Update changelog

Add cookie-suffix flag (#7590 )
Add configurable authorization header to marketplace API calls (#7596 )
2025-12-30 12:26:49 +01:00 · 2025-12-11 16:33:07 -09:00 · 2025-12-11 16:23:09 -09:00 · 2025-12-11 16:02:42 -09:00 · 2025-12-11 16:02:11 -09:00 · 2025-12-02 13:38:27 -09:00
209 changed files with 19567 additions and 12184 deletions
--- a/.eslintrc.yaml
+++ b/.eslintrc.yaml
@ -1,43 +0,0 @@
 parser: "@typescript-eslint/parser"
 env:
  browser: true
  es6: true # Map, etc.
  jest: true
  node: true
 parserOptions:
  ecmaVersion: 2018
  sourceType: module
 extends:
  - eslint:recommended
  - plugin:@typescript-eslint/recommended
  - plugin:import/recommended
  - plugin:import/typescript
  - plugin:prettier/recommended
  # Prettier should always be last
  # Removes eslint rules that conflict with prettier.
  - prettier
 rules:
  # Sometimes you need to add args to implement a function signature even
  # if they are unused.
  "@typescript-eslint/no-unused-vars": ["error", { "args": "none" }]
  # For overloads.
  no-dupe-class-members: off
  "@typescript-eslint/no-use-before-define": off
  "@typescript-eslint/no-non-null-assertion": off
  "@typescript-eslint/ban-types": off
  "@typescript-eslint/no-var-requires": off
  "@typescript-eslint/explicit-module-boundary-types": off
  "@typescript-eslint/no-explicit-any": off
  "@typescript-eslint/no-extra-semi": off
  eqeqeq: error
  import/order:
    [error, { alphabetize: { order: "asc" }, groups: [["builtin", "external", "internal"], "parent", "sibling"] }]
  no-async-promise-executor: off
 settings:
  import/resolver:
    typescript:
      alwaysTryTypes: true
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@ -0,0 +1,2 @@
 # Prettier 3.4.2
 9b0340a09276f93c054d705d1b9a5f24cc5dbc97
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -3,3 +3,5 @@
 ci/helm-chart/ @Matthew-Beckett @alexgorbatchev
 docs/install.md @GNUxeava
 src/node/i18n/locales/zh-cn.json @zhaozhiming
--- a/.github/ISSUE_TEMPLATE/bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yml
@ -1,6 +1,5 @@
 name: Bug report
 description: File a bug report
 title: "[Bug]: "
 labels: ["bug", "triage"]
 body:
  - type: checkboxes
@ -10,6 +9,7 @@ body:
      options:
        - label: I have searched the existing issues
          required: true
  - type: textarea
    attributes:
      label: OS/Web Information
@ -20,6 +20,8 @@ body:
          - **Remote OS**: Ubuntu
          - **Remote Architecture**: amd64
          - **`code-server --version`**: 4.0.1
        Please do not just put "latest" for the version.
      value: |
        - Web Browser:
        - Local OS:
@ -28,58 +30,94 @@ body:
        - `code-server --version`:
    validations:
      required: true
  - type: textarea
    attributes:
      label: Steps to Reproduce
      description: |
-        1. open code-server
+        Please describe exactly how to reproduce the bug. For example:
-        2. install extension
+        1. Open code-server in Firefox
-        3. run command
+        2. Install extension `foo.bar` from the extensions sidebar
        3. Run command `foo.bar.baz`
      value: |
        1.
        2.
        3.
    validations:
      required: true
  - type: textarea
    attributes:
      label: Expected
      description: What should happen?
    validations:
      required: true
  - type: textarea
    attributes:
      label: Actual
      description: What actually happens?
    validations:
      required: true
  - type: textarea
    id: logs
    attributes:
      label: Logs
-      description: Run code-server with the --verbose flag and then paste any relevant logs from the server, from the browser console and/or the browser network tab. For issues with installation, include installation logs (i.e. output of `yarn global add code-server`).
+      description: Run code-server with the --verbose flag and then paste any relevant logs from the server, from the browser console and/or the browser network tab. For issues with installation, include installation logs (i.e. output of `npm install -g code-server`).
      render: shell
  - type: textarea
    attributes:
      label: Screenshot/Video
      description: Please include a screenshot, gif or screen recording of your issue.
    validations:
      required: false
  - type: dropdown
    attributes:
      label: Does this bug reproduce in native VS Code?
      description: If the bug reproduces in native VS Code, submit the issue upstream instead (https://github.com/microsoft/vscode).
      options:
        - Yes, this is also broken in native VS Code
        - No, this works as expected in native VS Code
        - This cannot be tested in native VS Code
        - I did not test native VS Code
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Does this bug reproduce in VS Code web?
      description: If the bug reproduces in VS Code web, submit the issue upstream instead (https://github.com/microsoft/vscode). You can run VS Code web with `code serve-web`.
      options:
        - Yes, this is also broken in VS Code web
        - No, this works as expected in VS Code web
        - This cannot be tested in VS Code web
        - I did not test VS Code web
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Does this bug reproduce in GitHub Codespaces?
      description: If the bug reproduces in GitHub Codespaces, submit the issue upstream instead (https://github.com/microsoft/vscode).
      options:
        - Yes, this is also broken in GitHub Codespaces
        - No, this works as expected in GitHub Codespaces
        - This cannot be tested in GitHub Codespaces
        - I did not test GitHub Codespaces
    validations:
      required: true
  - type: checkboxes
    attributes:
-      label: Does this issue happen in VS Code or GitHub Codespaces?
+      label: Are you accessing code-server over a secure context?
-      description: Please try reproducing this issue in VS Code or GitHub Codespaces
+      description: code-server relies on service workers (which only work in secure contexts) for many features. Double-check that you are using a secure context like HTTPS or localhost.
      options:
-        - label: I cannot reproduce this in VS Code.
+        - label: I am using a secure context.
-          required: true
+          required: false
-        - label: I cannot reproduce this in GitHub Codespaces.
+
          required: true
  - type: checkboxes
    attributes:
      label: Are you accessing code-server over HTTPS?
      description: code-server relies on service workers for many features. Double-check that you are using HTTPS.
      options:
        - label: I am using HTTPS.
          required: true
  - type: textarea
    attributes:
      label: Notes
--- a/.github/ISSUE_TEMPLATE/doc.md
+++ b/.github/ISSUE_TEMPLATE/doc.md
@ -1,9 +1,7 @@
 ---
 name: Documentation improvement
 about: Suggest a documentation improvement
 title: "[Docs]: "
 labels: "docs"
 assignees: "@jsjoeio"
 ---
 ## What is your suggestion?
--- a/.github/ISSUE_TEMPLATE/feature-request.md
+++ b/.github/ISSUE_TEMPLATE/feature-request.md
@ -1,9 +1,7 @@
 ---
 name: Feature request
 about: Suggest an idea to improve code-server
 title: "[Feat]: "
 labels: enhancement
 assignees: ""
 ---
 ## What is your suggestion?
--- a/.github/PULL_REQUEST_TEMPLATE/release_template.md
+++ b/.github/PULL_REQUEST_TEMPLATE/release_template.md
@ -1,17 +0,0 @@
 <!-- Note: this variable $CODE_SERVER_VERSION_TO_UPDATE will be set when you run the release-prep.sh script with `yarn release:prep` -->
 This PR is to generate a new release of `code-server` at `$CODE_SERVER_VERSION_TO_UPDATE`
 ## Screenshot
 TODO
 ## TODOs
 Follow "Publishing a release" steps in `ci/README.md`
 <!-- Note some of these steps below are redundant since they're listed in the "Publishing a release" docs -->
 - [ ] update `CHANGELOG.md`
 - [ ] manually run "Draft release" workflow after merging this PR
 - [ ] merge PR opened in [code-server-aur](https://github.com/coder/code-server-aur)
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@ -0,0 +1,31 @@
 version: 2
 updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
      time: "06:00"
      timezone: "America/Chicago"
    labels: []
    commit-message:
      prefix: "chore"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "monthly"
      time: "06:00"
      timezone: "America/Chicago"
    commit-message:
      prefix: "chore"
    labels: []
    ignore:
      # Ignore patch updates for all dependencies
      - dependency-name: "*"
        update-types:
          - version-update:semver-patch
      # Ignore major updates to Node.js types, because they need to
      # correspond to the Node.js engine version
      - dependency-name: "@types/node"
        update-types:
          - version-update:semver-major
--- a/.github/ranger.yml
+++ b/.github/ranger.yml
@ -1,29 +0,0 @@
 # Configuration for the repo ranger bot
 # See docs: https://www.notion.so/Documentation-8d7627bb1f3c42b7b1820e8d6f157a57#9879d1374fab4d1f9c607c230fd5123d
 default:
  close:
    # Default time to wait before closing the label. Can either be a number in milliseconds
    # or a string specified by the `ms` package (https://www.npmjs.com/package/ms)
    delay: "2 days"
    # Default comment to post when an issue is first marked with a closing label
    comment: "⚠️ This issue has been marked $LABEL and will be closed in $DELAY."
 labels:
  duplicate: close
  wontfix: close
  "squash when passing": merge
  "rebase when passing": merge
  "merge when passing": merge
  "new contributor":
    action: comment
    delay: 5s
    message: "Thanks for making your first contribution! :slightly_smiling_face:"
  "upstream:vscode":
    action: close
    delay: 5s
    comment: >
      This issue has been marked as 'upstream:vscode'.
      Please file this upstream: [link to open issue](https://github.com/microsoft/vscode/issues/new/choose)
      This issue will automatically close in $DELAY.
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -19,382 +19,278 @@ concurrency:
 # this ensures that it only executes if all previous jobs succeeded.
 # if: steps.cache-node-modules.outputs.cache-hit != 'true'
-# will skip running `yarn install` if it successfully fetched from cache
+# will skip running `npm install` if it successfully fetched from cache
 jobs:
-  prettier:
+  changes:
    name: Format with Prettier
    runs-on: ubuntu-latest
-    timeout-minutes: 5
+    outputs:
      ci: ${{ steps.filter.outputs.ci }}
      code: ${{ steps.filter.outputs.code }}
      deps: ${{ steps.filter.outputs.deps }}
      docs: ${{ steps.filter.outputs.docs }}
      helm: ${{ steps.filter.outputs.helm }}
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
-
+      - name: Check changed files
-      - name: Run prettier with actionsx/prettier
+        uses: dorny/paths-filter@v3
-        uses: actionsx/prettier@v2
+        id: filter
        with:
-          args: --check --loglevel=warn .
+          filters: |
            ci:
              - ".github/**"
              - "ci/**"
            docs:
              - "docs/**"
              - "README.md"
              - "CHANGELOG.md"
            helm:
              - "ci/helm-chart/**"
            code:
              - "src/**"
              - "test/**"
            deps:
              - "lib/**"
              - "patches/**"
              - "package-lock.json"
              - "test/package-lock.json"
      - id: debug
        run: |
          echo "${{ toJSON(steps.filter )}}"
  prettier:
    name: Run prettier check
    runs-on: ubuntu-22.04
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version-file: .node-version
          cache: npm
          cache-dependency-path: |
            package-lock.json
            test/package-lock.json
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - run: npx prettier --check .
  doctoc:
    name: Doctoc markdown files
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    timeout-minutes: 5
    needs: changes
    if: needs.changes.outputs.docs == 'true'
    steps:
-      - name: Checkout repo
+      - uses: actions/checkout@v6
-        uses: actions/checkout@v3
+      - uses: actions/setup-node@v6
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v26.1
        with:
-          files: |
+          node-version-file: .node-version
-            docs/**
+          cache: npm
-
+          cache-dependency-path: |
-      - name: Install Node.js v16
+            package-lock.json
-        if: steps.changed-files.outputs.any_changed == 'true'
+            test/package-lock.json
-        uses: actions/setup-node@v3
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
-        with:
+      - run: npm run doctoc
          node-version: "16"
          cache: "yarn"
      - name: Install doctoc
        run: yarn global add doctoc@2.2.1
      - name: Run doctoc
        if: steps.changed-files.outputs.any_changed == 'true'
        run: yarn doctoc
  lint-helm:
    name: Lint Helm chart
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    timeout-minutes: 5
    needs: changes
    if: needs.changes.outputs.helm == 'true'
    steps:
-      - name: Checkout repo
+      - uses: actions/checkout@v6
-        uses: actions/checkout@v3
+      - uses: azure/setup-helm@v4
        with:
          fetch-depth: 2
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v26.1
        with:
          files: |
            ci/helm-chart/**
      - name: Install helm
        if: steps.changed-files.outputs.any_changed == 'true'
        uses: azure/setup-helm@v3.4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
-
+      - run: helm plugin install https://github.com/instrumenta/helm-kubeval
-      - name: Install helm kubeval plugin
+      - run: helm kubeval ci/helm-chart
        if: steps.changed-files.outputs.any_changed == 'true'
        run: helm plugin install https://github.com/instrumenta/helm-kubeval
      - name: Lint Helm chart
        if: steps.changed-files.outputs.any_changed == 'true'
        run: helm kubeval ci/helm-chart
  lint-ts:
    name: Lint TypeScript files
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    timeout-minutes: 5
    needs: changes
    if: needs.changes.outputs.code == 'true'
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version-file: .node-version
          cache: npm
          cache-dependency-path: |
            package-lock.json
            test/package-lock.json
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - run: npm run lint:ts
  lint-actions:
    name: Lint GitHub Actions
    runs-on: ubuntu-latest
    needs: changes
    if: needs.changes.outputs.ci == 'true'
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
      - name: Check workflow files
        run: |
          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.9
          ./actionlint -color -shellcheck= -ignore "softprops/action-gh-release"
        shell: bash
  test-unit:
    name: Run unit tests
    runs-on: ubuntu-22.04
    timeout-minutes: 5
    needs: changes
    if: needs.changes.outputs.code == 'true'
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
-          fetch-depth: 2
+          node-version-file: .node-version
-
+          cache: npm
-      - name: Get changed files
+          cache-dependency-path: |
-        id: changed-files
+            package-lock.json
-        uses: tj-actions/changed-files@v26.1
+            test/package-lock.json
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - run: npm run test:unit
      - uses: codecov/codecov-action@v5
        if: success()
        with:
-          files: |
+          token: ${{ secrets.CODECOV_TOKEN }}
            **/*.ts
            **/*.js
          files_ignore: |
            lib/vscode/**
      - name: Install Node.js v16
        if: steps.changed-files.outputs.any_changed == 'true'
        uses: actions/setup-node@v3
        with:
          node-version: "16"
      - name: Fetch dependencies from cache
        if: steps.changed-files.outputs.any_changed == 'true'
        id: cache-node-modules
        uses: actions/cache@v3
        with:
          path: "**/node_modules"
          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            yarn-build-
      - name: Install dependencies
        if: steps.changed-files.outputs.any_changed == 'true' && steps.cache-node-modules.outputs.cache-hit != 'true'
        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
      - name: Lint TypeScript files
        if: steps.changed-files.outputs.any_changed == 'true'
        run: yarn lint:ts
  build:
    name: Build code-server
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
-    timeout-minutes: 30
+    timeout-minutes: 70
    env:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
      DISABLE_V8_COMPILE_CACHE: 1
    steps:
-      - name: Checkout repo
+      - uses: actions/checkout@v6
        uses: actions/checkout@v3
        with:
          submodules: true
-
+      - run: sudo apt update && sudo apt install -y libkrb5-dev
-      - name: Install quilt
+      - uses: awalsh128/cache-apt-pkgs-action@latest
        uses: awalsh128/cache-apt-pkgs-action@latest
        with:
          packages: quilt
          version: 1.0
-
+      - run: quilt push -a
-      - name: Patch Code
+      - uses: actions/setup-node@v6
        run: quilt push -a
      - name: Install Node.js v16
        uses: actions/setup-node@v3
        with:
-          node-version: "16"
+          node-version-file: .node-version
-
+          cache: npm
-      - name: Fetch dependencies from cache
+          cache-dependency-path: |
-        id: cache-node-modules
+            package-lock.json
-        uses: actions/cache@v3
+            test/package-lock.json
-        with:
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
-          path: "**/node_modules"
+      - run: npm run build
-          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+        env:
-          restore-keys: |
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
            yarn-build-
      - name: Install dependencies
        if: steps.cache-node-modules.outputs.cache-hit != 'true'
        run: yarn --frozen-lockfile
      - name: Build code-server
        run: yarn build
      # Get Code's git hash.  When this changes it means the content is
      # different and we need to rebuild.
      - name: Get latest lib/vscode rev
        id: vscode-rev
-        run: echo "::set-output name=rev::$(git rev-parse HEAD:./lib/vscode)"
+        run: echo "rev=$(git rev-parse HEAD:./lib/vscode)" >> $GITHUB_OUTPUT
      - name: Get version
        id: version
        run: echo "::set-output name=version::$(jq -r .version package.json)"
      # We need to rebuild when we have a new version of Code, when any of
      # the patches changed, or when the code-server version changes (since
      # it gets embedded into the code).  Use VSCODE_CACHE_VERSION to
      # force a rebuild.
      - name: Fetch prebuilt Code package from cache
        id: cache-vscode
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: lib/vscode-reh-web-*
-          key: vscode-reh-package-${{ secrets.VSCODE_CACHE_VERSION }}-${{ steps.vscode-rev.outputs.rev }}-${{ steps.version.outputs.version }}-${{ hashFiles('patches/*.diff', 'ci/build/build-vscode.sh') }}
+          key: vscode-reh-package-${{ secrets.VSCODE_CACHE_VERSION }}-${{ steps.vscode-rev.outputs.rev }}-${{ hashFiles('patches/*.diff', 'ci/build/build-vscode.sh') }}
      - name: Build vscode
        env:
          VERSION: "0.0.0"
        if: steps.cache-vscode.outputs.cache-hit != 'true'
-        run: yarn build:vscode
+        run: |
-
+          pushd lib/vscode
-      # Our code imports code from VS Code's `out` directory meaning VS Code
+          npm ci
-      # must be built before running these tests.
+          popd
-      # TODO: Move to its own step?
+          npm run build:vscode
      - name: Run code-server unit tests
        run: yarn test:unit
        if: success()
      - name: Upload coverage report to Codecov
        uses: codecov/codecov-action@v3
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
        if: success()
      # The release package does not contain any native modules
      # and is neutral to architecture/os/libc version.
-      - name: Create release package
+      - run: npm run release
        run: yarn release
        if: success()
      # https://github.com/actions/upload-artifact/issues/38
-      - name: Compress release package
+      - run: tar -czf package.tar.gz release
-        run: tar -czf package.tar.gz release
+      - uses: actions/upload-artifact@v4
      - name: Upload npm package artifact
        uses: actions/upload-artifact@v3
        with:
          name: npm-package
          path: ./package.tar.gz
  npm:
    name: Publish npm package
    # the npm-package gets uploaded as an artifact in Build
    # so we need that to complete before this runs
    needs: build
    # This environment "npm" requires someone from
    # coder/code-server-reviewers to approve the PR before this job runs.
    environment: npm
    # Only run if PR comes from base repo or event is not a PR
    # Reason: forks cannot access secrets and this will always fail
    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: Download artifact
        uses: actions/download-artifact@v3
        id: download
        with:
          name: "npm-package"
          path: release-npm-package
      - name: Run ./ci/steps/publish-npm.sh
        run: yarn publish:npm
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          # NOTE@jsjoeio
          # NPM_ENVIRONMENT intentionally not set here.
          # Instead, itis determined in publish-npm.sh script
          # using GITHUB environment variables
      - name: Comment npm information
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          GITHUB_TOKEN: ${{ github.token }}
          header: npm-dev-build
          message: |
            ✨ code-server dev build published to npm for PR #${{ github.event.number }}!
            * _Last publish status_: success
            * _Commit_: ${{ github.event.pull_request.head.sha }}
            To install in a local project, run:
            ```shell-session
            npm install @coder/code-server-pr@${{ github.event.number }}
            ```
            To install globally, run:
            ```shell-session
            npm install -g @coder/code-server-pr@${{ github.event.number }}
            ```
  test-e2e:
    name: Run e2e tests
-    needs: build
+    runs-on: ubuntu-22.04
-    runs-on: ubuntu-latest
+    timeout-minutes: 25
-    timeout-minutes: 15
+    needs: [changes, build]
    if: needs.changes.outputs.code == 'true' || needs.changes.outputs.deps == 'true'
    steps:
-      - name: Checkout repo
+      - uses: actions/checkout@v6
-        uses: actions/checkout@v3
+      - run: sudo apt update && sudo apt install -y libkrb5-dev
-
+      - uses: actions/setup-node@v6
      - name: Install Node.js v16
        uses: actions/setup-node@v3
        with:
-          node-version: "16"
+          node-version-file: .node-version
-
+          cache: npm
-      - name: Fetch dependencies from cache
+          cache-dependency-path: |
-        id: cache-node-modules
+            package-lock.json
-        uses: actions/cache@v3
+            test/package-lock.json
-        with:
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
-          path: "**/node_modules"
+      - uses: actions/download-artifact@v5
          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            yarn-build-
      - name: Download npm package
        uses: actions/download-artifact@v3
        with:
          name: npm-package
-
+      - run: tar -xzf package.tar.gz
-      - name: Decompress npm package
+      - run: cd release && npm install --unsafe-perm --omit=dev
        run: tar -xzf package.tar.gz
      - name: Install release package dependencies
        run: cd release && yarn install
      - name: Install dependencies
        if: steps.cache-node-modules.outputs.cache-hit != 'true'
        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
      - name: Install Playwright OS dependencies
        run: |
          ./test/node_modules/.bin/playwright install-deps
          ./test/node_modules/.bin/playwright install
-
+      - run: CODE_SERVER_TEST_ENTRY=./release npm run test:e2e
-      - name: Run end-to-end tests
+      - uses: actions/upload-artifact@v4
        run: CODE_SERVER_TEST_ENTRY=./release yarn test:e2e --global-timeout 840000
      - name: Upload test artifacts
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: failed-test-videos
          path: ./test/test-results
-
+      - run: rm -rf ./release ./test/test-results
      - name: Remove release packages and test artifacts
        run: rm -rf ./release ./test/test-results
  test-e2e-proxy:
    name: Run e2e tests behind proxy
-    needs: build
+    runs-on: ubuntu-22.04
    runs-on: ubuntu-latest
    timeout-minutes: 25
    needs: [changes, build]
    if: needs.changes.outputs.code == 'true' || needs.changes.outputs.deps == 'true'
    steps:
-      - name: Checkout repo
+      - uses: actions/checkout@v6
-        uses: actions/checkout@v3
+      - run: sudo apt update && sudo apt install -y libkrb5-dev
-
+      - uses: actions/setup-node@v6
      - name: Install Node.js v16
        uses: actions/setup-node@v3
        with:
-          node-version: "16"
+          node-version-file: .node-version
-
+          cache: npm
-      - name: Fetch dependencies from cache
+          cache-dependency-path: |
-        id: cache-node-modules
+            package-lock.json
-        uses: actions/cache@v3
+            test/package-lock.json
-        with:
+      - run: SKIP_SUBMODULE_DEPS=1 npm ci
-          path: "**/node_modules"
+      - uses: actions/download-artifact@v5
          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            yarn-build-
      - name: Download npm package
        uses: actions/download-artifact@v3
        with:
          name: npm-package
-
+      - run: tar -xzf package.tar.gz
-      - name: Decompress npm package
+      - run: cd release && npm install --unsafe-perm --omit=dev
        run: tar -xzf package.tar.gz
      - name: Install release package dependencies
        run: cd release && yarn install
      - name: Install dependencies
        if: steps.cache-node-modules.outputs.cache-hit != 'true'
        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
      - name: Install Playwright OS dependencies
        run: |
          ./test/node_modules/.bin/playwright install-deps
          ./test/node_modules/.bin/playwright install
      - name: Cache Caddy
-        uses: actions/cache@v2
+        uses: actions/cache@v4
        id: caddy-cache
        with:
          path: |
            ~/.cache/caddy
          key: cache-caddy-2.5.2
      - name: Install Caddy
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@ -403,23 +299,13 @@ jobs:
          gh release download v2.5.2 --repo caddyserver/caddy --pattern "caddy_2.5.2_linux_amd64.tar.gz"
          mkdir -p ~/.cache/caddy
          tar -xzf caddy_2.5.2_linux_amd64.tar.gz --directory ~/.cache/caddy
-
+      - run: ~/.cache/caddy/caddy start --config ./ci/Caddyfile
-      - name: Start Caddy
+      - run: CODE_SERVER_TEST_ENTRY=./release npm run test:e2e:proxy
-        run: sudo ~/.cache/caddy/caddy start --config ./ci/Caddyfile
+      - run: ~/.cache/caddy/caddy stop --config ./ci/Caddyfile
      - name: Run end-to-end tests
        run: CODE_SERVER_TEST_ENTRY=./release yarn test:e2e:proxy --global-timeout 840000
      - name: Stop Caddy
        if: always()
        run: sudo ~/.cache/caddy/caddy stop --config ./ci/Caddyfile
-      - name: Upload test artifacts
+      - uses: actions/upload-artifact@v4
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: failed-test-videos-proxy
          path: ./test/test-results
      - name: Remove release packages and test artifacts
        run: rm -rf ./release ./test/test-results
--- a/.github/workflows/docs-preview.yaml
+++ b/.github/workflows/docs-preview.yaml
@ -1,46 +0,0 @@
 name: Docs preview
 on:
  pull_request:
    branches:
      - main
    paths:
      - "docs/**"
 permissions:
  actions: none
  checks: none
  contents: read
  deployments: none
  issues: none
  packages: none
  pull-requests: write
  repository-projects: none
  security-events: none
  statuses: none
 jobs:
  preview:
    name: Docs preview
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3
      - name: Set outputs
        id: vars
        run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
      - name: Comment Credentials
        uses: marocchino/sticky-pull-request-comment@v2
        # Only run if PR comes from base repo
        # Reason: forks cannot access secrets and this will always fail
        if: github.event.pull_request.head.repo.full_name == github.repository
        with:
          GITHUB_TOKEN: ${{ github.token }}
          header: codercom-preview-docs
          message: |
            ✨ code-server docs for PR #${{ github.event.number }} is ready! It will be updated on every commit.
            * _Host_: https://coder.com/docs/code-server/${{ steps.vars.outputs.sha_short }}
            * _Last deploy status_: success
            * _Commit_: ${{ github.event.pull_request.head.sha }}
            * _Workflow status_: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
--- a/.github/workflows/installer.yaml
+++ b/.github/workflows/installer.yaml
@ -30,7 +30,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
      - name: Install code-server
        run: ./install.sh
@ -41,10 +41,10 @@ jobs:
  alpine:
    name: Test installer on Alpine
    runs-on: ubuntu-latest
-    container: "alpine:3.16"
+    container: "alpine:3.17"
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
      - name: Install curl
        run: apk add curl
@ -67,7 +67,7 @@ jobs:
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
      - name: Install code-server
        run: ./install.sh
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@ -4,6 +4,11 @@ on:
  # Shows the manual trigger in GitHub UI
  # helpful as a back-up in case the GitHub Actions Workflow fails
  workflow_dispatch:
    inputs:
      version:
        description: The version to publish (include "v", i.e. "v4.9.1").
        type: string
        required: true
  release:
    types: [released]
@ -16,80 +21,54 @@ concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 jobs:
  # NOTE: this job requires curl, jq and yarn
  # All of them are included in ubuntu-latest.
  npm:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code-server
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
-      - name: Get version
+      - name: Install Node.js
-        id: version
+        uses: actions/setup-node@v6
-        run: echo "::set-output name=version::$(jq -r .version package.json)"
+        with:
          node-version-file: .node-version
      - name: Download npm package from release artifacts
-        uses: robinraju/release-downloader@v1.5
+        uses: robinraju/release-downloader@v1.12
        with:
          repository: "coder/code-server"
-          tag: v${{ steps.version.outputs.version }}
+          tag: ${{ github.event.inputs.version || github.ref_name }}
          fileName: "package.tar.gz"
          out-file-path: "release-npm-package"
-      - name: Publish npm package and tag with "latest"
+      # Strip out the v (v4.9.1 -> 4.9.1).
-        run: yarn publish:npm
+      - name: Get and set VERSION
        run: |
          TAG="${{ github.event.inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - run: npm run publish:npm
        env:
          VERSION: ${{ env.VERSION }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_ENVIRONMENT: "production"
  homebrew:
    needs: npm
    runs-on: ubuntu-latest
    steps:
      # Ensure things are up to date
      # Suggested by homebrew maintainers
      # https://github.com/Homebrew/discussions/discussions/1532#discussioncomment-782633
      - name: Set up Homebrew
        id: set-up-homebrew
        uses: Homebrew/actions/setup-homebrew@master
      - name: Checkout code-server
        uses: actions/checkout@v3
      - name: Configure git
        run: |
          git config --global user.name cdrci
          git config --global user.email opensource@coder.com
      - name: Bump code-server homebrew version
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{secrets.HOMEBREW_GITHUB_API_TOKEN}}
        run: ./ci/steps/brew-bump.sh
  aur:
    needs: npm
    runs-on: ubuntu-latest
    timeout-minutes: 10
    env:
      GH_TOKEN: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
    steps:
      # We need to checkout code-server so we can get the version
      - name: Checkout code-server
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          path: "./code-server"
      - name: Get code-server version
        id: version
        run: |
          pushd code-server
          echo "::set-output name=version::$(jq -r .version package.json)"
          popd
      - name: Checkout code-server-aur repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          repository: "cdrci/code-server-aur"
          token: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
@ -106,60 +85,82 @@ jobs:
          git config --global user.name cdrci
          git config --global user.email opensource@coder.com
      # Strip out the v (v4.9.1 -> 4.9.1).
      - name: Get and set VERSION
        run: |
          TAG="${{ github.event.inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - name: Validate package
-        uses: hapakaien/archlinux-package-action@v2
+        uses: heyhusen/archlinux-package-action@v2.4.0
        env:
          VERSION: ${{ env.VERSION }}
        with:
-          pkgver: ${{ steps.version.outputs.version }}
+          pkgver: ${{ env.VERSION }}
          updpkgsums: true
          srcinfo: true
      - name: Open PR
        # We need to git push -u otherwise gh will prompt
        # asking where to push the branch.
        env:
          VERSION: ${{ env.VERSION }}
        run: |
-          git checkout -b update-version-${{ steps.version.outputs.version }}
+          git checkout -b update-version-${{ env.VERSION }}
          git add .
-          git commit -m "chore: updating version to ${{ steps.version.outputs.version }}"
+          git commit -m "chore: updating version to ${{ env.VERSION }}"
          git push -u origin $(git branch --show)
-          gh pr create --repo coder/code-server-aur --title "chore: bump version to ${{ steps.version.outputs.version }}" --body "PR opened by @$GITHUB_ACTOR" --assignee $GITHUB_ACTOR
+          gh pr create --repo coder/code-server-aur --title "chore: bump version to ${{ env.VERSION }}" --body "PR opened by @$GITHUB_ACTOR" --assignee $GITHUB_ACTOR
  docker:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout code-server
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GHCR
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Get version
+      # Strip out the v (v4.9.1 -> 4.9.1).
-        id: version
+      - name: Get and set VERSION
-        run: echo "::set-output name=version::$(jq -r .version package.json)"
+        run: |
          TAG="${{ github.event.inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
-      - name: Download release artifacts
+      - name: Download deb artifacts
-        uses: robinraju/release-downloader@v1.5
+        uses: robinraju/release-downloader@v1.12
        with:
          repository: "coder/code-server"
-          tag: v${{ steps.version.outputs.version }}
+          tag: v${{ env.VERSION }}
          fileName: "*.deb"
          out-file-path: "release-packages"
      - name: Download rpm artifacts
        uses: robinraju/release-downloader@v1.12
        with:
          repository: "coder/code-server"
          tag: v${{ env.VERSION }}
          fileName: "*.rpm"
          out-file-path: "release-packages"
      - name: Publish to Docker
-        run: yarn publish:docker
+        run: ./ci/steps/docker-buildx-push.sh
        env:
          VERSION: ${{ env.VERSION }}
          GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -2,6 +2,11 @@ name: Draft release
 on:
  workflow_dispatch:
    inputs:
      version:
        description: The version to publish (include "v", i.e. "v4.9.1").
        type: string
        required: true
 permissions:
  contents: write # For creating releases.
@ -14,139 +19,73 @@ concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 jobs:
-  # TODO: cache building yarn --production
+  package-linux-cross:
-  # possibly 2m30s of savings(?)
+    name: ${{ matrix.prefix }}
  # this requires refactoring our release scripts
  package-linux-amd64:
    name: x86-64 Linux build
    runs-on: ubuntu-latest
    timeout-minutes: 15
-    container: "centos:7"
+    needs: npm-version
-    env:
+    container: "python:3.8-slim-buster"
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: Install Node.js v16
        uses: actions/setup-node@v3
        with:
          node-version: "16"
      - name: Install development tools
        run: |
          yum install -y epel-release centos-release-scl make
          yum install -y devtoolset-9-{make,gcc,gcc-c++} jq rsync python3
      - name: Install nfpm and envsubst
        run: |
          mkdir -p ~/.local/bin
          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
          curl -sSfL https://github.com/a8m/envsubst/releases/download/v1.1.0/envsubst-`uname -s`-`uname -m` -o envsubst
          chmod +x envsubst
          mv envsubst ~/.local/bin
          echo "$HOME/.local/bin" >> $GITHUB_PATH
      - name: Install yarn
        run: npm install -g yarn
      - name: Download artifacts
        uses: dawidd6/action-download-artifact@v2
        id: download
        with:
          branch: ${{ github.ref }}
          workflow: build.yaml
          workflow_conclusion: completed
          check_artifacts: true
          name: npm-package
      - name: Decompress npm package
        run: tar -xzf package.tar.gz
      # NOTE: && here is deliberate - GitHub puts each line in its own `.sh`
      # file when running inside a docker container.
      - name: Build standalone release
        run: source scl_source enable devtoolset-9 && yarn release:standalone
      - name: Fetch dependencies from cache
        id: cache-node-modules
        uses: actions/cache@v3
        with:
          path: "**/node_modules"
          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            yarn-build-
      - name: Install test dependencies
        if: steps.cache-node-modules.outputs.cache-hit != 'true'
        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
      - name: Run integration tests on standalone release
        run: yarn test:integration
      - name: Upload coverage report to Codecov
        uses: codecov/codecov-action@v3
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
        if: success()
      - name: Build packages with nfpm
        run: yarn package
      - uses: softprops/action-gh-release@v1
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
          files: ./release-packages/*
  # NOTE@oxy:
  # We use Ubuntu 16.04 here, so that our build is more compatible
  # with older libc versions. We used to (Q1'20) use CentOS 7 here,
  # but it has a full update EOL of Q4'20 and a 'critical security'
  # update EOL of 2024. We're dropping full support a few years before
  # the final EOL, but I don't believe CentOS 7 has a large arm64 userbase.
  # It is not feasible to cross-compile with CentOS.
  # Cross-compile notes: To compile native dependencies for arm64,
  # we install the aarch64/armv7l cross toolchain and then set it as the default
  # compiler/linker/etc. with the AR/CC/CXX/LINK environment variables.
  # qemu-user-static on ubuntu-16.04 currently doesn't run Node correctly,
  # so we just build with "native"/x86_64 node, then download arm64/armv7l node
  # and then put it in our release. We can't smoke test the cross build this way,
  # but this means we don't need to maintain a self-hosted runner!
  # NOTE@jsjoeio:
  # We used to use 16.04 until GitHub deprecated it on September 20, 2021
  # See here: https://github.com/actions/virtual-environments/pull/3862/files
  package-linux-cross:
    name: Linux cross-compile builds
    runs-on: ubuntu-18.04
    timeout-minutes: 15
    strategy:
      matrix:
        include:
          - prefix: x86_64-linux-gnu
            npm_arch: x64
            apt_arch: amd64
            package_arch: amd64
          - prefix: aarch64-linux-gnu
-            arch: arm64
+            npm_arch: arm64
            apt_arch: arm64
            package_arch: arm64
          - prefix: arm-linux-gnueabihf
-            arch: armv7l
+            npm_arch: armv7l
            apt_arch: armhf
            package_arch: armv7l
    env:
      AR: ${{ format('{0}-ar', matrix.prefix) }}
      AS: ${{ format('{0}-as', matrix.prefix) }}
      CC: ${{ format('{0}-gcc', matrix.prefix) }}
      CPP: ${{ format('{0}-cpp', matrix.prefix) }}
      CXX: ${{ format('{0}-g++', matrix.prefix) }}
-      LINK: ${{ format('{0}-g++', matrix.prefix) }}
+      FC: ${{ format('{0}-gfortran', matrix.prefix) }}
-      NPM_CONFIG_ARCH: ${{ matrix.arch }}
+      LD: ${{ format('{0}-ld', matrix.prefix) }}
-      NODE_VERSION: v16.13.0
+      STRIP: ${{ format('{0}-strip', matrix.prefix) }}
      PKG_CONFIG_PATH: ${{ format('/usr/lib/{0}/pkgconfig', matrix.prefix) }}
      TARGET_ARCH: ${{ matrix.apt_arch }}
      npm_config_arch: ${{ matrix.npm_arch }}
      PKG_ARCH: ${{ matrix.package_arch }}
      # Not building from source results in an x86_64 argon2, as if
      # npm_config_arch is being ignored.
      npm_config_build_from_source: true
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
-      - name: Install Node.js v16
+      - name: Install Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
        with:
-          node-version: "16"
+          node-version-file: .node-version
          cache: npm
          cache-dependency-path: |
            package-lock.json
            test/package-lock.json
      - name: Install cross-compiler and system dependencies
        run: |
          sed -i 's/deb\.debian\.org/archive.debian.org/g' /etc/apt/sources.list
          dpkg --add-architecture $TARGET_ARCH
          apt update && apt install -y --no-install-recommends \
            crossbuild-essential-$TARGET_ARCH \
            libx11-dev:$TARGET_ARCH \
            libx11-xcb-dev:$TARGET_ARCH \
            libxkbfile-dev:$TARGET_ARCH \
            libsecret-1-dev:$TARGET_ARCH \
            libkrb5-dev:$TARGET_ARCH \
            ca-certificates \
            curl wget rsync gettext-base
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - name: Install nfpm
        run: |
@ -154,35 +93,30 @@ jobs:
          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
          echo "$HOME/.local/bin" >> $GITHUB_PATH
-      - name: Install cross-compiler
+      - name: Download npm package
-        run: sudo apt update && sudo apt install $PACKAGE
+        uses: actions/download-artifact@v5
        env:
          PACKAGE: ${{ format('g++-{0}', matrix.prefix) }}
      - name: Download artifacts
        uses: dawidd6/action-download-artifact@v2
        id: download
        with:
-          branch: ${{ github.ref }}
+          name: npm-release-package
          workflow: build.yaml
          workflow_conclusion: completed
          check_artifacts: true
          name: npm-package
-      - name: Decompress npm package
+      - run: tar -xzf package.tar.gz
-        run: tar -xzf package.tar.gz
+      - run: npm run release:standalone
      - name: Build standalone release
        run: yarn release:standalone
      - name: Replace node with cross-compile equivalent
        run: |
-          wget https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}.tar.xz
+          node_version=$(node --version)
-          tar -xf node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}.tar.xz node-${NODE_VERSION}-linux-${NPM_CONFIG_ARCH}/bin/node --strip-components=2
+          wget https://nodejs.org/dist/${node_version}/node-${node_version}-linux-${npm_config_arch}.tar.xz
          tar -xf node-${node_version}-linux-${npm_config_arch}.tar.xz node-${node_version}-linux-${npm_config_arch}/bin/node --strip-components=2
          mv ./node ./release-standalone/lib/node
-      - name: Build packages with nfpm
+      # Strip out the v (v4.9.1 -> 4.9.1).
