pull ghcr.io/coder/coder:v2.28.2

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.28.1

Compare Source

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

Chores

• Update Go to 1.24.10 (#​20684) (#​20688, b8ab2d3)

Compare: v2.28.0...v2.28.1

Container image

• docker pull ghcr.io/coder/coder:v2.28.1

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.28.0

Compare Source

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

BREAKING CHANGES

• Ensure consistent secret token generation and hashing (#​20388, 13ca9ea) (@​Emyrk)

  This change standardizes how Coder hashes secret tokens by switching OAuth2 tokens from salted userpassword. Hash to the same SHA256 hashing method used for API keys, improving consistency across all secret token types. This is a breaking change because existing OAuth2 tokens will no longer validate correctly after the update, but the impact is limited to OAuth2 functionality which is only available in dev builds and experimental features.

• Removed TaskAppID field from WorkspaceBuild API response in favor of new task data model (#​20583, 7a97ebe) (@​DanielleMaywood)

  This change removes the task_app_id field from the WorkspaceBuild API response, which was a temporary field that stored the task's workspace app ID directly in the workspace build object. Clients that were consuming this field from the API will need to instead fetch this information from the new dedicated Task data model via the Task API endpoints.

• AI Bridge is now stable - removed experimental flag and moved from /api/experimental/aibridge/* to /api/v2/aibridge/* (#​20544, a119fe2) (@​dannykopping)

  Removes the experimental flag for AI Bridge and promotes it to Stable. Update URL routes to /api/v2/aibridge/* for continued use of AI Bridge.

Features

Bridge

• Add AWS Bedrock support (#​20507, d18441d) (@​dannykopping)
• AI Bridge API endpoints are now stable and no longer experimental (#​20523, 95f45b3) (@​dannykopping)

CLI

• Add filtering by initiator to provisioner job listing in the CLI (#​20137, d17dd5d) (@​SasSwart)
• Add cli command scaletest dynamic-parameters (#​20034, 65335bc) (@​spikecurtis)
• Add provisioner tags to dynamic-parameters scaletest (#​20435, 0f342ec) (@​spikecurtis)
• Add scoped token support to CLI (#​19985, cadf135) (@​ThomasK33)
• CLI: Prompt for missing required template variables on template creation (#​19973, bb58844) (@​rafrdz)
• CLI: Warn user if setting autostart on workspace with template-level autostart (#​20454, fb9d8e3) (@​mtojek)
• CLI: Add dynamic completions for ssh command (#​20171, 9780d02) (@​matifali)
• AI Bridge CLI commands are now stable and no longer experimental (#​20524, f5f17f9) (@​dannykopping)

Dashboard

• Add remove task button into the tasks list (#​20036, f23a6a1) (@​BrunoQuaresma)
• Add workspace status on tasks (#​20037, 6b61c8a) (@​BrunoQuaresma)
• Select template version for tasks (#​20146, 840afb2) (@​BrunoQuaresma)
• Include latest build id in task responses (#​20181, 23a44d1) (@​BrunoQuaresma)
• Skip deprecated:false in templates search bar (#​20274, 8ac5453) (@​mtojek)
• Underline links in announcement banner for better visibility (#​20166, 5119db3) (@​app/blink-so)
• Improve template version select ux (#​20347, a6461ab) (@​BrunoQuaresma)
• Add copy on ctrl/command+shift+c and selection to web terminal (#​20129, cbaa97c) (@​code-asher)
• Add terminal in the task page (#​20396, aa689cb) (@​BrunoQuaresma)
• Add support buttons (#​20339, f2a4105) (@​mtojek)
• Add copyparty icon (#​20440, 8daf4f3) (@​DevelopmentCats)
• Dashboard: Make TaskPrompt PromptTextarea read-only when submitting (#​20363, f6526b7) (@​johnstcn)
• Added AI Governance page to view AI Bridge request interception logs (#​20331, f5909e5) (@​jakehwll)

Experimental Features

• Add allow_list to resource-scoped API tokens (#​19964, ed90ecf) (@​ThomasK33)
• Add allow list to API keys (#​19972, f684831) (@​ThomasK33)

MCP Server

• Add task create, list, status, and delete MCP tools (#​19901, ebcfae2) (@​code-asher)
• Add list_apps MCP tool (#​19952, 94c76b9) (@​code-asher)
• Add task send and logs MCP tools (#​20230, 41de4ad) (@​code-asher)

Server

• Add backoff to workspace agent polling (#​20157, e8f0e3e) (@​rafrdz)
• Mount pprof and metrics to /api/v2/debug for admins (#​20353, 0652b18) (@​deansheather)
• Implement oauth2 RFC 7009 token revocation endpoint (#​20362, 4bd7c7b) (@​Emyrk)
• Add an organization member permission level (#​19953, 4f7b279) (@​aslilac)
• Server: Add tasks rbac object (#​20234, 299a54a) (@​mafredri)
• Server: Implement task to app linking (#​20237, a8f87c2) (@​mafredri)
• Server: Add audit resource for tasks (#​20301, 408b09a) (@​mafredri)
• Server: Notify on task completion/failure (#​20327, 0faee8e) (@​johnstcn)
• Server: Add owner-related fields to tasks_with_status view (#​20471, 659f89e) (@​johnstcn)

Tasks

• Add remove task button into the tasks list (#​20036, f23a6a1) (@​BrunoQuaresma)
• Add workspace status on tasks (#​20037, 6b61c8a) (@​BrunoQuaresma)
• Add task create, list, status, and delete MCP tools (#​19901, ebcfae2) (@​code-asher)
• Select template version for tasks (#​20146, 840afb2) (@​BrunoQuaresma)
• Include latest build id in task responses (#​20181, 23a44d1) (@​BrunoQuaresma)
• Add task send and logs MCP tools (#​20230, 41de4ad) (@​code-asher)
• Add terminal in the task page (#​20396, aa689cb) (@​BrunoQuaresma)
• Dashboard: Make TaskPrompt PromptTextarea read-only when submitting (#​20363, f6526b7) (@​johnstcn)
• Server: Implement task to app linking (#​20237, a8f87c2) (@​mafredri)
• Server: Add audit resource for tasks (#​20301, 408b09a) (@​mafredri)
• Server: Notify on task completion/failure (#​20327, 0faee8e) (@​johnstcn)
• Server: Add owner-related fields to tasks_with_status view (#​20471, 659f89e) (@​johnstcn)
• Database: Add task status and status view (#​20235, 952c69f) (@​mafredri)
• Database: Add ListTasks query (#​20282, 9f22937) (@​johnstcn)
• Server: Add telemetry for database Tasks (#​20279, dc6e50d) (@​johnstcn)
• Tasks are now automatically deleted when their associated workspace is deleted (#​20585, 73dedcc) (@​johnstcn)
• Disable task notifications by default (#​20518, a1e7e10) (@​DanielleMaywood)

Templates

• Cancel pending prebuilds from non-active template versions (#​20387, f6e86c6) (@​ssncferreira)
• Provisioner: Warn when .terraform.lock.hcl is modified during init (#​20451, 40e1784) (@​mtojek)
• Improved prebuild membership reconciliation performance (#​20555, 7e8fcb4) (@​ssncferreira)
• Canceled pending prebuilds are now automatically deleted (#​20554, c3e3bb5) (@​ssncferreira)
• Add a dependency management graph for agents (#​20208, 6c62136) (@​SasSwart)