-        run: yarn package ${NPM_CONFIG_ARCH}
+      - name: Get and set VERSION
        run: |
          TAG="${{ inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - env:
          VERSION: ${{ env.VERSION }}
        run: npm run package $PKG_ARCH
      - uses: softprops/action-gh-release@v1
        with:
@ -192,16 +126,26 @@ jobs:
  package-macos-amd64:
    name: x86-64 macOS build
-    runs-on: macos-latest
+    runs-on: macos-15-intel
    timeout-minutes: 15
    needs: npm-version
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
-      - name: Install Node.js v16
+      - name: Install Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
        with:
-          node-version: "16"
+          node-version-file: .node-version
          cache: npm
          cache-dependency-path: |
            package-lock.json
            test/package-lock.json
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - name: Install nfpm
        run: |
@ -209,40 +153,92 @@ jobs:
          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
          echo "$HOME/.local/bin" >> $GITHUB_PATH
-      - name: Download artifacts
+      # The version of node-gyp we use depends on distutils but it was removed
-        uses: dawidd6/action-download-artifact@v2
+      # in Python 3.12.  It seems to be fixed in the latest node-gyp so when we
-        id: download
+      # next update Node we can probably remove this.  For now, install
      # setuptools since it contains distutils.
      - run: brew install python-setuptools
      - name: Download npm package
        uses: actions/download-artifact@v5
        with:
-          branch: ${{ github.ref }}
+          name: npm-release-package
          workflow: build.yaml
          workflow_conclusion: completed
          check_artifacts: true
          name: npm-package
-      - name: Decompress npm package
+      - run: tar -xzf package.tar.gz
-        run: tar -xzf package.tar.gz
+      - run: npm run release:standalone
      - run: npm run test:native
-      - name: Build standalone release
+      # Strip out the v (v4.9.1 -> 4.9.1).
-        run: yarn release:standalone
+      - name: Get and set VERSION
-
+        run: |
-      - name: Fetch dependencies from cache
+          TAG="${{ inputs.version || github.ref_name }}"
-        id: cache-node-modules
+          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
        uses: actions/cache@v3
        with:
          path: "**/node_modules"
          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            yarn-build-
      - name: Install test dependencies
        if: steps.cache-node-modules.outputs.cache-hit != 'true'
        run: SKIP_SUBMODULE_DEPS=1 yarn install
      - name: Run native module tests on standalone release
        run: yarn test:native
      - name: Build packages with nfpm
-        run: yarn package
+        env:
          VERSION: ${{ env.VERSION }}
        run: npm run package
      - uses: softprops/action-gh-release@v1
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
          files: ./release-packages/*
  package-macos-arm64:
    name: arm64 macOS build
    runs-on: macos-latest
    timeout-minutes: 15
    needs: npm-version
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout repo
        uses: actions/checkout@v6
      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
          node-version-file: .node-version
          cache: npm
          cache-dependency-path: |
            package-lock.json
            test/package-lock.json
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - name: Install nfpm
        run: |
          mkdir -p ~/.local/bin
          curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
          echo "$HOME/.local/bin" >> $GITHUB_PATH
      # The version of node-gyp we use depends on distutils but it was removed
      # in Python 3.12.  It seems to be fixed in the latest node-gyp so when we
      # next update Node we can probably remove this.  For now, install
      # setuptools since it contains distutils.
      - run: brew install python-setuptools
      - name: Download npm package
        uses: actions/download-artifact@v5
        with:
          name: npm-release-package
      - run: tar -xzf package.tar.gz
      - run: npm run release:standalone
      - run: npm run test:native
      # Strip out the v (v4.9.1 -> 4.9.1).
      - name: Get and set VERSION
        run: |
          TAG="${{ inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - name: Build packages with nfpm
        env:
          VERSION: ${{ env.VERSION }}
        run: npm run package
      - uses: softprops/action-gh-release@v1
        with:
@ -254,19 +250,60 @@ jobs:
    name: Upload npm package
    runs-on: ubuntu-latest
    timeout-minutes: 15
    needs: npm-version
    steps:
-      - name: Download artifacts
+      - name: Download npm package
-        uses: dawidd6/action-download-artifact@v2
+        uses: actions/download-artifact@v5
        id: download
        with:
-          branch: ${{ github.ref }}
+          name: npm-release-package
          workflow: build.yaml
          workflow_conclusion: completed
          check_artifacts: true
          name: npm-package
      - uses: softprops/action-gh-release@v1
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
          files: ./package.tar.gz
  npm-version:
    name: Modify package.json version
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Download artifacts
        uses: dawidd6/action-download-artifact@v11
        id: download
        with:
          branch: ${{ github.ref }}
          workflow: build.yaml
          workflow_conclusion: completed
          name: npm-package
          check_artifacts: false
          if_no_artifact_found: fail
      - run: tar -xzf package.tar.gz
      # Strip out the v (v4.9.1 -> 4.9.1).
      - name: Get and set VERSION
        run: |
          TAG="${{ inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV
      - name: Modify version
        env:
          VERSION: ${{ env.VERSION }}
        run: |
          echo "Updating version in root package.json"
          npm version --prefix release "$VERSION"
          echo "Updating version in lib/vscode/product.json"
          tmp=$(mktemp)
          jq ".codeServerVersion = \"$VERSION\"" release/lib/vscode/product.json > "$tmp" && mv "$tmp" release/lib/vscode/product.json
          # Ensure it has the same permissions as before
          chmod 644 release/lib/vscode/product.json
      - run: tar -czf package.tar.gz release
      - name: Upload npm package artifact
        uses: actions/upload-artifact@v4
        with:
          name: npm-release-package
          path: ./package.tar.gz
--- a/.github/workflows/scripts.yaml
+++ b/.github/workflows/scripts.yaml
@ -38,10 +38,10 @@ jobs:
    name: Run script unit tests
    runs-on: ubuntu-latest
    # This runs on Alpine to make sure we're testing with actual sh.
-    container: "alpine:3.16"
+    container: "alpine:3.17"
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
      - name: Install test utilities
        run: apk add bats checkbashisms
@ -58,7 +58,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
      - name: Install lint utilities
        run: sudo apt install shellcheck
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@ -12,44 +12,30 @@ on:
    # Runs every Monday morning PST
    - cron: "17 15 * * 1"
-# Cancel in-progress runs for pull requests when developers push
+# Cancel in-progress runs for pull requests when developers push additional
-# additional changes, and serialize builds in branches.
+# changes, and serialize builds in branches.
 # https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 jobs:
-  audit-ci:
+  audit:
    name: Audit node modules
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
-      - name: Install Node.js v16
+      - name: Install Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
        with:
-          node-version: "16"
+          node-version-file: .node-version
-      - name: Fetch dependencies from cache
+      - name: Audit npm for vulnerabilities
-        id: cache-yarn
+        run: npm audit
        uses: actions/cache@v3
        with:
          path: "**/node_modules"
          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            yarn-build-
      - name: Install dependencies
        if: steps.cache-yarn.outputs.cache-hit != 'true'
        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
      - name: Audit for vulnerabilities
        run: yarn _audit
        if: success()
  trivy-scan-repo:
@ -57,15 +43,15 @@ jobs:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@e55de85beea5fcec743de6bb6bc56943a0af3c33
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
        with:
          scan-type: "fs"
          scan-ref: "."
@ -76,7 +62,7 @@ jobs:
          severity: "HIGH,CRITICAL"
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-repo-results.sarif"
@ -86,21 +72,21 @@ jobs:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/autobuild to send a status report
    name: Analyze with CodeQL
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
        with:
          config-file: ./.github/codeql-config.yml
          languages: javascript
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
--- a/.github/workflows/trivy-docker.yaml
+++ b/.github/workflows/trivy-docker.yaml
@ -44,14 +44,14 @@ concurrency:
 jobs:
  trivy-scan-image:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
      - name: Run Trivy vulnerability scanner in image mode
-        uses: aquasecurity/trivy-action@e55de85beea5fcec743de6bb6bc56943a0af3c33
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
        with:
          image-ref: "docker.io/codercom/code-server:latest"
          ignore-unfixed: true
@ -60,6 +60,6 @@ jobs:
          severity: "HIGH,CRITICAL"
      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-image-results.sarif"
--- a/.node-version
+++ b/.node-version
@ -1 +1 @@
-16
+22.21.1
--- a/.prettierignore
+++ b/.prettierignore
@ -1,8 +1,10 @@
 lib/vscode
 lib/vscode-reh-web-linux-x64
 release-standalone
 release-packages
 release
 helm-chart
 test/scripts
 test/e2e/extensions/test-extension
 .pc
 package-lock.json
--- a/.tours/start-development.tour
+++ b/.tours/start-development.tour
@ -5,7 +5,7 @@
    {
      "file": "package.json",
      "line": 31,
-      "description": "## Commands\n\nTo start developing, make sure you have Node 16+ and the [required dependencies](https://github.com/Microsoft/vscode/wiki/How-to-Contribute#prerequisites) installed. Then, run the following commands:\n\n1. Install dependencies:\n>> yarn\n\n3. Start development mode (and watch for changes):\n>> yarn watch"
+      "description": "## Commands\n\nTo start developing, make sure you have Node 16+ and the [required dependencies](https://github.com/Microsoft/vscode/wiki/How-to-Contribute#prerequisites) installed. Then, run the following commands:\n\n1. Install dependencies:\n>> npm\n\n3. Start development mode (and watch for changes):\n>> npm run watch"
    },
    {
      "file": "src/node/app.ts",
@ -20,7 +20,7 @@
    {
      "file": "src/node/app.ts",
      "line": 62,
-      "description": "## That's it!\n\n\nThat's all there is to it! When this tour ends, your terminal session may stop, but just use `yarn watch` to start developing from here on out!\n\n\nIf you haven't already, be sure to check out these resources:\n- [Tour: Contributing](command:codetour.startTourByTitle?[\"Contributing\"])\n- [Docs: FAQ.md](https://github.com/coder/code-server/blob/main/docs/FAQ.md)\n- [Docs: CONTRIBUTING.md](https://github.com/coder/code-server/blob/main/docs/CONTRIBUTING.md)\n- [Community: GitHub Discussions](https://github.com/coder/code-server/discussions)\n- [Community: Slack](https://community.coder.com)"
+      "description": "## That's it!\n\n\nThat's all there is to it! When this tour ends, your terminal session may stop, but just use `npm run watch` to start developing from here on out!\n\n\nIf you haven't already, be sure to check out these resources:\n- [Tour: Contributing](command:codetour.startTourByTitle?[\"Contributing\"])\n- [Docs: FAQ.md](https://github.com/coder/code-server/blob/main/docs/FAQ.md)\n- [Docs: CONTRIBUTING.md](https://github.com/coder/code-server/blob/main/docs/CONTRIBUTING.md)\n- [Community: GitHub Discussions](https://github.com/coder/code-server/discussions)\n- [Community: Slack](https://community.coder.com)"
    }
  ]
 }
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -20,6 +20,791 @@ Code v99.99.999
 -->
 ## Unreleased
 Code v1.107.0
 ### Changed
 - Update to Code 1.107.0
 ### Added
 - New `--cookie-suffix` flag that can be used to add a suffix to the cookie when
  using the built-in password authentication. You can use this to avoid
  collisions with other instances of code-server.
 - Support a new property `authorizationHeaderToken` on the extension gallery
  configuration. This will be added to marketplace requests as a bearer token
  using the `Authorization` header.
 ## [4.106.3](https://github.com/coder/code-server/releases/tag/v4.106.3) - 2025-12-01
 Code v1.106.3
 ### Changed
 - Update to Code 1.106.3
 ## [4.106.2](https://github.com/coder/code-server/releases/tag/v4.106.2) - 2025-11-19
 Code v1.106.2
 ### Changed
 - Update to Code 1.106.2
 ## [4.106.0](https://github.com/coder/code-server/releases/tag/v4.106.0) - 2025-11-19
 Code v1.106.0
 ### Changed
 - Update to Code 1.106.0
 ## [4.105.1](https://github.com/coder/code-server/releases/tag/v4.105.1) - 2025-10-20
 Code v1.105.1
 ### Changed
 - Update to Code 1.105.1
 ## [4.105.0](https://github.com/coder/code-server/releases/tag/v4.105.0) - 2025-10-17
 Code v1.105.0
 ### Changed
 - Update to Code 1.105.0
 ## [4.104.3](https://github.com/coder/code-server/releases/tag/v4.104.3) - 2025-10-07
 Code v1.104.3
 ### Changed
 - Update to Code 1.104.3.
 ## [4.104.2](https://github.com/coder/code-server/releases/tag/v4.104.2) - 2025-09-26
 Code v1.104.2
 ### Changed
 - Update to Code 1.104.2.
 ## [4.104.1](https://github.com/coder/code-server/releases/tag/v4.104.1) - 2025-09-19
 Code v1.104.1
 ### Changed
 - Update to Code 1.104.1.
 ## [4.104.0](https://github.com/coder/code-server/releases/tag/v4.104.0) - 2025-09-15
 Code v1.104.0
 ### Fixed
 - Fix "extension not found" errors from Open VSX when trying to install the
  latest version of an extension.
 ### Changed
 - Update to Code 1.104.0.
 ## [4.103.2](https://github.com/coder/code-server/releases/tag/v4.103.2) - 2025-08-25
 Code v1.103.2
 ### Changed
 - Update to Code 1.103.2.
 ## [4.103.1](https://github.com/coder/code-server/releases/tag/v4.103.1) - 2025-08-15
 Code v1.103.1
 ### Changed
 - Update to Code 1.103.1.
 ## [4.103.0](https://github.com/coder/code-server/releases/tag/v4.103.0) - 2025-08-12
 Code v1.103.0
 ### Changed
 - Update to Code 1.103.0.
 ## [4.102.2](https://github.com/coder/code-server/releases/tag/v4.102.2) - 2025-07-24
 Code v1.102.2
 ### Changed
 - Update to Code 1.102.2.
 ## [4.102.1](https://github.com/coder/code-server/releases/tag/v4.102.1) - 2025-07-17
 Code v1.102.1
 ### Changed
 - Update to Code 1.102.1.
 ## [4.102.0](https://github.com/coder/code-server/releases/tag/v4.102.0) - 2025-07-16
 Code v1.102.0
 ### Changed
 - Update to Code 1.102.0.
 ### Added
 - Custom strings can be configured using the `--i18n` flag set to a JSON
  file. This can be used for either translation (and can be used alongside
  `--locale`) or for customizing the strings. See
  [./src/node/i18n/locales/en.json](./src/node/i18n/locales/en.json) for the
  available keys.
 ## [4.101.2](https://github.com/coder/code-server/releases/tag/v4.101.2) - 2025-06-25
 Code v1.101.2
 ### Changed
 - Update to Code 1.101.2.
 ### Fixed
 - Fix web views not loading due to 401 when requesting the service worker.
 ## [4.101.1](https://github.com/coder/code-server/releases/tag/v4.101.1) - 2025-06-20
 Code v1.101.1
 ### Changed
 - Update to Code 1.101.1.
 ## [4.101.0](https://github.com/coder/code-server/releases/tag/v4.101.0) - 2025-06-20
 Code v1.101.0
 ### Changed
 - Update to Code 1.101.0.
 ## [4.100.3](https://github.com/coder/code-server/releases/tag/v4.100.3) - 2025-06-03
 Code v1.100.3
 ### Changed
 - Update to Code 1.100.3.
 ## [4.100.2](https://github.com/coder/code-server/releases/tag/v4.100.2) - 2025-05-15
 Code v1.100.2
 ### Changed
 - Update to Code 1.100.2.
 ## [4.100.1](https://github.com/coder/code-server/releases/tag/v4.100.1) - 2025-05-13
 Code v1.100.1
 ### Changed
 - Update to Code 1.100.1.
 ## [4.100.0](https://github.com/coder/code-server/releases/tag/v4.100.0) - 2025-05-12
 Code v1.100.0
 ### Added
 - Trusted domains for links can now be set at run-time by configuring
  `linkProtectionTrustedDomains` in the `lib/vscode/product.json` file or via
  the `--link-protection-trusted-domains` flag.
 ### Changed
 - Update to Code 1.100.0.
 - Disable extension signature verification, which previously was skipped by
  default (the package used for verification is not available to OSS builds of
  VS Code) but now reportedly throws hard errors making it impossible to install
  extensions.
 ### Fixed
 - Flags with repeatable options now work via the config file.
 ## [4.99.4](https://github.com/coder/code-server/releases/tag/v4.99.4) - 2025-05-02
 Code v1.99.3
 ### Security
 - Validate that ports in the path proxy are numbers, to prevent proxying to
  arbitrary domains.
 ## [4.99.3](https://github.com/coder/code-server/releases/tag/v4.99.3) - 2025-04-17
 Code v1.99.3
 ### Added
 - Added `--skip-auth-preflight` flag to let preflight requests through the
  proxy.
 ### Changed
 - Update to Code 1.99.3.
 ## [4.99.2](https://github.com/coder/code-server/releases/tag/v4.99.2) - 2025-04-10
 Code v1.99.2
 ### Changed
 - Update to Code 1.99.2.
 ## [4.99.1](https://github.com/coder/code-server/releases/tag/v4.99.1) - 2025-04-08
 Code v1.99.1
 ### Changed
 - Update to Code 1.99.1.
 ## [4.99.0](https://github.com/coder/code-server/releases/tag/v4.99.0) - 2025-04-07
 Code v1.99.0
 ### Changed
 - Update to Code 1.99.0.
 ## [4.98.0](https://github.com/coder/code-server/releases/tag/v4.98.0) - 2025-03-07
 Code v1.98.0
 ### Changed
 - Update to Code 1.98.0.
 ## [4.97.2](https://github.com/coder/code-server/releases/tag/v4.96.4) - 2025-02-18
 Code v1.97.2
 ### Added
 - Added back macOS amd64 builds.
 ### Changed
 - Update to Code 1.97.2.
 - Softened dark mode login page colors.
 ## [4.96.4](https://github.com/coder/code-server/releases/tag/v4.96.4) - 2025-01-20
 Code v1.96.4
 ### Changed
 - Update to Code 1.96.4.
 ## [4.96.2](https://github.com/coder/code-server/releases/tag/v4.96.2) - 2024-12-20
 Code v1.96.2
 ### Changed
 - Update to Code 1.96.2.
 ## [4.96.1](https://github.com/coder/code-server/releases/tag/v4.96.1) - 2024-12-18
 Code v1.96.1
 ### Added
 - Dark color scheme for login and error pages.
 ### Changed
 - Update to Code 1.96.1.
 ## [4.95.3](https://github.com/coder/code-server/releases/tag/v4.95.3) - 2024-11-18
 Code v1.95.3
 ### Changed
 - Update to Code 1.95.3.
 ## [4.95.2](https://github.com/coder/code-server/releases/tag/v4.95.2) - 2024-11-12
 Code v1.95.2
 ### Changed
 - Update to Code 1.95.2.
 ## [4.95.1](https://github.com/coder/code-server/releases/tag/v4.95.1) - 2024-11-06
 Code v1.95.1
 ### Changed
 - Update to Code 1.95.1.
 ## [4.93.1](https://github.com/coder/code-server/releases/tag/v4.93.1) - 2024-09-23
 Code v1.93.1
 ### Changed
 - Updated to Code 1.93.1.
 ### Added
 - Added `--abs-proxy-base-path` flag for when code-server is not at the root.
 ## [4.92.2](https://github.com/coder/code-server/releases/tag/v4.92.2) - 2024-08-19
 Code v1.92.2
 ### Breaking changes
 - Dropped a patch that changed the compile target from es2022 to es2020 because
  it no longer works with the way VS Code uses static properties. This may break
  older browsers, so those browsers will either have to be updated or use an
  older version of code-server.
 ### Changed
 - Updated to Code 1.92.2.
 ## [4.91.0](https://github.com/coder/code-server/releases/tag/v4.91.0) - 2024-07-10
 Code v1.91.0
 ### Changed
 - Updated to Code 1.91.0.
 ## [4.90.3](https://github.com/coder/code-server/releases/tag/v4.90.3) - 2024-06-21
 Code v1.90.2
 ### Changed
 - Updated to Code 1.90.2.
 ### Fixed
 - When the log gets rotated it will no longer incorrectly be moved to a new
  directory created in the current working directory named with a date.
  Instead, the file itself is prepended with the date and kept in the same
  directory, as originally intended.
 ## [4.90.2](https://github.com/coder/code-server/releases/tag/v4.90.2) - 2024-06-14
 Code v1.90.1
 ### Changed
 - Updated to Code 1.90.1.
 ## [4.90.1](https://github.com/coder/code-server/releases/tag/v4.90.1) - 2024-06-12
 Code v1.90.0
 ### Fixed
 - Cache a call to get CPU information used in telemetry that could result in a
  lack responsiveness if it was particularly slow.
 ## [4.90.0](https://github.com/coder/code-server/releases/tag/v4.90.0) - 2024-06-11
 Code v1.90.0
 ### Changed
 - Updated to Code 1.90.0.
 - Updated Node to 20.11.1.
 ### Added
 - Send contents to the clipboard in the integrated terminal by piping to
  `code-server --stdin-to-clipboard` or `code-server -c`.
  You may want to make this an alias:
  ```
  alias xclip="code-server --stdin-to-clipboard"
  echo -n "hello world" | xclip
  ```
 ## [4.89.1](https://github.com/coder/code-server/releases/tag/v4.89.1) - 2024-04-14
 Code v1.89.1
 ### Changed
 - Updated to Code 1.89.1.
 ## [4.89.0](https://github.com/coder/code-server/releases/tag/v4.89.0) - 2024-04-08
 Code v1.89.0
 ### Changed
 - Updated to Code 1.89.0.
 ## [4.23.1](https://github.com/coder/code-server/releases/tag/v4.23.1) - 2024-04-15
 Code v1.88.1
 ### Changed
 - Updated to Code 1.88.1.
 ## [4.23.0](https://github.com/coder/code-server/releases/tag/v4.23.0) - 2024-04-08
 Code v1.88.0
 ### Changed
 - Updated to Code 1.88.0.
 - Updated Node to 18.18.2.
 ### Fixed
 - Fix masking the exit code when failing to install extensions on the command
  line outside the integrated terminal. Installing extensions inside the
  integrated terminal still masks the exit code and is an upstream bug.
 ## [4.22.1](https://github.com/coder/code-server/releases/tag/v4.22.1) - 2024-03-14
 Code v1.87.2
 ### Changed
 - Updated to Code 1.87.2.
 - Enable keep-alive for proxy agent.
 ## [4.22.0](https://github.com/coder/code-server/releases/tag/v4.22.0) - 2024-03-03
 Code v1.87.0
 ### Changed
 - Updated to Code 1.87.0.
 ## [4.21.2](https://github.com/coder/code-server/releases/tag/v4.21.2) - 2024-02-28
 Code v1.86.2
 ### Changed
 - Updated to Code 1.86.2.
 ## [4.21.1](https://github.com/coder/code-server/releases/tag/v4.21.1) - 2024-02-09
 Code v1.86.1
 ### Changed
 - Updated to Code 1.86.1.
 - Updated to Node 18.17.1.
 ### Added
 - Docker images for Fedora and openSUSE.
 ## [4.21.0](https://github.com/coder/code-server/releases/tag/v4.21.0) - 2024-02-05
 Code v1.86.0
 ### Changed
 - Updated to Code 1.86.0.
 ## [4.20.1](https://github.com/coder/code-server/releases/tag/v4.20.1) - 2024-01-22
 Code v1.85.2
 ### Changed
 - Updated to Code 1.85.2.
 ### Fixed
 - Query variables are no longer double-encoded when going over the path proxy.
 ## [4.20.0](https://github.com/coder/code-server/releases/tag/v4.20.0) - 2023-12-21
 Code v1.85.1
 ### Added
 - New flag `--disable-file-uploads` to disable uploading files to the remote by
  drag and drop and to disable opening local files via the "show local" button
  in the file open prompt. Note that you can still open local files by drag and
  dropping the file onto the editor pane.
 - Added `wget` to the release image.
 ### Changed
 - Updated to Code 1.85.1.
 - The `--disable-file-downloads` flag will now disable the "show local" button
  in the file save prompt as well.
 - Debian release image updated to use Bookworm.
 ## [4.19.1](https://github.com/coder/code-server/releases/tag/v4.19.1) - 2023-11-29
 Code v1.84.2
 ### Fixed
 - Fixed an issue where parts of the editor would not load (like the file
  explorer, source control, etc) when using a workspace file.
 ## [4.19.0](https://github.com/coder/code-server/releases/tag/v4.19.0) - 2023-11-18
 Code v1.84.2
 ### Changed
 - Updated to Code 1.84.2.
 ## [4.18.0](https://github.com/coder/code-server/releases/tag/v4.18.0) - 2023-10-20
 Code v1.83.1
 ### Changed
 - Updated to Code 1.83.1.
 ## [4.17.1](https://github.com/coder/code-server/releases/tag/v4.17.1) - 2023-09-29
 Code v1.82.2
 ### Fixed
 - Make secret storage persistent. For example, logging in with GitHub should
  persist between browser refreshes and code-server restarts.
 - Issues with argon2 on arm builds should be fixed now.
 ## [4.17.0](https://github.com/coder/code-server/releases/tag/v4.17.0) - 2023-09-22
 Code v1.82.2
 ### Added
 - Japanese locale.
 - `CODE_SERVER_HOST` environment variable.
 ### Changed
 - Update to Code 1.82.2. This includes an update to Node 18, which also means
  that the minimum glibc is now 2.28. If you need to maintain a lower glibc then
  you can take a version of Node 18 that is compiled with a lower glibc and use
  that to build code-server (or at a minimum rebuild the native modules).
 - Display paths to config files in full rather than abbreviated. If you have
  trouble with the password not working please update and make sure the
  displayed config paths are what you expect.
 ### Fixed
 - Fix some dependency issues for the standalone arm64 and armv7l releases. If
  you had issues with missing or failing modules please try these new builds.
 ## [4.16.1](https://github.com/coder/code-server/releases/tag/v4.16.1) - 2023-07-31
 Code v1.80.2
 ### Changed
 - Updated to Code 1.80.2.
 ## [4.16.0](https://github.com/coder/code-server/releases/tag/v4.16.0) - 2023-07-28
 Code v1.80.1
 ### Added
 - `--disable-proxy` flag. This disables the domain and path proxies but it does
  not disable the ports panel in Code. That can be disabled by using
  `remote.autoForwardPorts=false` in your settings.
 ## [4.15.0](https://github.com/coder/code-server/releases/tag/v4.15.0) - 2023-07-21
 Code v1.80.1
 ### Changed
 - Updated to Code 1.80.1.
 ### Added
 - `--trusted-origin` flag for specifying origins that you trust but do not
  control (for example a reverse proxy).
 Code v1.79.2
 ## [4.14.1](https://github.com/coder/code-server/releases/tag/v4.14.1) - 2023-06-26
 Code v1.79.2
 ### Security
 - Remove extra write permissions on the Node binary bundled with the linux-amd64
  tarball. If you extract the tar without a umask this could mean the Node
  binary would be unexpectedly writable.
 ### Fixed
 - Inability to launch multiple instances of code-server for different users.
 ### Added
 - `--session-socket` CLI flag to configure the location of the session socket.
  By default it will be placed in `<user data dir>/code-server-ipc.sock`.
 ## [4.14.0](https://github.com/coder/code-server/releases/tag/v4.14.0) - 2023-06-16
 Code v1.79.2
 ### Added
 - `--domain-proxy` now supports `{{port}}` and `{{host}}` template variables.
 ### Changed
 - Updated to Code 1.79.2
 - Files opened from an external terminal will now open in the most closely
  related window rather than in the last opened window.
 ## [4.13.0](https://github.com/coder/code-server/releases/tag/v4.13.0) - 2023-05-19
 Code v1.78.2
 ### Changed
 - Updated to Code 1.78.2.
 ### Fixed
 - Proxying files that contain non-ASCII characters.
 - Origin check when X-Forwarded-Host contains comma-separated hosts.
 ## [4.12.0](https://github.com/coder/code-server/releases/tag/v4.12.0) - 2023-04-21
 Code v1.77.3
 ### Changed
 - Updated to Code 1.77.3
 - Ports panel will use domain-based proxy (instead of the default path-based
  proxy) when set via --proxy-domain.
 - Apply --app-name to the PWA title.
 ### Added
 - Thai translation for login page.
 - Debug logs around the origin security check. If you are getting forbidden
  errors on web sockets please run code-server with `--log debug` to see why the
  requests are being blocked.
 ## [4.11.0](https://github.com/coder/code-server/releases/tag/v4.11.0) - 2023-03-16
 Code v1.76.1
 ### Changed
 - Updated to Code 1.76.1
 ## [4.10.1](https://github.com/coder/code-server/releases/tag/v4.10.1) - 2023-03-04
 Code v1.75.1
 ### Security
 Added an origin check to web sockets to prevent cross-site hijacking attacks on
 users using older or niche browser that do not support SameSite cookies and
 attacks across sub-domains that share the same root domain.
 The check requires the host header to be set so if you use a reverse proxy
 ensure it forwards that information otherwise web sockets will be blocked.
 ## [4.10.0](https://github.com/coder/code-server/releases/tag/v4.10.0) - 2023-02-15
 Code v1.75.1
 ### Changed
 - Updated to Code 1.75.1
 ### Removed
 - Removed `--link` (was deprecated over thirteen months ago in 4.0.1).
 ## [4.9.1](https://github.com/coder/code-server/releases/tag/v4.9.1) - 2022-12-15
 Code v1.73.1
 ### Changed
 - Updated a couple steps in the build and release process to ensure we're using
  `npm` and `yarn` consistently depending on the step.
 ### Fixed
 - Fixed an issue with code-server version not displaying in the Help > About window.
 - Fixed terminal not loading on macOS clients.
 ## [4.9.0](https://github.com/coder/code-server/releases/tag/v4.9.0) - 2022-12-06
 Code v1.73.1
 ### Changed
 - Upgraded to Code 1.73.1
 ### Added
 - `/security.txt` added as a route with info on our security policy information thanks to @ghuntley
 ### Fixed
 - Installing on majaro images should now work thanks to @MrPeacockNLB for
  adding the `--noconfirm` flag in `install.sh`
 ### Known Issues
 - `--cert` on Ubuntu 22.04: OpenSSL v3 is used which breaks `pem` meaning the
  `--cert` feature will not work. [Reference](https://github.com/adobe/fetch/pull/318#issuecomment-1306070259)
 ## [4.8.3](https://github.com/coder/code-server/releases/tag/v4.8.3) - 2022-11-07
 Code v1.72.1
 ### Added
 - install script now supports arch-like (i.e. manjaro, endeavourous, etc.)
  architectures
 ### Changed
 - Updated text in the Getting Started page.
 ## [4.8.2](https://github.com/coder/code-server/releases/tag/v4.8.2) - 2022-11-02
 Code v1.72.1
@ -93,7 +878,7 @@ Code v1.71.0
 ### Fixed
- Add flags --unsafe-perm --legacy-peer-deps in `npm-postinstsall.sh` which ensures installing with npm works correctly
+- Add flags --unsafe-perm --legacy-peer-deps in `npm-postinstall.sh` which ensures installing with npm works correctly
 ## [4.6.1](https://github.com/coder/code-server/releases/tag/v4.6.1) - 2022-09-31
@ -141,7 +926,6 @@ Code v1.68.1
  would be accessible at `my.domain/proxy/8000/` without any authentication.
  If all of the following apply to you please update as soon as possible:
  - You run code-server with the built-in password authentication.
  - You run unprotected HTTP services on ports accessible by code-server.
--- a/ci/README.md
+++ b/ci/README.md
@ -16,20 +16,18 @@ This directory contains scripts used for the development of code-server.
 - [./ci/dev/image](./dev/image)
  - See [./docs/CONTRIBUTING.md](../docs/CONTRIBUTING.md) for docs on the development container.
- [./ci/dev/fmt.sh](./dev/fmt.sh) (`yarn fmt`)
+- [./ci/dev/fmt.sh](./dev/fmt.sh) (`npm run fmt`)
  - Runs formatters.
- [./ci/dev/lint.sh](./dev/lint.sh) (`yarn lint`)
+- [./ci/dev/lint.sh](./dev/lint.sh) (`npm run lint`)
  - Runs linters.
- [./ci/dev/test-unit.sh](./dev/test-unit.sh) (`yarn test:unit`)
+- [./ci/dev/test-unit.sh](./dev/test-unit.sh) (`npm run test:unit`)
  - Runs unit tests.
- [./ci/dev/test-e2e.sh](./dev/test-e2e.sh) (`yarn test:e2e`)
+- [./ci/dev/test-e2e.sh](./dev/test-e2e.sh) (`npm run test:e2e`)
  - Runs end-to-end tests.
- [./ci/dev/ci.sh](./dev/ci.sh) (`yarn ci`)
+- [./ci/dev/watch.ts](./dev/watch.ts) (`npm run watch`)
  - Runs `yarn fmt`, `yarn lint` and `yarn test`.
 - [./ci/dev/watch.ts](./dev/watch.ts) (`yarn watch`)
  - Starts a process to build and launch code-server and restart on any code changes.
  - Example usage in [./docs/CONTRIBUTING.md](../docs/CONTRIBUTING.md).
- [./ci/dev/gen_icons.sh](./ci/dev/gen_icons.sh) (`yarn icons`)
+- [./ci/dev/gen_icons.sh](./dev/gen_icons.sh) (`npm run icons`)
  - Generates the various icons from a single `.svg` favicon in
    `src/browser/media/favicon.svg`.
  - Requires [imagemagick](https://imagemagick.org/index.php)
@ -39,20 +37,20 @@ This directory contains scripts used for the development of code-server.
 This directory contains the scripts used to build and release code-server.
 You can disable minification by setting `MINIFY=`.
- [./ci/build/build-code-server.sh](./build/build-code-server.sh) (`yarn build`)
+- [./ci/build/build-code-server.sh](./build/build-code-server.sh) (`npm run build`)
  - Builds code-server into `./out` and bundles the frontend into `./dist`.
- [./ci/build/build-vscode.sh](./build/build-vscode.sh) (`yarn build:vscode`)
+- [./ci/build/build-vscode.sh](./build/build-vscode.sh) (`npm run build:vscode`)
  - Builds vscode into `./lib/vscode/out-vscode`.
- [./ci/build/build-release.sh](./build/build-release.sh) (`yarn release`)
+- [./ci/build/build-release.sh](./build/build-release.sh) (`npm run release`)
  - Bundles the output of the above two scripts into a single node module at `./release`.
- [./ci/build/clean.sh](./build/clean.sh) (`yarn clean`)
+- [./ci/build/clean.sh](./build/clean.sh) (`npm run clean`)
  - Removes all build artifacts.
  - Useful to do a clean build.
 - [./ci/build/code-server.sh](./build/code-server.sh)
  - Copied into standalone releases to run code-server with the bundled node binary.
- [./ci/build/test-standalone-release.sh](./build/test-standalone-release.sh) (`yarn test:standalone-release`)
+- [./ci/build/test-standalone-release.sh](./build/test-standalone-release.sh) (`npm run test:standalone-release`)
  - Ensures code-server in the `./release-standalone` directory works by installing an extension.
- [./ci/build/build-packages.sh](./build/build-packages.sh) (`yarn package`)
+- [./ci/build/build-packages.sh](./build/build-packages.sh) (`npm run package`)
  - Packages `./release-standalone` into a `.tar.gz` archive in `./release-packages`.
  - If on linux, [nfpm](https://github.com/goreleaser/nfpm) is used to generate `.deb` and `.rpm`.
 - [./ci/build/nfpm.yaml](./build/nfpm.yaml)
@ -61,21 +59,21 @@ You can disable minification by setting `MINIFY=`.
  - Entrypoint script for code-server for `.deb` and `.rpm`.
 - [./ci/build/code-server.service](./build/code-server.service)
  - systemd user service packaged into the `.deb` and `.rpm`.
- [./ci/build/release-github-draft.sh](./build/release-github-draft.sh) (`yarn release:github-draft`)
+- [./ci/build/release-github-draft.sh](./build/release-github-draft.sh) (`npm run release:github-draft`)
  - Uses [gh](https://github.com/cli/cli) to create a draft release with a template description.
- [./ci/build/release-github-assets.sh](./build/release-github-assets.sh) (`yarn release:github-assets`)
+- [./ci/build/release-github-assets.sh](./build/release-github-assets.sh) (`npm run release:github-assets`)
  - Downloads the release-package artifacts for the current commit from CI.
  - Uses [gh](https://github.com/cli/cli) to upload the artifacts to the release
    specified in `package.json`.
 - [./ci/build/npm-postinstall.sh](./build/npm-postinstall.sh)
  - Post install script for the npm package.
-  - Bundled by`yarn release`.
+  - Bundled by`npm run release`.
 ## release-image
 This directory contains the release docker container image.
- [./ci/steps/build-docker-buildx-push.sh](./ci/steps/docker-buildx-push.sh)
+- [./ci/steps/build-docker-buildx-push.sh](./steps/docker-buildx-push.sh)
  - Builds the release containers with tags `codercom/code-server-$ARCH:$VERSION` for amd64 and arm64 with `docker buildx` and pushes them.
  - Assumes debian releases are ready in `./release-packages`.
@ -89,15 +87,15 @@ This directory contains the scripts used in CI.
 Helps avoid clobbering the CI configuration.
 - [./steps/fmt.sh](./steps/fmt.sh)
-  - Runs `yarn fmt`.
+  - Runs `npm run fmt`.
 - [./steps/lint.sh](./steps/lint.sh)
-  - Runs `yarn lint`.
+  - Runs `npm run lint`.
 - [./steps/test-unit.sh](./steps/test-unit.sh)
-  - Runs `yarn test:unit`.
+  - Runs `npm run test:unit`.
 - [./steps/test-integration.sh](./steps/test-integration.sh)
-  - Runs `yarn test:integration`.
+  - Runs `npm run test:integration`.
 - [./steps/test-e2e.sh](./steps/test-e2e.sh)
-  - Runs `yarn test:e2e`.
+  - Runs `npm run test:e2e`.
 - [./steps/release.sh](./steps/release.sh)
  - Runs the release process.
  - Generates the npm package at `./release`.
--- a/ci/build/build-code-server.sh
+++ b/ci/build/build-code-server.sh
@ -14,22 +14,6 @@ main() {
    sed -i.bak "1s;^;#!/usr/bin/env node\n;" out/node/entry.js && rm out/node/entry.js.bak
    chmod +x out/node/entry.js
  fi
  # for arch; we do not use OS from lib.sh and get our own.
  # lib.sh normalizes macos to darwin - but cloud-agent's binaries do not
  source ./ci/lib.sh
  OS="$(uname | tr '[:upper:]' '[:lower:]')"
  mkdir -p ./lib
  if ! [ -f ./lib/coder-cloud-agent ]; then
    echo "Downloading the cloud agent..."
    set +e
    curl -fsSL "https://github.com/coder/cloud-agent/releases/latest/download/cloud-agent-$OS-$ARCH" -o ./lib/coder-cloud-agent
    chmod +x ./lib/coder-cloud-agent
    set -e
  fi
 }
 main "$@"
--- a/ci/build/build-packages.sh
+++ b/ci/build/build-packages.sh
@ -1,8 +1,10 @@
 #!/usr/bin/env bash
 set -euo pipefail
-# Packages code-server for the current OS and architecture into ./release-packages.