Bug fixes

• Check permission to update username (#​20139, d93629b) (@​mtojek)
• Add heartbeat to keep dynamic params websocket open (#​20026, c517aab) (@​rafrdz)
• Only show error once when failing to update org member roles (#​20155, 2ec9be2) (@​aslilac)
• Adjust workspace claims to be initiated by users (#​20179, 544f155) (@​SasSwart)
• Allow unhanger to unhang dormant workspaces (#​20229, 8942b50) (@​deansheather)
• Set default values for RevokeURL property in external auth configs (#​20270, 847058c) (@​pawbana)
• Add default value for RevokeURL property in external auth config for GitHub (#​20272, 152103b) (@​pawbana)
• Keep button in loading state after start request is made (#​20294, 24dddd5) (@​BrunoQuaresma)
• Select the correct version when template changes (#​20293, 9861931) (@​BrunoQuaresma)
• Avoid connection logging crashes in agent (#​20307, 6c99d5e) (@​deansheather)
• Use the selected version to check external auth (#​20316, 91d4f8b) (@​BrunoQuaresma)
• Clear prompt after task creation (#​20344, 09a41f3) (@​BrunoQuaresma)
• Use AvatarData in OAuth2AppsSettings (#​20342, a833b7a) (@​BrunoQuaresma)
• Improve options table reading (#​20341, 838fbc1) (@​BrunoQuaresma)
• Introduce dedicated queries for workspaces and workspace agents metrics (#​19786, 141ef23) (@​cstyan)
• Normalize oauth2 scope parsing (#​20359, 251f787) (@​ThomasK33)
• Retry embedded postgres port allocation (#​20371, e73f9d3) (@​zedkipp)
• Renumber api key allow list migration (#​20457, c6e551f) (@​ThomasK33)
• Fix URL parameter for task (#​20463, cd0a284) (@​BrunoQuaresma)
• Initialize pseudo console with default size for SSH sessions (#​20472, b890930) (@​fioan89)
• CLI: Use correct task status in list/status output (#​20453, e8e31dc) (@​mafredri)
• Server: Correct the name of the unmarshall error variable (#​20150, 039fa89) (@​yyefimov)
• Server: Prevent task working notification for first app status (#​20313, ade3fce) (@​johnstcn)
• Server: Support string type for oidc response's expires_in json property (#​20152, 1c8ee5c) (@​yyefimov)
• Database: Ensure task name uniqueness (#​20236, 5dc57da) (@​mafredri)
• Database: Add missing columns to tasks with status (#​20311, 82945cf) (@​mafredri)
• Database: Use transaction for workspace builder (#​20506, c3cbd97) (@​mafredri)
• Server: Pipe through task id and prompt (#​20408, 5a31c59) (@​DanielleMaywood)
• devcontainers: check if ssh folder exists in post_create (#​19987, 8274251) (@​mafredri)
• Provisioner: Use sidebar app id instead of app id (#​20246, 5d66f1f) (@​DanielleMaywood)
• Dashboard: Disable task prompt submit button when prompt empty (#​20357, a1fa5c8) (@​DanielleMaywood)
• Dashboard: Preserve file path when building template version (#​20481, ed3d6fa) (@​breadface)
• Dashboard: Fix react state violation in filetree create/update utils (#​20483, 40fc337) (@​DanielleMaywood)
• Fixed issue where workspace builds could be created on deleted workspaces (#​20586, 3801701) (@​johnstcn)
• Fixed Helm chart bug where RBAC resources were incorrectly rendered when workspacePerms=false (#​20569, e909a99) (@​rowansmithau)
• Fixed task link generation in workspace app status by adding task_id to workspace view (#​20551, 1ebc217) (@​johnstcn)
• Fixed incorrect audit log links for task resources (#​20547, 566146a) (@​johnstcn)
• Fixed lifecycle executor permissions to properly handle task workspaces during autostart/autostop (#​20539, 6cb618c) (@​DanielleMaywood)
• Fixed bug where preset selector would disappear when switching between templates (#​20514, 45af387) (@​DanielleMaywood)

Documentation

• Fix link to Grafana dashboard example for AI Bridge (#​20205, 037e6f0) (@​matifali)
• Add documentation for upcoming Agent Boundary feature (#​20099, 7973615) (@​jcjiang)
• Add troubleshooting steps for prebuilt workspaces (#​20231, 06db587) (@​SasSwart)
• Add warning around macOS install (#​20253, 2e45236) (@​david-fraley)
• Create WIP 10k scale doc (#​20213, ccf0b34) (@​spikecurtis)
• Add base URLs and authentication section to AI Bridge (#​20404, 823b14a) (@​matifali)
• Edit Boundary documentation to reflect current functionality (#​20403, da31a4b) (@​jcjiang)
• Document location property for support links (#​20445, 9061493) (@​mtojek)
• Add comprehensive Web Terminal documentation (#​20458, c301a0d) (@​mtojek)
• Add description of dynamic parameters test (#​20488, e720afa) (@​spikecurtis)
• Update coder_token_lifetime description to include units and examples (#​20516, cf93c34) (@​david-fraley)
• Update notifications documentation to include task events (#​20190, 6b72ef8) (@​ssncferreira)
• Add documentation for exp CLI commands (#​20019, fa82f84) (@​johnstcn)
• Add external provisioner configuration for prebuilds (#​20305, 09e2daf) (@​ssncferreira)
• Improve prebuild provisioners section (#​20321, 104aa19) (@​ssncferreira)
• Update numbered lists to be consistent (#​20350, ef51e7d) (@​matifali)
• Fix 'prebuilds' system user typo (#​20356, 14e8002) (@​ssncferreira)
• Add missing provisionerd metrics to docs (#​20358, c1f8465) (@​ssncferreira)
• Add bridge documentation for early access (#​20188, d0f434b) (@​stirby)
• Add Audit Log purge advice (#​20052, d63bb2c) (@​dannykopping)
• Updated AI Bridge documentation to reflect stable status (#​20521, d102f06) (@​dannykopping)

Code refactoring

• Add wildcard scope entries for API key scopes (#​20032, b60ae0a) (@​ThomasK33)

Compare: v2.27.2...v2.28.0

Container image

• docker pull ghcr.io/coder/coder:v2.28.0

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.27.9

Compare Source

Stable (since December 09, 2025)

Changelog

Security Update

• Update react to apply patch for CVE-2025-55182 (#​21084) (#(21176, 1276135)

  Coder is not affected. This vulnerability specifically targets implementations using React Server Components. As Coder does not utilize Server Components, there is no exploitable attack surface. We are applying this patch proactively to limit security tooling noise and avoid unnecessary concerns.

Compare: v2.27.8...v2.27.9

Container image

• docker pull ghcr.io/coder/coder:v2.27.9

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.27.8

Compare Source

Stable (since December 01, 2025)

Changelog

Bug fixes

• Do not notify marked for deletion for deleted workspaces (#​20937) (#​20944, 5ed27e7)
• Allow agents to be created on dormant workspaces (#​20909) (#​20911, 42f06c8)

Performance improvements

• Optimize migration 371 to run faster on large deployments (#​20906) (#​21041, 5098e02) (@​geokat)

Compare: v2.27.7...v2.27.8

Container image

• docker pull ghcr.io/coder/coder:v2.27.8

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.27.7

Compare Source

Stable (since November 27, 2025)

Changelog

SECURITY FIXES

• Remove a sensitive field from an agent log line (#​20968) (#​20971, 06c6abb)

Bug fixes

• Backport fix #​20740 to 2.27 (#​20778, bef0766)
• Backport fix #​20769 to 2.27 (#​20871, db0f0aa)

Compare: v2.27.6...v2.27.7

Container image

• docker pull ghcr.io/coder/coder:v2.27.7

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.27.6

Compare Source

Stable (since November 12, 2025)

Changelog

Chores

• Upgrade aibridge lib to fix cache issue (#​20731, 41eed1d)

  AI Bridge's injected MCP tools were not being set in a stable sort order. This lead to invalidation of the cache in upstream AI providers' APIs, resulting in more cache writes and therefore higher token spend. Deployments with AI Bridge enabled as well as the oauth2 and mcp-server-http experiments will be affected by this bug, and are highly encouraged to upgrade.

Compare: v2.27.5...v2.27.6

Container image

• docker pull ghcr.io/coder/coder:v2.27.6

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.27.5

Compare Source

Stable (since November 11, 2025)

Changelog

Bug fixes

• Use correct slog arguments (#​20721) (#​20722, 2cbb862)

Compare: v2.27.4...v2.27.5

Container image

• docker pull ghcr.io/coder/coder:v2.27.5

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.27.4

Compare Source

Stable (since November 10, 2025)

Changelog

Chores

• Update Go to 1.24.10 (#​20684) (#​20689, 483f4d5)

Compare: v2.27.3...v2.27.4

Container image

• docker pull ghcr.io/coder/coder:v2.27.4

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.27.3

Compare Source

Stable (since October 16, 2025)

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

Bug fixes

• Fix incorrect rendering of RBAC in Helm chart when workspacePerm… (#​20596, 800dd9c)

  Fixed incorrect rendering of Kubernetes RBAC resources in Helm chart when workspacePerms=false. Previously, Role and RoleBinding resources were still created for workspace namespaces even when workspace permissions were explicitly disabled, potentially granting unintended permissions.

Compare: v2.27.2...v2.27.3

Container image

• docker pull ghcr.io/coder/coder:v2.27.3

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.27.2

Compare Source

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

Bug fixes

• Initialize pseudo console with default size for SSH sessions [2.27] (#​20490, 035ad33)

  Fixed an issue where SSH connections to Windows workspaces would fail with an invalid parameter error when clients (like JetBrains Toolbox) force PTY allocation without providing terminal dimensions. The pseudo console now initializes with a default size instead of 0x0, which Windows doesn't accept.

Compare: v2.27.1...v2.27.2

Container image

• docker pull ghcr.io/coder/coder:v2.27.2

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.27.1

Compare Source

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

Bug fixes

• Server: Truncate task prompt to 160 characters in notifications (#​20147) (#​20153, b2d6a18) (@​johnstcn)

  Certain coder stat commands were failing on more complex Cgroup environments. This patch addresses that failure, and other complex setups.

Chores

• Upgrade coder/clistat to v1.1.1 (#​20322) (#​20325, 230b55b)

Compare: v2.27.0...v2.27.1

Container image

• docker pull ghcr.io/coder/coder:v2.27.1

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.27.0

Compare Source

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

BREAKING CHANGES

• Use client IP when creating connection logs for workspace proxied app accesses (#​19788, 6a9b896) (@​ethanndickson)

  The presence of the ip field on codersdk.ConnectionLog cannot be guaranteed, and so the field has been made optional. It may be omitted on API responses.

• Server: Only show task status for current build (#​19966, eb55f0a) (@​johnstcn)

  Renames the TaskStateCompleted constant to TaskStateComplete to align with the tense used in WorkspaceAppStatusStateComplete, requiring any code referencing the constant to be updated.

• Rename prompt field to input for task creation (#​19982, eb74732) (@​DanielleMaywood)

  Renames the CreateTaskRequest.Prompt to CreateTaskRequest.Input to align with language used in our CLI and elsewhere in the codebase.

Features

AI Bridge

AI Bridge, the self-hosted LLM proxy for auditing LLM tools and adoption is now in Early access, get started with our setup guide.

• Add aibridgedserver pkg (#​19902, 615585d) (@​dannykopping)
• Add aibridged package (#​19797, fc9bff7) (@​dannykopping)
• Initialize aibridged & mount API handler (#​19798, 0a79817) (@​dannykopping)
• Add endpoint to list aibridge interceptions (#​19929, 0a6ba5d) (@​pawbana)

MCP Server

New tools added to the Coder MCP Server in Beta.

• Add coder_workspace_read_file MCP tool (#​19562, 4bf63b4) (@​code-asher)
• Add tooltip field to workspace app that renders as markdown (#​19651, e53bc24) (@​rafrdz)
• Add coder_workspace_write_file MCP tool (#​19591, d5a02d5) (@​code-asher)
• Add configs for external auth MCP usage + tool allow/denylist (#​19794, 348a2e0) (@​dannykopping)
• Add coder_workspace_edit_file MCP tool (#​19629, 30330ab) (@​code-asher)
• Add coder_workspace_ls MCP tool (#​19652, be7aa58) (@​code-asher)
• Add coder_workspace_port_forward MCP tool (#​19863, 7f56212) (@​code-asher)
• Aibridged mcp handling (#​19911, 6971f61) (@​dannykopping)

Tasks

v2.27.0 introduces the Tasks API (in beta) for integrating background agents into your ecosystem. Read more in our documentation and blog posts.

• Don't redirect to task page when it is created (#​19919, 6d0943a) (@​BrunoQuaresma)
• Add sidebar to task page (#​19944, 2df9c5b) (@​BrunoQuaresma)
• Redesign tasks page to match AI tools (#​19962, 89339f6) (@​BrunoQuaresma)
• Add notification for task status (#​19965, fdb0267) (@​ssncferreira)
• Delete task from sidebar (#​20023, e96d69b) (@​BrunoQuaresma)
• Minor prompt redesign (#​20045, f009ebd) (@​BrunoQuaresma)
• CLI: Add coder exp task delete (#​19644, 3470632) (@​mafredri)
• CLI: Add quiet flag to task create (#​19701, f94abfc) (@​DanielleMaywood)
• CLI: Add optional --name arg to 'exp task create' (#​19939, 78b1ec9) (@​johnstcn)
• CLI: Add exp task send (#​19922, 252f430) (@​DanielleMaywood)
• CLI: Add formatting options to coder whoami (#​19970, 930bbaf) (@​johnstcn)
• CLI: Improve exp task status --watch (#​19969, 82bebc7) (@​johnstcn)
• CLI: Add exp task logs (#​19915, b7e0b2a) (@​DanielleMaywood)
• CLI: Add more information to coder whoami (#​19971, 0a840e4) (@​johnstcn)
• CLI: Add ability to create tasks for other users (#​20012, abdea72) (@​johnstcn)
• CLI: Add workspace-updates scaletest command (#​19905, 0be9221) (@​ethanndickson)

Workspace sharing

Shared workspaces are in the early stages of development and not ready for public testing; we're looking forward to sharing the work when it's available. If you have requests for shared workspaces, please leave feedback in our Github Discussions.