+# Given a platform-specific release found in ./release-standalone, generate an
-# This script assumes that a standalone release is built already into ./release-standalone
+# compressed archives and bundles (as appropriate for the platform) named after
 # the platform's architecture and OS and place them in ./release-packages and
 # ./release-gcp.
 main() {
  cd "$(dirname "${0}")/../.."
@ -27,7 +29,7 @@ main() {
 release_archive() {
  local release_name="code-server-$VERSION-$OS-$ARCH"
  if [[ $OS == "linux" ]]; then
-    tar -czf "release-packages/$release_name.tar.gz" --transform "s/^\.\/release-standalone/$release_name/" ./release-standalone
+    tar -czf "release-packages/$release_name.tar.gz" --owner=0 --group=0 --transform "s/^\.\/release-standalone/$release_name/" ./release-standalone
  else
    tar -czf "release-packages/$release_name.tar.gz" -s "/^release-standalone/$release_name/" release-standalone
  fi
@ -50,11 +52,6 @@ release_nfpm() {
  export NFPM_ARCH
  # Code deletes some files from the extension node_modules directory which
  # leaves broken symlinks in the corresponding .bin directory.  nfpm will fail
  # on these broken symlinks so clean them up.
  rm -fr "./release-standalone/lib/vscode/extensions/node_modules/.bin"
  PKG_FORMAT="deb"
  NFPM_ARCH="$(get_nfpm_arch $PKG_FORMAT "$ARCH")"
  nfpm_config="$(envsubst < ./ci/build/nfpm.yaml)"
--- a/ci/build/build-release.sh
+++ b/ci/build/build-release.sh
@ -1,13 +1,16 @@
 #!/usr/bin/env bash
 set -euo pipefail
-# This script requires vscode to be built with matching MINIFY.
+# Once both code-server and VS Code have been built, use this script to copy
 # them into a single directory (./release), prepare the package.json and
 # product.json, and add shrinkwraps.  This results in a generic NPM package that
 # we published to NPM and also use to compile platform-specific packages.
-# MINIFY controls whether minified vscode is bundled.
+# MINIFY controls whether minified VS Code is bundled. It must match the value
 # used when VS Code was built.
 MINIFY="${MINIFY-true}"
-# KEEP_MODULES controls whether the script cleans all node_modules requiring a yarn install
+# node_modules are not copied by default.  Set KEEP_MODULES=1 to copy them.
 # to run first.
 KEEP_MODULES="${KEEP_MODULES-0}"
 main() {
@ -41,12 +44,8 @@ bundle_code_server() {
  rsync src/browser/pages/*.css "$RELEASE_PATH/src/browser/pages"
  rsync src/browser/robots.txt "$RELEASE_PATH/src/browser"
  # Add typings for plugins
  mkdir -p "$RELEASE_PATH/typings"
  rsync typings/pluginapi.d.ts "$RELEASE_PATH/typings"
  # Adds the commit to package.json
-  jq --slurp '.[0] * .[1]' package.json <(
+  jq --slurp '(.[0] | del(.scripts,.jest,.devDependencies)) * .[1]' package.json <(
    cat << EOF
  {
    "commit": "$(git rev-parse HEAD)",
@ -56,15 +55,12 @@ bundle_code_server() {
  }
 EOF
  ) > "$RELEASE_PATH/package.json"
  rsync yarn.lock "$RELEASE_PATH"
  mv npm-shrinkwrap.json "$RELEASE_PATH"
  rsync ci/build/npm-postinstall.sh "$RELEASE_PATH/postinstall.sh"
  if [ "$KEEP_MODULES" = 1 ]; then
    rsync node_modules/ "$RELEASE_PATH/node_modules"
    mkdir -p "$RELEASE_PATH/lib"
    rsync ./lib/coder-cloud-agent "$RELEASE_PATH/lib"
  fi
 }
@ -91,51 +87,50 @@ bundle_vscode() {
  rsync "${rsync_opts[@]}" ./lib/vscode-reh-web-*/ "$VSCODE_OUT_PATH"
-  # Use the package.json for the web/remote server.  It does not have the right
+  # Merge the package.json for the web/remote server so we can include
-  # version though so pull that from the main package.json.
+  # dependencies, since we want to ship this via NPM.
-  jq --slurp '.[0] * {version: .[1].version}' \
+  jq --slurp '.[0] * .[1]' \
    "$VSCODE_SRC_PATH/remote/package.json" \
-    "$VSCODE_SRC_PATH/package.json" > "$VSCODE_OUT_PATH/package.json"
+    "$VSCODE_OUT_PATH/package.json" > "$VSCODE_OUT_PATH/package.json.merged"
-
+  mv "$VSCODE_OUT_PATH/package.json.merged" "$VSCODE_OUT_PATH/package.json"
-  rsync "$VSCODE_SRC_PATH/remote/yarn.lock" "$VSCODE_OUT_PATH/yarn.lock"
+  cp "$VSCODE_SRC_PATH/remote/npm-shrinkwrap.json" "$VSCODE_OUT_PATH/npm-shrinkwrap.json"
  mv "$VSCODE_SRC_PATH/remote/npm-shrinkwrap.json" "$VSCODE_OUT_PATH/npm-shrinkwrap.json"
  # Include global extension dependencies as well.
  rsync "$VSCODE_SRC_PATH/extensions/package.json" "$VSCODE_OUT_PATH/extensions/package.json"
-  rsync "$VSCODE_SRC_PATH/extensions/yarn.lock" "$VSCODE_OUT_PATH/extensions/yarn.lock"
+  cp "$VSCODE_SRC_PATH/extensions/npm-shrinkwrap.json" "$VSCODE_OUT_PATH/extensions/npm-shrinkwrap.json"
  mv "$VSCODE_SRC_PATH/extensions/npm-shrinkwrap.json" "$VSCODE_OUT_PATH/extensions/npm-shrinkwrap.json"
  rsync "$VSCODE_SRC_PATH/extensions/postinstall.mjs" "$VSCODE_OUT_PATH/extensions/postinstall.mjs"
 }
 create_shrinkwraps() {
-  # yarn.lock or package-lock.json files (used to ensure deterministic versions of dependencies) are
+  # package-lock.json files (used to ensure deterministic versions of
-  # not packaged when publishing to the NPM registry.
+  # dependencies) are not packaged when publishing to the NPM registry.
-  # To ensure deterministic dependency versions (even when code-server is installed with NPM), we create
+  #
-  # an npm-shrinkwrap.json file from the currently installed node_modules. This ensures the versions used
+  # To ensure deterministic dependency versions (even when code-server is
-  # from development (that the yarn.lock guarantees) are also the ones installed by end-users.
+  # installed with NPM), we create an npm-shrinkwrap.json file from the
-  # These will include devDependencies, but those will be ignored when installing globally (for code-server), and
+  # currently installed node_modules. This ensures the versions used from
-  # because we use --omit=dev when installing vscode.
+  # development (that the package-lock.json guarantees) are also the ones
  # installed by end-users.  These will include devDependencies, but those will
  # be ignored when installing globally (for code-server), and because we use
  # --omit=dev (for VS Code).
-  # We first generate the shrinkwrap file for code-server itself - which is the current directory
+  # We first generate the shrinkwrap file for code-server itself - which is the
-  create_shrinkwrap_keeping_yarn_lock
+  # current directory.
  cp package-lock.json package-lock.json.temp
  npm shrinkwrap
  mv package-lock.json.temp package-lock.json
-  # Then the shrinkwrap files for the bundled VSCode
+  # Then the shrinkwrap files for the bundled VS Code.
  pushd "$VSCODE_SRC_PATH/remote/"
-  create_shrinkwrap_keeping_yarn_lock
+  cp package-lock.json package-lock.json.temp
  npm shrinkwrap
  mv package-lock.json.temp package-lock.json
  popd
  pushd "$VSCODE_SRC_PATH/extensions/"
-  create_shrinkwrap_keeping_yarn_lock
+  cp package-lock.json package-lock.json.temp
  npm shrinkwrap
  mv package-lock.json.temp package-lock.json
  popd
 }
 create_shrinkwrap_keeping_yarn_lock() {
  # HACK@edvincent: Generating a shrinkwrap alters the yarn.lock which we don't want (with NPM URLs rather than the Yarn URLs)
  # But to generate a valid shrinkwrap, it has to exist... So we copy it to then restore it
  cp yarn.lock yarn.lock.temp
  npm shrinkwrap
  cp yarn.lock.temp yarn.lock
  rm yarn.lock.temp
 }
 main "$@"
--- a/ci/build/build-standalone-release.sh
+++ b/ci/build/build-standalone-release.sh
@ -1,9 +1,9 @@
 #!/usr/bin/env bash
 set -euo pipefail
-# This is due to an upstream issue with RHEL7/CentOS 7 comptability with node-argon2
+# Once we have an NPM package, use this script to copy it to a separate
-# See: https://github.com/cdr/code-server/pull/3422#pullrequestreview-677765057
+# directory (./release-standalone) and install the dependencies.  This new
-export npm_config_build_from_source=true
+# directory can then be packaged as a platform-specific release.
 main() {
  cd "$(dirname "${0}")/../.."
@ -13,19 +13,24 @@ main() {
  rsync "$RELEASE_PATH/" "$RELEASE_PATH-standalone"
  RELEASE_PATH+=-standalone
-  # We cannot find the path to node from $PATH because yarn shims a script to ensure
+  # Package managers may shim their own "node" wrapper into the PATH, so run
-  # we use the same version it's using so we instead run a script with yarn that
+  # node and ask it for its true path.
  # will print the path to node.
  local node_path
-  node_path="$(yarn -s node <<< 'console.info(process.execPath)')"
+  node_path="$(node -p process.execPath)"
  mkdir -p "$RELEASE_PATH/bin"
  mkdir -p "$RELEASE_PATH/lib"
  rsync ./ci/build/code-server.sh "$RELEASE_PATH/bin/code-server"
  rsync "$node_path" "$RELEASE_PATH/lib/node"
  chmod 755 "$RELEASE_PATH/lib/node"
  pushd "$RELEASE_PATH"
  npm install --unsafe-perm --omit=dev
  # Code deletes some files from the extension node_modules directory which
  # leaves broken symlinks in the corresponding .bin directory.  nfpm will fail
  # on these broken symlinks so clean them up.
  rm -fr "./lib/vscode/extensions/node_modules/.bin"
  popd
 }
--- a/ci/build/build-vscode.sh
+++ b/ci/build/build-vscode.sh
@ -15,7 +15,7 @@ copy-bin-script() {
  local dest="lib/vscode-reh-web-linux-x64/bin/$script"
  cp "lib/vscode/resources/server/bin/$script" "$dest"
  sed -i.bak "s/@@VERSION@@/$(vscode_version)/g" "$dest"
-  sed -i.bak "s/@@COMMIT@@/$VSCODE_DISTRO_COMMIT/g" "$dest"
+  sed -i.bak "s/@@COMMIT@@/$BUILD_SOURCEVERSION/g" "$dest"
  sed -i.bak "s/@@APPNAME@@/code-server/g" "$dest"
  # Fix Node path on Darwin and Linux.
@ -40,16 +40,29 @@ main() {
  source ./ci/lib.sh
  pushd lib/vscode
  # Set the commit Code will embed into the product.json.  We need to do this
  # since Code tries to get the commit from the `.git` directory which will fail
  # as it is a submodule.
-  export VSCODE_DISTRO_COMMIT
+  #
-  VSCODE_DISTRO_COMMIT=$(git rev-parse HEAD)
+  # Also, we use code-server's commit rather than VS Code's otherwise it would
  # not update when only our patch files change, and that will cause caching
  # issues where the browser keeps using outdated code.
  export BUILD_SOURCEVERSION
  BUILD_SOURCEVERSION=$(git rev-parse HEAD)
-  # Add the date, our name, links, and enable telemetry (this just makes
+  pushd lib/vscode
-  # telemetry available; telemetry can still be disabled by flag or setting).
+
  if [[ ! ${VERSION-} ]]; then
    echo "VERSION not set. Please set before running this script:"
    echo "VERSION='0.0.0' npm run build:vscode"
    exit 1
  fi
  # Add the date, our name, links, enable telemetry (this just makes telemetry
  # available; telemetry can still be disabled by flag or setting), and
  # configure trusted extensions (since some, like github.copilot-chat, never
  # ask to be trusted and this is the only way to get auth working).
  #
  # This needs to be done before building as Code will read this file and embed
  # it into the client-side code.
  git checkout product.json             # Reset in case the script exited early.
@ -83,6 +96,11 @@ main() {
    "linkProtectionTrustedDomains": [
      "https://open-vsx.org"
    ],
    "trustedExtensionAuthAccess": [
      "vscode.git", "vscode.github",
      "github.vscode-pull-request-github",
      "github.copilot", "github.copilot-chat"
    ],
    "aiConfig": {
      "ariaKey": "code-server"
    }
@ -94,7 +112,9 @@ EOF
  # this because we have an NPM package that could be installed on any platform.
  # The correct platform dependencies and scripts will be installed as part of
  # the post-install during `npm install` or when building a standalone release.
-  yarn gulp "vscode-reh-web-linux-x64${MINIFY:+-min}"
+  node --max-old-space-size=16384 --optimize-for-size \
       ./node_modules/gulp/bin/gulp.js \
       "vscode-reh-web-linux-x64${MINIFY:+-min}"
  # Reset so if you develop after building you will not be stuck with the wrong
  # commit (the dev client will use `oss-dev` but the dev server will still use
@ -103,6 +123,15 @@ EOF
  popd
  pushd lib/vscode-reh-web-linux-x64
  # Make sure Code took the version we set in the environment variable.  Not
  # having a version will break display languages.
  if ! jq -e .commit product.json; then
    echo "'commit' is missing from product.json"
    exit 1
  fi
  popd
  # These provide a `code-server` command in the integrated terminal to open
  # files in the current instance.
  delete-bin-script remote-cli/code-server
--- a/ci/build/nfpm.yaml
+++ b/ci/build/nfpm.yaml
@ -4,7 +4,7 @@ platform: "linux"
 version: "v${VERSION}"
 section: "devel"
 priority: "optional"
-maintainer: "Anmol Sethi <hi@nhooyr.io>"
+maintainer: "Joe Previte <joe@coder.com>"
 description: |
  Run VS Code in the browser.
 vendor: "Coder"
@ -22,4 +22,4 @@ contents:
    dst: /usr/lib/systemd/user/code-server.service
  - src: ./release-standalone/*
-    dst: /usr/lib/code-server/
+    dst: /usr/lib/code-server
--- a/ci/build/npm-postinstall.sh
+++ b/ci/build/npm-postinstall.sh
@ -1,18 +1,8 @@
 #!/usr/bin/env sh
 set -eu
-# Copied from ../lib.sh.
+# Copied from ../lib.sh except we do not rename Darwin and we do not need to
-arch() {
+# detect Alpine.
  cpu="$(uname -m)"
  case "$cpu" in
    aarch64) cpu=arm64 ;;
    x86_64) cpu=amd64 ;;
  esac
  echo "$cpu"
 }
 # Copied from ../lib.sh except we do not rename Darwin since the cloud agent
 # uses "darwin" in the release names and we do not need to detect Alpine.
 os() {
  osname=$(uname | tr '[:upper:]' '[:lower:]')
  case $osname in
@ -61,12 +51,19 @@ symlink_bin_script() {
  cd "$oldpwd"
 }
-ARCH="${NPM_CONFIG_ARCH:-$(arch)}"
+command_exists() {
-OS="$(os)"
+  if [ ! "$1" ]; then return 1; fi
  command -v "$@" > /dev/null
 }
-# This is due to an upstream issue with RHEL7/CentOS 7 comptability with node-argon2
+is_root() {
-# See: https://github.com/cdr/code-server/pull/3422#pullrequestreview-677765057
+  if command_exists id && [ "$(id -u)" = 0 ]; then
-export npm_config_build_from_source=true
+    return 0
  fi
  return 1
 }
 OS="$(os)"
 main() {
  # Grabs the major version of node from $npm_config_user_agent which looks like
@ -79,8 +76,8 @@ main() {
    echo "USE AT YOUR OWN RISK!"
  fi
-  if [ "$major_node_version" -ne "${FORCE_NODE_VERSION:-16}" ]; then
+  if [ "$major_node_version" -ne "${FORCE_NODE_VERSION:-22}" ]; then
-    echo "ERROR: code-server currently requires node v16."
+    echo "ERROR: code-server currently requires node v22."
    if [ -n "$FORCE_NODE_VERSION" ]; then
      echo "However, you have overrided the version check to use v$FORCE_NODE_VERSION."
    fi
@ -90,24 +87,19 @@ main() {
    exit 1
  fi
-  case "${npm_config_user_agent-}" in npm*)
+  # Under npm, if we are running as root, we need --unsafe-perm otherwise
-    # We are running under npm.
+  # post-install scripts will not have sufficient permissions to do their thing.
-    if [ "${npm_config_unsafe_perm-}" != "true" ]; then
+  if is_root; then
-      echo "Please pass --unsafe-perm to npm to install code-server"
+    case "${npm_config_user_agent-}" in npm*)
-      echo "Otherwise the postinstall script does not have permissions to run"
+      if [ "${npm_config_unsafe_perm-}" != "true" ]; then
-      echo "See https://docs.npmjs.com/misc/config#unsafe-perm"
+        echo "Please pass --unsafe-perm to npm to install code-server"
-      echo "See https://stackoverflow.com/questions/49084929/npm-sudo-global-installation-unsafe-perm"
+        echo "Otherwise post-install scripts will not have permissions to run"
-      exit 1
+        echo "See https://docs.npmjs.com/misc/config#unsafe-perm"
-    fi
+        echo "See https://stackoverflow.com/questions/49084929/npm-sudo-global-installation-unsafe-perm"
-    ;;
+        exit 1
-  esac
+      fi
-
+      ;;
-  mkdir -p ./lib
+    esac
  if curl -fsSL "https://github.com/coder/cloud-agent/releases/latest/download/cloud-agent-$OS-$ARCH" -o ./lib/coder-cloud-agent; then
    chmod +x ./lib/coder-cloud-agent
  else
    echo "Failed to download cloud agent; --link will not work"
  fi
  if ! vscode_install; then
@ -124,26 +116,18 @@ main() {
 }
 install_with_yarn_or_npm() {
-  # NOTE@edvincent: We want to keep using the package manager that the end-user was using to install the package.
+  echo "User agent: ${npm_config_user_agent-none}"
-  # This also ensures that when *we* run `yarn` in the development process, the yarn.lock file is used.
+  # For development we enforce npm, but for installing the package as an
  # end-user we want to keep using whatever package manager is in use.
  case "${npm_config_user_agent-}" in
-    yarn*)
+    npm*)
-      if [ -f "yarn.lock" ]; then
+      if ! npm install --unsafe-perm --omit=dev; then
-        yarn --production --frozen-lockfile --no-default-rc
+        return 1
      else
        echo "yarn.lock file not present, not running in development mode. use npm to install code-server!"
        exit 1
      fi
      ;;
-    npm*)
+    yarn*)
-      if [ -f "yarn.lock" ]; then
+      if ! yarn --production --frozen-lockfile --no-default-rc; then
-        echo "yarn.lock file present, running in development mode. use yarn to install code-server!"
+        return 1
        exit 1
      else
        # HACK: NPM's use of semver doesn't like resolving some peerDependencies that vscode (upstream) brings in the form of pre-releases.
        # The legacy behavior doesn't complain about pre-releases being used, falling back to that for now.
        # See https://github.com//pull/5071
        npm install --unsafe-perm --legacy-peer-deps --omit=dev
      fi
      ;;
    *)
@ -151,19 +135,26 @@ install_with_yarn_or_npm() {
      exit 1
      ;;
  esac
  return 0
 }
 vscode_install() {
  echo 'Installing Code dependencies...'
  cd lib/vscode
-  install_with_yarn_or_npm
+  if ! install_with_yarn_or_npm; then
    return 1
  fi
  symlink_asar
  symlink_bin_script remote-cli code code-server
  symlink_bin_script helpers browser browser .sh
  cd extensions
-  install_with_yarn_or_npm
+  if ! install_with_yarn_or_npm; then
    return 1
  fi
  return 0
 }
 main "$@"
--- a/ci/build/release-prep.sh
+++ b/ci/build/release-prep.sh
@ -1,103 +0,0 @@
 #!/usr/bin/env bash
 # Description: This is a script to make the release process easier
 # Run it with `yarn release:prep` and it will do the following:
 # 1. Check that you have gh installed and that you're signed in
 # 2. Update the version of code-server (package.json, docs, etc.)
 # 3. Update the code coverage badge in the README
 # 4. Open a draft PR using the release_template.md and view in browser
 # If you want to perform a dry run of this script run DRY_RUN=1 yarn release:prep
 set -euo pipefail
 CHECKMARK="\xE2\x9C\x94"
 DASH="-"
 main() {
  if [ "${DRY_RUN-}" = 1 ]; then
    echo "Performing a dry run..."
    CMD="echo"
  else
    CMD=''
  fi
  cd "$(dirname "$0")/../.."
  # Check that gh is installed
  if ! command -v gh &> /dev/null; then
    echo "gh could not be found."
    echo "We use this with the release-github-draft.sh and release-github-assets.sh scripts."
    echo -e "See docs here: https://github.com/cli/cli#installation"
    exit
  fi
  # Check that they have jq installed
  if ! command -v jq &> /dev/null; then
    echo "jq could not be found."
    echo "We use this to parse the package.json and grab the current version of code-server."
    echo -e "See docs here: https://stedolan.github.io/jq/download/"
    exit
  fi
  # Check that they have rg installed
  if ! command -v rg &> /dev/null; then
    echo "rg could not be found."
    echo "We use this when updating files across the codebase."
    echo -e "See docs here: https://github.com/BurntSushi/ripgrep#installation"
    exit
  fi
  # Check that they have node installed
  if ! command -v node &> /dev/null; then
    echo "node could not be found."
    echo "That's surprising..."
    echo "We use it in this script for getting the package.json version"
    echo -e "See docs here: https://nodejs.org/en/download/"
    exit
  fi
  # Check that gh is authenticated
  if ! gh auth status -h github.com &> /dev/null; then
    echo "gh isn't authenticated to github.com."
    echo "This is needed for our scripts that use gh."
    echo -e "See docs regarding authentication: https://cli.github.com/manual/gh_auth_login"
    exit
  fi
  # Note: we need to set upstream as well or the gh pr create step will fail
  # See: https://github.com/cli/cli/issues/575
  CURRENT_BRANCH=$(git branch | grep '\*' | cut -d' ' -f2-)
  if [[ -z $(git config "branch.${CURRENT_BRANCH}.remote") ]]; then
    echo "Doesn't look like you've pushed this branch to remote"
    # Note: we need to set upstream as well or the gh pr create step will fail
    # See: https://github.com/cli/cli/issues/575
    echo "Please set the upstream and then run the script"
    exit 1
  fi
  # credit to jakwuh for this solution
  # https://gist.github.com/DarrenN/8c6a5b969481725a4413#gistcomment-1971123
  CODE_SERVER_CURRENT_VERSION=$(node -pe "require('./package.json').version")
  # Ask which version we should update to
  # In the future, we'll automate this and determine the latest version automatically
  echo -e "$DASH Current version: ${CODE_SERVER_CURRENT_VERSION}"
  # The $'\n' adds a line break. See: https://stackoverflow.com/a/39581815/3015595
  CODE_SERVER_VERSION_TO_UPDATE=$(git rev-parse --abbrev-ref HEAD | perl -pe '($_)=/([0-9]+([.][0-9]+)+)/')
  echo -e "$CHECKMARK Version in branch name"
  echo -e "$CHECKMARK Updating to: $CODE_SERVER_VERSION_TO_UPDATE"
  $CMD rg -g '!yarn.lock' -g '!*.svg' -g '!CHANGELOG.md' -g '!lib/vscode/**' --files-with-matches --fixed-strings "${CODE_SERVER_CURRENT_VERSION}" | $CMD xargs sd "$CODE_SERVER_CURRENT_VERSION" "$CODE_SERVER_VERSION_TO_UPDATE"
  $CMD git commit --no-verify -am "chore(release): bump version to $CODE_SERVER_VERSION_TO_UPDATE"
  # This runs from the root so that's why we use this path vs. ../../
  RELEASE_TEMPLATE_STRING=$(cat ./.github/PULL_REQUEST_TEMPLATE/release_template.md)
  echo -e "\nOpening a draft PR on GitHub"
  # To read about these flags, visit the docs: https://cli.github.com/manual/gh_pr_create
  $CMD gh pr create --base main --title "release: $CODE_SERVER_VERSION_TO_UPDATE" --body "$RELEASE_TEMPLATE_STRING" --reviewer @coder/code-server --repo coder/code-server --draft --assignee "@me"
  # Open PR in browser
  $CMD gh pr view --web
 }
 main "$@"
--- a/ci/dev/audit.sh
+++ b/ci/dev/audit.sh
@ -1,12 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 main() {
  cd "$(dirname "$0")/../.."
  # Prevents integration with moderate or higher vulnerabilities
  # Docs: https://github.com/IBM/audit-ci#options
  yarn audit-ci --moderate
 }
 main "$@"
--- a/ci/dev/ci.sh
+++ b/ci/dev/ci.sh
@ -1,13 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 main() {
  cd "$(dirname "$0")/../.."
  yarn fmt
  yarn lint
  yarn _audit
  yarn test:unit
 }
 main "$@"
--- a/ci/dev/doctoc.sh
+++ b/ci/dev/doctoc.sh
@ -18,7 +18,7 @@ main() {
    echo "Files need generation or are formatted incorrectly:"
    git -c color.ui=always status | grep --color=no '\[31m'
    echo "Please run the following locally:"
-    echo "  yarn doctoc"
+    echo "  npm run doctoc"
    exit 1
  fi
 }
--- a/ci/dev/gen_icons.sh
+++ b/ci/dev/gen_icons.sh
@ -1,44 +1,50 @@
 #!/bin/sh
 set -eu
 # Generate icons from a single favicon.svg.  favicon.svg should have no fill
 # colors set.
 main() {
  cd src/browser/media
-  # We need .ico for backwards compatibility.
+  # We need .ico for backwards compatibility.  The other two are the only icon
-  # The other two are the only icon sizes required by Chrome and
+  # sizes required by Chrome and we use them for stuff like apple-touch-icon as
-  # we use them for stuff like apple-touch-icon as well.
+  # well.  https://web.dev/add-manifest/
  # https://web.dev/add-manifest/
  #
  # This should be enough and we can always add more if there are problems.
-
+  #
  # -quiet to avoid https://github.com/ImageMagick/ImageMagick/issues/884
  # -background defaults to white but we want it transparent.
  # -density somehow makes the image both sharper and smaller in file size.
  #
  # https://imagemagick.org/script/command-line-options.php#background
-  convert -quiet -background transparent -resize 256x256 favicon.svg favicon.ico
+  convert -quiet -background transparent \
-  # We do not generate the pwa-icon from the favicon as they are slightly different
+          -resize 256x256 -density 256x256 \
-  # designs and sizes.
+          favicon.svg favicon.ico
  # See favicon.afdesign and #2401 for details on the differences.
  convert -quiet -background transparent -resize 192x192 pwa-icon.png pwa-icon-192.png
  convert -quiet -background transparent -resize 512x512 pwa-icon.png pwa-icon-512.png
-  # We use -quiet above to avoid https://github.com/ImageMagick/ImageMagick/issues/884
+  # Generate PWA icons.  There should be enough padding to support masking.
  convert -quiet -border 60x60 -bordercolor white -background white \
          -resize 192x192 -density 192x192 \
          favicon.svg pwa-icon-maskable-192.png
  convert -quiet -border 160x160 -bordercolor white -background white \
          -resize 512x512 -density 512x512 \
          favicon.svg pwa-icon-maskable-512.png
-  # The following adds dark mode support for the favicon as favicon-dark-support.svg
+  # Generate non-maskable PWA icons.
-  # There is no similar capability for pwas or .ico so we can only add support to the svg.
+  magick pwa-icon-maskable-192.png \
-  favicon_dark_style="<style>
+         \( +clone -threshold 101% -fill white -draw "roundRectangle 0,0 %[fx:int(w)],%[fx:int(h)] 50,50" \) \
-@media (prefers-color-scheme: dark) {
+         -channel-fx "| gray=>alpha" \
-  * {
+         pwa-icon-192.png
-    fill: white;
+  magick pwa-icon-maskable-512.png \
-  }
+         \( +clone -threshold 101% -fill white -draw "roundRectangle 0,0 %[fx:int(w)],%[fx:int(h)] 100,100" \) \
-}
+         -channel-fx "| gray=>alpha" \
-</style>"
+         pwa-icon-512.png
-  # See https://stackoverflow.com/a/22901380/4283659
+
-  # This escapes all newlines so that sed will accept them.
+  # The following adds dark mode support for the favicon as
-  favicon_dark_style="$(printf "%s\n" "$favicon_dark_style" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')"
+  # favicon-dark-support.svg There is no similar capability for pwas or .ico so
-  sed "$(
+  # we can only add support to the svg.
-    cat -n << EOF
+  favicon_dark_style="<style>@media (prefers-color-scheme: dark) {* { fill: white; }}</style>"
-s%<rect id="favicon"%$favicon_dark_style<rect id="favicon"%
+  cp favicon.svg favicon-dark-support.svg
-EOF
+  sed "s%<path%$favicon_dark_style\n  <path%" favicon.svg > favicon-dark-support.svg
  )" favicon.svg > favicon-dark-support.svg
 }
 main "$@"
--- a/ci/dev/postinstall.sh
+++ b/ci/dev/postinstall.sh
@ -3,14 +3,13 @@ set -euo pipefail
 # Install dependencies in $1.
 install-deps() {
-  local args=(install)
+  local args=()
  if [[ ${CI-} ]]; then
-    args+=(--frozen-lockfile)
+    args+=(ci)
  else
    args+=(install)
  fi
-  if [[ "$1" == "lib/vscode" ]]; then
+  # If there is no package.json then npm will look upward and end up installing
    args+=(--no-default-rc)
  fi
  # If there is no package.json then yarn will look upward and end up installing
  # from the root resulting in an infinite loop (this can happen if you have not
  # checked out the submodule yet for example).
  if [[ ! -f "$1/package.json" ]]; then
@ -19,7 +18,7 @@ install-deps() {
  fi
  pushd "$1"
  echo "Installing dependencies for $PWD"
-  yarn "${args[@]}"
+  npm "${args[@]}"
  popd
 }
--- a/ci/dev/preinstall.js
+++ b/ci/dev/preinstall.js
@ -0,0 +1,3 @@
 if (process.env.npm_execpath.includes("yarn")) {
  throw new Error("`yarn` is no longer supported; please use `npm install` instead")
 }
--- a/ci/dev/test-e2e.sh
+++ b/ci/dev/test-e2e.sh
@ -2,9 +2,9 @@
 set -euo pipefail
 help() {
-  echo >&2 "  You can build with 'yarn watch' or you can build a release"
+  echo >&2 "  You can build with 'npm run watch' or you can build a release"
-  echo >&2 "  For example: 'yarn build && yarn build:vscode && KEEP_MODULES=1 yarn release'"
+  echo >&2 "  For example: 'npm run build && npm run build:vscode && KEEP_MODULES=1 npm run release'"
-  echo >&2 "  Then 'CODE_SERVER_TEST_ENTRY=./release yarn test:e2e'"
+  echo >&2 "  Then 'CODE_SERVER_TEST_ENTRY=./release npm run test:e2e'"
  echo >&2 "  You can manually run that release with 'node ./release'"
 }
@ -15,7 +15,7 @@ main() {
  pushd test/e2e/extensions/test-extension
  echo "Building test extension"
-  yarn build
+  npm run build
  popd
  local dir="$PWD"
@ -44,7 +44,7 @@ main() {
  fi
  cd test
-  yarn playwright test "$@"
+  ./node_modules/.bin/playwright test "$@"
 }
 main "$@"
--- a/ci/dev/test-integration.sh
+++ b/ci/dev/test-integration.sh
@ -2,9 +2,9 @@
 set -euo pipefail
 help() {
-  echo >&2 "  You can build the standalone release with 'yarn release:standalone'"
+  echo >&2 "  You can build the standalone release with 'npm run release:standalone'"
  echo >&2 "  Or you can pass in a custom path."
-  echo >&2 "  CODE_SERVER_PATH='/var/tmp/coder/code-server/bin/code-server' yarn test:integration"
+  echo >&2 "  CODE_SERVER_PATH='/var/tmp/coder/code-server/bin/code-server' npm run test:integration"
 }
 # Make sure a code-server release works. You can pass in the path otherwise it
@ -33,7 +33,7 @@ main() {
    exit 1
  fi
-  CODE_SERVER_PATH="$path" CS_DISABLE_PLUGINS=true ./test/node_modules/.bin/jest "$@" --coverage=false --testRegex "./test/integration" --testPathIgnorePatterns "./test/integration/fixtures"
+  CODE_SERVER_PATH="$path" ./test/node_modules/.bin/jest "$@" --coverage=false --testRegex "./test/integration" --testPathIgnorePatterns "./test/integration/fixtures"
 }
 main "$@"
--- a/ci/dev/test-native.sh
+++ b/ci/dev/test-native.sh
@ -2,9 +2,9 @@
 set -euo pipefail
 help() {
-  echo >&2 "  You can build the standalone release with 'yarn release:standalone'"
+  echo >&2 "  You can build the standalone release with 'npm run release:standalone'"
  echo >&2 "  Or you can pass in a custom path."