• Add sharing add command to the CLI (#​19576, 909acbc) (@​brettkolodny)
• Add sharing show command to the CLI (#​19707, 065c7c3) (@​brettkolodny)
• Add sharing remove command to the CLI (#​19767, 8d5c566) (@​brettkolodny)
• Add --shared-with-me flag to coder list command (#​19948, 647101b) (@​brettkolodny)

Core

• Add user filter to templates page to filter by template author (#​19561, 95dccf3) (@​rafrdz)
• Add default workspace name to Template Embed form (#​19688, 5c1a708) (@​mtojek)
• Add workspaces/acl [delete] endpoint (#​19772, 854f3c0) (@​brettkolodny)
• Add helm var to support RBAC for deploying workspaces in extra namespaces (#​19517, 6238937) (@​rowansmithau)
• Add shared_with_group: and shared_with_user: filters to /workspaces endpoint (#​19875, 38ca987) (@​brettkolodny)
• Show warning in AppLink if hostname is long enough to break port forwarding (#​19506, 6c01a77) (@​aqandrew)
• Add prebuild timing metrics to Prometheus (#​19503, 0ab345c) (@​ssncferreira)
• Replace the jetbrains-gateway module with the jetbrains toolbox (#​19583, b61a5d7) (@​app/blink-so)
• Support custom notifications (#​19751, eec6c8c) (@​ssncferreira)
• Ensure OAuth2 refresh tokens outlive access tokens (#​19769, 088d149) (@​ThomasK33)
• Scope allow_list to include resource_type (#​19748, 679179f) (@​Emyrk)
• Add best effort attempt to revoke oauth access token in external auth provider (#​19775, 439b041) (@​pawbana)
• Implement API key scopes database migration (#​19861, fb0ce38) (@​ThomasK33)
• Add lint check for API key scope enum completeness (#​19862, acc0890) (@​ThomasK33)
• Generate RBAC scope name constants (#​19896, adb7521) (@​ThomasK33)
• Add scaletest Runner for dynamicparameters load gen (#​19890, 289f021) (@​spikecurtis)
• Add public RBAC scope catalog for user-requestable permissions (#​19913, 47c92ad) (@​ThomasK33)
• Add external API key scopes (#​19916, 4bda395) (@​ThomasK33)
• Add multi-scope support to API keys (#​19917, d0db9ec) (@​ThomasK33)
• Publish RBAC scopes in OAuth2 metadata endpoints (#​19942, 05537c1) (@​ThomasK33)
• Remove agent name from app URLs (#​19750, d29a524) (@​rafrdz)
• Implement composite API key scopes for workspaces and templates (#​19945, 79126ab) (@​ThomasK33)
• Server: Add tasks delete endpoint (#​19638, e5ac640) (@​mafredri)
• Server: Allow specifying a name for a task (#​19745, f3b152b) (@​DanielleMaywood)
• Server: Add experimental tasks send endpoint (#​19941, 5317d30) (@​mafredri)
• Server: Add experimental tasks logs endpoint (#​19958, 0bac5a4) (@​mafredri)
• Server: Add ability to search org members by user_id, is_system, github_user_id (#​20048, ff930ad) (@​johnstcn)
• Dashboard: Display warning messages when wildcard is not configured (#​19660, 7c8f8f4) (@​kacpersaw)
• Dashboard: Display warnings in tasks page when wildcard is not configured (#​19780, 0601cc8) (@​kacpersaw)
• Dashboard: Allow starting task workspace from task page (#​19790, b71d671) (@​DanielleMaywood)
• Dashboard: Add custom notification settings (#​19938, da467ba) (@​ssncferreira)
• Dashboard: Add task notifications to user settings (#​20006, 7bddd80) (@​ssncferreira)
• Enterprise: Allow system users to be added to groups (#​19518, 4e9ee80) (@​SasSwart)

Bug fixes

• Don't show prebuild workspaces as tasks (#​19572, abc946c) (@​BrunoQuaresma)
• Suppress license expiry warning if a new license covers the gap (#​19601, 605dad8) (@​deansheather)
• Limit the scope of the template average build time query to the last 100 (#​19648, 4fab14b) (@​cstyan)
• Expire token for prebuilds user when regenerating session token (#​19667, 06cbb28) (@​johnstcn)
• Show popup on successful template build (#​19674, d415964) (@​mtojek)
• Change enqueue error to debug log level (#​19686, 04dfda8) (@​spikecurtis)
• Pin pg_dump version when generating schema (#​19696, 1b4ce09) (@​ethanndickson)
• Prevent new workspace page from scrolling past the bottom of the screen (#​19705, a78d65c) (@​brettkolodny)
• Support path parameters in OAuth2 metadata endpoints (#​19729, 2701d55) (@​ThomasK33)
• Add xmlns attribute to amazon-q.svg for proper rendering (#​19738, d7d69d1) (@​app/blink-so)
• Add support for spaces in search & enable searching by display name in templates (#​19552, 1677a30) (@​rafrdz)
• Prevent unruly stacking contexts from breaking scrolling (#​19785, 8e79dbb) (@​aslilac)
• Trim whitespace from API tokens (#​19814, d238480) (@​ThomasK33)
• Scroll item list into view when opening MultiSelectCombobox (#​19806, 8ff4ba0) (@​aslilac)
• Correct MCP tools' input schemas (#​19825, 18b0aca) (@​dannykopping)
• Use filepath to construct mcp test write path (#​19808, c31768d) (@​code-asher)
• Fix TestCloserStack_Timeout to wait for all asyncClosers (#​19837, 4fc0093) (@​spikecurtis)
• Update bitnami to use legacy image (#​19891, 738dbc6) (@​david-fraley)
• Update bitnami image (#​19892, 40ffb79) (@​david-fraley)
• Add retry logic to OAuth2 metadata tests to avoid race conditions (#​19813, 6fb4cc6) (@​ThomasK33)
• Make app tabs scrollable (#​19881, e7d648f) (@​BrunoQuaresma)
• Use unique cookies for workspace proxies (#​19930, 42dd544) (@​deansheather)
• Force task to be created with latest version (#​19923, 5ff503b) (@​BrunoQuaresma)
• Handle chat app not found for Tasks (#​19947, c2d5143) (@​BrunoQuaresma)
• Fix for template dormancy hour/day toggle (#​19884, aaa5071) (@​rowansmithau)
• Add tasks link to sidebar logo (#​20038, b8370c2) (@​BrunoQuaresma)
• CLI: Enhance error handling for multiple agents in SSH command (#​19943, c8742ba) (@​kacpersaw)
• CLI: Only implicitly read from stdin if the directory flag is unset (#​19681, f867a9d) (@​ethanndickson)
• Server: Filter out non-task workspaces in api.tasksList (#​19559, dbc6c98) (@​johnstcn)
• Server: Ignore sub agents when converting a task to workspace (#​19624, 75b38f1) (@​DanielleMaywood)
• Server: Fix logic for reporting prebuilt workspace duration metric (#​19641, 353f5de) (@​ssncferreira)
• Server: Ensure a newly created task can be fetched (#​19670, 12bce12) (@​DanielleMaywood)
• Server: Add audit log on creating a new session key (#​19672, bd6e91e) (@​johnstcn)
• Server: Ensure agent WebSocket conn is cleaned up (#​19711, e12b621) (@​DanielleMaywood)
• Server: Add blocking GetProvisionerJobByIDWithLock for workspace build cancellation (#​19737, 776231d) (@​kacpersaw)
• Server: Fix parsing of response format in tasks send (#​19960, 653101e) (@​mafredri)
• Server: Increase task notification dedupe bypass timestamp to 1 minute (#​20043, 6e4d903) (@​johnstcn)
• Server: Workaround lack of coder_ai_task resource on stop transition (#​19560, bd139f3) (@​johnstcn)
• Server: Ensure generated name is within 32 byte limit (#​19612, 347ab5b) (@​DanielleMaywood)
• Documentation: Add missing div to fix formatting (#​20047, fe189b9) (@​david-fraley)
• Dashboard: Show available logs consistently on template creation page (#​19832, f5fac29) (@​aslilac)
• Dashboard: Update useAgentLogs to make it more testable and add more tests (#​19126, 759746c) (@​Parkreiner)
• Dashboard: Revamp UI for batch-updating workspaces (#​18895, 8a6852f) (@​Parkreiner)
• Dashboard: Resolve circular dependency between WorkspacesPage components (#​19895, d464360) (@​BrunoQuaresma)

Documentation

• Replace offline deployments terminology to air-gapped (#​19625, 02ecf32) (@​app/blink-so)
• Update Tailscale DERP fleet usage phrasing (#​19653, 2030907) (@​hugodutka)
• Reorganize Coder Desktop docs (#​18871, 8f72538) (@​matifali)
• Add guidelines about MR size (#​19700, d25ff6c) (@​spikecurtis)
• Fix typo in Coder Desktop Guide (#​19742, f402ec9) (@​david-fraley)
• Update Get Started Page to Include Tasks (#​19752, 1e2b66f) (@​david-fraley)
• Remove beta references from dynamic parameters (#​19714, c9a877a) (@​app/blink-so)
• Fix formatting issues (#​19831, cda8593) (@​david-fraley)
• Update Tasks Template Code (#​19770, ea71808) (@​david-fraley)
• Clarify offline CLI installation instructions (#​19914, d2da835) (@​matifali)
• Add next steps to coder desktop guide (#​19975, 659f237) (@​ethanndickson)
• Add Tasks Core Principles Page (#​19878, 95aa16d) (@​david-fraley)
• Orient install page towards enterprise and community members (#​20041, 7481ada) (@​david-fraley)
• update Claude Code version in docs (#​20049, bf2cfdd) (@​david-fraley)
• Document automatic task naming (#​19614, 8d6a322) (@​johnstcn)
• Add docs for external workspaces (#​19437, 33509f2) (@​kacpersaw)
• Add wildcard access url documentation page (#​19713, f9f0ebb) (@​kacpersaw)

Performance improvements

• Reduce impact of GetPrebuildMetrics on database (#​19694, 0ec9df3) (@​cstyan)
• Database: Optimize GetAPIKeysLastUsedAfter (#​19725, 21402c7) (@​mafredri)
• Enterprise: Remove expensive GetWorkspaces query from entitlements (#​19747, 3074547) (@​kacpersaw)

Chores

• Pin dependencies in Dockerfiles (#​19587, 252f7d4) (@​sreya)
• Pin devcontainer-cli for .devcontainer config (#​19594, 0f1fc88) (@​sreya)
• Set more explicit guards for serving bin files (#​19597, be40b8c) (@​sreya)
• Upgrade our tailscale fork to address CVE (#​19634, 71ea919) (@​spikecurtis)
• Update coder/preview to v1.0.4 (#​19640, f571730) (@​Emyrk)
• Refactor instance identity to be a SessionTokenProvider (#​19566, 1354d84) (@​spikecurtis)
• Refactor CLI agent auth tests as unit tests (#​19609, 18945a7) (@​spikecurtis)
• Update rego policy to respect user and organisation scopes (#​19741, d527f91) (@​Emyrk)
• Add backed reader, writer and pipe implementation (#​19147, 4c98dec) (@​ibetitsmike)
• Add aibridge configs & experiment (#​19793, 8487216) (@​dannykopping)
• Add aibridge database resources & define RBAC policies (#​19796, 422bba4) (@​dannykopping)
• Upgrade to react 19 (#​19829, 8db82d2) (@​aslilac)
• Upgrade Node.js from 20.19.4 to 22.19.0 and update dependencies (#​19870, 4d8dc22) (@​ThomasK33)
• Add tasks sidebar component (#​19926, 7baaa16) (@​BrunoQuaresma)
• Add CLI command to list aibridge interceptions (#​19935, 65f2895) (@​pawbana)
• CLI: Re-order CLI create command (#​19658, a2a758d) (@​DanielleMaywood)
• Dashboard: Add rustdesk icon (#​19888, f39cf30) (@​BenraouaneSoufiane)

Compare: v2.26.1...v2.27.0

Container image

• docker pull ghcr.io/coder/coder:v2.27.0

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.26.6

Compare Source

Changelog

BUG FIXES

• purge expired api keys in dbpurge (#​20863) #​21040

Compare: v2.26.5...v2.26.6

Container image

• docker pull ghcr.io/coder/coder:v2.26.6

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.26.5

Compare Source

Changelog

SECURITY FIXES

• Remove a sensitive field from an agent log line (#​20968) (#​20970, a75205a)

Compare: v2.26.4...v2.26.5

Container image

• docker pull ghcr.io/coder/coder:v2.26.5

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.26.4

Compare Source

Changelog

Chores

• Update Go to 1.24.10 (#​20684) (#​20707, 41dfbc7)

Compare: v2.26.3...v2.26.4

Container image

• docker pull ghcr.io/coder/coder:v2.26.4

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.26.3

Compare Source

Stable (since October 28, 2025)

Changelog

Bug fixes

• Initialize pseudo console with default size for SSH sessions [2.26] (#​20491, ee8e8cb)

Compare: v2.26.2...v2.26.3

Container image

• docker pull ghcr.io/coder/coder:v2.26.3

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.26.2

Compare Source

Changelog

Bug fixes

• Avoid connection logging crashes in agent [2.26] (#​20306, 03440f6)

Chores

• Upgrade coder/clistat to v1.1.1 (#​20322) (#​20324, 4793806)

Compare: v2.26.1...v2.26.2

Container image

• docker pull ghcr.io/coder/coder:v2.26.2

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.26.1

Compare Source

Stable (since October 7, 2025)

Changelog

Bug fixes

• Server: Ensure agent WebSocket conn is cleaned up (#​19711, 7afe6c8) (@​DanielleMaywood)
• pin pg_dump version when generating schema (#​19696, c0f1b9d) (@​ethanndickson)
• Remove expensive GetWorkspaces query from entitlements (#​19747, 5369204) (@​kacpersaw)

Compare: v2.26.0...v2.26.1

Container image

• docker pull ghcr.io/coder/coder:v2.26.1

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.26.0

Compare Source

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

KNOWN ISSUES

• You may see higher numbers of "API Key Created" entries in the audit logs. This is expected due to fixing an audit logging omission (#​19672).
• Jetbrains users may experience inflated API key creation. This will be fixed in a future patch to the Jetbrains plugin version.

BREAKING CHANGES

• Support empty or default fields when updating templates (#​19256, aab2ccd) (@​rafrdz)

  Breaking change to the Coder Go SDK. Field types in codersdk.UpdateTemplateMeta for Icon, Description, and DisplayName changed from string to *string. Consumers must pass pointers and handle nil checks. Code that assigns/reads plain strings will no longer compile without updates.

• fix(coderd/prometheusmetrics)!: filter deleted wsbuilds to reduce db load (#​19197, 1b66495) (@​mafredri)

  Breaking change to coderd_api_workspace_latest_build Prometheus metric. The coderd_api_workspace_latest_build Prometheus metric no longer includes builds belonging to deleted workspaces, as such, this metric will show fewer statuses.

Security Fixes

• Expire token for prebuilds user when regenerating session token (#​19667) (#​19668, ec66090) (@​johnstcn)

  ⚠️ Fixes an issue allowing previously authenticated users to claim prebuilt workspaces created from templates using the coder-login module. Read more in our GHSA for this vulnerability.

• Server: Add audit log on creating a new session key (#​19672) (#​19684, a79adb1) (@​johnstcn)

  Adds an audit log entry when an API key is created via coder login.