-  echo >&2 "  CODE_SERVER_PATH='/var/tmp/coder/code-server/bin/code-server' yarn test:integration"
+  echo >&2 "  CODE_SERVER_PATH='/var/tmp/coder/code-server/bin/code-server' npm run test:integration"
 }
 # Make sure a code-server release works. You can pass in the path otherwise it
--- a/ci/dev/test-unit.sh
+++ b/ci/dev/test-unit.sh
@ -6,31 +6,10 @@ main() {
  source ./ci/lib.sh
  echo "Building test plugin"
  pushd test/unit/node/test-plugin
  make -s out/index.js
  popd
  # Our code imports from `out` in order to work during development but if you
  # have only built for production you will have not have this directory.  In
  # that case symlink `out` to a production build directory.
  if [[ ! -e lib/vscode/out ]]; then
    pushd lib
    local out=(vscode-reh-web-*)
    if [[ -d "${out[0]}" ]]; then
      ln -s "../${out[0]}/out" ./vscode/out
    else
      echo "Could not find lib/vscode/out or lib/vscode-reh-web-*"
      echo "Code must be built before running unit tests"
      exit 1
    fi
    popd
  fi
  # We must keep jest in a sub-directory. See ../../test/package.json for more
  # information. We must also run it from the root otherwise coverage will not
  # include our source files.
-  CS_DISABLE_PLUGINS=true ./test/node_modules/.bin/jest "$@" --testRegex "./test/unit/.*ts" --testPathIgnorePatterns "./test/unit/node/test-plugin"
+  ./test/node_modules/.bin/jest "$@" --testRegex "./test/unit/.*ts"
 }
 main "$@"
--- a/ci/dev/watch.ts
+++ b/ci/dev/watch.ts
@ -1,4 +1,4 @@
-import { spawn, fork, ChildProcess } from "child_process"
+import { spawn, ChildProcess } from "child_process"
 import * as path from "path"
 import { onLine, OnLineCallback } from "../../src/node/util"
@ -30,12 +30,13 @@ class Watcher {
    // Pass CLI args, save for `node` and the initial script name.
    const args = process.argv.slice(2)
-    this.webServer = fork(path.join(this.rootPath, "out/node/entry.js"), args)
+    this.webServer = spawn("node", [path.join(this.rootPath, "out/node/entry.js"), ...args])
    onLine(this.webServer, (line) => console.log("[code-server]", line))
    const { pid } = this.webServer
-    this.webServer.on("exit", () => console.log("[Code Server]", `Web process ${pid} exited`))
+    this.webServer.on("exit", () => console.log("[code-server]", `Web process ${pid} exited`))
-    console.log("\n[Code Server]", `Spawned web server process ${pid}`)
+    console.log("\n[code-server]", `Spawned web server process ${pid}`)
  }
  //#endregion
@ -44,9 +45,11 @@ class Watcher {
  private readonly compilers: DevelopmentCompilers = {
    codeServer: spawn("tsc", ["--watch", "--pretty", "--preserveWatchOutput"], { cwd: this.rootPath }),
-    vscode: spawn("yarn", ["watch"], { cwd: this.paths.vscodeDir }),
+    vscode: spawn("npm", ["run", "watch"], { cwd: this.paths.vscodeDir }),
-    vscodeWebExtensions: spawn("yarn", ["watch-web"], { cwd: this.paths.vscodeDir }),
+    vscodeWebExtensions: spawn("npm", ["run", "watch-web"], { cwd: this.paths.vscodeDir }),
-    plugins: this.paths.pluginDir ? spawn("yarn", ["build", "--watch"], { cwd: this.paths.pluginDir }) : undefined,
+    plugins: this.paths.pluginDir
      ? spawn("npm", ["run", "build", "--watch"], { cwd: this.paths.pluginDir })
      : undefined,
  }
  public async initialize(): Promise<void> {
@ -82,10 +85,10 @@ class Watcher {
  private parseVSCodeLine: OnLineCallback = (strippedLine, originalLine) => {
    if (!strippedLine.length) return
-    console.log("[VS Code]", originalLine)
+    console.log("[Code OSS]", originalLine)
    if (strippedLine.includes("Finished compilation with")) {
-      console.log("[VS Code] ✨ Finished compiling! ✨", "(Refresh your web browser ♻️)")
+      console.log("[Code OSS] ✨ Finished compiling! ✨", "(Refresh your web browser ♻️)")
      this.reloadWebServer()
    }
  }
@ -93,10 +96,10 @@ class Watcher {
  private parseCodeServerLine: OnLineCallback = (strippedLine, originalLine) => {
    if (!strippedLine.length) return
-    console.log("[Compiler][Code Server]", originalLine)
+    console.log("[Compiler][code-server]", originalLine)
    if (strippedLine.includes("Watching for file changes")) {
-      console.log("[Compiler][Code Server]", "Finished compiling!", "(Refresh your web browser ♻️)")
+      console.log("[Compiler][code-server]", "Finished compiling!", "(Refresh your web browser ♻️)")
      this.reloadWebServer()
    }
  }
--- a/ci/helm-chart/Chart.yaml
+++ b/ci/helm-chart/Chart.yaml
@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.3.2
+version: 3.31.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.8.2
+appVersion: 4.104.2
--- a/ci/helm-chart/templates/deployment.yaml
+++ b/ci/helm-chart/templates/deployment.yaml
@ -7,8 +7,11 @@ metadata:
    helm.sh/chart: {{ include "code-server.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  {{- if .Values.annotations }}
  annotations: {{- toYaml .Values.annotations | nindent 4 }}
  {{- end }}
 spec:
-  replicas: 1
+  replicas: {{ .Values.replicaCount | default 1 }}
  strategy:
    type: Recreate
  selector:
@ -20,6 +23,9 @@ spec:
      labels:
        app.kubernetes.io/name: {{ include "code-server.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
      {{- if .Values.podAnnotations }}
      annotations: {{- toYaml .Values.podAnnotations | nindent 8 }}
      {{- end }}
    spec:
      imagePullSecrets: {{- toYaml .Values.imagePullSecrets | nindent 8 }}
      {{- if .Values.hostnameOverride }}
@ -32,8 +38,9 @@ spec:
      securityContext:
        fsGroup: {{ .Values.securityContext.fsGroup }}
      {{- end }}
-      {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
+      {{- if or (and .Values.volumePermissions.enabled .Values.persistence.enabled) .Values.extraInitContainers }}
      initContainers:
      {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
      - name: init-chmod-data
        image: busybox:latest
        imagePullPolicy: IfNotPresent
@ -47,6 +54,7 @@ spec:
        volumeMounts:
        - name: data
          mountPath: /home/coder
      {{- end }}
 {{- if .Values.extraInitContainers }}
 {{ tpl .Values.extraInitContainers . | indent 6}}
 {{- end }}
@ -102,6 +110,7 @@ spec:
          {{- range .Values.extraSecretMounts }}
          - name: {{ .name }}
            mountPath: {{ .mountPath }}
            subPath: {{ .subPath | default "" }}
            readOnly: {{ .readOnly }}
          {{- end }}
          {{- range .Values.extraVolumeMounts }}
@ -114,6 +123,11 @@ spec:
            - name: http
              containerPort: 8080
              protocol: TCP
          {{- range .Values.extraPorts }}
            - name: {{ .name }}
              containerPort: {{ .port }}
              protocol: {{ .protocol }}
          {{- end }}
          livenessProbe:
            httpGet:
              path: /
@ -168,9 +182,12 @@ spec:
        {{- if .existingClaim }}
        persistentVolumeClaim:
          claimName: {{ .existingClaim }}
-        {{- else }}
+        {{- else if .hostPath }}
        hostPath:
          path: {{ .hostPath }}
          type: Directory
        {{- else }}
        emptyDir:
          {{- toYaml .emptyDir | nindent 10 }}
        {{- end }}
      {{- end }}
--- a/ci/helm-chart/templates/secrets.yaml
+++ b/ci/helm-chart/templates/secrets.yaml
@ -1,3 +1,4 @@
 {{- if not .Values.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@ -11,8 +12,9 @@ metadata:
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 type: Opaque
 data:
-  {{ if .Values.password }}
+  {{- if .Values.password }}
  password: "{{ .Values.password | b64enc }}"
-  {{ else }}
+  {{- else }}
  password: "{{ randAlphaNum 24 | b64enc }}"
-  {{ end }}
+  {{- end }}
 {{- end }}
--- a/ci/helm-chart/templates/service.yaml
+++ b/ci/helm-chart/templates/service.yaml
@ -14,6 +14,12 @@ spec:
      targetPort: http
      protocol: TCP
      name: http
  {{- range .Values.extraPorts }}
    - port: {{ .port }}
      targetPort: {{ .port }}
      protocol: {{ .protocol }}
      name: {{ .name }}
  {{- end }}
  selector:
    app.kubernetes.io/name: {{ include "code-server.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
--- a/ci/helm-chart/values.yaml
+++ b/ci/helm-chart/values.yaml
@ -6,7 +6,7 @@ replicaCount: 1
 image:
  repository: codercom/code-server
-  tag: '4.8.2'
+  tag: '4.104.2'
  pullPolicy: Always
 # Specifies one or more secrets to be used when pulling images from a
@ -19,6 +19,9 @@ nameOverride: ""
 fullnameOverride: ""
 hostnameOverride: ""
 # The existing secret to use for code-server authentication in the frontend. the password is stored in the secret under the key `password`
 # existingSecret: ""
 serviceAccount:
  # Specifies whether a service account should be created
  create: true
@ -28,6 +31,9 @@ serviceAccount:
  # If not set and create is true, a name is generated using the fullname template
  name: ""
 # Specifies annotations for deployment
 annotations: {}
 podAnnotations: {}
 podSecurityContext: {}
@ -71,9 +77,10 @@ extraArgs: []
 # Optional additional environment variables
 extraVars: []
 #  - name: DISABLE_TELEMETRY
-#    value: true
+#    value: "true"
 # if dind is desired:
 #  - name: DOCKER_HOST
-#    value: "tcp://localhost:2375"
+#    value: "tcp://localhost:2376"
 ##
 ## Init containers parameters:
@ -136,25 +143,39 @@ lifecycle:
  #      - -c
  #      - curl -s -L SOME_SCRIPT | bash
  # for dind, the following may be helpful
  # postStart:
  #   exec:
  #     command:
  #       - /bin/sh
  #       - -c
  #       - |
  #         sudo apt-get update \
  #           && sudo apt-get install -y docker.io
 ## Enable an Specify container in extraContainers.
 ## This is meant to allow adding code-server dependencies, like docker-dind.
 extraContainers: |
 # If docker-dind is used, DOCKER_HOST env is mandatory to set in "extraVars"
-#- name: docker-dind
+# - name: docker-dind
-#  image: docker:19.03-dind
+#   image: docker:28.3.2-dind
-#  imagePullPolicy: IfNotPresent
+#   imagePullPolicy: IfNotPresent
-#  resources:
+#   resources:
-#    requests:
+#     requests:
-#      cpu: 250m
+#       cpu: 1
-#      memory: 256M
+#       ephemeral-storage: "50Gi"
-#  securityContext:
+#       memory: 10Gi
-#    privileged: true
+#   securityContext:
-#    procMount: Default
+#     privileged: true
-#  env:
+#     procMount: Default
-#  - name: DOCKER_TLS_CERTDIR
+#   env:
-#    value: ""
+#     - name: DOCKER_TLS_CERTDIR
-#  - name: DOCKER_DRIVER
+#       value: "" # disable TLS setup
-#    value: "overlay2"
+#   command:
 #     - dockerd
 #     - --host=unix:///var/run/docker.sock
 #     - --host=tcp://0.0.0.0:2376
 extraInitContainers: |
 # - name: customization
@ -179,6 +200,7 @@ extraInitContainers: |
 extraSecretMounts: []
  # - name: secret-files
  #   mountPath: /etc/secrets
  #   subPath: private.key # (optional)
  #   secretName: code-server-secret-files
  #   readOnly: true
@ -189,6 +211,7 @@ extraVolumeMounts: []
  #   readOnly: true
  #   existingClaim: volume-claim
  #   hostPath: ""
  #   emptyDir: {}
 extraConfigmapMounts: []
  # - name: certs-configmap
@ -196,3 +219,8 @@ extraConfigmapMounts: []
  #   subPath: certificates.crt # (optional)
  #   configMap: certs-configmap
  #   readOnly: true
 extraPorts: []
  # - name: minecraft
  #   port: 25565
  #   protocol: tcp
--- a/ci/lib.sh
+++ b/ci/lib.sh
@ -9,10 +9,6 @@ popd() {
  builtin popd > /dev/null
 }
 pkg_json_version() {
  jq -r .version package.json
 }
 vscode_version() {
  jq -r .version lib/vscode/package.json
 }
@ -48,8 +44,6 @@ rsync() {
  command rsync -a --del "$@"
 }
 VERSION="$(pkg_json_version)"
 export VERSION
 ARCH="$(arch)"
 export ARCH
 OS=$(os)
--- a/ci/release-image/Dockerfile
+++ b/ci/release-image/Dockerfile
@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:experimental
-ARG BASE=debian:11
+ARG BASE=debian:12
 FROM scratch AS packages
 COPY release-packages/code-server*.deb /tmp/
@ -10,18 +10,19 @@ RUN apt-get update \
  && apt-get install -y \
    curl \
    dumb-init \
    zsh \
    htop \
    locales \
    man \
    nano \
    git \
    git-lfs \
-    procps \
+    htop \
-    openssh-client \
+    locales \
    sudo \
    vim.tiny \
    lsb-release \
    man-db \
    nano \
    openssh-client \
    procps \
    sudo \
    vim-tiny \
    wget \
    zsh \
  && git lfs install \
  && rm -rf /var/lib/apt/lists/*
@ -30,11 +31,14 @@ RUN sed -i "s/# en_US.UTF-8/en_US.UTF-8/" /etc/locale.gen \
  && locale-gen
 ENV LANG=en_US.UTF-8
-RUN adduser --gecos '' --disabled-password coder \
+RUN if grep -q 1000 /etc/passwd; then \
    userdel -r "$(id -un 1000)"; \
  fi \
  && adduser --gecos '' --disabled-password coder \
  && echo "coder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/nopasswd
 RUN ARCH="$(dpkg --print-architecture)" \
-  && curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.5/fixuid-0.5-linux-$ARCH.tar.gz" | tar -C /usr/local/bin -xzf - \
+  && curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.6.0/fixuid-0.6.0-linux-$ARCH.tar.gz" | tar -C /usr/local/bin -xzf - \
  && chown root:root /usr/local/bin/fixuid \
  && chmod 4755 /usr/local/bin/fixuid \
  && mkdir -p /etc/fixuid \
--- a/ci/release-image/Dockerfile.fedora
+++ b/ci/release-image/Dockerfile.fedora
@ -0,0 +1,51 @@
 # syntax=docker/dockerfile:experimental
 ARG BASE=fedora:39
 FROM scratch AS packages
 COPY release-packages/code-server*.rpm /tmp/
 FROM $BASE
 RUN dnf update -y \
    && dnf install -y \
    curl \
    git \
    git-lfs \
    htop \
    nano \
    openssh-clients \
    procps \
    wget \
    zsh \
    dumb-init \
    glibc-langpack-en \
    && rm -rf /var/cache/dnf
 RUN git lfs install
 ENV LANG=en_US.UTF-8
 RUN echo 'LANG="en_US.UTF-8"' > /etc/locale.conf
 RUN useradd -u 1000 coder && echo "coder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/nopasswd
 RUN ARCH="$(uname -m | sed 's/x86_64/amd64/g' | sed 's/aarch64/arm64/g')" \
  && curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.6.0/fixuid-0.6.0-linux-$ARCH.tar.gz" | tar -C /usr/local/bin -xzf - \
  && chown root:root /usr/local/bin/fixuid \
  && chmod 4755 /usr/local/bin/fixuid \
  && mkdir -p /etc/fixuid \
  && printf "user: coder\ngroup: coder\n" > /etc/fixuid/config.yml
 COPY ci/release-image/entrypoint.sh /usr/bin/entrypoint.sh
 RUN --mount=from=packages,src=/tmp,dst=/tmp/packages rpm -i /tmp/packages/code-server*$(uname -m | sed 's/x86_64/amd64/g' | sed 's/aarch64/arm64/g').rpm
 # Allow users to have scripts run on container startup to prepare workspace.
 # https://github.com/coder/code-server/issues/5177
 ENV ENTRYPOINTD=${HOME}/entrypoint.d
 EXPOSE 8080
 # This way, if someone sets $DOCKER_USER, docker-exec will still work as
 # the uid will remain the same. note: only relevant if -u isn't passed to
 # docker-run.
 USER 1000
 ENV USER=coder
 WORKDIR /home/coder
 ENTRYPOINT ["/usr/bin/entrypoint.sh", "--bind-addr", "0.0.0.0:8080", "."]
--- a/ci/release-image/Dockerfile.opensuse
+++ b/ci/release-image/Dockerfile.opensuse
@ -0,0 +1,51 @@
 # syntax=docker/dockerfile:experimental
 ARG BASE=opensuse/tumbleweed
 FROM scratch AS packages
 COPY release-packages/code-server*.rpm /tmp/
 FROM $BASE
 RUN zypper dup -y \
    && zypper in -y \
    curl \
    git \
    git-lfs \
    htop \
    nano \
    openssh-clients \
    procps \
    wget \
    zsh \
    sudo \
    catatonit \
    && rm -rf /var/cache/zypp /var/cache/zypper
 RUN git lfs install
 ENV LANG=en_US.UTF-8
 RUN echo 'LANG="en_US.UTF-8"' > /etc/locale.conf
 RUN useradd -u 1000 coder && echo "coder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/nopasswd
 RUN ARCH="$(uname -m | sed 's/x86_64/amd64/g' | sed 's/aarch64/arm64/g')" \
  && curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.6.0/fixuid-0.6.0-linux-$ARCH.tar.gz" | tar -C /usr/local/bin -xzf - \
  && chown root:root /usr/local/bin/fixuid \
  && chmod 4755 /usr/local/bin/fixuid \
  && mkdir -p /etc/fixuid \
  && printf "user: coder\ngroup: coder\n" > /etc/fixuid/config.yml
 COPY ci/release-image/entrypoint-catatonit.sh /usr/bin/entrypoint-catatonit.sh
 RUN --mount=from=packages,src=/tmp,dst=/tmp/packages rpm -i /tmp/packages/code-server*$(uname -m | sed 's/x86_64/amd64/g' | sed 's/aarch64/arm64/g').rpm
 # Allow users to have scripts run on container startup to prepare workspace.
 # https://github.com/coder/code-server/issues/5177
 ENV ENTRYPOINTD=${HOME}/entrypoint.d
 EXPOSE 8080
 # This way, if someone sets $DOCKER_USER, docker-exec will still work as
 # the uid will remain the same. note: only relevant if -u isn't passed to
 # docker-run.
 USER 1000
 ENV USER=coder
 WORKDIR /home/coder
 ENTRYPOINT ["/usr/bin/entrypoint-catatonit.sh", "--bind-addr", "0.0.0.0:8080", "."]
--- a/ci/release-image/docker-bake.hcl
+++ b/ci/release-image/docker-bake.hcl
@ -16,8 +16,11 @@ variable "GITHUB_REGISTRY" {
 group "default" {
    targets = [
-        "code-server-debian-11", 
+        "code-server-debian-12",
        "code-server-ubuntu-focal",
        "code-server-ubuntu-noble",
        "code-server-fedora-39",
        "code-server-opensuse-tumbleweed",
    ]
 }
@ -45,12 +48,12 @@ function "gen_tags_for_docker_and_ghcr" {
    )
 }
-target "code-server-debian-11" {
+target "code-server-debian-12" {
    dockerfile = "ci/release-image/Dockerfile"
    tags = concat(
        gen_tags_for_docker_and_ghcr(""),
        gen_tags_for_docker_and_ghcr("debian"),
-        gen_tags_for_docker_and_ghcr("bullseye"),
+        gen_tags_for_docker_and_ghcr("bookworm"),
    )
    platforms = ["linux/amd64", "linux/arm64"]
 }
@ -66,3 +69,38 @@ target "code-server-ubuntu-focal" {
    }
    platforms = ["linux/amd64", "linux/arm64"]
 }
 target "code-server-ubuntu-noble" {
    dockerfile = "ci/release-image/Dockerfile"
    tags = concat(
        gen_tags_for_docker_and_ghcr("noble"),
    )
    args = {
        BASE = "ubuntu:noble"
    }
    platforms = ["linux/amd64", "linux/arm64"]
 }
 target "code-server-fedora-39" {
    dockerfile = "ci/release-image/Dockerfile.fedora"
    tags = concat(
        gen_tags_for_docker_and_ghcr("fedora"),
        gen_tags_for_docker_and_ghcr("39"),
    )
    args = {
        BASE = "fedora:39"
    }
    platforms = ["linux/amd64", "linux/arm64"]
 }
 target "code-server-opensuse-tumbleweed" {
    dockerfile = "ci/release-image/Dockerfile.opensuse"
    tags = concat(
        gen_tags_for_docker_and_ghcr("opensuse"),
        gen_tags_for_docker_and_ghcr("tumbleweed"),
    )
    args = {
        BASE = "opensuse/tumbleweed"
    }
    platforms = ["linux/amd64", "linux/arm64"]
 }
--- a/ci/release-image/entrypoint-catatonit.sh
+++ b/ci/release-image/entrypoint-catatonit.sh
@ -0,0 +1,27 @@
 #!/bin/sh
 set -eu
 # We do this first to ensure sudo works below when renaming the user.
 # Otherwise the current container UID may not exist in the passwd database.
 eval "$(fixuid -q)"
 if [ "${DOCKER_USER-}" ]; then
  USER="$DOCKER_USER"
  if [ "$DOCKER_USER" != "$(whoami)" ]; then
    echo "$DOCKER_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/nopasswd > /dev/null
    # Unfortunately we cannot change $HOME as we cannot move any bind mounts
    # nor can we bind mount $HOME into a new home as that requires a privileged container.
    sudo usermod --login "$DOCKER_USER" coder
    sudo groupmod -n "$DOCKER_USER" coder
    sudo sed -i "/coder/d" /etc/sudoers.d/nopasswd
  fi
 fi
 # Allow users to have scripts run on container startup to prepare workspace.
 # https://github.com/coder/code-server/issues/5177
 if [ -d "${ENTRYPOINTD}" ]; then
  find "${ENTRYPOINTD}" -type f -executable -print -exec {} \;
 fi
 exec catatonit -- /usr/bin/code-server "$@"
--- a/ci/release-image/entrypoint.sh
+++ b/ci/release-image/entrypoint.sh
@ -7,7 +7,7 @@ eval "$(fixuid -q)"
 if [ "${DOCKER_USER-}" ]; then
  USER="$DOCKER_USER"
-  if [ "$DOCKER_USER" != "$(whoami)" ]; then
+  if [ -z "$(id -u "$DOCKER_USER" 2>/dev/null)" ]; then
    echo "$DOCKER_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/nopasswd > /dev/null
    # Unfortunately we cannot change $HOME as we cannot move any bind mounts
    # nor can we bind mount $HOME into a new home as that requires a privileged container.
--- a/ci/steps/docker-buildx-push.sh
+++ b/ci/steps/docker-buildx-push.sh
@ -3,9 +3,8 @@ set -euo pipefail
 main() {
  cd "$(dirname "$0")/../.."
-  # ci/lib.sh sets VERSION so it's available to ci/release-image/docker-bake.hcl
+  # NOTE@jsjoeio - this script assumes VERSION exists as an
-  # to push the VERSION tag.
+  # environment variable.
  source ./ci/lib.sh
  # NOTE@jsjoeio - this script assumes that you've downloaded
  # the release-packages artifact to ./release-packages before
--- a/ci/steps/publish-npm.sh
+++ b/ci/steps/publish-npm.sh
@ -19,12 +19,6 @@ main() {
  # This is because npm won't publish your package unless it's a new version.
  # i.e. for development, we bump the version to <current version>-<pr number>-<commit sha>
  # example: "version": "4.0.1-4769-ad7b23cfe6ffd72914e34781ef7721b129a23040"
  # We need the current package.json VERSION
  if ! is_env_var_set "VERSION"; then
    echo "VERSION is not set. Cannot publish to npm without VERSION."
    exit 1
  fi
  # We use this to grab the PR_NUMBER
  if ! is_env_var_set "GITHUB_REF"; then
    echo "GITHUB_REF is not set. Are you running this locally? We rely on values provided by GitHub."
@ -59,11 +53,11 @@ main() {
  # This string is used to determine how we should tag the npm release.
  # Environment can be one of three choices:
  # "development" - this means we tag with the PR number, allowing
-  # a developer to install this version with `yarn add code-server@<pr-number>`
+  # a developer to install this version with `npm install code-server@<pr-number>`
  # "staging" - this means we tag with `beta`, allowing
-  # a developer to install this version with `yarn add code-server@beta`
+  # a developer to install this version with `npm install code-server@beta`
  # "production" - this means we tag with `latest` (default), allowing
-  # a developer to install this version with `yarn add code-server@latest`
+  # a developer to install this version with `npm install code-server@latest`
  if ! is_env_var_set "NPM_ENVIRONMENT"; then
    echo "NPM_ENVIRONMENT is not set."
    echo "Determining in script based on GITHUB environment variables."
@ -92,7 +86,7 @@ main() {
  if [[ "$NPM_ENVIRONMENT" == "production" ]]; then
    NPM_VERSION="$VERSION"
    # This means the npm version will be published as "stable"
-    # and installed when a user runs `yarn install code-server`
+    # and installed when a user runs `npm install code-server`
    NPM_TAG="latest"
  else
    COMMIT_SHA="$GITHUB_SHA"
@ -100,8 +94,9 @@ main() {
    if [[ "$NPM_ENVIRONMENT" == "staging" ]]; then
      NPM_VERSION="$VERSION-beta-$COMMIT_SHA"
      # This means the npm version will be tagged with "beta"
-      # and installed when a user runs `yarn install code-server@beta`
+      # and installed when a user runs `npm install code-server@beta`
      NPM_TAG="beta"
      PACKAGE_NAME="@coder/code-server-pr"
    fi
    if [[ "$NPM_ENVIRONMENT" == "development" ]]; then
@ -110,7 +105,7 @@ main() {
      NPM_VERSION="$VERSION-$PR_NUMBER-$COMMIT_SHA"
      PACKAGE_NAME="@coder/code-server-pr"
      # This means the npm version will be tagged with "<pr number>"
-      # and installed when a user runs `yarn install code-server@<pr number>`
+      # and installed when a user runs `npm install code-server@<pr number>`
      NPM_TAG="$PR_NUMBER"
    fi
@ -125,10 +120,7 @@ main() {
    # Example: "version": "4.0.1-4769-ad7b23cfe6ffd72914e34781ef7721b129a23040"
    # Example: "version": "4.0.1-beta-ad7b23cfe6ffd72914e34781ef7721b129a23040"
    pushd release
    # NOTE@jsjoeio
    # I originally tried to use `yarn version` but ran into issues and abandoned it.
    npm version "$NPM_VERSION"
    # NOTE@jsjoeio
    # Use the development package name
    # This is so we don't clutter the code-server versions on npm
    # with development versions.
@ -139,7 +131,6 @@ main() {
    popd
  fi
  # NOTE@jsjoeio
  # We need to make sure we haven't already published the version.
  # If we get error, continue with script because we want to publish
  # If version is valid, we check if we're publishing the same one
@ -149,10 +140,10 @@ main() {
    return
  fi
  # NOTE@jsjoeio
  # Since the dev builds are scoped to @coder
  # We pass --access public to ensure npm knows it's not private.
-  yarn publish --non-interactive release --tag "$NPM_TAG" --access public
+  cd release
  npm publish --tag "$NPM_TAG" --access public
 }
 main "$@"
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@ -5,15 +5,14 @@
 - [Requirements](#requirements)
  - [Linux-specific requirements](#linux-specific-requirements)
 - [Creating pull requests](#creating-pull-requests)
  - [Commits and commit history](#commits-and-commit-history)
 - [Development workflow](#development-workflow)
  - [Version updates to Code](#version-updates-to-code)
  - [Patching Code](#patching-code)
  - [Build](#build)
    - [Creating a Standalone Release](#creating-a-standalone-release)
  - [Troubleshooting](#troubleshooting)
    - [I see "Forbidden access" when I load code-server in the browser](#i-see-forbidden-access-when-i-load-code-server-in-the-browser)
-  - ["Can only have one anonymous define call per script"](#can-only-have-one-anonymous-define-call-per-script)
+    - ["Can only have one anonymous define call per script"](#can-only-have-one-anonymous-define-call-per-script)
  - [Help](#help)
 - [Test](#test)
  - [Unit tests](#unit-tests)
@ -27,19 +26,16 @@
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 <!-- prettier-ignore-end -->
 - [Detailed CI and build process docs](../ci)
 ## Requirements
 The prerequisites for contributing to code-server are almost the same as those
-for [VS
+for [VS Code](https://github.com/Microsoft/vscode/wiki/How-to-Contribute#prerequisites).
 Code](https://github.com/Microsoft/vscode/wiki/How-to-Contribute#prerequisites).
 Here is what is needed:
- `node` v16.x
+- `node` v22.x
 - `git` v2.x or greater
 - [`git-lfs`](https://git-lfs.github.com)
- [`yarn`](https://classic.yarnpkg.com/en/)
+- [`npm`](https://www.npmjs.com/)
  - Used to install JS packages and run scripts
 - [`nfpm`](https://nfpm.goreleaser.com/)
  - Used to build `.deb` and `.rpm` packages
@ -59,38 +55,23 @@ Here is what is needed:
 ### Linux-specific requirements
-If you're developing code-server on Linux, make sure you have installed or install the following dependencies:
+If you're developing code-server on Linux, make sure you have installed or
 install the following dependencies:
 ```shell
-sudo apt-get install build-essential g++ libx11-dev libxkbfile-dev libsecret-1-dev python-is-python3
+sudo apt-get install build-essential g++ libx11-dev libxkbfile-dev libsecret-1-dev libkrb5-dev python-is-python3
 ```
-These are required by Code. See [their Wiki](https://github.com/microsoft/vscode/wiki/How-to-Contribute#prerequisites) for more information.
+These are required by Code. See [their Wiki](https://github.com/microsoft/vscode/wiki/How-to-Contribute#prerequisites)
-
+for more information.
 ## Creating pull requests
 Please create a [GitHub Issue](https://github.com/coder/code-server/issues) that
 includes context for issues that you see. You can skip this if the proposed fix
 is minor.
 In your pull requests (PR), link to the issue that the PR solves.
 Please ensure that the base of your PR is the **main** branch.
 ### Commits and commit history
 We prefer a clean commit history. This means you should squash all fixups and
 fixup-type commits before asking for a review (e.g., clean up, squash, then force
 push). If you need help with this, feel free to leave a comment in your PR, and
 we'll guide you.
 ## Development workflow
 1. `git clone https://github.com/coder/code-server.git` - Clone `code-server`
 2. `git submodule update --init` - Clone `vscode` submodule
 3. `quilt push -a` - Apply patches to the `vscode` submodule.
-4. `yarn` - Install dependencies
+4. `npm install` - Install dependencies
-5. `yarn watch` - Launch code-server localhost:8080. code-server will be live
+5. `npm run watch` - Launch code-server localhost:8080. code-server will be live
   reloaded when changes are made; the browser needs to be refreshed manually.
 When pulling down changes that include modifications to the patches you will
@ -98,55 +79,62 @@ need to apply them with `quilt`. If you pull down changes that update the
 `vscode` submodule you will need to run `git submodule update --init` and
 re-apply the patches.
 When you make a change that affects people deploying the marketplace please
 update the changelog as part of your PR.
 Note that building code-server takes a very, very long time, and loading it in
 the browser in development mode also takes a very, very long time.
 Display language (Spanish, etc) support only works in a full build; it will not
 work in development mode.
 Generally we prefer that PRs be squashed into `main` but you can rebase or merge
 if it is important to keep the individual commits (make sure to clean up the
 commits first if you are doing this).
 ### Version updates to Code
-1. Update the `lib/vscode` submodule to the desired upstream version branch.
+1. Remove any patches with `quilt pop -a`.
 2. Update the `lib/vscode` submodule to the desired upstream version branch.
   1. `cd lib/vscode && git checkout release/1.66 && cd ../..`
-   2. `git add lib && git commit -m "chore: update Code"`
+   2. `git add lib && git commit -m "chore: update to Code <version>"`
-2. Apply the patches (`quilt push -a`) or restore your stashed changes. At this
+3. Apply the patches one at a time (`quilt push`). If the application succeeds
-   stage you may need to resolve conflicts. For example use `quilt push -f`,
+   but the lines changed, update the patch with `quilt refresh`. If there are
-   manually apply the rejected portions, then `quilt refresh`.
+   conflicts, then force apply with `quilt push -f`, manually add back the
-3. From the code-server **project root**, run `yarn install`.
+   rejected code, then run `quilt refresh`.
-4. Test code-server locally to make sure everything works.
+4. From the code-server **project root**, run `npm install`.
 5. Check the Node.js version that's used by Electron (which is shipped with VS
-   Code. If necessary, update your version of Node.js to match.
+   Code. If necessary, update our version of Node.js to match.
 6. Commit the updated submodule and patches to `code-server`.
 7. Open a PR.
 Tip: if you're certain all patches are applied correctly and you simply need to
 refresh, you can use this trick:
 ```shell
 while quilt push; do quilt refresh; done
 ```
 [Source](https://raphaelhertzog.com/2012/08/08/how-to-use-quilt-to-manage-patches-in-debian-packages/)
 ### Patching Code
-0. You can go through the patch stack with `quilt push` and `quilt pop`.
+1. You can go through the patch stack with `quilt push` and `quilt pop`.
-1. Create a new patch (`quilt new {name}.diff`) or use an existing patch.
+2. Create a new patch (`quilt new {name}.diff`) or use an existing patch.
-2. Add the file(s) you are patching (`quilt add [-P patch] {file}`). A file
+3. Add the file(s) you are patching (`quilt add [-P patch] {file}`). A file
   **must** be added before you make changes to it.
-3. Make your changes. Patches do not need to be independent of each other but
+4. Make your changes. Patches do not need to be independent of each other but
   each patch must result in a working code-server without any broken in-between
   states otherwise they are difficult to test and modify.
-4. Add your changes to the patch (`quilt refresh`)
+5. Add your changes to the patch (`quilt refresh`)
-5. Add a comment in the patch about the reason for the patch and how to
+6. Add a comment in the patch about the reason for the patch and how to
   reproduce the behavior it fixes or adds. Every patch should have an e2e test
   as well.
 ### Build
-You can build as follows:
+You can build a full production as follows:
 ```shell
-yarn build
+git submodule update --init
-yarn build:vscode
+quilt push -a
-yarn release
+npm install
 npm run build
 VERSION=0.0.0 npm run build:vscode
 npm run release
 ```
-_NOTE: this does not keep `node_modules`. If you want them to be kept, use `KEEP_MODULES=1 yarn release` (if you're testing in Coder, you'll want to do this)_
+This does not keep `node_modules`. If you want them to be kept, use
 `KEEP_MODULES=1 npm run release`
 Run your build:
@ -157,34 +145,55 @@ npm install --omit=dev # Skip if you used KEEP_MODULES=1
 node .
 ```
-Build the release packages (make sure that you run `yarn release` first):
+Then, to build the release package:
 ```shell
-yarn release:standalone
+npm run release:standalone
-yarn test:integration
+npm run test:integration
-yarn package
+npm run package
 ```
 > On Linux, the currently running distro will become the minimum supported
-> version. In our GitHub Actions CI, we use CentOS 7 for maximum compatibility.
+> version. In our GitHub Actions CI, we use CentOS 8 for maximum compatibility.
 > If you need your builds to support older distros, run the build commands
 > inside a Docker container with all the build requirements installed.
 #### Creating a Standalone Release
 Part of the build process involves creating standalone releases. At the time of
 writing, we do this for the following platforms/architectures:
 - Linux amd64 (.tar.gz, .deb, and .rpm)
 - Linux arm64 (.tar.gz, .deb, and .rpm)
 - Linux arm7l (.tar.gz)
 - Linux armhf.deb
 - Linux armhf.rpm
 - macOS arm64.tar.gz
 Currently, these are compiled in CI using the `npm run release:standalone`
 command in the `release.yaml` workflow. We then upload them to the draft release
 and distribute via GitHub Releases.
 ### Troubleshooting
 #### I see "Forbidden access" when I load code-server in the browser
-This means your patches didn't apply correctly. We have a patch to remove the auth from vanilla Code because we use our own.
+This means your patches didn't apply correctly. We have a patch to remove the
 auth from vanilla Code because we use our own.
-Try popping off the patches with `quilt pop -a` and reapplying with `quilt push -a`.
+Try popping off the patches with `quilt pop -a` and reapplying with `quilt push
 -a`.
-### "Can only have one anonymous define call per script"
+#### "Can only have one anonymous define call per script"
-Code might be trying to use a dev or prod HTML in the wrong context. You can try re-running code-server and setting `VSCODE_DEV=1`.
+Code might be trying to use a dev or prod HTML in the wrong context. You can try
 re-running code-server and setting `VSCODE_DEV=1`.
 ### Help
-If you get stuck or need help, you can always start a new GitHub Discussion [here](https://github.com/coder/code-server/discussions). One of the maintainers will respond and help you out.
+If you get stuck or need help, you can always start a new GitHub Discussion
 [here](https://github.com/coder/code-server/discussions). One of the maintainers
 will respond and help you out.
 ## Test
@ -202,7 +211,9 @@ Our unit tests are written in TypeScript and run using
 These live under [test/unit](../test/unit).
-We use unit tests for functions and things that can be tested in isolation. The file structure is modeled closely after `/src` so it's easy for people to know where test files should live.
+We use unit tests for functions and things that can be tested in isolation. The
 file structure is modeled closely after `/src` so it's easy for people to know
 where test files should live.
 ### Script tests
@ -210,12 +221,14 @@ Our script tests are written in bash and run using [bats](https://github.com/bat
 These tests live under `test/scripts`.
-We use these to test anything related to our scripts (most of which live under `ci`).
+We use these to test anything related to our scripts (most of which live under
 `ci`).
 ### Integration tests
-These are a work in progress. We build code-server and run tests with `yarn test:integration`, which ensures that code-server builds work on their respective
+These are a work in progress. We build code-server and run tests with `npm run
-platforms.
+test:integration`, which ensures that code-server builds work on their
 respective platforms.
 Our integration tests look at components that rely on one another. For example,
 testing the CLI requires us to build and package code-server.
@ -236,15 +249,10 @@ Take a look at `codeServer.test.ts` to see how you would use it (see
 We also have a model where you can create helpers to use within tests. See
 [models/CodeServer.ts](../test/e2e/models/CodeServer.ts) for an example.
 Generally speaking, e2e means testing code-server while running in the browser
 and interacting with it in a way that's similar to how a user would interact
 with it. When running these tests with `yarn test:e2e`, you must have
 code-server running locally. In CI, this is taken care of for you.
 ## Structure
-The `code-server` script serves as an HTTP API for login and starting a remote
+code-server essentially serves as an HTTP API for logging in and starting a
-Code process.
+remote Code process.
 The CLI code is in [src/node](../src/node) and the HTTP routes are implemented
 in [src/node/routes](../src/node/routes).
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@ -14,6 +14,7 @@
 - [How do I install an extension manually?](#how-do-i-install-an-extension-manually)
 - [How do I use my own extensions marketplace?](#how-do-i-use-my-own-extensions-marketplace)
 - [Where are extensions stored?](#where-are-extensions-stored)
 - [Where is VS Code configuration stored?](#where-is-vs-code-configuration-stored)
 - [How can I reuse my VS Code configuration?](#how-can-i-reuse-my-vs-code-configuration)
 - [How does code-server decide what workspace or folder to open?](#how-does-code-server-decide-what-workspace-or-folder-to-open)
 - [How do I access my Documents/Downloads/Desktop folders in code-server on macOS?](#how-do-i-access-my-documentsdownloadsdesktop-folders-in-code-server-on-macos)
@ -26,13 +27,18 @@
 - [Is multi-tenancy possible?](#is-multi-tenancy-possible)
 - [Can I use Docker in a code-server container?](#can-i-use-docker-in-a-code-server-container)
 - [How do I disable telemetry?](#how-do-i-disable-telemetry)
 - [What's the difference between code-server and Coder?](#whats-the-difference-between-code-server-and-coder)
 - [What's the difference between code-server and Theia?](#whats-the-difference-between-code-server-and-theia)
 - [What's the difference between code-server and OpenVSCode-Server?](#whats-the-difference-between-code-server-and-openvscode-server)
 - [What's the difference between code-server and GitHub Codespaces?](#whats-the-difference-between-code-server-and-github-codespaces)
 - [What's the difference between code-server and VS Code web?](#whats-the-difference-between-code-server-and-vs-code-web)
 - [Does code-server have any security login validation?](#does-code-server-have-any-security-login-validation)
 - [Are there community projects involving code-server?](#are-there-community-projects-involving-code-server)
 - [How do I change the port?](#how-do-i-change-the-port)
 - [How do I hide the coder/coder promotion in Help: Getting Started?](#how-do-i-hide-the-codercoder-promotion-in-help-getting-started)
 - [How do I disable the proxy?](#how-do-i-disable-the-proxy)
 - [How do I disable file download?](#how-do-i-disable-file-download)
 - [Why do web views not work?](#why-do-web-views-not-work)
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 <!-- prettier-ignore-end -->
@ -86,6 +92,12 @@ app (PWA):
 1. Start the editor
 2. Click the **plus** icon in the URL toolbar to install the PWA
 If you use Firefox, you can use the appropriate extension to install PWA.
 1. Go to the installation [website](https://addons.mozilla.org/en-US/firefox/addon/pwas-for-firefox/) of the add-on
 2. Add the add-on to Firefox
 3. Follow the os-specific instructions on how to install the runtime counterpart
 For other browsers, you'll have to remap keybindings for shortcuts to work.
 ## Why can't code-server use Microsoft's extension marketplace?
@ -167,10 +179,10 @@ If you own a marketplace that implements the VS Code Extension Gallery API, you
 can point code-server to it by setting `$EXTENSIONS_GALLERY`.
 This corresponds directly with the `extensionsGallery` entry in in VS Code's `product.json`.
-For example, to use the legacy Coder extensions marketplace:
+For example:
 ```bash
-export EXTENSIONS_GALLERY='{"serviceUrl": "https://extensions.coder.com/api"}'
+export EXTENSIONS_GALLERY='{"serviceUrl": "https://my-extensions/api"}'
 ```
 Though you can technically use Microsoft's marketplace in this manner, we
@ -183,10 +195,20 @@ docs](https://github.com/VSCodium/vscodium/blob/master/DOCS.md#extensions--marke
 ## Where are extensions stored?
-Extensions are store, by default, to `~/.local/share/code-server/extensions`.
+Extensions are stored in `~/.local/share/code-server/extensions` by default.
-If you set the `XDG_DATA_HOME` environment variable, the data directory will be
+On Linux and macOS if you set the `XDG_DATA_HOME` environment variable, the
-`$XDG_DATA_HOME/code-server/extensions`. In general, we try to follow the XDG directory spec.
+extensions directory will be `$XDG_DATA_HOME/code-server/extensions`. In
 general, we try to follow the XDG directory spec.
 ## Where is VS Code configuration stored?
 VS Code configuration such as settings and keybindings are stored in
 `~/.local/share/code-server` by default.
 On Linux and macOS if you set the `XDG_DATA_HOME` environment variable, the data
 directory will be `$XDG_DATA_HOME/code-server`. In general, we try to follow the
 XDG directory spec.
 ## How can I reuse my VS Code configuration?
@ -301,12 +323,8 @@ As long as there is an active browser connection, code-server touches
 `~/.local/share/code-server/heartbeat` once a minute.
 If you want to shutdown code-server if there hasn't been an active connection
-after a predetermined amount of time, you can do so by checking continuously for
+after a predetermined amount of time, you can use the --idle-timeout-seconds flag
-the last modified time on the heartbeat file. If it is older than X minutes (or
+or set an `CODE_SERVER_IDLE_TIMEOUT_SECONDS` environment variable.
 whatever amount of time you'd like), you can kill code-server.
 Eventually, [#1636](https://github.com/coder/code-server/issues/1636) will make
 this process better.
 ## How do I change the password?
@ -336,6 +354,12 @@ hashed-password: "$argon2i$v=19$m=4096,t=3,p=1$wST5QhBgk2lu1ih4DMuxvg$LS1alrVdIW
 The `hashed-password` field takes precedence over `password`.
 If you're using Docker Compose file, in order to make this work, you need to change all the single $ to $$. For example:
 ```yaml
 - HASHED_PASSWORD=$$argon2i$$v=19$$m=4096,t=3,p=1$$wST5QhBgk2lu1ih4DMuxvg$$LS1alrVdIWtvZHwnzCM1DUGg+5DTO3Dt1d5v9XtLws4
 ```
 ## Is multi-tenancy possible?
 If you want to run multiple code-servers on shared infrastructure, we recommend
@ -356,12 +380,24 @@ mount into `/home/coder/myproject` from inside the `code-server` container. You
 need to make sure the Docker daemon's `/home/coder/myproject` is the same as the
 one mounted inside the `code-server` container, and the mount will work.
 If you want Docker enabled when deploying on Kubernetes, look at the `values.yaml`
 file for the 3 fields: `extraVars`, `lifecycle.postStart`, and `extraContainers`.
 ## How do I disable telemetry?
 Use the `--disable-telemetry` flag to disable telemetry.
 > We use the data collected only to improve code-server.
 ## What's the difference between code-server and Coder?
 code-server and Coder are both applications that can be installed on any
 machine. The main difference is who they serve. Out of the box, code-server is
 simply VS Code in the browser while Coder is a tool for provisioning remote
 development environments via Terraform.
 code-server was built for individuals while Coder was built for teams. In Coder, you create Workspaces which can have applications like code-server. If you're looking for a team solution, you should reach for [Coder](https://github.com/coder/coder).
 ## What's the difference between code-server and Theia?
 At a high level, code-server is a patched fork of VS Code that runs in the
@ -379,19 +415,13 @@ Theia doesn't allow you to reuse your existing VS Code config.
 ## What's the difference between code-server and OpenVSCode-Server?
 code-server and OpenVSCode-Server both allow you to access VS Code via a
-browser. The two projects also use their own [forks of VS Code](https://github.com/coder/vscode) to
+browser. OpenVSCode-Server is a direct fork of VS Code with changes comitted
-leverage modern VS Code APIs and stay up to date with the upsteam version.
+directly while code-server pulls VS Code in via a submodule and makes changes
 via patch files.
-However, OpenVSCode-Server is scoped at only making VS Code available in the web browser.
+However, OpenVSCode-Server is scoped at only making VS Code available as-is in
-code-server includes some other features:
+the web browser. code-server contains additional changes to make the self-hosted
-
+experience better (see the next section for details).
 - password auth
 - proxy web ports
 - certificate support
 - plugin API
 - settings sync (coming soon)
 For more details, see [this discussion post](https://github.com/coder/code-server/discussions/4267#discussioncomment-1411583).
 ## What's the difference between code-server and GitHub Codespaces?
@ -399,8 +429,32 @@ Both code-server and GitHub Codespaces allow you to access VS Code via a
 browser. GitHub Codespaces, however, is a closed-source, paid service offered by
 GitHub and Microsoft.
-On the other hand, code-server is self-hosted, free, open-source, and
+On the other hand, code-server is self-hosted, free, open-source, and can be run
-can be run on any machine with few limitations.
+on any machine with few limitations.
 Specific changes include:
 - Password authentication
 - The ability to host at sub-paths
 - Self-contained web views that do not call out to Microsoft's servers
 - The ability to use your own marketplace and collect your own telemetry
 - Built-in proxy for accessing ports on the remote machine integrated into
  VS Code's ports panel
 - Settings are stored on disk like desktop VS Code, instead of in browser
  storage (note that state is still stored in browser storage).
 - Wrapper process that spawns VS Code on-demand and has a separate CLI
 - Notification when updates are available
 - [Some other things](https://github.com/coder/code-server/tree/main/patches)
 Some of these changes appear very unlikely to ever be adopted by Microsoft.
 Some may make their way upstream, further closing the gap, but at the moment it
 looks like there will always be some subtle differences.
 ## What's the difference between code-server and VS Code web?
 VS Code web (which can be ran using `code serve-web`) has the same differences
 as the Codespaces section above. VS Code web can be a better choice if you need
 access to the official Microsoft marketplace.
 ## Does code-server have any security login validation?
@ -425,3 +479,39 @@ There are two ways to change the port on which code-server runs:
 You can pass the flag `--disable-getting-started-override` to `code-server` or
 you can set the environment variable `CS_DISABLE_GETTING_STARTED_OVERRIDE=1` or
 `CS_DISABLE_GETTING_STARTED_OVERRIDE=true`.
 ## How do I disable the proxy?
 You can pass the flag `--disable-proxy` to `code-server` or
 you can set the environment variable `CS_DISABLE_PROXY=1` or
 `CS_DISABLE_PROXY=true`.
 Note, this option currently only disables the proxy routes to forwarded ports, including
 the domain and path proxy routes over HTTP and WebSocket; however, it does not
 disable the automatic port forwarding in the VS Code workbench itself. In other words,
 user will still see the Ports tab and notifications, but will not be able to actually
 use access the ports. It is recommended to set `remote.autoForwardPorts` to `false`
 when using the option.
 ## How do I disable file download?
 You can pass the flag `--disable-file-downloads` to `code-server`
 ## Why do web views not work?
 Web views rely on service workers, and service workers are only available in a
 secure context, so most likely the answer is that you are using an insecure
 context (for example an IP address).
 If this happens, in the browser log you will see something like:
 > Error loading webview: Error: Could not register service workers: SecurityError: Failed to register a ServiceWorker for scope with script: An SSL certificate error occurred when fetching the script..
 To fix this, you must either:
 - Access over localhost/127.0.0.1 which is always considered secure.
 - Use a domain with a real certificate (for example with Let's Encrypt).
 - Use a trusted self-signed certificate with [mkcert](https://mkcert.dev) (or
  create and trust a certificate manually).
 - Disable security if your browser allows it. For example, in Chromium see
  `chrome://flags/#unsafely-treat-insecure-origin-as-secure`
--- a/docs/MAINTAINING.md
+++ b/docs/MAINTAINING.md
@ -3,24 +3,13 @@
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # Maintaining
- [Team](#team)
+- [Releasing](#releasing)
  - [Onboarding](#onboarding)
  - [Offboarding](#offboarding)
 - [Workflow](#workflow)
  - [Milestones](#milestones)
  - [Triage](#triage)
 - [Versioning](#versioning)
 - [Pull requests](#pull-requests)
  - [Merge strategies](#merge-strategies)
  - [Changelog](#changelog)
 - [Releases](#releases)
  - [Publishing a release](#publishing-a-release)
    - [Release Candidates](#release-candidates)
    - [AUR](#aur)
    - [Docker](#docker)
    - [Homebrew](#homebrew)
    - [nixpkgs](#nixpkgs)
    - [npm](#npm)
 - [Syncing with upstream Code](#syncing-with-upstream-code)
 - [Testing](#testing)
 - [Documentation](#documentation)
  - [Troubleshooting](#troubleshooting)
@ -28,138 +17,41 @@
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 <!-- prettier-ignore-end -->
-This document is meant to serve current and future maintainers of code-server,
+We keep code-server up to date with VS Code releases (there are usually two or
-as well as share our workflow for maintaining the project.
+three a month) but we are not generally actively developing code-server aside
 from fixing regressions.
-## Team
+Most of the work is keeping on top of issues and discussions.
-Current maintainers:
+## Releasing
- @code-asher
+1. Check that the changelog lists all the important changes.
- @jsjoeio
+2. Make sure the changelog entry lists the current version of VS Code.
-
+3. Update the changelog with the release date.
-Occasionally, other Coder employees may step in time to time to assist with code-server.
+4. Go to GitHub Actions > Draft release > Run workflow on the commit you want to
-
+   release. Make sure CI has finished the build workflow on that commit or this
-### Onboarding
+   will fail. For the version we match VS Code's minor and patch version. The
-
+   patch number may become temporarily out of sync if we need to put out a
-To onboard a new maintainer to the project, please make sure to do the following:
+   patch, but if we make our own minor change then we will not release it until
-
+   the next minor VS Code release.
- [ ] Add to [coder/code-server](https://github.com/orgs/coder/teams/code-server)
+5. CI will automatically grab the build artifact on that commit (which is why CI
- [ ] Add as Admin under [Repository Settings > Access](https://github.com/coder/code-server/settings/access)
+   has to have completed), inject the provided version into the `package.json`,
- [ ] Add to [npm Coder org](https://www.npmjs.com/org/coder)
+   put together platform-specific packages, and upload those packages to a draft
- [ ] Add as [AUR maintainer](https://aur.archlinux.org/packages/code-server/) (talk to Colin)
+   release.
- [ ] Introduce to community via Discussion (see [example](https://github.com/coder/code-server/discussions/3955))
+6. Update the resulting draft release with the changelog contents.
-
+7. Publish the draft release after validating it.
-### Offboarding
+8. Bump the Helm chart version once the Docker images have published.
 Very similar to Onboarding but Remove maintainer from all teams and revoke access. Please also do the following:
 - [ ] Write farewell post via Discussion (see [example](https://github.com/coder/code-server/discussions/3933))
 ## Workflow
 The workflow used by code-server maintainers aims to be easy to understood by
 the community and easy enough for new maintainers to jump in and start
 contributing on day one.
 ### Milestones
 We operate mainly using
 [milestones](https://github.com/coder/code-server/milestones). This was heavily
 inspired by our friends over at [vscode](https://github.com/microsoft/vscode).
 Here are the milestones we use and how we use them:
 - "Backlog" -> Work not yet planned for a specific release.
 - "On Deck" -> Work under consideration for upcoming milestones.
 - "Backlog Candidates" -> Work that is not yet accepted for the backlog. We wait
  for the community to weigh in.
 - "<Month>" -> Work to be done for said month.
 With this flow, any un-assigned issues are essentially in triage state. Once
 triaged, issues are either "Backlog" or "Backlog Candidates". They will
 eventually move to "On Deck" (or be closed). Lastly, they will end up on a
 version milestone where they will be worked on.
 ### Triage
 We use the following process for triaging GitHub issues:
 1. Create an issue
 1. Add appropriate labels to the issue (including "needs-investigation" if we
   should look into it further)
 1. Add the issue to a milestone
   1. If it should be fixed soon, add to version milestone or "On Deck"
   2. If not urgent, add to "Backlog"
   3. Otherwise, add to "Backlog Candidate" for future consideration
 ## Versioning
 `<major.minor.patch>`
 The code-server project follows traditional [semantic
 versioning](https://semver.org/), with the objective of minimizing major changes
 that break backward compatibility. We increment the patch level for all
 releases, except when the upstream Visual Studio Code project increments its
 minor version or we change the plugin API in a backward-compatible manner. In
 those cases, we increment the minor version rather than the patch level.
 ## Pull requests
 Ideally, every PR should fix an issue. If it doesn't, make sure it's associated
 with a version milestone.
 If a PR does fix an issue, don't add it to the version milestone. Otherwise, the
 version milestone will have duplicate information: the issue and the PR fixing
 the issue.
 ### Merge strategies
 For most things, we recommend the **squash and merge** strategy. There
 may be times where **creating a merge commit** makes sense as well. Use your
 best judgment. If you're unsure, you can always discuss in the PR with the team.
 ### Changelog
 To save time when creating a new release for code-server, we keep a running
 changelog at `CHANGELOG.md`.
 If either the author or reviewer of a PR believes the change should be mentioned
 in the changelog, then it should be added.
 If there is not a **Next Version** when you modify `CHANGELOG.md`, please add it
 using the template you see near the top of the changelog.
 When writing your changelog item, ask yourself:
 1. How do these changes affect code-server users?
 2. What actions do they need to take (if any)?
 If you need inspiration, we suggest looking at the [Emacs
 changelog](https://github.com/emacs-mirror/emacs/blob/master/etc/NEWS).
 ## Releases
 ### Publishing a release
 1. Create a new branch called `release/v0.0.0` (replace 0s with actual version aka v4.5.0)
 1. Run `yarn release:prep`
 1. Bump chart version in `Chart.yaml`.
 1. Summarize the major changes in the `CHANGELOG.md`
 1. Download CI artifacts and make sure code-server works locally.
 1. Merge PR and wait for CI build on `main` to finish.
 1. Go to GitHub Actions > Draft release > Run workflow off `main`. CI will automatically upload the artifacts to the release.
 1. Add the release notes from the `CHANGELOG.md` and publish release. CI will automatically grab the
   artifacts, publish the NPM package from `npm-package`, and publish the Docker
   Hub image from `release-images`.
 #### Release Candidates
-We prefer to do release candidates so the community can test things before a full-blown release. To do this follow the same steps as above but:
+We prefer to do release candidates so the community can test things before a
 full-blown release. To do this follow the same steps as above but:
-1. Only bump version in `package.json`
+1. Add a `-rc.<number>` suffix to the version.
-1. use `0.0.0-rc.0`
+2. When you publish the release select "pre-release". CI will not automatically
-1. When you publish the release, select "pre-release"
+   publish pre-releases.
 3. Do not update the chart version or merge in the changelog until the final
   release.
 #### AUR
@ -167,7 +59,7 @@ We publish to AUR as a package [here](https://aur.archlinux.org/packages/code-se
 #### Docker
-We publish code-server as a Docker image [here](https://registry.hub.docker.com/r/codercom/code-server), tagging it both with the version and latest.
+We publish code-server as a Docker image [here](https://hub.docker.com/r/codercom/code-server), tagging it both with the version and latest.
 This is currently automated with the release process.
@ -182,37 +74,44 @@ This is currently automated with the release process (but may fail occasionally)
 brew bump-formula-pr --version="${VERSION}" code-server --no-browse --no-audit
 ```
 #### nixpkgs
 We publish code-server in nixpkgs but it must be updated manually.
 #### npm
 We publish code-server as a npm package [here](https://www.npmjs.com/package/code-server/v/latest).
 This is currently automated with the release process.
 ## Syncing with upstream Code
 Refer to the [contributing docs](https://coder.com/docs/code-server/latest/CONTRIBUTING#version-updates-to-code) for information on how to update Code within code-server.
 ## Testing
 Our testing structure is laid out under our [Contributing docs](https://coder.com/docs/code-server/latest/CONTRIBUTING#test).
 We hope to eventually hit 100% test coverage with our unit tests, and maybe one day our scripts (coverage not tracked currently).
 If you're ever looking to add more tests, here are a few ways to get started:
- run `yarn test:unit` and look at the coverage chart. You'll see all the uncovered lines. This is a good place to start.
+- run `npm run test:unit` and look at the coverage chart. You'll see all the
- look at `test/scripts` to see which scripts are tested. We can always use more tests there.
+  uncovered lines. This is a good place to start.
 - look at `test/scripts` to see which scripts are tested. We can always use more
  tests there.
 - look at `test/e2e`. We can always use more end-to-end tests.
-Otherwise, talk to a current maintainer and ask which part of the codebase is lacking most when it comes to tests.
+Otherwise, talk to a current maintainer and ask which part of the codebase is
 lacking most when it comes to tests.
 ## Documentation
 ### Troubleshooting
-Our docs are hosted on [Vercel](https://vercel.com/). Vercel only shows logs in realtime, which means you need to have the logs open in one tab and reproduce your error in another tab. Since our logs are private to Coder the organization, you can only follow these steps if you're a Coder employee. Ask a maintainer for help if you need it.
+Our docs are hosted on [Vercel](https://vercel.com/). Vercel only shows logs in
 realtime, which means you need to have the logs open in one tab and reproduce
 your error in another tab. Since our logs are private to Coder the organization,
 you can only follow these steps if you're a Coder employee. Ask a maintainer for
 help if you need it.
-Taking a real scenario, let's say you wanted to troubleshoot [this docs change](https://github.com/coder/code-server/pull/4042). Here is how you would do it:
+Taking a real scenario, let's say you wanted to troubleshoot [this docs
 change](https://github.com/coder/code-server/pull/4042). Here is how you would
 do it:
 1. Go to https://vercel.com/codercom/codercom
 2. Click "View Function Logs"
--- a/docs/README.md
+++ b/docs/README.md
@ -1,11 +1,12 @@
 # code-server
-[!["GitHub Discussions"](https://img.shields.io/badge/%20GitHub-%20Discussions-gray.svg?longCache=true&logo=github&colorB=purple)](https://github.com/coder/code-server/discussions) [!["Join us on Slack"](https://img.shields.io/badge/join-us%20on%20slack-gray.svg?longCache=true&logo=slack&colorB=brightgreen)](https://coder.com/community) [![Twitter Follow](https://img.shields.io/twitter/follow/CoderHQ?label=%40CoderHQ&style=social)](https://twitter.com/coderhq) [![codecov](https://codecov.io/gh/coder/code-server/branch/main/graph/badge.svg?token=5iM9farjnC)](https://codecov.io/gh/coder/code-server) [![See latest](https://img.shields.io/static/v1?label=Docs&message=see%20latest&color=blue)](https://coder.com/docs/code-server/latest)
+[!["GitHub Discussions"](https://img.shields.io/badge/%20GitHub-%20Discussions-gray.svg?longCache=true&logo=github&colorB=purple)](https://github.com/coder/code-server/discussions) [!["Join us on Slack"](https://img.shields.io/badge/join-us%20on%20slack-gray.svg?longCache=true&logo=slack&colorB=brightgreen)](https://coder.com/community) [![Twitter Follow](https://img.shields.io/twitter/follow/CoderHQ?label=%40CoderHQ&style=social)](https://twitter.com/coderhq) [![Discord](https://img.shields.io/discord/747933592273027093)](https://discord.com/invite/coder) [![codecov](https://codecov.io/gh/coder/code-server/branch/main/graph/badge.svg?token=5iM9farjnC)](https://codecov.io/gh/coder/code-server) [![See latest](https://img.shields.io/static/v1?label=Docs&message=see%20latest&color=blue)](https://coder.com/docs/code-server/latest)
 Run [VS Code](https://github.com/Microsoft/vscode) on any machine anywhere and
 access it in the browser.
-![Screenshot](./assets/screenshot.png)
+![Screenshot](./assets/screenshot-1.png)
 ![Screenshot](./assets/screenshot-2.png)
 ## Highlights
@ -16,14 +17,14 @@ access it in the browser.
 ## Requirements
-See [requirements](requirements.md) for minimum specs, as well as instructions
+See [requirements](https://coder.com/docs/code-server/latest/requirements) for minimum specs, as well as instructions
 on how to set up a Google VM on which you can install code-server.
 **TL;DR:** Linux machine with WebSockets enabled, 1 GB RAM, and 2 vCPUs
 ## Getting started
-There are four ways to get started:
+There are five ways to get started:
 1. Using the [install
   script](https://github.com/coder/code-server/blob/main/install.sh), which
@ -34,6 +35,9 @@ There are four ways to get started:
 3. Deploy code-server to your team with [coder/coder](https://cdr.co/coder-github)
 4. Using our one-click buttons and guides to [deploy code-server to a cloud
   provider](https://github.com/coder/deploy-code-server) ⚡
 5. Using the [code-server feature for
   devcontainers](https://github.com/coder/devcontainer-features/blob/main/src/code-server/README.md),
   if you already use devcontainers in your project.
 If you use the install script, you can preview what occurs during the install
 process:
@ -72,7 +76,7 @@ details.
 Interested in [working at Coder](https://coder.com/careers)? Check out [our open
 positions](https://coder.com/careers#openings)!
-## For Organizations
+## For Teams
-Want remote development for your organization or enterprise? Visit [our
+We develop [coder/coder](https://cdr.co/coder-github) to help teams to
-website](https://coder.com) to learn more about Coder.
+adopt remote development.
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@ -17,10 +17,8 @@ We use the following tools to help us stay on top of vulnerability mitigation.
    - Comprehensive vulnerability scanner that runs on PRs into the default
      branch and scans both our container image and repository code (see
      `trivy-scan-repo` and `trivy-scan-image` jobs in `build.yaml`)
- [`audit-ci`](https://github.com/IBM/audit-ci)
+- `npm audit`
-  - Audits npm and Yarn dependencies in CI (see `Audit for vulnerabilities` step
+  - Audits NPM dependencies.
    in `build.yaml`) on PRs into the default branch and fails CI if moderate or
    higher vulnerabilities (see the `audit.sh` script) are present.
 ## Supported Versions
--- a/docs/android.md
+++ b/docs/android.md
@ -11,13 +11,21 @@ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash
 ```
 6. Exit the terminal using `exit` and then reopen the terminal
-7. Install and use Node.js 16:
+7. Install and use Node.js 22:
 ```shell
-nvm install 16
+nvm install 22
-nvm use 16
+nvm use 22
 ```
-8. Install code-server globally on device with: `npm install --global code-server --unsafe-perm`
+8. Install code-server globally on device with: `npm install --global code-server`
 9. Run code-server with `code-server`
 10. Access on localhost:8080 in your browser
 # Running code-server using Nix-on-Droid
 1. Install Nix-on-Droid from [F-Droid](https://f-droid.org/packages/com.termux.nix/)
 2. Start app
 3. Spawn a shell with code-server by running `nix-shell -p code-server`
 4. Run code-server with `code-server`
 5. Access on localhost:8080 in your browser
--- a/docs/assets/screenshot-1.png
+++ b/docs/assets/screenshot-1.png
--- a/docs/assets/screenshot-2.png
+++ b/docs/assets/screenshot-2.png
--- a/docs/assets/screenshot.png
+++ b/docs/assets/screenshot.png
--- a/docs/coder.md
+++ b/docs/coder.md
@ -0,0 +1,48 @@
 # Coder
 To install and run code-server in a Coder workspace, we suggest using the `install.sh`
 script in your template like so:
 ```terraform
 resource "coder_agent" "dev" {
  arch           = "amd64"
  os             = "linux"
  startup_script = <<EOF
    #!/bin/sh
    set -x
    # install and start code-server
    curl -fsSL https://code-server.dev/install.sh | sh -s -- --version 4.8.3
    code-server --auth none --port 13337 &
    EOF
 }
 resource "coder_app" "code-server" {
  agent_id     = coder_agent.dev.id
  slug         = "code-server"
  display_name = "code-server"
  url          = "http://localhost:13337/"
  icon         = "/icon/code.svg"
  subdomain    = false
  share        = "owner"
  healthcheck {
    url       = "http://localhost:13337/healthz"
    interval  = 3
    threshold = 10
  }
 }
 ```
 Or use our official [`code-server`](https://registry.coder.com/modules/code-server) module from the Coder [module registry](htpps://registry.coder.com/modules):
 ```terraform
 module "code-server" {
  source     = "registry.coder.com/modules/code-server/coder"
  version    = "1.0.5"
  agent_id   = coder_agent.example.id
  extensions = ["dracula-theme.theme-dracula", "ms-azuretools.vscode-docker"]
 }
 ```
 If you run into issues, ask for help on the `coder/coder` [Discussions
 here](https://github.com/coder/coder/discussions).
--- a/docs/guide.md
+++ b/docs/guide.md
@ -14,13 +14,17 @@
 - [Accessing web services](#accessing-web-services)
  - [Using a subdomain](#using-a-subdomain)
  - [Using a subpath](#using-a-subpath)
  - [Using your own proxy](#using-your-own-proxy)
  - [Stripping `/proxy/<port>` from the request path](#stripping-proxyport-from-the-request-path)
  - [Proxying to create a React app](#proxying-to-create-a-react-app)
  - [Proxying to a Vue app](#proxying-to-a-vue-app)
  - [Proxying to an Angular app](#proxying-to-an-angular-app)
- [SSH into code-server on VS Code](#ssh-into-code-server-on-vs-code)
+  - [Proxying to a Svelte app](#proxying-to-a-svelte-app)
-  - [Option 1: cloudflared tunnel](#option-1-cloudflared-tunnel)
+  - [Prefixing `/absproxy/<port>` with a path](#prefixing-absproxyport-with-a-path)
-  - [Option 2: ngrok tunnel](#option-2-ngrok-tunnel)
+  - [Preflight requests](#preflight-requests)
 - [Internationalization and customization](#internationalization-and-customization)
  - [Available keys and placeholders](#available-keys-and-placeholders)
  - [Legacy flag](#legacy-flag)
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 <!-- prettier-ignore-end -->
@ -119,27 +123,27 @@ access code-server on an iPad or do not want to use SSH port forwarding.
 1. This option requires that the remote machine be exposed to the internet. Make sure that your instance allows HTTP/HTTPS traffic.
-1. You'll need a domain name (if you don't have one, you can purchase one from
+2. You'll need a domain name (if you don't have one, you can purchase one from
   [Google Domains](https://domains.google.com) or the domain service of your
-   choice)). Once you have a domain name, add an A record to your domain that contains your
+   choice). Once you have a domain name, add an A record to your domain that contains your
   instance's IP address.
-1. Install [Caddy](https://caddyserver.com/docs/download#debian-ubuntu-raspbian):
+3. Install [Caddy](https://caddyserver.com/docs/download#debian-ubuntu-raspbian):
-```console
+   ```console
-sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
+   sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
-curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
+   curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
-curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
+   curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
-sudo apt update
+   sudo apt update
-sudo apt install caddy
+   sudo apt install caddy
-```
+   ```
-1. Replace `/etc/caddy/Caddyfile` using `sudo` so that the file looks like this:
+4. Replace `/etc/caddy/Caddyfile` using `sudo` so that the file looks like this:
   ```text
-   mydomain.com
+   mydomain.com {
-
+     reverse_proxy 127.0.0.1:8080
-   reverse_proxy 127.0.0.1:8080
+   }
   ```
   If you want to serve code-server from a sub-path, you can do so as follows:
@ -153,7 +157,7 @@ sudo apt install caddy
   Remember to replace `mydomain.com` with your domain name!
-1. Reload Caddy:
+5. Reload Caddy:
   ```console
   sudo systemctl reload caddy
@ -164,21 +168,22 @@ At this point, you should be able to access code-server via
 ### Using Let's Encrypt with NGINX
-1. This option requires that the remote machine be exposed to the internet. Make sure that your instance allows HTTP/HTTPS traffic.
+1. This option requires that the remote machine be exposed to the internet. Make
   sure that your instance allows HTTP/HTTPS traffic.
-1. You'll need a domain name (if you don't have one, you can purchase one from
+2. You'll need a domain name (if you don't have one, you can purchase one from
   [Google Domains](https://domains.google.com) or the domain service of your
-   choice)). Once you have a domain name, add an A record to your domain that contains your
+   choice). Once you have a domain name, add an A record to your domain that contains your
   instance's IP address.
-1. Install NGINX:
+3. Install NGINX:
   ```bash
   sudo apt update
   sudo apt install -y nginx certbot python3-certbot-nginx
   ```
-1. Update `/etc/nginx/sites-available/code-server` using sudo with the following
+4. Update `/etc/nginx/sites-available/code-server` using sudo with the following
   configuration:
   ```text
@ -189,7 +194,7 @@ At this point, you should be able to access code-server via
       location / {
         proxy_pass http://localhost:8080/;
-         proxy_set_header Host $host;
+         proxy_set_header Host $http_host;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection upgrade;
         proxy_set_header Accept-Encoding gzip;
@ -199,13 +204,11 @@ At this point, you should be able to access code-server via
   Be sure to replace `mydomain.com` with your domain name!
-1. Enable the config:
+5. Enable the config:
   ```console
   sudo ln -s ../sites-available/code-server /etc/nginx/sites-enabled/code-server
   sudo certbot --non-interactive --redirect --agree-tos --nginx -d mydomain.com -m me@example.com
   ```
   Be sure to replace `me@example.com` with your actual email.
 At this point, you should be able to access code-server via
@ -271,9 +274,9 @@ should see OSSStatus: 9836 in the browser console.
 If you want to use external authentication mechanism (e.g., Sign in with
 Google), you can do this with a reverse proxy such as:
- [Pomerium](https://www.pomerium.io/guides/code-server.html)
+- [Pomerium](https://www.pomerium.com/docs/guides/code-server.html)
- [oauth2_proxy](https://github.com/pusher/oauth2_proxy)
+- [oauth2-proxy](https://oauth2-proxy.github.io/oauth2-proxy/)
- [Cloudflare Access](https://teams.cloudflare.com/access)
+- [Cloudflare Access](https://www.cloudflare.com/zero-trust/products/access/)
 ## HTTPS and self-signed certificates
@ -292,7 +295,9 @@ redirect all HTTP requests to HTTPS.
 > You can use [Let's Encrypt](https://letsencrypt.org/) to get a TLS certificate
 > for free.
-Note: if you set `proxy_set_header Host $host;` in your reverse proxy config, it will change the address displayed in the green section of code-server in the bottom left to show the correct address.
+Note: if you set `proxy_set_header Host $host;` in your reverse proxy config, it
 will change the address displayed in the green section of code-server in the
 bottom left to show the correct address.
 ## Accessing web services
@ -316,12 +321,32 @@ To set your domain, start code-server with the `--proxy-domain` flag:
 code-server --proxy-domain <domain>
 ```
-Now you can browse to `<port>.<domain>`. Note that this uses the host header, so
+For instance, if you have code-server exposed on `domain.tld` and a Python
-ensure your reverse proxy (if you're using one) forwards that information.
+server running on port 8080 of the same machine code-server is running on, you
 could run code-server with `--proxy-domain domain.tld` and access the Python
 server via `8080.domain.tld`.
 Note that this uses the host header, so ensure your reverse proxy (if you're
 using one) forwards that information.
 ### Using a subpath
-Simply browse to `/proxy/<port>/`.
+Simply browse to `/proxy/<port>/`. For instance, if you have code-server
 exposed on `domain.tld` and a Python server running on port 8080 of the same
 machine code-server is running on, you could access the Python server via
 `domain.tld/proxy/8000`.
 ### Using your own proxy
 You can make extensions and the ports panel use your own proxy by setting
 `VSCODE_PROXY_URI`. For example if you set
 `VSCODE_PROXY_URI=https://{{port}}.kyle.dev` when an application is detected
 running on port 3000 of the same machine code-server is running on the ports
 panel will create a link to https://3000.kyle.dev instead of pointing to the
 built-in subpath-based proxy.
 Note: relative paths are also supported i.e.
 `VSCODE_PROXY_URI=./proxy/{{port}}`
 ### Stripping `/proxy/<port>` from the request path
@ -358,14 +383,16 @@ PUBLIC_URL=/absproxy/3000 \
  BROWSER=none yarn start
 ```
-You should then be able to visit `https://my-code-server-address.io/absproxy/3000` to see your app exposed through
+You should then be able to visit
-code-server!
+`https://my-code-server-address.io/absproxy/3000` to see your app exposed
 through code-server.
 > We highly recommend using the subdomain approach instead to avoid this class of issue.
 ### Proxying to a Vue app
-Similar to the situation with React apps, you have to make a few modifications to proxy a Vue app.
+Similar to the situation with React apps, you have to make a few modifications
 to proxy a Vue app.
 1. add `vue.config.js`
 2. update the values to match this (you can use any free port):
@ -386,99 +413,100 @@ Read more about `publicPath` in the [Vue.js docs](https://cli.vuejs.org/config/#
 ### Proxying to an Angular app
-In order to use code-server's built-in proxy with Angular, you need to make the following changes in your app:
+In order to use code-server's built-in proxy with Angular, you need to make the
 following changes in your app:
 1. use `<base href="./.">` in `src/index.html`
 2. add `--serve-path /absproxy/4200` to `ng serve` in your `package.json`
 For additional context, see [this GitHub Discussion](https://github.com/coder/code-server/discussions/5439#discussioncomment-3371983).
-## SSH into code-server on VS Code
+### Proxying to a Svelte app
-[![SSH](https://img.shields.io/badge/SSH-363636?style=for-the-badge&logo=GNU+Bash&logoColor=ffffff)](https://ohmyz.sh/) [![Terminal](https://img.shields.io/badge/Terminal-2E2E2E?style=for-the-badge&logo=Windows+Terminal&logoColor=ffffff)](https://img.shields.io/badge/Terminal-2E2E2E?style=for-the-badge&logo=Windows+Terminal&logoColor=ffffff) [![Visual Studio Code](https://img.shields.io/badge/Visual_Studio_Code-007ACC?style=for-the-badge&logo=Visual+Studio+Code&logoColor=ffffff)](vscode:extension/ms-vscode-remote.remote-ssh)
+In order to use code-server's built-in proxy with Svelte, you need to make the
 following changes in your app:
-Follow these steps where code-server is running:
+1. Add `svelte.config.js` if you don't already have one
 2. Update the values to match this (you can use any free port):
-1. Install `openssh-server`, `wget`, and `unzip`.
+```js
-
+const config = {
-```bash
+  kit: {
-# example for Debian and Ubuntu operating systems
+    paths: {
-sudo apt update
+      base: "/absproxy/5173",
-sudo apt install wget unzip openssh-server
+    },
  },
 }
 ```
-2. Start the SSH server and set the password for your user, if you haven't already. If you use [deploy-code-server](https://github.com/coder/deploy-code-server),
+3. Access app at `<code-server-root>/absproxy/5173/` e.g. `http://localhost:8080/absproxy/5173/
-```bash
+For additional context, see [this Github Issue](https://github.com/sveltejs/kit/issues/2958)
-sudo service ssh start
+
-sudo passwd {user} # replace user with your code-server user
+### Prefixing `/absproxy/<port>` with a path
 This is a case where you need to serve an application via `absproxy` as
 explained above while serving code-server itself from a path other than the root
 in your domain.
 For example: `http://my-code-server.com/user/123/workspace/my-app`. To achieve
 this result:
 1. Start code-server with the switch `--abs-proxy-base-path=/user/123/workspace`
 2. Follow one of the instructions above for your framework.
 ### Preflight requests
 By default, if you have auth enabled, code-server will authenticate all proxied
 requests including preflight requests. This can cause issues because preflight
 requests do not typically include credentials. To allow all preflight requests
 through the proxy without authentication, use `--skip-auth-preflight`.
 ## Internationalization and customization
 code-server allows you to provide a JSON file to configure certain strings. This
 can be used for both internationalization and customization.
 Create a JSON file with your custom strings:
 ```json
 {
  "WELCOME": "Welcome to {{app}}",
  "LOGIN_TITLE": "{{app}} Access Portal",
  "LOGIN_BELOW": "Please log in to continue",
  "PASSWORD_PLACEHOLDER": "Enter Password"
 }
 ```
-### Option 1: cloudflared tunnel
+Then reference the file:
 [![Cloudflared](https://img.shields.io/badge/Cloudflared-E4863B?style=for-the-badge&logo=cloudflare&logoColor=ffffff)](https://github.com/cloudflare/cloudflared)
 1.  Install [cloudflared](https://github.com/cloudflare/cloudflared#installing-cloudflared) on your local computer and remote server
 2.  Then go to `~/.ssh/config` and add the following on your local computer:
 ```shell
-Host *.trycloudflare.com
+code-server --i18n /path/to/custom-strings.json
 HostName %h
 User user
 Port 22
 ProxyCommand "cloudflared location" access ssh --hostname %h
 ```
-3. Run `cloudflared tunnel --url ssh://localhost:22` on the remote server
+Or this can be done in the config file:
-4. Finally on VS Code or any IDE that supports SSH, run `ssh user@https://your-link.trycloudflare.com` or `ssh user@your-link.trycloudflare.com`
+```yaml
-
+i18n: /path/to/custom-strings.json
 ### Option 2: ngrok tunnel
 [![Ngrok](https://img.shields.io/badge/Ngrok-1F1E37?style=for-the-badge&logo=ngrok&logoColor=ffffff)](https://ngrok.com/)
 1.  Make a new account for ngrok [here](https://dashboard.ngrok.com/login)
 2.  Now, get the ngrok binary with `wget` and unzip it with `unzip`:
 ```bash
 wget "https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip"
 unzip "ngrok-stable-linux-amd64.zip"
 ```
-5.  Then, go to [dashboard.ngrok.com](https://dashboard.ngrok.com) and go to the `Your Authtoken` section.
+You can combine this with the `--locale` flag to configure language support for
-6.  Copy the Authtoken shown there.
+both code-server and VS Code in cases where code-server has no support but VS
-7.  Now, go to the folder where you unzipped ngrok and store the Authtoken from the ngrok Dashboard.
+Code does. If you are using this for internationalization, please consider
 sending us a pull request to contribute it to `src/node/i18n/locales`.
-```bash
+### Available keys and placeholders
 ./ngrok authtoken YOUR_AUTHTOKEN # replace YOUR_AUTHTOKEN with the ngrok authtoken.
 ```
-8.  Now, forward port 22, which is the SSH port with this command:
+Refer to [../src/node/i18n/locales/en.json](../src/node/i18n/locales/en.json)
 for a full list of the available keys for translations. Note that the only
 placeholders supported for each key are the ones used in the default string.
-```bash
+The `--app-name` flag controls the `{{app}}` placeholder in templates. If you
-./ngrok tcp 22
+want to change the name, you can either:
 ```
-Now, you get a screen in the terminal like this:
+1. Set `--app-name` (potentially alongside `--i18n`)
 2. Use `--i18n` and hardcode the name in your strings
-```console
+### Legacy flag
 ngrok by @inconshreveable(Ctrl+C to quit)
-Session Status                online
+The `--welcome-text` flag is now deprecated. Use the `WELCOME` key instead.
 Account                       {Your name} (Plan: Free)
 Version                       2.3.40
 Region                        United States (us)
 Web Interface                 http://127.0.0.1:4040
 Forwarding                    tcp://0.tcp.ngrok.io:19028 -> localhost:22
 ```
 In this case, copy the forwarded link `0.tcp.ngrok.io` and remember the port number `19028`. Type this on your local Visual Studio Code:
 ```bash
 ssh user@0.tcp.ngrok.io -p 19028
 ```
 The port redirects you to the default SSH port 22, and you can then successfully connect to code-server by entering the password you set for the user.
 Note: the port and the url provided by ngrok will change each time you run it so modify as needed.
--- a/docs/install.md
+++ b/docs/install.md
@ -59,6 +59,7 @@ following flags:
 - `--prefix=/usr/local`: install a standalone release archive system-wide.
 - `--version=X.X.X`: install version `X.X.X` instead of latest version.
 - `--help`: see usage docs.
 - `--edge`: install the latest edge version (i.e. pre-release)
 When done, the install script prints out instructions for running and starting
 code-server.
@ -81,13 +82,11 @@ _exact_ same commands presented in the rest of this document.
 - For Arch Linux, code-server will install the AUR package.
 - For any unrecognized Linux operating system, code-server will install the
  latest standalone release into `~/.local`.
  - Ensure that you add `~/.local/bin` to your `$PATH` to run code-server.
 - For macOS, code-server will install the Homebrew package (if you don't have
  Homebrew installed, code-server will install the latest standalone release
  into `~/.local`).
  - Ensure that you add `~/.local/bin` to your `$PATH` to run code-server.
 - For FreeBSD, code-server will install the [npm package](#npm) with `npm`
@ -102,10 +101,9 @@ _exact_ same commands presented in the rest of this document.
 We recommend installing with `npm` when:
 1. You aren't using a machine with `amd64` or `arm64`.
-1. You are installing code-server on Windows
+2. You are installing code-server on Windows.
-1. You're on Linux with `glibc` < v2.17, `glibcxx` < v3.4.18 on `amd64`, `glibc`
+3. You're on Linux with `glibc` < v2.28 or `glibcxx` < v3.4.21.
-   < v2.23, or `glibcxx` < v3.4.21 on `arm64`.
+4. You're running Alpine Linux or are using a non-glibc libc. See
 1. You're running Alpine Linux or are using a non-glibc libc. See
   [#1430](https://github.com/coder/code-server/issues/1430#issuecomment-629883198)
   for more information.
@ -122,8 +120,8 @@ node binary and node modules.
 We create the standalone releases using the [npm package](#npm), and we
 then create the remaining releases using the standalone version.