Features

• Validate presets on template import to prevent publishing an unusable template (#​18844, f256a23) (@​SasSwart)
• Allow bypassing current CORS magic based on template config (#​18706, ffbfaf2) (@​cstyan)
• Add MCP tools for ChatGPT. ChatGPT can now create Coder workspaces. (#​19102, 79cd80e) (@​hugodutka)
• Add prebuild timing metrics to Prometheus (#​19503, 0ab345c) (@​ssncferreira)
• Add author filter command to template filtering (#​19202, 5b80c47) (@​Emyrk)
• Implement rich multi-selector for multi-select in the CLI (#​19201, a7fac30) (@​mtojek)
• Add Sourcegraph Amp logo sourced from presskit (#​19421, 7bcbb83) (@​DevelopmentCats)
• Claim prebuilds based on workspace parameters instead of preset ID to improve prebuilds usability (#​19279, f9a6adc) (@​SasSwart)
• 📥 External workspaces is now in Early Access. Read more in our external workspaces documentation.
  • CLI: Add enterprise external-workspaces CLI command (#​19287, 7b1dcd9) (@​kacpersaw)
  • Server: Add has_external_agent flag to template_versions and workspace_builds (#​19285, 5e4aa79) (@​kacpersaw)
  • Server: Add support for external agents to API's and provisioner (#​19286, 9edceef) (@​kacpersaw)
  • Dashboard: Add support for external agents in the UI and extend CodeExample (#​19288, 7f72067) (@​kacpersaw)
• ☑️ Coder Tasks UI improvements:
  • Show workspace build and startup script logs during tasks creation (#​19413, 8aafbcb) (@​BrunoQuaresma)

    Improved tasks creation UI:

  • Filter tasks that are waiting for user input (#​19377, d77c3d0) (@​BrunoQuaresma)
  • Display the number of idle tasks in the navbar (#​19471, cde5b62) (@​BrunoQuaresma)

    Improved visibility when tasks are waiting for user input.

• Show workspace health error alert above agents in workspace page for better visibility (#​19400, 9a872f9) (@​aqandrew)
• CLI: Add filtering options to provisioners list CLI command (#​19378, ad5e678) (@​rafrdz)
• CLI: Prevent coder schedule command on prebuilt workspaces (#​19259, 92d505c) (@​ssncferreira)
• CLI: Add coder exp tasks list command (#​19496, 836324e) (@​mafredri)
• CLI: Add exp task create command (#​19492, 63c1325) (@​DanielleMaywood)
• CLI: Implement exp task status command (#​19533, 5baaf27) (@​johnstcn)
• Server: Generate task names based on their prompt (#​19335, 6553771) (@​DanielleMaywood)
• Server: Add tasks /list and /get endpoints (#​19468, 427b23f) (@​mafredri)
• Add workspace-sharing experiment (#​19106, ed62ddc) (@​aslilac)

  We're testing out shared workspaces in an early and unstable experiment. If you are interested or have feedback please join the discussion in our Github.

Bug fixes

• Use system context for querying workspaces when deleting users to prevent deletion of users with workspaces(#​19211, 99d75cc) (@​ethanndickson)
• Upgrade Go to 1.24.6 to fix race in lib/pq queries (#​19214, 91780db) (@​spikecurtis)
• Prevent horizontal form section info from overlapping form fields (#​19189, b8851f0) (@​aqandrew)
• Upload the slim binaries from the build directory to the GCS bucket (#​19281, 5d42b18) (@​jdomeracki-coder)
• Generalize password invalid message (#​19307, b8c9192) (@​aqandrew)
• Prevent activity bump for prebuilt workspaces (#​19263, 560cf84) (@​ssncferreira)
• Set prebuilds lifecycle parameters on creation and claim (#​19252, 8567ecb) (@​ssncferreira)
• Disallow lifecycle endpoints for prebuilt workspaces (#​19264, 734299d) (@​ssncferreira)

  The two MRs above ensure a user's scheduling settings are correctly applied when claiming a prebuilt workspace.

• Correct scrolling overflow behavior for workspace history (#​19340, 5b5fbbe) (@​brettkolodny)
• Ensure deployment banner is always on the bottom (#​19361, 362c78a) (@​brettkolodny)
• Don't create autostart workspace builds with no available provisioners (#​19067, 6c902a7) (@​cstyan)
• Exclude prebuilt workspaces from template-level lifecycle updates (#​19265, d79a779) (@​ssncferreira)
• Fix jetbrains toolbox connection tracking (#​19348, dd867bd) (@​f0ssel)
• Support oidc group allowlist in oss (#​19430, 5b1e809) (@​rafrdz)
• Redirect users to /login if their oauth token is invalid (#​19429, ee789da) (@​brettkolodny)
• Add database constraint to enforce minimum username length (#​19453, bcdade7) (@​cstyan)
• Support 'me' as the username for template author (#​19204, 3024bde) (@​Emyrk)
• Fix workspaces pagination (#​19448, 54440af) (@​BrunoQuaresma)

  Users were previously unable to page through workspaces if they owned many (hundreds). This has been resolved.

• CLI: Display workspace created at time instead of current time (#​19553, c19f430) (@​DanielleMaywood)
• CLI: Attach org option to task create (#​19554, 8083d9d) (@​johnstcn)
• Enterprise: Update external agent instructions in CLI (#​19411, c429020) (@​kacpersaw)
• Dashboard: Remove redundant alt text to prevent duplicated accessible names (#​19087, 44d9356) (@​ssncferreira)
• Dashboard: Ensure notification settings page follows RBAC correctly (#​19097, a185d3a) (@​DanielleMaywood)
• Dashboard: Display tasks link when no templates contain an AI task (#​19184, cc609cb) (@​DanielleMaywood)
• Dashboard: Hide "Show parent apps" when no running or starting devcontainers (#​19200, 1c70d32) (@​DanielleMaywood)
• Dashboard: Fix render crash when no embedded apps are defined for task (#​19215, ffbd583) (@​DanielleMaywood)
• Dashboard: Add preset combobox to dynamic parameters page (#​19100, 96e32d6) (@​ssncferreira)
• Provisioner: Workaround lack of coder_ai_task resource on stop transition (#​19560, bd139f3) (@​johnstcn)
• Server: Filter out non-task workspaces in api.tasksList (#​19559, dbc6c98) (@​johnstcn)

Documentation

• Add code-server vs VSCode Web comparison table (#​19104, 428ec35) (@​EdwardAngert)
• Document how to start a remote MCP Coder server (#​19150, a02d1c1) (@​hugodutka)
• Add OAuth2 provider experimental feature documentation (#​19165, 247efc0) (@​ThomasK33)
• Update status of Coder Desktop + corporate VPN issue (#​19350, 1ffc5a0) (@​ethanndickson)
• Add generative AI contribution guidelines (#​19427, a19dfa9) (@​Emyrk)
• Add dev containers and scheduling to prebuilt workspaces known issues (#​18816, 49f32d1) (@​EdwardAngert)
• Add Google OIDC provider-specific guide (#​19309, ea7025b) (@​DevelopmentCats)

Performance improvements

• Don't call GetUserByID unnecessarily for Agents metrics loops (#​19395, 014a2d5) (@​cstyan)
• Speed up GetTailnetTunnelPeerBindings query (#​19444, 229d051) (@​spikecurtis)

Chores

• Update to node 20.19.4 (#​19188, 5c88d93) (@​aslilac)
• Update coder/preview to v1.0.4 (#​19205, a2e8aa9) (@​Emyrk)
• Upgrade to pnpm 10 (#​19327, 2180d17) (@​aslilac)
• Update terraform to 1.13.0 (#​19509, 9b7d41d) (@​app/blink-so)
• Helm: Make coder pprof endpoint available externally (#​19185, 4ba9382) (@​Emyrk)

Compare: v2.25.1...v2.26.0

Container image

• docker pull ghcr.io/coder/coder:v2.26.0

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.25.3

Compare Source

Stable (since October 01, 2025)

Changelog

Bug fixes

• Server: Ensure agent WebSocket conn is cleaned up (#​19711, 7afe6c8) (@​DanielleMaywood)
• Stop reading closed channel for /watch devcontainers endpoint (#​19373) (@​DanielleMaywood)

Compare: v2.25.2...v2.25.3

Container image

• docker pull ghcr.io/coder/coder:v2.25.3

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.25.2

Compare Source

Stable (since September 04, 2025)

Changelog

Security Fixes

• Expire token for prebuilds user when regenerating session token (#​19667) (#​19668, ec66090) (@​johnstcn)

  ⚠️ Fixes an issue allowing previously authenticated users to claim prebuilt workspaces created from templates using the coder-login module. Read more in our GHSA for this vulnerability.