-The only requirement to use the standalone release is `glibc` >= 2.17 and
+The only requirement to use the standalone release is `glibc` >= 2.28 and
-`glibcxx` >= v3.4.18 on Linux (for macOS, there is no minimum system
+`glibcxx` >= v3.4.21 on Linux (for macOS, there is no minimum system
 requirement).
 To use a standalone release:
@ -279,6 +277,7 @@ brew services start code-server
 # outside the container.
 mkdir -p ~/.config
 docker run -it --name code-server -p 127.0.0.1:8080:8080 \
  -v "$HOME/.local:/home/coder/.local" \
  -v "$HOME/.config:/home/coder/.config" \
  -v "$PWD:/home/coder/project" \
  -u "$(id -u):$(id -g)" \
@ -296,9 +295,9 @@ You can install code-server using the [Helm package manager](https://coder.com/d
 ## Windows
-We currently [do not publish Windows releases](https://github.com/coder/code-server/issues/1397). We recommend installing code-server onto Windows with [`npm`](#npm).
+We currently [do not publish Windows
-
+releases](https://github.com/coder/code-server/issues/1397). We recommend
-> Note: You will also need to [build coder/cloud-agent manually](https://github.com/coder/cloud-agent/issues/17) if you would like to use `code-server --link` on Windows.
+installing code-server onto Windows with [`npm`](#npm).
 ## Raspberry Pi
--- a/docs/link.md
+++ b/docs/link.md
@ -1,11 +0,0 @@
 # code-server --link
 > Note: This feature is no longer recommended due to instability. Stay tuned for a revised version.
 Run code-server with the flag `--link` and you'll get TLS, authentication, and a dedicated URL
 for accessing your IDE out of the box.
 ```console
 $ code-server --link
 Proxying code-server, you can access your IDE at https://example.coder.co
 ```
--- a/docs/manifest.json
+++ b/docs/manifest.json
@ -38,9 +38,9 @@
      "path": "./guide.md",
      "children": [
        {
-          "title": "--link",
+          "title": "Coder",
-          "description": "How to run code-server --link",
+          "description": "How to run code-server in Coder",
-          "path": "./link.md"
+          "path": "./coder.md"
        },
        {
          "title": "iPad",
--- a/docs/npm.md
+++ b/docs/npm.md
@ -30,7 +30,7 @@ includes installing instructions based on your operating system.
 ## Node.js version
 We use the same major version of Node.js shipped with Code's remote, which is
-currently `16.x`. VS Code also [lists Node.js
+currently `22.x`. VS Code also [lists Node.js
 requirements](https://github.com/microsoft/vscode/wiki/How-to-Contribute#prerequisites).
 Using other versions of Node.js [may lead to unexpected
@ -62,8 +62,7 @@ Proceed to [installing](#installing)
 ## Alpine
 ```bash
-apk add alpine-sdk bash libstdc++ libc6-compat
+apk add alpine-sdk bash libstdc++ libc6-compat python3 krb5-dev
 npm config set python python3
 ```
 Proceed to [installing](#installing)
@ -79,7 +78,7 @@ Proceed to [installing](#installing)
 ## FreeBSD
 ```sh
-pkg install -y git python npm-node16 pkgconf
+pkg install -y git python npm-node22 pkgconf
 pkg install -y libinotify
 ```
@ -92,12 +91,12 @@ Installing code-server requires all of the [prerequisites for VS Code developmen
 Next, install code-server with:
 ```bash
-npm install --global code-server --unsafe-perm
+npm install --global code-server
 code-server
 # Now visit http://127.0.0.1:8080. Your password is in ~/.config/code-server/config.yaml
 ```
-A `postinstall.sh` script will attempt to run. Select your terminal (e.g., Git bash) as the default application for `.sh` files. If an additional dialog does not appear, run the install command again.
+A `postinstall.sh` script will attempt to run. Select your terminal (e.g., Git bash) as the default shell for npm run-scripts. If an additional dialog does not appear, run the install command again.
 If the `code-server` command is not found, you'll need to [add a directory to your PATH](https://www.architectryan.com/2018/03/17/add-to-the-path-on-windows-10/). To find the directory, use the following command:
@ -112,7 +111,7 @@ For help and additional troubleshooting, see [#1397](https://github.com/coder/co
 After adding the dependencies for your OS, install the code-server package globally:
 ```bash
-npm install --global code-server --unsafe-perm
+npm install --global code-server
 code-server
 # Now visit http://127.0.0.1:8080. Your password is in ~/.config/code-server/config.yaml
 ```
@ -144,8 +143,8 @@ To debug installation issues, install with `npm`:
 ```shell
 # Uninstall
-npm uninstall --global --unsafe-perm code-server > /dev/null 2>&1
+npm uninstall --global code-server > /dev/null 2>&1
 # Install with logging
-npm install --loglevel verbose --global --unsafe-perm code-server
+npm install --loglevel verbose --global code-server
 ```
--- a/docs/requirements.md
+++ b/docs/requirements.md
@ -22,7 +22,7 @@ The following steps walk you through setting up a VM running Debian using Google
 Cloud (though you are welcome to use any machine or VM provider).
 If you're [signing up with Google](https://console.cloud.google.com/getting-started) for the first time, you should get a 3-month trial with
-$300 of credits.
+\$300 of credits.
 After you sign up and create a new Google Cloud Provider (GCP) project, create a
 new Compute Engine VM instance:
--- a/docs/termux.md
+++ b/docs/termux.md
@ -8,11 +8,12 @@
 - [Upgrade](#upgrade)
 - [Known Issues](#known-issues)
  - [Git won't work in `/sdcard`](#git-wont-work-in-sdcard)
  - [Many extensions including language packs fail to install](#many-extensions-including-language-packs-fail-to-install)
 - [Extra](#extra)
  - [Keyboard Shortcuts and Tab Key](#keyboard-shortcuts-and-tab-key)
  - [Create a new user](#create-a-new-user)
  - [Install Go](#install-go)
  - [Install Python](#install-python)
  - [Working with PRoot](#working-with-proot)
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 <!-- prettier-ignore-end -->
@ -20,53 +21,9 @@
 ## Install
 1. Get [Termux](https://f-droid.org/en/packages/com.termux/) from **F-Droid**.
-2. Install Debian by running the following:
+2. Run `pkg install tur-repo`
-   - Run `termux-setup-storage` to allow storage access, or else code-server won't be able to read from `/sdcard`.\
+3. Run `pkg install code-server`
-     > The following command is from [proot-distro](https://github.com/termux/proot-distro), but you can also use [Andronix](https://andronix.app/).
+4. You can now start code server by simply running `code-server`.
     > After Debian is installed the `~ $` will change to `root@localhost`.
 ```bash
 pkg update -y && pkg install proot-distro -y && proot-distro install debian && proot-distro login debian
 ```
 3. Run the following commands to setup Debian:
 ```bash
 apt update && apt upgrade -y && apt-get install sudo vim git -y
 ```
 4. Install [NVM](https://github.com/nvm-sh/nvm#install--update-script) by following the install guide in the README, just a curl/wget command.
 5. Set up NVM for multi-user. After installing NVM it automatically adds the necessary commands for it to work, but it will only work if you are logged in as root:
   - Copy the lines NVM asks you to run after running the install script.
   - Run `nano /root/.bashrc` and comment out those lines by adding a `#` at the start.
   - Run `nano /etc/profile` and paste those lines at the end of the file. Make sure to replace `$HOME` with `/root` on the first line.
   - Now run `exit`
   - Start Debian again `proot-distro login debian`
 6. After following the instructions and setting up NVM you can now install the [required node version](https://coder.com/docs/code-server/latest/npm#nodejs-version) by running:
 ```bash
 nvm install v<major_version_here>
 ```
 7. To install `code-server` run the following:
   > To check the install process (Will not actually install code-server)
   > If it all looks good, you can install code-server by running the second command
 ```bash
 curl -fsSL https://code-server.dev/install.sh | sh -s -- --dry-run
 ```
 ```bash
 curl -fsSL https://code-server.dev/install.sh | sh
 ```
 8. You can now start code server by simply running `code-server`.
 > Consider using a new user instead of root, read [here](https://www.howtogeek.com/124950/htg-explains-why-you-shouldnt-log-into-your-linux-system-as-root/) why using root is not recommended.\
 > Learn how to add a user [here](#create-a-new-user).
 ## NPM Installation
@ -100,7 +57,7 @@ npm config set python python3
 node -v
 ```
-you will get node version `v16.15.0`
+you will get Node version `v22`
 5. Now install code-server following our guide on [installing with npm](./npm.md)
@ -113,7 +70,7 @@ code-server --auth none
 7. If already installed then use the following command for upgradation.
 ```
-npm update --global code-server --unsafe-perm
+npm update --global code-server
 ```
 ## Upgrade
@ -132,8 +89,50 @@ Potential Workaround :
 1. Create a soft-link from the debian-fs to your folder in `/sdcard`
 2. Use git from termux (preferred)
 ### Many extensions including language packs fail to install
 Issue: Android is not seen as a Linux environment but as a separate, unsupported platform, so code-server only allows [Web Extensions](https://code.visualstudio.com/api/extension-guides/web-extensions), refusing to download extensions that run on the server.\
 Fix: None\
 Potential workarounds :
 Either
 - Manually download extensions as `.vsix` file and install them via `Extensions: Install from VSIX...` in the Command Palette.
 - Use an override to pretend the platform is Linux:
 Create a JS script that patches `process.platform`:
 ```js
 // android-as-linux.js
 Object.defineProperty(process, "platform", {
  get() {
    return "linux"
  },
 })
 ```
 Then use Node's `--require` option to make sure it is loaded before `code-server` starts:
 ```sh
 NODE_OPTIONS="--require /path/to/android-as-linux.js" code-server
 ```
 ⚠️ Note that Android and Linux are not 100% compatible, so use these workarounds at your own risk. Extensions that have native dependencies other than Node or that directly interact with the OS might cause issues.
 ## Extra
 ### Keyboard Shortcuts and Tab Key
 In order to support the tab key and use keyboard shortcuts, add this to your
 settings.json:
 ```json
 {
  "keyboard.dispatch": "keyCode"
 }
 ```
 ### Create a new user
 To create a new user follow these simple steps -
@ -202,35 +201,3 @@ eval "$(pyenv virtualenv-init -)"
 7. Run `touch /root/.pyenv/version && echo "your_version_here" > /root/.pyenv/version`
 8. (You may have to start Debian again) Run `python3 -V` to verify if PATH works or not.
   > If `python3` doesn't work but pyenv says that the install was successful in step 6 then try running `$PYENV_ROOT/versions/your_version/bin/python3`.
 ### Working with PRoot
 Debian PRoot Distro Dev Environment
 - Since Node and code-server are installed in the Debian PRoot distro, your `~/.ssh/` configuration, `~/.bashrc`, git, npm packages, etc. should be setup in PRoot as well.
 - The terminal accessible in code-server will bring up the filesystem and `~/.bashrc` in the Debian PRoot distro.
 Accessing files in the Debian PRoot Distro
 - The `/data/data/com.termux/files/home` directory in PRoot accesses the termux home directory (`~`)
 - The `/sdcard` directory in PRoot accesses the Android storage directory, though there are [known issues with git and files in the `/sdcard` path](#git-wont-work-in-sdcard)
 Accessing the Debian PRoot distro/Starting code-server
 - Run the following command to access the Debian PRoot distro, from the termux shell:
 ```bash
 proot-distro login debian
 ```
 - Run the following command to start code-server directly in the Debian PRoot distro, from the termux shell:
 ```bash
 proot-distro login debian -- code-server
 ```
 - If you [created a new user](#create-a-new-user), you'll need to insert the `--user <username>` option between `login` and `debian` in the commands above to run as the user instead of root in PRoot.
 Additional information on PRoot and Termux
 - Additional information on using your Debian PRoot Distro can be [found here](https://github.com/termux/proot-distro#functionality-overview).
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@ -0,0 +1,84 @@
 import { fixupConfigRules } from "@eslint/compat"
 import globals from "globals"
 import tsParser from "@typescript-eslint/parser"
 import path from "node:path"
 import { fileURLToPath } from "node:url"
 import js from "@eslint/js"
 import { FlatCompat } from "@eslint/eslintrc"
 const __filename = fileURLToPath(import.meta.url)
 const __dirname = path.dirname(__filename)
 const compat = new FlatCompat({
  baseDirectory: __dirname,
  recommendedConfig: js.configs.recommended,
  allConfig: js.configs.all,
 })
 export default [
  ...fixupConfigRules(
    compat.extends(
      "eslint:recommended",
      "plugin:@typescript-eslint/recommended",
      "plugin:import/recommended",
      "plugin:import/typescript",
      "plugin:prettier/recommended",
      "prettier",
    ),
  ),
  {
    languageOptions: {
      globals: {
        ...globals.browser,
        ...globals.jest,
        ...globals.node,
      },
      parser: tsParser,
      ecmaVersion: 2018,
      sourceType: "module",
    },
    settings: {
      "import/resolver": {
        typescript: {
          alwaysTryTypes: true,
        },
      },
    },
    rules: {
      "@typescript-eslint/no-unused-vars": [
        "error",
        {
          args: "none",
        },
      ],
      "no-dupe-class-members": "off",
      "@typescript-eslint/no-use-before-define": "off",
      "@typescript-eslint/no-non-null-assertion": "off",
      "@typescript-eslint/ban-types": "off",
      "@typescript-eslint/no-var-requires": "off",
      "@typescript-eslint/explicit-module-boundary-types": "off",
      "@typescript-eslint/no-explicit-any": "off",
      "@typescript-eslint/no-extra-semi": "off",
      "@typescript-eslint/no-require-imports": "off",
      "@typescript-eslint/no-unused-vars": "off", // TODO: Fix these.
      "@typescript-eslint/no-empty-object-type": "off",
      eqeqeq: "error",
      "import/order": [
        "error",
        {
          alphabetize: {
            order: "asc",
          },
          groups: [["builtin", "external", "internal"], "parent", "sibling"],
        },
      ],
      "no-async-promise-executor": "off",
    },
  },
 ]
--- a/flake.lock
+++ b/flake.lock
@ -1,12 +1,15 @@
 {
  "nodes": {
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1659877975,
+        "lastModified": 1731533236,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@ -17,16 +20,18 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1660639432,
+        "lastModified": 1739303263,
-        "narHash": "sha256-2WDiboOCfB0LhvnDVMXOAr8ZLDfm3WdO54CkoDPwN1A=",
+        "narHash": "sha256-c/Z/6gZLN8BIpYh1B3qMzEn0TArjf4F2lmy59lDLVBM=",
-        "owner": "NixOS",
+        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "6c6409e965a6c883677be7b9d87a95fab6c3472e",
+        "rev": "6cc4213488e886db863878a1e3dc26cc932d38b8",
        "type": "github"
      },
      "original": {
-        "id": "nixpkgs",
+        "owner": "nixos",
-        "type": "indirect"
+        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
@ -34,6 +39,21 @@
        "flake-utils": "flake-utils",
        "nixpkgs": "nixpkgs"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -1,20 +1,32 @@
 {
  description = "code-server";
-  inputs.flake-utils.url = "github:numtide/flake-utils";
+  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
    flake-utils.url = "github:numtide/flake-utils";
  };
  outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem
      (system:
        let pkgs = nixpkgs.legacyPackages.${system};
-            nodejs = pkgs.nodejs-16_x;
+            nodejs = pkgs.nodejs_22;
            yarn' = pkgs.yarn.override { inherit nodejs; };
        in {
          devShells.default = pkgs.mkShell {
            nativeBuildInputs = with pkgs; [
-              nodejs yarn' python pkg-config git rsync jq moreutils quilt bats
+              imagemagick
              nodejs
              python3
              pkg-config
              git
              rsync
              jq
              moreutils
              quilt
              bats
              openssl
            ];
-            buildInputs = with pkgs; (lib.optionals (!stdenv.isDarwin) [ libsecret ]
+            buildInputs = with pkgs; (lib.optionals (!stdenv.isDarwin) [ libsecret libkrb5 ]
                          ++ (with xorg; [ libX11 libxkbfile ])
                          ++ lib.optionals stdenv.isDarwin (with pkgs.darwin.apple_sdk.frameworks; [
                            AppKit Cocoa CoreServices Security xcbuild
--- a/install.sh
+++ b/install.sh
@ -46,7 +46,7 @@ Usage:
      Sets the prefix used by standalone release archives. Defaults to ~/.local
      The release is unarchived into ~/.local/lib/code-server-X.X.X
      and the binary symlinked into ~/.local/bin/code-server
-      To install system wide pass ---prefix=/usr/local
+      To install system wide pass --prefix=/usr/local
  --rsh <bin>
      Specifies the remote shell for remote installation. Defaults to ssh.
@ -387,7 +387,7 @@ install_aur() {
  if [ ! "${DRY_RUN-}" ]; then
    cd "$CACHE_DIR/code-server-aur"
  fi
-  sh_c makepkg -si
+  sh_c makepkg -si --noconfirm
  echo_systemd_postinstall AUR
 }
@ -424,7 +424,7 @@ install_standalone() {
 }
 install_npm() {
-  echoh "Installing latest from npm."
+  echoh "Installing v$VERSION from npm."
  echoh
  NPM_PATH="${YARN_PATH-npm}"
@ -436,12 +436,12 @@ install_npm() {
    fi
    echoh "Installing with npm."
    echoh
-    "$sh_c" "$NPM_PATH" install -g code-server --unsafe-perm
+    "$sh_c" "$NPM_PATH" install -g "code-server@$VERSION" --unsafe-perm
    NPM_BIN_DIR="\$($NPM_PATH bin -g)" echo_npm_postinstall
    return
  fi
  echoerr "Please install npm to install code-server!"
-  echoerr "You will need at least node v12 and a few C dependencies."
+  echoerr "You will need at least node v20 and a few C dependencies."
  echoerr "See the docs https://coder.com/docs/code-server/latest/install#npm"
  exit 1
@ -461,9 +461,9 @@ npm_fallback() {
 # Determine if we have standalone releases on GitHub for the system's arch.
 has_standalone() {
  case $ARCH in
-    amd64) return 0 ;;
+    arm64) return 0 ;;
-    # We only have amd64 for macOS.
+    # We only have arm64 for macOS.
-    arm64)
+    amd64)
      [ "$(distro)" != macos ]
      return
      ;;
--- a/lib/vscode
+++ b/lib/vscode
@ -1 +1 @@
-Subproject commit 129500ee4c8ab7263461ffe327268ba56b9f210d
+Subproject commit 302ff6a2e235c95b88e587d4a4b6eeb1b6613297
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,7 +1,7 @@
 {
  "name": "code-server",
  "license": "MIT",
-  "version": "4.8.2",
+  "version": "0.0.0",
  "description": "Run VS Code on a remote server.",
  "homepage": "https://github.com/coder/code-server",
  "bugs": {
@ -23,90 +23,74 @@
    "test:native": "./ci/dev/test-native.sh",
    "test:scripts": "./ci/dev/test-scripts.sh",
    "package": "./ci/build/build-packages.sh",
-    "prettier": "prettier --write --loglevel=warn --cache .",
+    "prettier": "prettier --write --log-level=warn --cache .",
    "preinstall": "node ./ci/dev/preinstall.js",
    "postinstall": "./ci/dev/postinstall.sh",
    "publish:npm": "./ci/steps/publish-npm.sh",
    "publish:docker": "./ci/steps/docker-buildx-push.sh",
-    "_audit": "./ci/dev/audit.sh",
+    "fmt": "npm run prettier && ./ci/dev/doctoc.sh",
    "fmt": "yarn prettier && ./ci/dev/doctoc.sh",
    "lint:scripts": "./ci/dev/lint-scripts.sh",
    "lint:ts": "eslint --max-warnings=0 --fix $(git ls-files '*.ts' '*.js' | grep -v 'lib/vscode')",
-    "test": "echo 'Run yarn test:unit or yarn test:e2e' && exit 1",
+    "test": "echo 'Run npm run test:unit or npm run test:e2e' && exit 1",
    "ci": "./ci/dev/ci.sh",
    "watch": "VSCODE_DEV=1 VSCODE_IPC_HOOK_CLI= NODE_OPTIONS='--max_old_space_size=32384 --trace-warnings' ts-node ./ci/dev/watch.ts",
    "icons": "./ci/dev/gen_icons.sh"
  },
  "main": "out/node/entry.js",
  "devDependencies": {
-    "@schemastore/package": "^0.0.6",
+    "@eslint/compat": "^1.2.0",
-    "@types/compression": "^1.7.0",
+    "@eslint/eslintrc": "^3.1.0",
-    "@types/cookie-parser": "^1.4.2",
+    "@eslint/js": "^9.12.0",
-    "@types/express": "^4.17.8",
+    "@schemastore/package": "^0.0.10",
-    "@types/http-proxy": "^1.17.4",
+    "@types/compression": "^1.7.3",
-    "@types/js-yaml": "^4.0.0",
+    "@types/cookie-parser": "^1.4.4",
-    "@types/node": "^16.0.0",
+    "@types/eslint__js": "^8.42.3",
-    "@types/pem": "^1.9.5",
+    "@types/express": "^5.0.0",
    "@types/http-proxy": "1.17.7",
    "@types/js-yaml": "^4.0.6",
    "@types/node": "22.x",
    "@types/pem": "^1.14.1",
    "@types/proxy-from-env": "^1.0.1",
    "@types/safe-compare": "^1.1.0",
-    "@types/semver": "^7.1.0",
+    "@types/semver": "^7.5.2",
-    "@types/split2": "^3.2.0",
+    "@types/trusted-types": "^2.0.4",
-    "@types/trusted-types": "^2.0.2",
+    "@types/ws": "^8.5.5",
-    "@types/ws": "^8.5.3",
+    "doctoc": "^2.2.1",
-    "@typescript-eslint/eslint-plugin": "^5.41.0",
+    "eslint": "^9.12.0",
-    "@typescript-eslint/parser": "^5.41.0",
+    "eslint-config-prettier": "^9.0.0",
-    "audit-ci": "^6.0.0",
+    "eslint-import-resolver-typescript": "^4.4.4",
-    "doctoc": "2.2.1",
+    "eslint-plugin-import": "^2.28.1",
-    "eslint": "^8.26.0",
+    "eslint-plugin-prettier": "^5.0.0",
-    "eslint-config-prettier": "^8.5.0",
+    "globals": "^16.1.0",
-    "eslint-import-resolver-typescript": "^3.5.2",
+    "prettier": "3.6.2",
-    "eslint-plugin-import": "^2.26.0",
+    "prettier-plugin-sh": "^0.14.0",
-    "eslint-plugin-prettier": "^4.2.1",
+    "ts-node": "^10.9.1",
-    "prettier": "2.7.1",
+    "typescript": "^5.6.2",
-    "prettier-plugin-sh": "^0.12.8",
+    "typescript-eslint": "^8.8.0"
    "ts-node": "^10.0.0",
    "typescript": "^4.6.2"
  },
  "resolutions": {
    "ansi-regex": "^5.0.1",
    "normalize-package-data": "^5.0.0",
    "doctoc/underscore": "^1.13.1",
    "doctoc/**/trim": "^1.0.0",
    "postcss": "^8.2.1",
    "browserslist": "^4.16.5",
    "safe-buffer": "^5.1.1",
    "vfile-message": "^2.0.2",
    "tar": "^6.1.9",
    "path-parse": "^1.0.7",
    "vm2": "^3.9.11",
    "follow-redirects": "^1.14.8",
    "node-fetch": "^2.6.7",
    "nanoid": "^3.1.31",
    "minimist": "npm:minimist-lite@2.2.1",
    "glob-parent": "^6.0.1",
    "@types/node": "^16.0.0"
  },
  "dependencies": {
-    "@coder/logger": "^3.0.0",
+    "@coder/logger": "^3.0.1",
-    "argon2": "0.29.0",
+    "argon2": "^0.31.1",
    "compression": "^1.7.4",
-    "cookie-parser": "^1.4.5",
+    "cookie-parser": "^1.4.6",
-    "env-paths": "^2.2.0",
+    "env-paths": "^2.2.1",
-    "express": "5.0.0-alpha.8",
+    "express": "^5.0.1",
-    "http-proxy": "^1.18.0",
+    "http-proxy": "^1.18.1",
    "httpolyglot": "^0.1.2",
-    "js-yaml": "^4.0.0",
+    "i18next": "^25.3.0",
-    "limiter": "^1.1.5",
+    "js-yaml": "^4.1.0",
-    "pem": "^1.14.2",
+    "limiter": "^2.1.0",
-    "proxy-agent": "^5.0.0",
+    "pem": "^1.14.8",
-    "qs": "6.11.0",
+    "proxy-agent": "^6.3.1",
-    "rotating-file-stream": "^3.0.0",
+    "qs": "6.14.0",
-    "safe-buffer": "^5.1.1",
+    "rotating-file-stream": "^3.1.1",
    "safe-compare": "^1.1.4",
-    "semver": "^7.1.3",
+    "semver": "^7.5.4",
-    "split2": "^4.0.0",
+    "ws": "^8.14.2",
    "ws": "^8.0.0",
    "xdg-basedir": "^4.0.0"
  },
  "resolutions": {
    "@types/node": "22.x"
  },
  "bin": {
    "code-server": "out/node/entry.js"
  },
@ -116,10 +100,11 @@
    "ide",
    "coder",
    "vscode-remote",
-    "browser-ide"
+    "browser-ide",
    "remote-development"
  ],
  "engines": {
-    "node": "16"
+    "node": "22"
  },
  "jest": {
    "transform": {
--- a/patches/base-path.diff
+++ b/patches/base-path.diff
@ -10,7 +10,7 @@ Index: code-server/lib/vscode/src/vs/base/common/network.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/base/common/network.ts
 +++ code-server/lib/vscode/src/vs/base/common/network.ts
-@@ -162,7 +162,9 @@ class RemoteAuthoritiesImpl {
+@@ -237,7 +237,9 @@ class RemoteAuthoritiesImpl {
 		return URI.from({
 			scheme: platform.isWeb ? this._preferredWebSchema : Schemas.vscodeRemoteResource,
 			authority: `${host}:${port}`,
@ -46,18 +46,18 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench-dev.html
 +		<link rel="icon" href="{{BASE}}/_static/src/browser/media/favicon-dark-support.svg" />
 +		<link rel="alternate icon" href="{{BASE}}/_static/src/browser/media/favicon.ico" type="image/x-icon" />
 +		<link rel="manifest" href="{{VS_BASE}}/manifest.json" crossorigin="use-credentials" />
- 	</head>
+ 		<style id="vscode-css-modules" type="text/css" media="screen"></style>
- 	<body aria-label="">
+ 	</head>
@@ -39,7 +39,7 @@
- 	<script src="{{WORKBENCH_WEB_BASE_URL}}/out/vs/loader.js"></script>
+ 
- 	<script src="{{WORKBENCH_WEB_BASE_URL}}/out/vs/webPackagePaths.js"></script>
+ 	<!-- Startup (do not modify order of script tags!) -->
 	<script>
 -		const baseUrl = new URL('{{WORKBENCH_WEB_BASE_URL}}', window.location.origin).toString();
 +		const baseUrl = new URL('{{WORKBENCH_WEB_BASE_URL}}', window.location).toString();
- 		Object.keys(self.webPackagePaths).map(function (key, index) {
+ 		globalThis._VSCODE_FILE_ROOT = baseUrl + '/out/';
- 			self.webPackagePaths[key] = `${baseUrl}/remote/web/node_modules/${key}/${self.webPackagePaths[key]}`;
+ 	</script>
- 		});
+ 	<script>
 Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.html
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/code/browser/workbench/workbench.html
@ -83,100 +83,91 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.html
 +		<link rel="icon" href="{{BASE}}/_static/src/browser/media/favicon-dark-support.svg" />
 +		<link rel="alternate icon" href="{{BASE}}/_static/src/browser/media/favicon.ico" type="image/x-icon" />
 +		<link rel="manifest" href="{{VS_BASE}}/manifest.json" crossorigin="use-credentials" />
- 		<link data-name="vs/workbench/workbench.web.main" rel="stylesheet" href="{{WORKBENCH_WEB_BASE_URL}}/out/vs/workbench/workbench.web.main.css">
+ 		<link rel="stylesheet" href="{{WORKBENCH_WEB_BASE_URL}}/out/vs/code/browser/workbench/workbench.css">
 	</head>
-@@ -38,7 +38,7 @@
+@@ -36,7 +36,7 @@
- 	<script src="{{WORKBENCH_WEB_BASE_URL}}/out/vs/loader.js"></script>
+ 
- 	<script src="{{WORKBENCH_WEB_BASE_URL}}/out/vs/webPackagePaths.js"></script>
+ 	<!-- Startup (do not modify order of script tags!) -->
 	<script>
 -		const baseUrl = new URL('{{WORKBENCH_WEB_BASE_URL}}', window.location.origin).toString();
 +		const baseUrl = new URL('{{WORKBENCH_WEB_BASE_URL}}', window.location).toString();
- 		Object.keys(self.webPackagePaths).map(function (key, index) {
+ 		globalThis._VSCODE_FILE_ROOT = baseUrl + '/out/';
- 			self.webPackagePaths[key] = `${baseUrl}/node_modules/${key}/${self.webPackagePaths[key]}`;
+ 	</script>
- 		});
+ 	<script>
 Index: code-server/lib/vscode/src/vs/platform/remote/browser/browserSocketFactory.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/remote/browser/browserSocketFactory.ts
 +++ code-server/lib/vscode/src/vs/platform/remote/browser/browserSocketFactory.ts
-@@ -274,6 +274,7 @@ export class BrowserSocketFactory implem
+@@ -282,6 +282,7 @@ export class BrowserSocketFactory implem
- 
+ 	connect({ host, port }: WebSocketRemoteConnection, path: string, query: string, debugLabel: string): Promise<ISocket> {
- 	connect(host: string, port: number, path: string, query: string, debugLabel: string, callback: IConnectCallback): void {
+ 		return new Promise<ISocket>((resolve, reject) => {
- 		const webSocketSchema = (/^https:/.test(window.location.href) ? 'wss' : 'ws');
+ 			const webSocketSchema = (/^https:/.test(mainWindow.location.href) ? 'wss' : 'ws');
-+		path = (window.location.pathname + "/" + path).replace(/\/\/+/g, "/")
+			path = (mainWindow.location.pathname + "/" + path).replace(/\/\/+/g, "/")
- 		const socket = this._webSocketFactory.create(`${webSocketSchema}://${(/:/.test(host) && !/\[/.test(host)) ? `[${host}]` : host}:${port}${path}?${query}&skipWebSocketFrames=false`, debugLabel);
+ 			const socket = this._webSocketFactory.create(`${webSocketSchema}://${(/:/.test(host) && !/\[/.test(host)) ? `[${host}]` : host}:${port}${path}?${query}&skipWebSocketFrames=false`, debugLabel);
- 		const errorListener = socket.onError((err) => callback(err, undefined));
+ 			const disposables = new DisposableStore();
- 		socket.onOpen(() => {
+ 			disposables.add(socket.onError(reject));
@@ -282,6 +283,3 @@ export class BrowserSocketFactory implem
 		});
 	}
 }
 -
 -
 -
 Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -267,12 +267,11 @@ export class WebClientServer {
+@@ -245,7 +245,9 @@ export class WebClientServer {
- 			return res.end();
+ 		};
 		}
-		const getFirstHeader = (headerName: string) => {
+ 		// Prefix routes with basePath for clients
-			const val = req.headers[headerName];
+-		const basePath = getFirstHeader('x-forwarded-prefix') || this._basePath;
-			return Array.isArray(val) ? val[0] : val;
+		const rootBase = relativeRoot(getOriginalUrl(req))
-		};
+		const vscodeBase = relativePath(getOriginalUrl(req))
-
+		const basePath = vscodeBase || getFirstHeader('x-forwarded-prefix') || this._basePath;
-		const remoteAuthority = getFirstHeader('x-original-host') || getFirstHeader('x-forwarded-host') || req.headers.host;
+ 
 		const queryConnectionToken = parsedUrl.query[connectionTokenQueryName];
 		if (typeof queryConnectionToken === 'string') {
@@ -284,10 +286,14 @@ export class WebClientServer {
 		};
 		const useTestResolver = (!this._environmentService.isBuilt && this._environmentService.args['use-test-resolver']);
 +		// For now we are getting the remote authority from the client to avoid
 +		// needing specific configuration for reverse proxies to work.  Set this to
 +		// something invalid to make sure we catch code that is using this value
 +		// from the backend when it should not.
-+		const remoteAuthority = 'remote';
+ 		let remoteAuthority = (
 			useTestResolver
 				? 'test+test'
 -				: (getFirstHeader('x-original-host') || getFirstHeader('x-forwarded-host') || req.headers.host)
 +				: 'remote'
 		);
 		if (!remoteAuthority) {
 			return serveError(req, res, 400, `Bad request.`);
- 		}
+@@ -334,6 +340,7 @@ export class WebClientServer {
@@ -298,6 +297,8 @@ export class WebClientServer {
 			scopes: [['user:email'], ['repo']]
 		} : undefined;
-+		const base = relativeRoot(getOriginalUrl(req))
+ 		const productConfiguration: Partial<Mutable<IProductConfiguration>> = {
-+		const vscodeBase = relativePath(getOriginalUrl(req))
+ 			codeServerVersion: this._productService.codeServerVersion,
- 
+			rootEndpoint: rootBase,
- 		const workbenchWebConfiguration = {
+ 			embedderIdentifier: 'server-distro',
- 			remoteAuthority,
+ 			extensionsGallery: this._webExtensionResourceUrlTemplate && this._productService.extensionsGallery ? {
-@@ -309,6 +310,7 @@ export class WebClientServer {
+ 				...this._productService.extensionsGallery,
- 			workspaceUri: resolveWorkspaceURI(this._environmentService.args['default-workspace']),
+@@ -387,7 +394,9 @@ export class WebClientServer {
 			productConfiguration: <Partial<IProductConfiguration>>{
 				codeServerVersion: this._productService.codeServerVersion,
 +				rootEndpoint: base,
 				embedderIdentifier: 'server-distro',
 				extensionsGallery: this._webExtensionResourceUrlTemplate ? {
 					...this._productService.extensionsGallery,
@@ -326,8 +328,10 @@ export class WebClientServer {
 		const values: { [key: string]: string } = {
 			WORKBENCH_WEB_CONFIGURATION: asJSON(workbenchWebConfiguration),
 			WORKBENCH_AUTH_SESSION: authSessionInfo ? asJSON(authSessionInfo) : '',
-			WORKBENCH_WEB_BASE_URL: this._staticRoute,
+ 			WORKBENCH_WEB_BASE_URL: staticRoute,
-			WORKBENCH_NLS_BASE_URL: nlsBaseUrl ? `${nlsBaseUrl}${!nlsBaseUrl.endsWith('/') ? '/' : ''}${this._productService.commit}/${this._productService.version}/` : '',
+ 			WORKBENCH_NLS_URL,
-+			WORKBENCH_WEB_BASE_URL: vscodeBase + this._staticRoute,
+-			WORKBENCH_NLS_FALLBACK_URL: `${staticRoute}/out/nls.messages.js`
-+			WORKBENCH_NLS_BASE_URL: vscodeBase + (nlsBaseUrl ? `${nlsBaseUrl}${!nlsBaseUrl.endsWith('/') ? '/' : ''}${this._productService.commit}/${this._productService.version}/` : ''),
+			WORKBENCH_NLS_FALLBACK_URL: `${staticRoute}/out/nls.messages.js`,
-+			BASE: base,
+			BASE: rootBase,
-+			VS_BASE: vscodeBase,
+			VS_BASE: basePath,
 		};
- 
+ 		// DEV ---------------------------------------------------------------------------------------
-@@ -344,7 +348,7 @@ export class WebClientServer {
+@@ -424,7 +433,7 @@ export class WebClientServer {
 			'default-src \'self\';',
 			'img-src \'self\' https: data: blob:;',
 			'media-src \'self\';',
-			`script-src 'self' 'unsafe-eval' ${this._getScriptCspHashes(data).join(' ')} 'sha256-fh3TwPMflhsEIpR8g1OYTIMVWhXTLcjQ9kh2tIpmv54=' http://${remoteAuthority};`, // the sha is the same as in src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
+-			`script-src 'self' 'unsafe-eval' ${WORKBENCH_NLS_BASE_URL ?? ''} blob: 'nonce-1nline-m4p' ${this._getScriptCspHashes(data).join(' ')} '${webWorkerExtensionHostIframeScriptSHA}' 'sha256-/r7rqQ+yrxt57sxLuQ6AMYcy/lUpvAIzHjIJt/OeLWU=' ${useTestResolver ? '' : `http://${remoteAuthority}`};`,  // the sha is the same as in src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
-+			`script-src 'self' 'unsafe-eval' ${this._getScriptCspHashes(data).join(' ')} 'sha256-fh3TwPMflhsEIpR8g1OYTIMVWhXTLcjQ9kh2tIpmv54=';`, // the sha is the same as in src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
+			`script-src 'self' 'unsafe-eval' ${WORKBENCH_NLS_BASE_URL ?? ''} blob: 'nonce-1nline-m4p' ${this._getScriptCspHashes(data).join(' ')} '${webWorkerExtensionHostIframeScriptSHA}' 'sha256-/r7rqQ+yrxt57sxLuQ6AMYcy/lUpvAIzHjIJt/OeLWU=' ${useTestResolver ? '' : ``};`,  // the sha is the same as in src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
 			'child-src \'self\';',
 			`frame-src 'self' https://*.vscode-cdn.net data:;`,
- 			'worker-src \'self\' data:;',
+ 			'worker-src \'self\' data: blob:;',
-@@ -417,3 +421,70 @@ export class WebClientServer {
+@@ -497,3 +506,70 @@ export class WebClientServer {
- 		return res.end(data);
+ 		return void res.end(data);
 	}
 }
 +
@ -250,7 +241,7 @@ Index: code-server/lib/vscode/src/vs/base/common/product.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/base/common/product.ts
 +++ code-server/lib/vscode/src/vs/base/common/product.ts
-@@ -32,6 +32,7 @@ export type ExtensionVirtualWorkspaceSup
+@@ -66,6 +66,7 @@ export type ExtensionVirtualWorkspaceSup
 export interface IProductConfiguration {
 	readonly codeServerVersion?: string
@ -262,39 +253,53 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/code/browser/workbench/workbench.ts
 +++ code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
-@@ -489,6 +489,7 @@ function doCreateUri(path: string, query
+@@ -339,7 +339,8 @@ class LocalStorageURLCallbackProvider ex
- 		});
+ 			this.startListening();
 		}
 -		return URI.parse(mainWindow.location.href).with({ path: this._callbackRoute, query: queryParams.join('&') });
 +		const path = (mainWindow.location.pathname + "/" + this._callbackRoute).replace(/\/\/+/g, "/");
 +		return URI.parse(mainWindow.location.href).with({ path: path, query: queryParams.join('&') });
 	}
-+	path = (window.location.pathname + "/" + path).replace(/\/\/+/g, "/")
+ 	private startListening(): void {
- 	return URI.parse(window.location.href).with({ path, query });
+@@ -584,17 +585,6 @@ class WorkspaceProvider implements IWork
 	}
 }
-@@ -500,7 +501,7 @@ function doCreateUri(path: string, query
+-function readCookie(name: string): string | undefined {
 -	const cookies = document.cookie.split('; ');
 -	for (const cookie of cookies) {
 -		if (cookie.startsWith(name + '=')) {
 -			return cookie.substring(name.length + 1);
 -		}
 -	}
 -
 -	return undefined;
 -}
 -
 (function () {
 	// Find config by checking for DOM
@@ -604,8 +594,8 @@ function readCookie(name: string): strin
 	if (!configElement || !configElementAttribute) {
 		throw new Error('Missing web configuration element');
 	}
 -	const config: IWorkbenchConstructionOptions & { folderUri?: UriComponents; workspaceUri?: UriComponents; callbackRoute: string } = JSON.parse(configElementAttribute);
 -	const secretStorageKeyPath = readCookie('vscode-secret-key-path');
 +	const config: IWorkbenchConstructionOptions & { folderUri?: UriComponents; workspaceUri?: UriComponents; callbackRoute: string } = { ...JSON.parse(configElementAttribute), remoteAuthority: location.host }
 +	const secretStorageKeyPath = (window.location.pathname + "/mint-key").replace(/\/\/+/g, "/");
 	const secretStorageCrypto = secretStorageKeyPath && ServerKeyedAESCrypto.supported()
 		? new ServerKeyedAESCrypto(secretStorageKeyPath) : new TransparentCrypto();
- 	// Create workbench
+Index: code-server/lib/vscode/src/vs/platform/extensionResourceLoader/common/extensionResourceLoader.ts
 	create(document.body, {
 Index: code-server/lib/vscode/src/vs/workbench/services/extensionResourceLoader/common/extensionResourceLoader.ts
 ===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensionResourceLoader/common/extensionResourceLoader.ts
+--- code-server.orig/lib/vscode/src/vs/platform/extensionResourceLoader/common/extensionResourceLoader.ts
-+++ code-server/lib/vscode/src/vs/workbench/services/extensionResourceLoader/common/extensionResourceLoader.ts
+++ code-server/lib/vscode/src/vs/platform/extensionResourceLoader/common/extensionResourceLoader.ts
-@@ -16,7 +16,6 @@ import { getServiceMachineId } from 'vs/
+@@ -120,7 +120,7 @@ export abstract class AbstractExtensionR
- import { IStorageService } from 'vs/platform/storage/common/storage';
+ 					: version,
- import { TelemetryLevel } from 'vs/platform/telemetry/common/telemetry';
+ 				path: 'extension'
- import { getTelemetryLevel, supportsTelemetry } from 'vs/platform/telemetry/common/telemetryUtils';
+ 			}));
 -import { RemoteAuthorities } from 'vs/base/common/network';
 import { getRemoteServerRootPath } from 'vs/platform/remote/common/remoteHosts';
 export const WEB_EXTENSION_RESOURCE_END_POINT = 'web-extension-resource';
@@ -75,7 +74,7 @@ export abstract class AbstractExtensionR
 	public getExtensionGalleryResourceURL(galleryExtension: { publisher: string; name: string; version: string }, path?: string): URI | undefined {
 		if (this._extensionGalleryResourceUrlTemplate) {
 			const uri = URI.parse(format2(this._extensionGalleryResourceUrlTemplate, { publisher: galleryExtension.publisher, name: galleryExtension.name, version: galleryExtension.version, path: 'extension' }));
 -			return this._isWebExtensionResourceEndPoint(uri) ? uri.with({ scheme: RemoteAuthorities.getPreferredWebSchema() }) : uri;
 +			return this._isWebExtensionResourceEndPoint(uri) ? URI.joinPath(URI.parse(window.location.href), uri.path) : uri;
 		}
--- a/patches/cli-window-open.diff
+++ b/patches/cli-window-open.diff
@ -8,7 +8,7 @@ To test:
 2. Open code-server
 3. Open terminal
 4. Open another code-server window
-5. Run code-server with a file or directory argument
+5. Run node ./out/node/entry.js with a file or directory argument
 The file or directory should only open from the instance attached to that
 terminal.