• Server: Add audit log on creating a new session key (#​19672) (#​19684, a79adb1) (@​johnstcn)

  Adds an audit log entry when an API key is created via coder login.

Bug Fixes

• Fix GCP service accounts (#​19312) (#​19315, d324cf7) (@​ethanndickson)

Compare: v2.25.1...v2.25.2

Container image

• docker pull ghcr.io/coder/coder:v2.25.2

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.25.1

Compare Source

Stable (since September 02, 2025)

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

Bug fixes

• Upgrade to 1.24.6 to fix race in lib/pq queries (#​19214) (#​19218, 079328d)

  ⚠️ Resolves CVE-2025-47907, details can be found here in golang/go. Additionally, see our blog about this vulnerability.

Compare: v2.25.0...v2.25.1

Container image

• docker pull ghcr.io/coder/coder:v2.25.1

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.25.0

Compare Source

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

BREAKING CHANGES

• Route connection logs to Connection log instead of Audit log (#​18340, 08e17a0) (@​ethanndickson)

  Connections to workspaces (via SSH, workspace apps, or browser port-forwarding) will no longer create entries in the audit log. Those events will now be included in the 'Connection Log'. Please see the 'Connection Log' page in the dashboard, and the Connection Log documentation for details. Those with permission to view the Audit Log will also be able to view the Connection Log. The new Connection Log has the same licensing restrictions as the Audit Log, and requires a Premium Coder deployment.

• Delete old connection events from audit log (#​18735, f42de9f) (@​ethanndickson)

  With new connection events appearing in the Connection Log, connection events older than 90 days will now be deleted from the Audit Log. If you require this legacy data, we recommend querying it from the REST API or making a backup of the database/these events before upgrading your Coder deployment. Please see the MR for details on what exactly will be deleted. Note: There are currently no plans to delete connection events from the Connection Log.

• Add ability to cancel pending workspace build (#​18713, 8202514) (@​kacpersaw)

  CancelWorkspaceBuild method in codersdk now accepts an optional request parameter.

• Use devcontainer ID when rebuilding a devcontainer (#​18604, f2d229e) (@​DanielleMaywood)

  Minor breaking change for workspaces enabled by our devcontainer integration. Allows rebuilding a devcontainer without a valid devcontainer ID.

• CLI: Add CLI support for creating workspace with presets (#​18912, b975d6d) (@​ssncferreira)

  This breaking change impacts the coder create CLI command only for templates which contain presets.

  It introduces a --preset flag to the create command, which modifies the behavior when no preset is explicitly provided:

  • If the template includes presets and a default preset, the default will be automatically applied. The user will be notified, but not prompted.
  • If the template includes presets without a default, the user will be prompted to choose a preset.

  This breaks existing workflows for templates with presets that:

  • Expect the create command to proceed without applying a preset
  • Rely on non-interactive scripts or automated workflows, which will now fail or hang due to unexpected prompts

Features

• Dynamic Parameters is now generally available:

  

  • Remove beta labels for dynamic parameters (#​18976, d7b1253) (@​jaaydenh)
  • Allow new immutable parameters for existing workspaces (#​18579, e396b06) (@​Emyrk)
  • Allow masking workspace parameter inputs (#​18595, 0b82f41) (@​aslilac)
  • Support dynamic parameters on create template request (#​18636, 4072d22) (@​Emyrk)
  • Display descriptions in multi-select component (#​18730, 61b6562) (@​jaaydenh)
  • Add search to parameter dropdowns (#​18729, 52c4b61) (@​aslilac)
  • Include template variables in dynamic parameter rendering (#​18819, aedc019) (@​Emyrk)
  • Improve workspace upgrade flow when template parameters change (#​18917, 19afeda) (@​aslilac)
  • Make dynamic parameters opt-in by default for new templates (#​19006, 1320b8d) (@​jaaydenh)
• Coder may now be used as an OAuth2 provider (experimental):
  • Add authorization server metadata endpoint, PKCE support (#​18548, 6f2834f) (@​ThomasK33)
  • Add RFC 8707 resource indicators, audience validation (#​18575, f0c9c4d) (@​ThomasK33)
  • Add protected resource metadata endpoint for RFC 9728 (#​18643, 33bbf18) (@​ThomasK33)
  • Implement OAuth2 dynamic client registration (RFC 7591/7592) (#​18645, 74e1d5c) (@​ThomasK33)
  • Add experimental OAuth2 provider functionality (#​18692, 1555154) (@​ThomasK33)
  • Implement RFC 6750 Bearer token authentication (#​18644, 09c5055) (@​ThomasK33)
  • Add RFC 9728 OAuth2 resource metadata support (#​18920, 071383b) (@​ThomasK33)
• The external Coder MCP server is now available as an experiment:

  Use any agent to create coder workspaces.

  • Implement MCP HTTP server endpoint with authentication (#​18670, 494dccc) (@​ThomasK33)
  • Add MCP HTTP server experiment and improve experiment middleware (#​18712, 7fbb3ce) (@​ThomasK33)
  • Add workspace SSH execution tool for AI SDK (#​18924, 326c024) (@​ThomasK33)
  • SDK: Add MCP workspace bash background parameter (#​19034, b666d52) (@​hugodutka)
• Added new connection logs as a separate entity from audit logs

  

  • Dashboard: Add connection log page (#​18708, b5260d5) (@​ethanndickson)
  • Add connectionlogs API (#​18628, 7a339a1) (@​ethanndickson)
• Improvements to Coder Tasks:

  

  • Add task link in the workspace page when it is running a task (#​18591, 2d44add) (@​BrunoQuaresma)
  • Redirect to the task page after creation (#​18626, 29ef3a8) (@​BrunoQuaresma)
  • Make task panels resizable (#​18590, 8eebb4f) (@​BrunoQuaresma)
  • Add preset selector in TasksPage (#​19012, 9a05a8a) (@​johnstcn)
• Improvements to our Devcontainers integration:
  • Agent: Automaticall detect dev containers (#​18950, f41275e) (@​DanielleMaywood)
  • Agent: Allow auto start for discovered containers (#​19040, 66cf90c) (@​DanielleMaywood)
  • CLI: Improve devcontainer support for coder show (#​18793, 5f50dcc) (@​mafredri)
  • CLI: Replace open vscode container with devcontainer subagent (#​18765, 6c4db7a) (@​mafredri)
  • Install dotfiles if present (#​18606, 872aef3) (@​mafredri)
• Administrators can now track usage of agentic AI workspaces:

  Premium licensed customers have a default of 800 agentic workspaces per user. This limit will likely never be hit.

  • Add managed_agent_limit licensing feature (#​18876, 183a6eb) (@​deansheather)
  • Add managed ai usage consumption to license view (#​18934, 36d2e01) (@​ibetitsmike)
• Allow users to pause prebuilt workspace reconciliation (#​18700, 01163ea) (@​SasSwart)
• Use parameter preview engine to compute workspace tags from terraform (#​18720, a099a8a) (@​Emyrk)
• Add publishing of helm charts to ghcr registry (#​18316, 10c1e36) (@​a1994sc)
• Automatically reconnect the terminal (#​18796, 5a8a19b) (@​BrunoQuaresma)
• Publish CLI binaries and detached signatures to releases.coder.com (#​18874, e4d3453) (@​jdomeracki-coder)
• Add managed agent license limit checks (#​18937, 9a6dd73) (@​deansheather)
• Extend workspace build reasons to track connection types (#​18827, 482463c) (@​kacpersaw)
• Add View Source button for template administrators in workspace creation (#​18951, 28789d7) (@​app/blink-so)
• Add timeout support to workspace bash tool (#​19035, 398e80f) (@​ThomasK33)
• Support icon and description in preset (#​18977, 0672bf5) (@​ssncferreira)
• Support shift+enter in terminal (#​19021, 558e25d) (@​code-asher)
• CLI: Add CLI support for listing presets (#​18910, 931b97c) (@​ssncferreira)
• CLI: Support description in create and presets list CLI commands (#​19079, 4e7331a) (@​ssncferreira)
• Helm: Add pod-level securityContext support for certificate mounting (#​19041, faac753) (@​ausbru87)
• Dashboard: Support icon and description in preset (#​19063, 71738f6) (@​ssncferreira)

Bug fixes

• Hide the preset parameter visibility switch when it has no effect (#​18574, 634144f) (@​SasSwart)
• Pin Nix version to 2.28.4 to avoid JSON type error (#​18612, 1b1d091) (@​ThomasK33)
• Cap max X11 forwarding ports and evict old (#​18561, 9e1cf16) (@​spikecurtis)
• Use memmap file system for TestServer_X11 (#​18562, 6bebfd0) (@​spikecurtis)
• Use default preset when creating a workspace for task (#​18623, 6d305df) (@​BrunoQuaresma)
• Use only template version ID to create task workspace (#​18642, 4095330) (@​BrunoQuaresma)
• Display error message when delete workspace fails (#​18654, ad67733) (@​jaaydenh)
• Use client preferred URL for the default DERP (#​18911, a1b87a6) (@​deansheather)
• Prioritise human-initiated builds over prebuilds in provisioner queue (#​18933, c4b69bb) (@​johnstcn)
• Debounce parameter slider to avoid laggy behavior (#​18980, dd2fb89) (@​jaaydenh)
• Avoid duplicating logs on Coder Connect Windows (#​19052, 2a430ab) (@​deansheather)
• Sanitize app status summary to resolve confusing errors in coder tasks (#​19075, 812d72c) (@​johnstcn)
• Agent: Delay containerAPI init to ensure startup scripts run before (#​18630, 7e99fb7) (@​mafredri)
• Agent: Fix script filtering for devcontainers (#​18635, 8ee2668) (@​mafredri)
• Agent: Disable dev container integration inside sub agents (#​18781, 0118e75) (@​DanielleMaywood)
• Agent: Stop logging empty lines (#​18605, 98c77fe) (@​DanielleMaywood)
• Agent: Respect ignore files (#​19016, 25d70ce) (@​DanielleMaywood)
• CLI: Calculate coder ping max correctly (#​18734, 7500aa4) (@​ethanndickson)
• fix(.devcontainer): add home volume and fix code-server and filebrowser (#​18648, d814fdf) (@​mafredri)
• Dashboard: Update vscode.dev container button URLs (#​18696, 8b6d70b) (@​mafredri)
• Dashboard: Only attempt to watch containers when agent connected (#​18873, 089f960) (@​DanielleMaywood)
• Dashboard: Exclude workspace schedule settings for prebuilt workspaces (#​18826, dad033e) (@​ssncferreira)
• Dashboard: Only attempt to watch when dev containers enabled (#​18892, bfb9aa4) (@​DanielleMaywood)
• Dashboard: Speed up state syncs and validate input for debounce hook logic (#​18877, f47efc6) (@​Parkreiner)

Performance Optimization

• Optimize GetPrebuiltWorkspaces query (#​18717, 0367dba) (@​johnstcn)
• Database: Optimize AuditLogs queries (#​18600, 695de6e) (@​kacpersaw)
• Database: Optimize GetRunningPrebuiltWorkspaces (#​18588, 258a839) (@​johnstcn)
• Populate connectionlog count using a separate query (#​18629, 7c077d3) (@​ethanndickson)
• Replace original GetPrebuiltWorkspaces with optimized version (#​18832, 198d50d) (@​johnstcn)
• CLI: Increase reconciliation interval to 1 minute (#​18690, dbfbef6) (@​johnstcn)
• Dashboard: Reduce fetch interval on workspaces page (#​18725, 1195f31) (@​johnstcn)

Documentation

• Add Coder Desktop to remote desktop docs (#​18326, fb0e7a2) (@​matifali)
• Add warning about prebuilds incompatibility with certain features (#​18689, 57a6d59) (@​ssncferreira)
• Add section about how to disable path based apps to security best practices (#​18419, ab254ad) (@​EdwardAngert)
• Mention Windsurf module in Windsurf documentation (#​18715, 91aa583) (@​app/blink-so)
• Add comprehensive development documentation for claude (#​18646, 4dcf0c3) (@​ThomasK33)
• Simplify PostgreSQL K8s setup guide by using 'postgresql' as release name (#​18754, 39ed0c3) (@​app/blink-so)
• Add note about incompatible immutable parameters behavior to parameters doc (#​18814, 78af5e0) (@​EdwardAngert)
• Document known issue with MacOS coder desktop behind VPN (#​18855, 7cf3263) (@​EdwardAngert)
• Add connection logs page covering the new location (#​18739, 6b17aee) (@​ethanndickson)
• Improve audit logs documentation copy (#​18807, de4a270) (@​ethanndickson)
• Add cloud-specific database instance recommendations (#​18862, 87e5365) (@​app/blink-so)
• Update port forwarding docs to include Coder Desktop (#​18870, ca6b5e3) (@​matifali)
• Add documentation for contributing community modules and community templates (#​18820, 6746e16) (@​DevelopmentCats)
• Remove dbmem references from documentation files for claude context (#​18861, 0d3b770) (@​ThomasK33)
• Add suggestions to the tasks docs (#​18766, 1e715e2) (@​hugodutka)
• Update tasks docs (#​18659, b26c9e2) (@​bpmct)

Compare: v2.24.2...v2.25.0

Container image

• docker pull ghcr.io/coder/coder:v2.25.0

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

v2.24.4

Compare Source

Stable (since September 04, 2025)

Changelog

Security Fixes

• Expire token for prebuilds user when regenerating session token (#​19667) (#​19668, ec66090) (@​johnstcn)

  ⚠️ Fixes an issue allowing previously authenticated users to claim prebuilt workspaces created from templates using the coder-login module. Read more in our GHSA for this vulnerability.

• Server: Add audit log on creating a new session key (#​19672) (#​19684, a79adb1) (@​johnstcn)

  Adds an audit log entry when an API key is created via coder login.

Compare: v2.24.3...v2.24.4

Container image

• docker pull ghcr.io/coder/coder:v2.24.4

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this MR, check this box

---

This MR was automatically generated by Renovate Bot.

Upgrade Notices

(Include any relevant notes about upgrades here or write "N/A" if there are none)