@ -17,7 +17,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/terminal/browser/remoteTe
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/terminal/browser/remoteTerminalBackend.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/terminal/browser/remoteTerminalBackend.ts
-@@ -100,10 +100,14 @@ class RemoteTerminalBackend extends Base
+@@ -107,10 +107,14 @@ class RemoteTerminalBackend extends Base
 			}
 			const reqId = e.reqId;
 			const commandId = e.commandId;
--- a/patches/clipboard.diff
+++ b/patches/clipboard.diff
@ -0,0 +1,135 @@
 Index: code-server/lib/vscode/src/vs/workbench/api/browser/mainThreadCLICommands.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/api/browser/mainThreadCLICommands.ts
 +++ code-server/lib/vscode/src/vs/workbench/api/browser/mainThreadCLICommands.ts
@@ -8,6 +8,7 @@ import { isWeb } from '../../../base/com
 import { isString } from '../../../base/common/types.js';
 import { URI, UriComponents } from '../../../base/common/uri.js';
 import { localize } from '../../../nls.js';
 +import { IClipboardService } from '../../../platform/clipboard/common/clipboardService.js';
 import { CommandsRegistry, ICommandService } from '../../../platform/commands/common/commands.js';
 import { IExtensionGalleryService, IExtensionManagementService } from '../../../platform/extensionManagement/common/extensionManagement.js';
 import { ExtensionManagementCLI } from '../../../platform/extensionManagement/common/extensionManagementCLI.js';
@@ -95,6 +96,11 @@ CommandsRegistry.registerCommand('_remot
 });
 +CommandsRegistry.registerCommand('_remoteCLI.setClipboard', function (accessor: ServicesAccessor, content: string) {
 +	const clipboardService = accessor.get(IClipboardService);
 +	clipboardService.writeText(content);
 +})
 +
 class RemoteExtensionManagementCLI extends ExtensionManagementCLI {
 	private _location: string | undefined;
 Index: code-server/lib/vscode/src/vs/workbench/api/node/extHostCLIServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/api/node/extHostCLIServer.ts
 +++ code-server/lib/vscode/src/vs/workbench/api/node/extHostCLIServer.ts
@@ -44,7 +44,12 @@ export interface ExtensionManagementPipe
 	force?: boolean;
 }
 -export type PipeCommand = OpenCommandPipeArgs | StatusPipeArgs | OpenExternalCommandPipeArgs | ExtensionManagementPipeArgs;
 +export interface ClipboardPipeArgs {
 +	type: 'clipboard';
 +	content: string;
 +}
 +
 +export type PipeCommand = OpenCommandPipeArgs | StatusPipeArgs | OpenExternalCommandPipeArgs | ExtensionManagementPipeArgs | ClipboardPipeArgs;
 export interface ICommandsExecuter {
 	executeCommand<T>(id: string, ...args: any[]): Promise<T>;
@@ -106,6 +111,9 @@ export class CLIServerBase {
 					case 'extensionManagement':
 						returnObj = await this.manageExtensions(data);
 						break;
 +					case 'clipboard':
 +						returnObj = await this.clipboard(data);
 +						break;
 					default:
 						sendResponse(404, `Unknown message type: ${data.type}`);
 						break;
@@ -173,6 +181,10 @@ export class CLIServerBase {
 		return await this._commands.executeCommand<string | undefined>('_remoteCLI.getSystemStatus');
 	}
 +	private async clipboard(data: ClipboardPipeArgs): Promise<undefined> {
 +		return await this._commands.executeCommand('_remoteCLI.setClipboard', data.content);
 +	}
 +
 	dispose(): void {
 		this._server.close();
 Index: code-server/lib/vscode/src/vs/workbench/contrib/terminal/browser/remoteTerminalBackend.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/terminal/browser/remoteTerminalBackend.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/terminal/browser/remoteTerminalBackend.ts
@@ -98,7 +98,7 @@ class RemoteTerminalBackend extends Base
 			}
 		});
 -		const allowedCommands = ['_remoteCLI.openExternal', '_remoteCLI.windowOpen', '_remoteCLI.getSystemStatus', '_remoteCLI.manageExtensions'];
 +		const allowedCommands = ['_remoteCLI.openExternal', '_remoteCLI.windowOpen', '_remoteCLI.getSystemStatus', '_remoteCLI.manageExtensions', '_remoteCLI.setClipboard'];
 		this._remoteTerminalChannel.onExecuteCommand(async e => {
 			// Ensure this request for for this window
 			const pty = this._ptys.get(e.persistentProcessId);
 Index: code-server/lib/vscode/src/vs/platform/environment/common/argv.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/environment/common/argv.ts
 +++ code-server/lib/vscode/src/vs/platform/environment/common/argv.ts
@@ -137,6 +137,7 @@ export interface NativeParsedArgs {
 	'disable-chromium-sandbox'?: boolean;
 	sandbox?: boolean;
 	'enable-coi'?: boolean;
 +	'stdin-to-clipboard'?: boolean;
 	'unresponsive-sample-interval'?: string;
 	'unresponsive-sample-period'?: string;
 	'enable-rdp-display-tracking'?: boolean;
 Index: code-server/lib/vscode/src/vs/platform/environment/node/argv.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/environment/node/argv.ts
 +++ code-server/lib/vscode/src/vs/platform/environment/node/argv.ts
@@ -105,6 +105,7 @@ export const OPTIONS: OptionDescriptions
 	'user-data-dir': { type: 'string', cat: 'o', args: 'dir', description: localize('userDataDir', "Specifies the directory that user data is kept in. Can be used to open multiple distinct instances of Code.") },
 	'profile': { type: 'string', 'cat': 'o', args: 'profileName', description: localize('profileName', "Opens the provided folder or workspace with the given profile and associates the profile with the workspace. If the profile does not exist, a new empty one is created.") },
 	'help': { type: 'boolean', cat: 'o', alias: 'h', description: localize('help', "Print usage.") },
 +	'stdin-to-clipboard': { type: 'boolean', cat: 'o', alias: 'c', description: localize('clipboard', "copies the STDIN to the clipboard") },
 	'extensions-dir': { type: 'string', deprecates: ['extensionHomePath'], cat: 'e', args: 'dir', description: localize('extensionHomePath', "Set the root path for extensions.") },
 	'extensions-download-dir': { type: 'string' },
 Index: code-server/lib/vscode/src/vs/server/node/server.cli.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/server.cli.ts
 +++ code-server/lib/vscode/src/vs/server/node/server.cli.ts
@@ -77,6 +77,7 @@ const isSupportedForPipe = (optionId: ke
 		case 'verbose':
 		case 'remote':
 		case 'locate-shell-integration-path':
 +		case 'stdin-to-clipboard':
 			return true;
 		default:
 			return false;
@@ -300,6 +301,22 @@ export async function main(desc: Product
 			}
 		}
 	} else {
 +		if (parsedArgs['stdin-to-clipboard']) {
 +			if(!hasStdinWithoutTty()) {
 +				console.error("stdin has a tty.");
 +				return;
 +			}
 +			const stdinBuffer = fs.readFileSync(0); // STDIN_FILENO = 0
 +			const clipboardContent = stdinBuffer.toString();
 +			sendToPipe({
 +				type: 'clipboard',
 +				content: clipboardContent
 +			}, verbose).catch(e => {
 +				console.error('Error when requesting status:', e);
 +			});
 +			return;
 +		}
 +
 		if (parsedArgs.status) {
 			await sendToPipe({
 				type: 'status'
--- a/patches/disable-builtin-ext-update.diff
+++ b/patches/disable-builtin-ext-update.diff
@ -7,7 +7,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
-@@ -237,6 +237,10 @@ export class Extension implements IExten
+@@ -341,6 +341,10 @@ export class Extension implements IExten
 			if (this.type === ExtensionType.System && this.productService.quality === 'stable') {
 				return false;
 			}
@ -18,14 +18,3 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 			if (!this.local.preRelease && this.gallery.properties.isPreReleaseVersion) {
 				return false;
 			}
@@ -1234,6 +1238,10 @@ export class ExtensionsWorkbenchService 
 				// Skip if check updates only for builtin extensions and current extension is not builtin.
 				continue;
 			}
 +			if (installed.type !== ExtensionType.User) {
 +				// Never update builtin extensions.
 +				continue;
 +			}
 			if (installed.isBuiltin && (!installed.local?.identifier.uuid || (!isWeb && this.productService.quality === 'stable'))) {
 				// Skip checking updates for a builtin extension if it does not has Marketplace identifier or the current product is VS Code Desktop stable.
 				continue;
--- a/patches/disable-downloads.diff
+++ b/patches/disable-downloads.diff
@ -1,183 +0,0 @@
 Add option to disable file downloads via CLI
 This patch adds support for a new CLI flag called `--disable-file-downloads`
 which allows a user to remove the "Download..." option that shows up when you
 right-click files in Code. The default value for this is `false`.
 To test this, start code-server with `--disable-file-downloads`, open editor,
 right-click on a file (not a folder) and you should **not** see the
 "Download..." option.
 Index: code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.api.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
@@ -271,6 +271,11 @@ export interface IWorkbenchConstructionO
 	 */
 	readonly userDataPath?: string
 +	/**
 +	 * Whether the "Download..." option is enabled for files.
 +	 */
 +	readonly isEnabledFileDownloads?: boolean
 +
 	//#endregion
 Index: code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
 +++ code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
@@ -31,6 +31,11 @@ export interface IBrowserWorkbenchEnviro
 	 * Options used to configure the workbench.
 	 */
 	readonly options?: IWorkbenchConstructionOptions;
 +
 +	/**
 +	 * Enable downloading files via menu actions.
 +	 */
 +	readonly isEnabledFileDownloads?: boolean;
 }
 export class BrowserWorkbenchEnvironmentService implements IBrowserWorkbenchEnvironmentService {
@@ -62,6 +67,13 @@ export class BrowserWorkbenchEnvironment
 		return this.options.userDataPath;
 	}
 +	get isEnabledFileDownloads(): boolean {
 +		if (typeof this.options.isEnabledFileDownloads === "undefined") {
 +			throw new Error('isEnabledFileDownloads was not provided to the browser');
 +		}
 +		return this.options.isEnabledFileDownloads;
 +	}
 +
 	@memoize
 	get argvResource(): URI { return joinPath(this.userRoamingDataHome, 'argv.json'); }
 Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 +++ code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
@@ -14,6 +14,7 @@ export const serverOptions: OptionDescri
 	/* ----- code-server ----- */
 	'disable-update-check': { type: 'boolean' },
 	'auth': { type: 'string' },
 +	'disable-file-downloads': { type: 'boolean' },
 	/* ----- server setup ----- */
@@ -94,6 +95,7 @@ export interface ServerParsedArgs {
 	/* ----- code-server ----- */
 	'disable-update-check'?: boolean;
 	'auth'?: string
 +	'disable-file-downloads'?: boolean;
 	/* ----- server setup ----- */
 Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
@@ -304,6 +304,7 @@ export class WebClientServer {
 			remoteAuthority,
 			webviewEndpoint: vscodeBase + this._staticRoute + '/out/vs/workbench/contrib/webview/browser/pre',
 			userDataPath: this._environmentService.userDataPath,
 +			isEnabledFileDownloads: !this._environmentService.args['disable-file-downloads'],
 			_wrapWebWorkerExtHostInIframe,
 			developmentOptions: { enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined, logLevel: this._logService.getLevel() },
 			settingsSyncOptions: !this._environmentService.isBuilt && this._environmentService.args['enable-sync'] ? { enabled: true } : undefined,
 Index: code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/contextkeys.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
@@ -7,12 +7,11 @@ import { Event } from 'vs/base/common/ev
 import { Disposable } from 'vs/base/common/lifecycle';
 import { IContextKeyService, IContextKey } from 'vs/platform/contextkey/common/contextkey';
 import { InputFocusedContext, IsMacContext, IsLinuxContext, IsWindowsContext, IsWebContext, IsMacNativeContext, IsDevelopmentContext, IsIOSContext, ProductQualityContext, IsMobileContext } from 'vs/platform/contextkey/common/contextkeys';
 -import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, MultipleEditorGroupsContext, EditorTabsVisibleContext, IsCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, EditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext } from 'vs/workbench/common/contextkeys';
 +import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, MultipleEditorGroupsContext, EditorTabsVisibleContext, IsCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, EditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, IsEnabledFileDownloads } from 'vs/workbench/common/contextkeys';
 import { TEXT_DIFF_EDITOR_ID, EditorInputCapabilities, SIDE_BY_SIDE_EDITOR_ID, DEFAULT_EDITOR_ASSOCIATION } from 'vs/workbench/common/editor';
 import { trackFocus, addDisposableListener, EventType } from 'vs/base/browser/dom';
 import { preferredSideBySideGroupDirection, GroupDirection, IEditorGroupsService } from 'vs/workbench/services/editor/common/editorGroupsService';
 import { IConfigurationService } from 'vs/platform/configuration/common/configuration';
 -import { IWorkbenchEnvironmentService } from 'vs/workbench/services/environment/common/environmentService';
 import { IEditorService } from 'vs/workbench/services/editor/common/editorService';
 import { WorkbenchState, IWorkspaceContextService, isTemporaryWorkspace } from 'vs/platform/workspace/common/workspace';
 import { IWorkbenchLayoutService, Parts, positionToString } from 'vs/workbench/services/layout/browser/layoutService';
@@ -25,6 +24,7 @@ import { IPaneCompositePartService } fro
 import { Schemas } from 'vs/base/common/network';
 import { WebFileSystemAccess } from 'vs/platform/files/browser/webFileSystemAccess';
 import { IProductService } from 'vs/platform/product/common/productService';
 +import { IBrowserWorkbenchEnvironmentService } from 'vs/workbench/services/environment/browser/environmentService';
 export class WorkbenchContextKeysHandler extends Disposable {
 	private inputFocusedContext: IContextKey<boolean>;
@@ -77,7 +77,7 @@ export class WorkbenchContextKeysHandler
 		@IContextKeyService private readonly contextKeyService: IContextKeyService,
 		@IWorkspaceContextService private readonly contextService: IWorkspaceContextService,
 		@IConfigurationService private readonly configurationService: IConfigurationService,
 -		@IWorkbenchEnvironmentService private readonly environmentService: IWorkbenchEnvironmentService,
 +		@IBrowserWorkbenchEnvironmentService private readonly environmentService: IBrowserWorkbenchEnvironmentService,
 		@IProductService private readonly productService: IProductService,
 		@IEditorService private readonly editorService: IEditorService,
 		@IEditorResolverService private readonly editorResolverService: IEditorResolverService,
@@ -202,6 +202,9 @@ export class WorkbenchContextKeysHandler
 		this.auxiliaryBarVisibleContext = AuxiliaryBarVisibleContext.bindTo(this.contextKeyService);
 		this.auxiliaryBarVisibleContext.set(this.layoutService.isVisible(Parts.AUXILIARYBAR_PART));
 +		// code-server
 +		IsEnabledFileDownloads.bindTo(this.contextKeyService).set(this.environmentService.isEnabledFileDownloads ?? true)
 +
 		this.registerListeners();
 	}
 Index: code-server/lib/vscode/src/vs/workbench/contrib/files/browser/fileActions.contribution.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/files/browser/fileActions.contribution.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/files/browser/fileActions.contribution.ts
@@ -22,7 +22,7 @@ import { CLOSE_SAVED_EDITORS_COMMAND_ID,
 import { AutoSaveAfterShortDelayContext } from 'vs/workbench/services/filesConfiguration/common/filesConfigurationService';
 import { WorkbenchListDoubleSelection } from 'vs/platform/list/browser/listService';
 import { Schemas } from 'vs/base/common/network';
 -import { DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, WorkbenchStateContext, WorkspaceFolderCountContext, SidebarFocusContext, ActiveEditorCanRevertContext, ActiveEditorContext, ResourceContextKey } from 'vs/workbench/common/contextkeys';
 +import { DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, WorkbenchStateContext, WorkspaceFolderCountContext, SidebarFocusContext, ActiveEditorCanRevertContext, ActiveEditorContext, ResourceContextKey, IsEnabledFileDownloads } from 'vs/workbench/common/contextkeys';
 import { IsWebContext } from 'vs/platform/contextkey/common/contextkeys';
 import { ServicesAccessor } from 'vs/platform/instantiation/common/instantiation';
 import { ThemeIcon } from 'vs/platform/theme/common/themeService';
@@ -477,13 +477,16 @@ MenuRegistry.appendMenuItem(MenuId.Explo
 		id: DOWNLOAD_COMMAND_ID,
 		title: DOWNLOAD_LABEL
 	},
 -	when: ContextKeyExpr.or(
 -		// native: for any remote resource
 -		ContextKeyExpr.and(IsWebContext.toNegated(), ResourceContextKey.Scheme.notEqualsTo(Schemas.file)),
 -		// web: for any files
 -		ContextKeyExpr.and(IsWebContext, ExplorerFolderContext.toNegated(), ExplorerRootContext.toNegated()),
 -		// web: for any folders if file system API support is provided
 -		ContextKeyExpr.and(IsWebContext, HasWebFileSystemAccess)
 +	when: ContextKeyExpr.and(
 +		IsEnabledFileDownloads,
 +		ContextKeyExpr.or(
 +			// native: for any remote resource
 +			ContextKeyExpr.and(IsWebContext.toNegated(), ResourceContextKey.Scheme.notEqualsTo(Schemas.file)),
 +			// web: for any files
 +			ContextKeyExpr.and(IsWebContext, ExplorerFolderContext.toNegated(), ExplorerRootContext.toNegated()),
 +			// web: for any folders if file system API support is provided
 +			ContextKeyExpr.and(IsWebContext, HasWebFileSystemAccess)
 +		)
 	)
 }));
 Index: code-server/lib/vscode/src/vs/workbench/common/contextkeys.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/common/contextkeys.ts
 +++ code-server/lib/vscode/src/vs/workbench/common/contextkeys.ts
@@ -32,6 +32,8 @@ export const IsFullscreenContext = new R
 export const HasWebFileSystemAccess = new RawContextKey<boolean>('hasWebFileSystemAccess', false, true); // Support for FileSystemAccess web APIs (https://wicg.github.io/file-system-access)
 +export const IsEnabledFileDownloads = new RawContextKey<boolean>('isEnabledFileDownloads', true, true);
 +
 //#endregion
--- a/patches/display-language.diff
+++ b/patches/display-language.diff
@ -1,131 +1,38 @@
 Add display language support
-We can remove this once upstream supports all language packs.
+VS Code web appears to implement language support by setting a cookie and
-
+downloading language packs from a URL configured in the product.json. This patch
-1. Proxies language packs to the service on the backend.
+supports language pack extensions and uses files on the remote to set the
-2. NLS configuration is embedded into the HTML for the browser to pick up.  This
+language instead, so it works like the desktop version.
   code to generate this configuration is copied from the native portion.
 3. Remove configuredLocale since we have our own thing.
 4. Move the argv.json file to the server instead of in-browser storage.  This is
   where the current locale is stored and currently the server needs to be able
   to read it.
 5. Add the locale flag.
 6. Remove the redundant locale verification.  It does the same as the existing
   one but is worse because it does not handle non-existent or empty files.
 7. Replace some caching and Node requires because code-server does not restart
   when changing the language unlike native Code.
 Index: code-server/lib/vscode/src/vs/server/node/serverServices.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/serverServices.ts
 +++ code-server/lib/vscode/src/vs/server/node/serverServices.ts
-@@ -209,6 +209,9 @@ export async function setupServerService
+@@ -12,7 +12,7 @@ import * as path from '../../base/common
- 		const channel = new ExtensionManagementChannel(extensionManagementService, (ctx: RemoteAgentConnectionContext) => getUriTransformer(ctx.remoteAuthority));
+ import { IURITransformer } from '../../base/common/uriIpc.js';
- 		socketServer.registerChannel('extensions', channel);
+ import { getMachineId, getSqmMachineId, getDevDeviceId } from '../../base/node/id.js';
 import { Promises } from '../../base/node/pfs.js';
 -import { ClientConnectionEvent, IMessagePassingProtocol, IPCServer, StaticRouter } from '../../base/parts/ipc/common/ipc.js';
 +import { ClientConnectionEvent, IMessagePassingProtocol, IPCServer, ProxyChannel, StaticRouter } from '../../base/parts/ipc/common/ipc.js';
 import { ProtocolConstants } from '../../base/parts/ipc/common/ipc.net.js';
 import { IConfigurationService } from '../../platform/configuration/common/configuration.js';
 import { ConfigurationService } from '../../platform/configuration/common/configurationService.js';
@@ -272,6 +272,9 @@ export async function setupServerService
-+		const languagePackChannel = ProxyChannel.fromService<RemoteAgentConnectionContext>(accessor.get(ILanguagePackService));
+ 		socketServer.registerChannel('mcpManagement', new McpManagementChannel(mcpManagementService, (ctx: RemoteAgentConnectionContext) => getUriTransformer(ctx.remoteAuthority)));
 +		const languagePackChannel = ProxyChannel.fromService<RemoteAgentConnectionContext>(accessor.get(ILanguagePackService), disposables);
 +		socketServer.registerChannel('languagePacks', languagePackChannel);
 +
- 		const encryptionChannel = ProxyChannel.fromService<RemoteAgentConnectionContext>(accessor.get(IEncryptionMainService));
+ 		// clean up extensions folder
- 		socketServer.registerChannel('encryption', encryptionChannel);
+ 		remoteExtensionsScanner.whenExtensionsReady().then(() => extensionManagementService.cleanUp());
 Index: code-server/lib/vscode/src/vs/base/common/platform.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/base/common/platform.ts
 +++ code-server/lib/vscode/src/vs/base/common/platform.ts
@@ -2,8 +2,6 @@
  *  Copyright (c) Microsoft Corporation. All rights reserved.
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 -import * as nls from 'vs/nls';
 -
 export const LANGUAGE_DEFAULT = 'en';
 let _isWindows = false;
@@ -83,17 +81,19 @@ if (typeof navigator === 'object' && !is
 	_isMobile = _userAgent?.indexOf('Mobi') >= 0;
 	_isWeb = true;
 -	const configuredLocale = nls.getConfiguredDefaultLocale(
 -		// This call _must_ be done in the file that calls `nls.getConfiguredDefaultLocale`
 -		// to ensure that the NLS AMD Loader plugin has been loaded and configured.
 -		// This is because the loader plugin decides what the default locale is based on
 -		// how it's able to resolve the strings.
 -		nls.localize({ key: 'ensureLoaderPluginIsLoaded', comment: ['{Locked}'] }, '_')
 -	);
 -
 -	_locale = configuredLocale || LANGUAGE_DEFAULT;
 +	_locale = LANGUAGE_DEFAULT;
 	_language = _locale;
 +	const el = typeof document !== 'undefined' && document.getElementById('vscode-remote-nls-configuration');
 +	const rawNlsConfig = el && el.getAttribute('data-settings');
 +	if (rawNlsConfig) {
 +		try {
 +			const nlsConfig: NLSConfig = JSON.parse(rawNlsConfig);
 +			_locale = nlsConfig.locale;
 +			_translationsConfigFile = nlsConfig._translationsConfigFile;
 +			_language = nlsConfig.availableLanguages['*'] || LANGUAGE_DEFAULT;
 +		} catch (error) { /* Oh well. */ }
 +	}
 }
 // Native environment
 Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.html
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/code/browser/workbench/workbench.html
 +++ code-server/lib/vscode/src/vs/code/browser/workbench/workbench.html
@@ -23,6 +23,9 @@
 		<!-- Workbench Auth Session -->
 		<meta id="vscode-workbench-auth-session" data-settings="{{WORKBENCH_AUTH_SESSION}}">
 +		<!-- NLS Configuration -->
 +		<meta id="vscode-remote-nls-configuration" data-settings="{{NLS_CONFIGURATION}}">
 +
 		<!-- Workbench Icon/Manifest/CSS -->
 		<link rel="icon" href="{{BASE}}/_static/src/browser/media/favicon-dark-support.svg" />
 		<link rel="alternate icon" href="{{BASE}}/_static/src/browser/media/favicon.ico" type="image/x-icon" />
@@ -46,15 +49,26 @@
 		// Set up nls if the user is not using the default language (English)
 		const nlsConfig = {};
 		const locale = window.localStorage.getItem('vscode.nls.locale') || navigator.language;
 -		if (!locale.startsWith('en')) {
 -			nlsConfig['vs/nls'] = {
 -				availableLanguages: {
 -					'*': locale
 -				},
 -				translationServiceUrl: '{{WORKBENCH_NLS_BASE_URL}}'
 -			};
 -		}
 -
 +		try {
 +			nlsConfig['vs/nls'] = JSON.parse(document.getElementById("vscode-remote-nls-configuration").getAttribute("data-settings"))
 +			if (nlsConfig['vs/nls']._resolvedLanguagePackCoreLocation) {
 +				const bundles = Object.create(null)
 +				nlsConfig['vs/nls'].loadBundle = (bundle, _language, cb) => {
 +					const result = bundles[bundle]
 +					if (result) {
 +						return cb(undefined, result)
 +					}
 +					const path = nlsConfig['vs/nls']._resolvedLanguagePackCoreLocation + "/" + bundle.replace(/\//g, "!") + ".nls.json"
 +					fetch(`{{WORKBENCH_WEB_BASE_URL}}/../vscode-remote-resource?path=${encodeURIComponent(path)}`)
 +						.then((response) => response.json())
 +						.then((json) => {
 +							bundles[bundle] = json
 +							cb(undefined, json)
 +						})
 +						.catch(cb)
 +				}
 +			}
 +		} catch (error) { /* Probably fine. */ }
 		require.config({
 			baseUrl: `${baseUrl}/out`,
 			recordStats: true,
 Index: code-server/lib/vscode/src/vs/platform/environment/common/environmentService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/environment/common/environmentService.ts
 +++ code-server/lib/vscode/src/vs/platform/environment/common/environmentService.ts
-@@ -105,7 +105,7 @@ export abstract class AbstractNativeEnvi
+@@ -98,7 +98,7 @@ export abstract class AbstractNativeEnvi
 			return URI.file(join(vscodePortable, 'argv.json'));
 		}
@ -138,31 +45,37 @@ Index: code-server/lib/vscode/src/vs/server/node/remoteLanguagePacks.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/remoteLanguagePacks.ts
 +++ code-server/lib/vscode/src/vs/server/node/remoteLanguagePacks.ts
-@@ -30,6 +30,12 @@ export function getNLSConfiguration(lang
+@@ -3,6 +3,8 @@
- 				if (InternalNLSConfiguration.is(value)) {
+  *  Licensed under the MIT License. See License.txt in the project root for license information.
- 					value._languagePackSupport = true;
+  *--------------------------------------------------------------------------------------------*/
- 				}
+ 
-+				// If the configuration has no results keep trying since code-server
+import { promises as fs } from 'fs';
-+				// doesn't restart when a language is installed so this result would
+import * as path from 'path';
-+				// persist (the plugin might not be installed yet for example).
+ import { FileAccess } from '../../base/common/network.js';
-+				if (value.locale !== 'en' && value.locale !== 'en-us' && Object.keys(value.availableLanguages).length === 0) {
+ import { join } from '../../base/common/path.js';
-+					_cache.delete(key);
+ import type { INLSConfiguration } from '../../nls.js';
-+				}
+@@ -33,7 +35,94 @@ export async function getNLSConfiguratio
- 				return value;
+ 	if (!result) {
- 			});
+ 		result = resolveNLSConfiguration({ userLocale: language, osLocale: language, commit: product.commit, userDataPath, nlsMetadataPath });
- 			_cache.set(key, result);
+ 		nlsConfigurationCache.set(cacheKey, result);
-@@ -44,3 +50,43 @@ export namespace InternalNLSConfiguratio
+		// If the language pack does not yet exist, it defaults to English, which is
- 		return candidate && typeof candidate._languagePackId === 'string';
+		// then cached and you have to restart even if you then install the pack.
 +		result.then((r) => {
 +			if (!language.startsWith('en') && r.resolvedLanguage.startsWith('en')) {
 +				nlsConfigurationCache.delete(cacheKey);
 +			}
 +		})
 	}
 	return result;
 }
 +
 +/**
-+ * The code below is copied from from src/main.js.
+ * Copied from from src/main.js.
 + */
 +
 +export const getLocaleFromConfig = async (argvResource: string): Promise<string> => {
 +	try {
-+		const content = stripComments(await fs.promises.readFile(argvResource, 'utf8'));
+		const content = stripComments(await fs.readFile(argvResource, 'utf8'));
 +		return JSON.parse(content).locale;
 +	} catch (error) {
 +		if (error.code !== "ENOENT") {
@ -172,6 +85,9 @@ Index: code-server/lib/vscode/src/vs/server/node/remoteLanguagePacks.ts
 +	}
 +};
 +
 +/**
 + * Copied from from src/main.js.
 + */
 +const stripComments = (content: string): string => {
 +	const regexp = /('(?:[^\\']*(?:\\.)?)*')|('(?:[^\\']*(?:\\.)?)*')|(\/\*(?:\r?\n|.)*?\*\/)|(\/{2,}.*?(?:(?:\r?\n)|$))/g;
 +
@ -195,106 +111,144 @@ Index: code-server/lib/vscode/src/vs/server/node/remoteLanguagePacks.ts
 +		}
 +	});
 +};
 +
 +/**
 + * Generate translations then return a path to a JavaScript file that sets the
 + * translations into global variables.  This file is loaded by the browser to
 + * set global variables that the loader uses when looking for translations.
 + *
 + * Normally, VS Code pulls these files from a CDN but we want them to be local.
 + */
 +export async function getBrowserNLSConfiguration(locale: string, userDataPath: string): Promise<string> {
 +	if (locale.startsWith('en')) {
 +		return ''; // Use fallback translations.
 +	}
 +
 +	const nlsConfig = await getNLSConfiguration(locale, userDataPath);
 +	const messagesFile = nlsConfig?.languagePack?.messagesFile;
 +	const resolvedLanguage = nlsConfig?.resolvedLanguage;
 +	if (!messagesFile || !resolvedLanguage) {
 +		return ''; // Use fallback translations.
 +	}
 +
 +	const nlsFile = path.join(path.dirname(messagesFile), "nls.messages.js");
 +	try {
 +		await fs.stat(nlsFile);
 +		return nlsFile; // We already generated the file.
 +	} catch (error) {
 +		// ENOENT is fine, that just means we need to generate the file.
 +		if (error.code !== 'ENOENT') {
 +			throw error;
 +		}
 +	}
 +
 +	const messages = (await fs.readFile(messagesFile)).toString();
 +	const content = `globalThis._VSCODE_NLS_MESSAGES=${messages};
 +globalThis._VSCODE_NLS_LANGUAGE=${JSON.stringify(resolvedLanguage)};`
 +	await fs.writeFile(nlsFile, content, "utf-8");
 +
 +	return nlsFile;
 +}
 Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -26,6 +26,7 @@ import { URI } from 'vs/base/common/uri'
+@@ -25,6 +25,7 @@ import { URI } from '../../base/common/u
- import { streamToBuffer } from 'vs/base/common/buffer';
+ import { streamToBuffer } from '../../base/common/buffer.js';
- import { IProductConfiguration } from 'vs/base/common/product';
+ import { IProductConfiguration } from '../../base/common/product.js';
- import { isString } from 'vs/base/common/types';
+ import { isString, Mutable } from '../../base/common/types.js';
-+import { getLocaleFromConfig, getNLSConfiguration } from 'vs/server/node/remoteLanguagePacks';
+import { getLocaleFromConfig, getBrowserNLSConfiguration } from './remoteLanguagePacks.js';
- import { CharCode } from 'vs/base/common/charCode';
+ import { CharCode } from '../../base/common/charCode.js';
- import { getRemoteServerRootPath } from 'vs/platform/remote/common/remoteHosts';
+ import { IExtensionManifest } from '../../platform/extensions/common/extensions.js';
- 
+ import { ICSSDevelopmentService } from '../../platform/cssDev/node/cssDevService.js';
-@@ -299,6 +300,8 @@ export class WebClientServer {
+@@ -385,14 +386,22 @@ export class WebClientServer {
 		const base = relativeRoot(getOriginalUrl(req))
 		const vscodeBase = relativePath(getOriginalUrl(req))
 +		const locale = this._environmentService.args.locale || await getLocaleFromConfig(this._environmentService.argvResource.fsPath);
 +		const nlsConfiguration = await getNLSConfiguration(locale, this._environmentService.userDataPath)
 		const workbenchWebConfiguration = {
 			remoteAuthority,
@@ -336,6 +339,7 @@ export class WebClientServer {
 			WORKBENCH_NLS_BASE_URL: vscodeBase + (nlsBaseUrl ? `${nlsBaseUrl}${!nlsBaseUrl.endsWith('/') ? '/' : ''}${this._productService.commit}/${this._productService.version}/` : ''),
 			BASE: base,
 			VS_BASE: vscodeBase,
 +			NLS_CONFIGURATION: asJSON(nlsConfiguration),
 		};
 		const cookies = cookie.parse(req.headers.cookie || '');
 -		const locale = cookies['vscode.nls.locale'] || req.headers['accept-language']?.split(',')[0]?.toLowerCase() || 'en';
 +		const locale = this._environmentService.args.locale || await getLocaleFromConfig(this._environmentService.argvResource.fsPath) || cookies['vscode.nls.locale'] || req.headers['accept-language']?.split(',')[0]?.toLowerCase() || 'en';
 		let WORKBENCH_NLS_BASE_URL: string | undefined;
 		let WORKBENCH_NLS_URL: string;
 		if (!locale.startsWith('en') && this._productService.nlsCoreBaseUrl) {
 			WORKBENCH_NLS_BASE_URL = this._productService.nlsCoreBaseUrl;
 			WORKBENCH_NLS_URL = `${WORKBENCH_NLS_BASE_URL}${this._productService.commit}/${this._productService.version}/${locale}/nls.messages.js`;
 		} else {
 -			WORKBENCH_NLS_URL = ''; // fallback will apply
 +			try {
 +				const nlsFile = await getBrowserNLSConfiguration(locale, this._environmentService.userDataPath);
 +				WORKBENCH_NLS_URL = nlsFile
 +					? `${vscodeBase}/vscode-remote-resource?path=${encodeURIComponent(nlsFile)}`
 +					: '';
 +			} catch (error) {
 +				console.error("Failed to generate translations", error);
 +				WORKBENCH_NLS_URL = '';
 +			}
 		}
 		const values: { [key: string]: string } = {
 Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 +++ code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
-@@ -15,6 +15,7 @@ export const serverOptions: OptionDescri
+@@ -22,6 +22,7 @@ export const serverOptions: OptionDescri
 	'disable-update-check': { type: 'boolean' },
 	'auth': { type: 'string' },
 	'disable-file-downloads': { type: 'boolean' },
 	'disable-file-uploads': { type: 'boolean' },
 	'disable-getting-started-override': { type: 'boolean' },
 +	'locale': { type: 'string' },
 	/* ----- server setup ----- */
-@@ -96,6 +97,7 @@ export interface ServerParsedArgs {
+@@ -113,6 +114,7 @@ export interface ServerParsedArgs {
 	'disable-update-check'?: boolean;
 	'auth'?: string
 	'disable-file-downloads'?: boolean;
 	'disable-file-uploads'?: boolean;
 	'disable-getting-started-override'?: boolean,
 +	'locale'?: string
 	/* ----- server setup ----- */
 Index: code-server/lib/vscode/src/vs/workbench/workbench.web.main.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/workbench.web.main.ts
 +++ code-server/lib/vscode/src/vs/workbench/workbench.web.main.ts
@@ -123,8 +123,9 @@ import 'vs/workbench/contrib/logs/browse
 // Explorer
 import 'vs/workbench/contrib/files/browser/files.web.contribution';
 -// Localization
 -import 'vs/workbench/contrib/localization/browser/localization.contribution';
 +// Localization.  This does not actually import anything specific to Electron so
 +// it should be safe.
 +import 'vs/workbench/contrib/localization/electron-sandbox/localization.contribution';
 // Performance
 import 'vs/workbench/contrib/performance/browser/performance.web.contribution';
 Index: code-server/lib/vscode/src/vs/platform/languagePacks/browser/languagePacks.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/languagePacks/browser/languagePacks.ts
 +++ code-server/lib/vscode/src/vs/platform/languagePacks/browser/languagePacks.ts
-@@ -4,10 +4,23 @@
+@@ -5,18 +5,24 @@
  *--------------------------------------------------------------------------------------------*/
- import { ILanguagePackItem, LanguagePackBaseService } from 'vs/platform/languagePacks/common/languagePacks';
+ import { CancellationTokenSource } from '../../../base/common/cancellation.js';
-+import { ProxyChannel } from 'vs/base/parts/ipc/common/ipc';
+ import { URI } from '../../../base/common/uri.js';
-+import { ILanguagePackService } from 'vs/platform/languagePacks/common/languagePacks';
+import { ProxyChannel } from '../../../base/parts/ipc/common/ipc.js';
-+import { IRemoteAgentService } from 'vs/workbench/services/remote/common/remoteAgentService';
+ import { IExtensionGalleryService } from '../../extensionManagement/common/extensionManagement.js';
-+import { IExtensionGalleryService } from 'vs/platform/extensionManagement/common/extensionManagement';
+ import { IExtensionResourceLoaderService } from '../../extensionResourceLoader/common/extensionResourceLoader.js';
 -import { ILanguagePackItem, LanguagePackBaseService } from '../common/languagePacks.js';
 +import { ILanguagePackItem, ILanguagePackService, LanguagePackBaseService } from '../common/languagePacks.js';
 import { ILogService } from '../../log/common/log.js';
 +import { IRemoteAgentService } from '../../../workbench/services/remote/common/remoteAgentService.js';
 export class WebLanguagePacksService extends LanguagePackBaseService {
 -	// Web doesn't have a concept of language packs, so we just return an empty array
 +	private readonly languagePackService: ILanguagePackService;
 +
-+	constructor(
+ 	constructor(
 +		@IRemoteAgentService remoteAgentService: IRemoteAgentService,
-+		@IExtensionGalleryService extensionGalleryService: IExtensionGalleryService
+ 		@IExtensionResourceLoaderService private readonly extensionResourceLoaderService: IExtensionResourceLoaderService,
-+	) {
+ 		@IExtensionGalleryService extensionGalleryService: IExtensionGalleryService,
-+		super(extensionGalleryService)
+ 		@ILogService private readonly logService: ILogService
-+		this.languagePackService = ProxyChannel.toService<ILanguagePackService>(remoteAgentService.getConnection()!.getChannel('languagePacks'));
+ 	) {
-+	}
+ 		super(extensionGalleryService);
-+
+		this.languagePackService = ProxyChannel.toService<ILanguagePackService>(remoteAgentService.getConnection()!.getChannel('languagePacks'))
 	}
 	async getBuiltInExtensionTranslationsUri(id: string, language: string): Promise<URI | undefined> {
@@ -72,6 +78,6 @@ export class WebLanguagePacksService ext
 	// Web doesn't have a concept of language packs, so we just return an empty array
 	getInstalledLanguages(): Promise<ILanguagePackItem[]> {
 -		return Promise.resolve([]);
 +		return this.languagePackService.getInstalledLanguages()
 	}
 }
-Index: code-server/lib/vscode/src/vs/workbench/contrib/localization/electron-sandbox/localeService.ts
+Index: code-server/lib/vscode/src/vs/workbench/services/localization/electron-browser/localeService.ts
 ===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/localization/electron-sandbox/localeService.ts
+--- code-server.orig/lib/vscode/src/vs/workbench/services/localization/electron-browser/localeService.ts
-+++ code-server/lib/vscode/src/vs/workbench/contrib/localization/electron-sandbox/localeService.ts
+++ code-server/lib/vscode/src/vs/workbench/services/localization/electron-browser/localeService.ts
-@@ -41,7 +41,8 @@ export class NativeLocaleService impleme
+@@ -51,7 +51,8 @@ class NativeLocaleService implements ILo
 		@IProductService private readonly productService: IProductService
 	) { }
@ -304,7 +258,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/localization/electron-san
 		try {
 			const content = await this.textFileService.read(this.environmentService.argvResource, { encoding: 'utf8' });
-@@ -68,9 +69,6 @@ export class NativeLocaleService impleme
+@@ -78,9 +79,6 @@ class NativeLocaleService implements ILo
 	}
 	private async writeLocaleValue(locale: string | undefined): Promise<boolean> {
@ -314,3 +268,83 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/localization/electron-san
 		await this.jsonEditingService.write(this.environmentService.argvResource, [{ path: ['locale'], value: locale }], true);
 		return true;
 	}
 Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsActions.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsActions.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsActions.ts
@@ -475,9 +475,6 @@ export class InstallAction extends Exten
 		if (this.extension.isBuiltin) {
 			return;
 		}
 -		if (this.extensionsWorkbenchService.canSetLanguage(this.extension)) {
 -			return;
 -		}
 		if (this.extension.state !== ExtensionState.Uninstalled) {
 			return;
 		}
@@ -782,7 +779,7 @@ export abstract class InstallInOtherServ
 		}
 		if (isLanguagePackExtension(this.extension.local.manifest)) {
 -			return true;
 +			return false;
 		}
 		// Prefers to run on UI
@@ -2073,17 +2070,6 @@ export class SetLanguageAction extends E
 	update(): void {
 		this.enabled = false;
 		this.class = SetLanguageAction.DisabledClass;
 -		if (!this.extension) {
 -			return;
 -		}
 -		if (!this.extensionsWorkbenchService.canSetLanguage(this.extension)) {
 -			return;
 -		}
 -		if (this.extension.gallery && language === getLocale(this.extension.gallery)) {
 -			return;
 -		}
 -		this.enabled = true;
 -		this.class = SetLanguageAction.EnabledClass;
 	}
 	override async run(): Promise<any> {
@@ -2100,7 +2086,6 @@ export class ClearLanguageAction extends
 	private static readonly DisabledClass = `${this.EnabledClass} disabled`;
 	constructor(
 -		@IExtensionsWorkbenchService private readonly extensionsWorkbenchService: IExtensionsWorkbenchService,
 		@ILocaleService private readonly localeService: ILocaleService,
 	) {
 		super(ClearLanguageAction.ID, ClearLanguageAction.TITLE.value, ClearLanguageAction.DisabledClass, false);
@@ -2110,17 +2095,6 @@ export class ClearLanguageAction extends
 	update(): void {
 		this.enabled = false;
 		this.class = ClearLanguageAction.DisabledClass;
 -		if (!this.extension) {
 -			return;
 -		}
 -		if (!this.extensionsWorkbenchService.canSetLanguage(this.extension)) {
 -			return;
 -		}
 -		if (this.extension.gallery && language !== getLocale(this.extension.gallery)) {
 -			return;
 -		}
 -		this.enabled = true;
 -		this.class = ClearLanguageAction.EnabledClass;
 	}
 	override async run(): Promise<any> {
 Index: code-server/lib/vscode/src/vs/workbench/workbench.web.main.internal.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/workbench.web.main.internal.ts
 +++ code-server/lib/vscode/src/vs/workbench/workbench.web.main.internal.ts
@@ -54,7 +54,7 @@ import './services/dialogs/browser/fileD
 import './services/host/browser/browserHostService.js';
 import './services/lifecycle/browser/lifecycleService.js';
 import './services/clipboard/browser/clipboardService.js';
 -import './services/localization/browser/localeService.js';
 +import './services/localization/electron-browser/localeService.js';
 import './services/path/browser/pathService.js';
 import './services/themes/browser/browserHostColorSchemeService.js';
 import './services/encryption/browser/encryptionService.js';
--- a/patches/exec-argv.diff
+++ b/patches/exec-argv.diff
@ -1,24 +0,0 @@
 Preserve process.execArgv
 This ensures flags like `--prof` are passed down to the code-server process so
 we can profile everything.
 To test this:
 1. run `./lib/node --prof .` 
 2. in another terminal, run `ps -ejww`
 You should see `--prof` next to every code-server process. 
 Index: code-server/lib/vscode/src/vs/server/node/extensionHostConnection.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/extensionHostConnection.ts
 +++ code-server/lib/vscode/src/vs/server/node/extensionHostConnection.ts
@@ -228,7 +228,7 @@ export class ExtensionHostConnection {
 	public async start(startParams: IRemoteExtensionHostStartParams): Promise<void> {
 		try {
 -			let execArgv: string[] = [];
 +			let execArgv: string[] = process.execArgv ? process.execArgv.filter(a => !/^--inspect(-brk)?=/.test(a)) : [];
 			if (startParams.port && !(<any>process).pkg) {
 				execArgv = [`--inspect${startParams.break ? '-brk' : ''}=${startParams.port}`];
 			}
--- a/patches/external-file-actions.diff
+++ b/patches/external-file-actions.diff
@ -0,0 +1,356 @@
 Add option to disable file downloads and uploads via cli
 This patch adds support for a new CLI flag called `--disable-file-downloads`
 which allows a user to remove the "Download..." option that shows up when you
 right-click files in Code. It also disables the "Show Local" button on the dialog 
 for Save, Save-As and Save Workspace. The default value for this is `false`.
 This patch also add support for a new CLI flag called `--disable-file-uploads`
 which disables the drag to upload functionality and the "Upload..." option when you
 right-click folders in Code. It also disables the "Show Local" button on the dialog 
 for opening a file. The default value for this is `false`.
 This patch also adds trace log statements for when a file is read and written to disk.
 To test disabling downloads, start code-server with `--disable-file-downloads`, open editor,
 right-click on a file (not a folder) and you should **not** see the
 "Download..." option. When saving a file or workspace, the "Show Local" button 
 should **not** appear on the dialog that comes on screen.
 To test disabling uploads, start code-server with `--disable-file-uploads`, open editor,
 right-click on a folder (not a file) and you should **not** see the
 "Upload..." option. If you drag a file into the file navigator, the file should **not** upload 
 and appear in the file navigator. When opening a file, the "Show Local" button 
 should **not** appear on the dialog that comes on screen.
 Index: code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.api.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
@@ -303,6 +303,16 @@ export interface IWorkbenchConstructionO
 	 */
 	readonly userDataPath?: string
 +	/**
 +	 * Whether the "Download..." option is enabled for files.
 +	 */
 +	readonly isEnabledFileDownloads?: boolean
 +
 +	/**
 +	 * Whether the "Upload..." button is enabled.
 +	 */
 +	readonly isEnabledFileUploads?: boolean
 +
 	//#endregion
 	//#region Profile options
 Index: code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
 +++ code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
@@ -34,6 +34,16 @@ export interface IBrowserWorkbenchEnviro
 	readonly options?: IWorkbenchConstructionOptions;
 	/**
 +	 * Enable downloading files via menu actions.
 +	 */
 +	readonly isEnabledFileDownloads?: boolean;
 +
 +	/**
 +	 * Enable uploading files via menu actions.
 +	 */
 +	readonly isEnabledFileUploads?: boolean;
 +
 +	/**
 	 * Gets whether a resolver extension is expected for the environment.
 	 */
 	readonly expectsResolverExtension: boolean;
@@ -111,6 +121,20 @@ export class BrowserWorkbenchEnvironment
 		return this.options.userDataPath;
 	}
 +	get isEnabledFileDownloads(): boolean {
 +		if (typeof this.options.isEnabledFileDownloads === "undefined") {
 +			throw new Error('isEnabledFileDownloads was not provided to the browser');
 +		}
 +		return this.options.isEnabledFileDownloads;
 +	}
 +
 +	get isEnabledFileUploads(): boolean {
 +		if (typeof this.options.isEnabledFileUploads === "undefined") {
 +			throw new Error('isEnabledFileUploads was not provided to the browser');
 +		}
 +		return this.options.isEnabledFileUploads;
 +	}
 +
 	@memoize
 	get argvResource(): URI { return joinPath(this.userRoamingDataHome, 'argv.json'); }
 Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 +++ code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
@@ -19,6 +19,8 @@ export const serverOptions: OptionDescri
 	/* ----- code-server ----- */
 	'disable-update-check': { type: 'boolean' },
 	'auth': { type: 'string' },
 +	'disable-file-downloads': { type: 'boolean' },
 +	'disable-file-uploads': { type: 'boolean' },
 	/* ----- server setup ----- */
@@ -107,6 +109,8 @@ export interface ServerParsedArgs {
 	/* ----- code-server ----- */
 	'disable-update-check'?: boolean;
 	'auth'?: string;
 +	'disable-file-downloads'?: boolean;
 +	'disable-file-uploads'?: boolean;
 	/* ----- server setup ----- */
 Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
@@ -369,6 +369,8 @@ export class WebClientServer {
 			serverBasePath: basePath,
 			webviewEndpoint: staticRoute + '/out/vs/workbench/contrib/webview/browser/pre',
 			userDataPath: this._environmentService.userDataPath,
 +			isEnabledFileDownloads: !this._environmentService.args['disable-file-downloads'],
 +			isEnabledFileUploads: !this._environmentService.args['disable-file-uploads'],
 			_wrapWebWorkerExtHostInIframe,
 			developmentOptions: { enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined, logLevel: this._logService.getLevel() },
 			settingsSyncOptions: !this._environmentService.isBuilt && this._environmentService.args['enable-sync'] ? { enabled: true } : undefined,
 Index: code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/contextkeys.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
@@ -6,10 +6,10 @@
 import { Disposable } from '../../base/common/lifecycle.js';
 import { IContextKeyService, IContextKey, setConstant as setConstantContextKey } from '../../platform/contextkey/common/contextkey.js';
 import { IsMacContext, IsLinuxContext, IsWindowsContext, IsWebContext, IsMacNativeContext, IsDevelopmentContext, IsIOSContext, ProductQualityContext, IsMobileContext } from '../../platform/contextkey/common/contextkeys.js';
 -import { SplitEditorsVertically, InEditorZenModeContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, EmbedderIdentifierContext, EditorTabsVisibleContext, IsMainEditorCenteredLayoutContext, MainEditorAreaVisibleContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsMainWindowFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, TitleBarVisibleContext, TitleBarStyleContext, IsAuxiliaryWindowFocusedContext, ActiveEditorGroupEmptyContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorGroupLockedContext, MultipleEditorGroupsContext, EditorsVisibleContext, AuxiliaryBarMaximizedContext, InAutomationContext } from '../common/contextkeys.js';
 +import { SplitEditorsVertically, InEditorZenModeContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, EmbedderIdentifierContext, EditorTabsVisibleContext, IsMainEditorCenteredLayoutContext, MainEditorAreaVisibleContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsMainWindowFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, TitleBarVisibleContext, TitleBarStyleContext, IsAuxiliaryWindowFocusedContext, ActiveEditorGroupEmptyContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorGroupLockedContext, MultipleEditorGroupsContext, EditorsVisibleContext, AuxiliaryBarMaximizedContext, InAutomationContext, IsEnabledFileDownloads, IsEnabledFileUploads } from '../common/contextkeys.js';
 import { preferredSideBySideGroupDirection, GroupDirection, IEditorGroupsService } from '../services/editor/common/editorGroupsService.js';
 import { IConfigurationService } from '../../platform/configuration/common/configuration.js';
 -import { IWorkbenchEnvironmentService } from '../services/environment/common/environmentService.js';
 +import { IBrowserWorkbenchEnvironmentService } from '../services/environment/browser/environmentService.js';
 import { WorkbenchState, IWorkspaceContextService, isTemporaryWorkspace } from '../../platform/workspace/common/workspace.js';
 import { IWorkbenchLayoutService, Parts, positionToString } from '../services/layout/browser/layoutService.js';
 import { getRemoteName } from '../../platform/remote/common/remoteHosts.js';
@@ -69,7 +69,7 @@ export class WorkbenchContextKeysHandler
 		@IContextKeyService private readonly contextKeyService: IContextKeyService,
 		@IWorkspaceContextService private readonly contextService: IWorkspaceContextService,
 		@IConfigurationService private readonly configurationService: IConfigurationService,
 -		@IWorkbenchEnvironmentService private readonly environmentService: IWorkbenchEnvironmentService,
 +		@IBrowserWorkbenchEnvironmentService private readonly environmentService: IBrowserWorkbenchEnvironmentService,
 		@IProductService private readonly productService: IProductService,
 		@IEditorGroupsService private readonly editorGroupService: IEditorGroupsService,
 		@IEditorService private readonly editorService: IEditorService,
@@ -199,6 +199,10 @@ export class WorkbenchContextKeysHandler
 		this.auxiliaryBarMaximizedContext = AuxiliaryBarMaximizedContext.bindTo(this.contextKeyService);
 		this.auxiliaryBarMaximizedContext.set(this.layoutService.isAuxiliaryBarMaximized());
 +		// code-server
 +		IsEnabledFileDownloads.bindTo(this.contextKeyService).set(this.environmentService.isEnabledFileDownloads ?? true)
 +		IsEnabledFileUploads.bindTo(this.contextKeyService).set(this.environmentService.isEnabledFileUploads ?? true)
 +
 		this.registerListeners();
 	}
 Index: code-server/lib/vscode/src/vs/workbench/contrib/files/browser/fileActions.contribution.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/files/browser/fileActions.contribution.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/files/browser/fileActions.contribution.ts
@@ -20,7 +20,7 @@ import { CLOSE_SAVED_EDITORS_COMMAND_ID,
 import { AutoSaveAfterShortDelayContext } from '../../../services/filesConfiguration/common/filesConfigurationService.js';
 import { WorkbenchListDoubleSelection } from '../../../../platform/list/browser/listService.js';
 import { Schemas } from '../../../../base/common/network.js';
 -import { DirtyWorkingCopiesContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, WorkbenchStateContext, WorkspaceFolderCountContext, SidebarFocusContext, ActiveEditorCanRevertContext, ActiveEditorContext, ResourceContextKey, ActiveEditorAvailableEditorIdsContext, MultipleEditorsSelectedInGroupContext, TwoEditorsSelectedInGroupContext, SelectedEditorsInGroupFileOrUntitledResourceContextKey } from '../../../common/contextkeys.js';
 +import { IsEnabledFileDownloads, IsEnabledFileUploads, DirtyWorkingCopiesContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, WorkbenchStateContext, WorkspaceFolderCountContext, SidebarFocusContext, ActiveEditorCanRevertContext, ActiveEditorContext, ResourceContextKey, ActiveEditorAvailableEditorIdsContext, MultipleEditorsSelectedInGroupContext, TwoEditorsSelectedInGroupContext, SelectedEditorsInGroupFileOrUntitledResourceContextKey } from '../../../common/contextkeys.js';
 import { IsWebContext } from '../../../../platform/contextkey/common/contextkeys.js';
 import { ServicesAccessor } from '../../../../platform/instantiation/common/instantiation.js';
 import { ThemeIcon } from '../../../../base/common/themables.js';
@@ -571,13 +571,16 @@ MenuRegistry.appendMenuItem(MenuId.Explo
 		id: DOWNLOAD_COMMAND_ID,
 		title: DOWNLOAD_LABEL
 	},
 -	when: ContextKeyExpr.or(
 -		// native: for any remote resource
 -		ContextKeyExpr.and(IsWebContext.toNegated(), ResourceContextKey.Scheme.notEqualsTo(Schemas.file)),
 -		// web: for any files
 -		ContextKeyExpr.and(IsWebContext, ExplorerFolderContext.toNegated(), ExplorerRootContext.toNegated()),
 -		// web: for any folders if file system API support is provided
 -		ContextKeyExpr.and(IsWebContext, HasWebFileSystemAccess)
 +	when: ContextKeyExpr.and(
 +		IsEnabledFileDownloads,
 +		ContextKeyExpr.or(
 +			// native: for any remote resource
 +			ContextKeyExpr.and(IsWebContext.toNegated(), ResourceContextKey.Scheme.notEqualsTo(Schemas.file)),
 +			// web: for any files
 +			ContextKeyExpr.and(IsWebContext, ExplorerFolderContext.toNegated(), ExplorerRootContext.toNegated()),
 +			// web: for any folders if file system API support is provided
 +			ContextKeyExpr.and(IsWebContext, HasWebFileSystemAccess)
 +		)
 	)
 }));
@@ -589,6 +592,7 @@ MenuRegistry.appendMenuItem(MenuId.Explo
 		title: UPLOAD_LABEL,
 	},
 	when: ContextKeyExpr.and(
 +		IsEnabledFileUploads,
 		// only in web
 		IsWebContext,
 		// only on folders
 Index: code-server/lib/vscode/src/vs/workbench/common/contextkeys.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/common/contextkeys.ts
 +++ code-server/lib/vscode/src/vs/workbench/common/contextkeys.ts
@@ -39,6 +39,9 @@ export const EmbedderIdentifierContext =
 export const InAutomationContext = new RawContextKey<boolean>('inAutomation', false, localize('inAutomation', "Whether VS Code is running under automation/smoke test"));
 +export const IsEnabledFileDownloads = new RawContextKey<boolean>('isEnabledFileDownloads', true, true);
 +export const IsEnabledFileUploads = new RawContextKey<boolean>('isEnabledFileUploads', true, true);
 +
 //#endregion
 //#region < --- Window --- >
 Index: code-server/lib/vscode/src/vs/workbench/services/dialogs/browser/simpleFileDialog.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/dialogs/browser/simpleFileDialog.ts
 +++ code-server/lib/vscode/src/vs/workbench/services/dialogs/browser/simpleFileDialog.ts
@@ -18,7 +18,7 @@ import { IModelService } from '../../../
 import { ILanguageService } from '../../../../editor/common/languages/language.js';
 import { getIconClasses } from '../../../../editor/common/services/getIconClasses.js';
 import { Schemas } from '../../../../base/common/network.js';
 -import { IWorkbenchEnvironmentService } from '../../environment/common/environmentService.js';
 +import { IBrowserWorkbenchEnvironmentService } from '../../environment/browser/environmentService.js';
 import { IRemoteAgentService } from '../../remote/common/remoteAgentService.js';
 import { IContextKeyService, IContextKey, RawContextKey } from '../../../../platform/contextkey/common/contextkey.js';
 import { equalsIgnoreCase, format, startsWithIgnoreCase } from '../../../../base/common/strings.js';
@@ -144,7 +144,7 @@ export class SimpleFileDialog extends Di
 		@IFileDialogService private readonly fileDialogService: IFileDialogService,
 		@IModelService private readonly modelService: IModelService,
 		@ILanguageService private readonly languageService: ILanguageService,
 -		@IWorkbenchEnvironmentService protected readonly environmentService: IWorkbenchEnvironmentService,
 +		@IBrowserWorkbenchEnvironmentService protected readonly environmentService: IBrowserWorkbenchEnvironmentService,
 		@IRemoteAgentService private readonly remoteAgentService: IRemoteAgentService,
 		@IPathService protected readonly pathService: IPathService,
 		@IKeybindingService private readonly keybindingService: IKeybindingService,
@@ -311,20 +311,22 @@ export class SimpleFileDialog extends Di
 			this.filePickBox.placeholder = nls.localize('remoteFileDialog.placeholder', "Folder path");
 			this.filePickBox.ok = true;
 			this.filePickBox.okLabel = typeof this.options.openLabel === 'string' ? this.options.openLabel : this.options.openLabel?.withoutMnemonic;
 -			if ((this.scheme !== Schemas.file) && this.options && this.options.availableFileSystems && (this.options.availableFileSystems.length > 1) && (this.options.availableFileSystems.indexOf(Schemas.file) > -1)) {
 -				this.filePickBox.customButton = true;
 -				this.filePickBox.customLabel = nls.localize('remoteFileDialog.local', 'Show Local');
 -				let action;
 -				if (isSave) {
 -					action = SaveLocalFileCommand;
 -				} else {
 -					action = this.allowFileSelection ? (this.allowFolderSelection ? OpenLocalFileFolderCommand : OpenLocalFileCommand) : OpenLocalFolderCommand;
 -				}
 -				const keybinding = this.keybindingService.lookupKeybinding(action.ID);
 -				if (keybinding) {
 -					const label = keybinding.getLabel();
 -					if (label) {
 -						this.filePickBox.customHover = format('{0} ({1})', action.LABEL, label);
 +			if ((isSave && this.environmentService.isEnabledFileDownloads) || (!isSave && this.environmentService.isEnabledFileUploads)) {
 +				if ((this.scheme !== Schemas.file) && this.options && this.options.availableFileSystems && (this.options.availableFileSystems.length > 1) && (this.options.availableFileSystems.indexOf(Schemas.file) > -1)) {
 +					this.filePickBox.customButton = true;
 +					this.filePickBox.customLabel = nls.localize('remoteFileDialog.local', 'Show Local');
 +					let action;
 +					if (isSave) {
 +						action = SaveLocalFileCommand;
 +					} else {
 +						action = this.allowFileSelection ? (this.allowFolderSelection ? OpenLocalFileFolderCommand : OpenLocalFileCommand) : OpenLocalFolderCommand;
 +					}
 +					const keybinding = this.keybindingService.lookupKeybinding(action.ID);
 +					if (keybinding) {
 +						const label = keybinding.getLabel();
 +						if (label) {
 +							this.filePickBox.customHover = format('{0} ({1})', action.LABEL, label);
 +						}
 					}
 				}
 			}
 Index: code-server/lib/vscode/src/vs/workbench/contrib/files/browser/views/explorerViewer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/files/browser/views/explorerViewer.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/files/browser/views/explorerViewer.ts
@@ -65,6 +65,7 @@ import { timeout } from '../../../../../
 import { IFilesConfigurationService } from '../../../../services/filesConfiguration/common/filesConfigurationService.js';
 import { mainWindow } from '../../../../../base/browser/window.js';
 import { IExplorerFileContribution, explorerFileContribRegistry } from '../explorerFileContrib.js';
 +import { IBrowserWorkbenchEnvironmentService } from '../../../../services/environment/browser/environmentService.js';
 import { WorkbenchCompressibleAsyncDataTree } from '../../../../../platform/list/browser/listService.js';
 import { ISearchService, QueryType, getExcludes, ISearchConfiguration, ISearchComplete, IFileQuery } from '../../../../services/search/common/search.js';
 import { CancellationToken } from '../../../../../base/common/cancellation.js';
@@ -1594,7 +1595,8 @@ export class FileDragAndDrop implements
 		@IConfigurationService private configurationService: IConfigurationService,
 		@IInstantiationService private instantiationService: IInstantiationService,
 		@IWorkspaceEditingService private workspaceEditingService: IWorkspaceEditingService,
 -		@IUriIdentityService private readonly uriIdentityService: IUriIdentityService
 +		@IUriIdentityService private readonly uriIdentityService: IUriIdentityService,
 +		@IBrowserWorkbenchEnvironmentService protected readonly environmentService: IBrowserWorkbenchEnvironmentService
 	) {
 		const updateDropEnablement = (e: IConfigurationChangeEvent | undefined) => {
 			if (!e || e.affectsConfiguration('explorer.enableDragAndDrop')) {
@@ -1819,15 +1821,17 @@ export class FileDragAndDrop implements
 			// External file DND (Import/Upload file)
 			if (data instanceof NativeDragAndDropData) {
 -				// Use local file import when supported
 -				if (!isWeb || (isTemporaryWorkspace(this.contextService.getWorkspace()) && WebFileSystemAccess.supported(mainWindow))) {
 -					const fileImport = this.instantiationService.createInstance(ExternalFileImport);
 -					await fileImport.import(resolvedTarget, originalEvent, mainWindow);
 -				}
 -				// Otherwise fallback to browser based file upload
 -				else {
 -					const browserUpload = this.instantiationService.createInstance(BrowserFileUpload);
 -					await browserUpload.upload(target, originalEvent);
 +				if (this.environmentService.isEnabledFileUploads) {
 +					// Use local file import when supported
 +					if (!isWeb || (isTemporaryWorkspace(this.contextService.getWorkspace()) && WebFileSystemAccess.supported(mainWindow))) {
 +						const fileImport = this.instantiationService.createInstance(ExternalFileImport);
 +						await fileImport.import(resolvedTarget, originalEvent, mainWindow);
 +					}
 +					// Otherwise fallback to browser based file upload
 +					else {
 +						const browserUpload = this.instantiationService.createInstance(BrowserFileUpload);
 +						await browserUpload.upload(target, originalEvent);
 +					}
 				}
 			}
 Index: code-server/lib/vscode/src/vs/platform/files/node/diskFileSystemProviderServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/files/node/diskFileSystemProviderServer.ts
 +++ code-server/lib/vscode/src/vs/platform/files/node/diskFileSystemProviderServer.ts
@@ -99,6 +99,7 @@ export abstract class AbstractDiskFileSy
 	private async readFile(uriTransformer: IURITransformer, _resource: UriComponents, opts?: IFileAtomicReadOptions): Promise<VSBuffer> {
 		const resource = this.transformIncoming(uriTransformer, _resource, true);
 +		this.logService.trace(`File action: readFile ${resource.path}`);
 		const buffer = await this.provider.readFile(resource, opts);
 		return VSBuffer.wrap(buffer);
@@ -117,6 +118,7 @@ export abstract class AbstractDiskFileSy
 			}
 		});
 +		this.logService.trace(`File action: readFileStream ${resource.path}`);
 		const fileStream = this.provider.readFileStream(resource, opts, cts.token);
 		listenStream(fileStream, {
 			onData: chunk => emitter.fire(VSBuffer.wrap(chunk)),
@@ -137,7 +139,7 @@ export abstract class AbstractDiskFileSy
 	private writeFile(uriTransformer: IURITransformer, _resource: UriComponents, content: VSBuffer, opts: IFileWriteOptions): Promise<void> {
 		const resource = this.transformIncoming(uriTransformer, _resource);
 -
 +		this.logService.trace(`File action: writeFile ${resource.path}`);
 		return this.provider.writeFile(resource, content.buffer, opts);
 	}
--- a/patches/getting-started.diff
+++ b/patches/getting-started.diff
@ -10,16 +10,25 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/bro
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/browser/gettingStarted.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/browser/gettingStarted.ts
-@@ -62,7 +62,7 @@ import { GettingStartedIndexList } from
+@@ -3,7 +3,7 @@
- import { StandardKeyboardEvent } from 'vs/base/browser/keyboardEvent';
+  *  Licensed under the MIT License. See License.txt in the project root for license information.
- import { KeyCode } from 'vs/base/common/keyCodes';
+  *--------------------------------------------------------------------------------------------*/
- import { getTelemetryLevel } from 'vs/platform/telemetry/common/telemetryUtils';
+ 
-import { WorkbenchStateContext } from 'vs/workbench/common/contextkeys';
+-import { $, Dimension, addDisposableListener, append, clearNode, reset } from '../../../../base/browser/dom.js';
-+import { IsEnabledCoderGettingStarted, WorkbenchStateContext } from 'vs/workbench/common/contextkeys';
+import { $, Dimension, addDisposableListener, append, clearNode, reset, prepend } from '../../../../base/browser/dom.js';
- import { OpenFolderViaWorkspaceAction } from 'vs/workbench/browser/actions/workspaceActions';
+ import { renderFormattedText } from '../../../../base/browser/formattedTextRenderer.js';
- import { OpenRecentAction } from 'vs/workbench/browser/actions/windowActions';
+ import { StandardKeyboardEvent } from '../../../../base/browser/keyboardEvent.js';
- import { Toggle } from 'vs/base/browser/ui/toggle/toggle';
+ import { Button } from '../../../../base/browser/ui/button/button.js';
-@@ -758,6 +758,72 @@ export class GettingStartedPage extends
+@@ -53,7 +53,7 @@ import { IRecentFolder, IRecentWorkspace
 import { OpenRecentAction } from '../../../browser/actions/windowActions.js';
 import { OpenFileFolderAction, OpenFolderAction, OpenFolderViaWorkspaceAction } from '../../../browser/actions/workspaceActions.js';
 import { EditorPane } from '../../../browser/parts/editor/editorPane.js';
 -import { WorkbenchStateContext } from '../../../common/contextkeys.js';
 +import { IsEnabledCoderGettingStarted, WorkbenchStateContext } from '../../../common/contextkeys.js';
 import { IEditorOpenContext, IEditorSerializer } from '../../../common/editor.js';
 import { IWebviewElement, IWebviewService } from '../../webview/browser/webview.js';
 import './gettingStartedColors.js';
@@ -916,6 +916,72 @@ export class GettingStartedPage extends
 			$('p.subtitle.description', {}, localize({ key: 'gettingStarted.editingEvolved', comment: ['Shown as subtitle on the Welcome page.'] }, "Editing evolved"))
 		);
@ -55,7 +64,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/bro
 +							'font-size: 13px',
 +							'color: #dcdee2',
 +						].join(';'),
-+					}, 'Provision remote development environments on your infrastructure with Coder.'),
+					}, 'Provision software development environments on your infrastructure with Coder.'),
 +					$('p', {
 +						style: [
 +							'margin-top: 8px',
@ -72,7 +81,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/bro
 +							'align-items: center',
 +						].join(';'),
 +					}, 'Get started ', $('span', {
-+						class: Codicon.arrowRight.classNames,
+						class: ThemeIcon.asClassName(Codicon.arrowRight),
 +						style: [
 +							'color: white',
 +							'margin-left: 8px',
@ -87,38 +96,21 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/bro
 +					),
 +				),
 +			);
-+	   }
+		}
 +
 		const leftColumn = $('.categories-column.categories-column-left', {},);
 		const rightColumn = $('.categories-column.categories-column-right', {},);
-@@ -775,13 +841,23 @@ export class GettingStartedPage extends
+ 
- 		const layoutLists = () => {
+@@ -951,6 +1017,9 @@ export class GettingStartedPage extends
 			if (gettingStartedList.itemCount) {
 				this.container.classList.remove('noWalkthroughs');
 -				reset(leftColumn, startList.getDomElement(), recentList.getDomElement());
 -				reset(rightColumn, gettingStartedList.getDomElement());
 +				if (this.contextService.contextMatchesRules(IsEnabledCoderGettingStarted)) {
 +					reset(leftColumn, startList.getDomElement(), recentList.getDomElement(), gettingStartedList.getDomElement());
 +					reset(rightColumn, gettingStartedCoder);
 +				} else {
 +					reset(leftColumn, startList.getDomElement(), recentList.getDomElement());
 +					reset(rightColumn, gettingStartedList.getDomElement());
 +				}
 +
 				recentList.setLimit(5);
 				reset(leftColumn, startList.getDomElement(), recentList.getDomElement());
 			}
- 			else {
+			if (this.contextService.contextMatchesRules(IsEnabledCoderGettingStarted)) {
- 				this.container.classList.add('noWalkthroughs');
+				prepend(rightColumn, gettingStartedCoder)
-				reset(leftColumn, startList.getDomElement());
+			}
-+				if (this.contextService.contextMatchesRules(IsEnabledCoderGettingStarted)) {
+ 		};
-+					reset(leftColumn, startList.getDomElement(), gettingStartedCoder);
+ 
-+				} else {
+ 		gettingStartedList.onDidChange(layoutLists);
 +					reset(leftColumn, startList.getDomElement());
 +				}
 				reset(rightColumn, recentList.getDomElement());
 				recentList.setLimit(10);
 			}
 Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/browser/media/gettingStarted.css
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/browser/media/gettingStarted.css
@ -131,21 +123,21 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/bro
 +	margin-bottom: 0.2em;
 +}
 +
-+.monaco-workbench .part.editor>.content .gettingStartedContainer .coder-coder {
+.monaco-workbench .part.editor > .content .gettingStartedContainer .coder-coder {
 +	font-size: 1em;
 +	margin-top: 0.2em;
 +}
 +
- .monaco-workbench.hc-black .part.editor>.content .gettingStartedContainer .subtitle,
+ .monaco-workbench.hc-black .part.editor > .content .gettingStartedContainer .subtitle,
- .monaco-workbench.hc-light .part.editor>.content .gettingStartedContainer .subtitle {
+ .monaco-workbench.hc-light .part.editor > .content .gettingStartedContainer .subtitle {
 	font-weight: 200;
 Index: code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.api.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
-@@ -276,6 +276,11 @@ export interface IWorkbenchConstructionO
+@@ -313,6 +313,11 @@ export interface IWorkbenchConstructionO
 	 */
- 	readonly isEnabledFileDownloads?: boolean
+ 	readonly isEnabledFileUploads?: boolean
 +	/**
 +	 * Whether to use Coder's custom Getting Started text.
@ -154,25 +146,25 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
 +
 	//#endregion
- 
+ 	//#region Profile options
 Index: code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
 +++ code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
-@@ -36,6 +36,11 @@ export interface IBrowserWorkbenchEnviro
+@@ -44,6 +44,11 @@ export interface IBrowserWorkbenchEnviro
- 	 * Enable downloading files via menu actions.
+ 	readonly isEnabledFileUploads?: boolean;
- 	 */
+ 
- 	readonly isEnabledFileDownloads?: boolean;
+ 	/**
 +
 +	/**
 +	 * Enable Coder's custom getting started text.
 +	 */
 +	readonly isEnabledCoderGettingStarted?: boolean;
- }
+
- 
+	/**
- export class BrowserWorkbenchEnvironmentService implements IBrowserWorkbenchEnvironmentService {
+ 	 * Gets whether a resolver extension is expected for the environment.
-@@ -74,6 +79,13 @@ export class BrowserWorkbenchEnvironment
+ 	 */
- 		return this.options.isEnabledFileDownloads;
+ 	readonly expectsResolverExtension: boolean;
@@ -135,6 +140,13 @@ export class BrowserWorkbenchEnvironment
 		return this.options.isEnabledFileUploads;
 	}
 +	get isEnabledCoderGettingStarted(): boolean {
@ -189,19 +181,19 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 +++ code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
-@@ -16,6 +16,7 @@ export const serverOptions: OptionDescri
+@@ -21,6 +21,7 @@ export const serverOptions: OptionDescri
 	'auth': { type: 'string' },
 	'disable-file-downloads': { type: 'boolean' },
- 	'locale': { type: 'string' },
+ 	'disable-file-uploads': { type: 'boolean' },
 +	'disable-getting-started-override': { type: 'boolean' },
 	/* ----- server setup ----- */
-@@ -98,6 +99,7 @@ export interface ServerParsedArgs {
+@@ -111,6 +112,7 @@ export interface ServerParsedArgs {
- 	'auth'?: string
+ 	'auth'?: string;
 	'disable-file-downloads'?: boolean;
- 	'locale'?: string
+ 	'disable-file-uploads'?: boolean;
-+	'disable-getting-started-override'?: boolean;
+	'disable-getting-started-override'?: boolean,
 	/* ----- server setup ----- */
@ -209,10 +201,10 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -308,6 +308,7 @@ export class WebClientServer {
+@@ -373,6 +373,7 @@ export class WebClientServer {
 			webviewEndpoint: vscodeBase + this._staticRoute + '/out/vs/workbench/contrib/webview/browser/pre',
 			userDataPath: this._environmentService.userDataPath,
 			isEnabledFileDownloads: !this._environmentService.args['disable-file-downloads'],
 			isEnabledFileUploads: !this._environmentService.args['disable-file-uploads'],
 +			isEnabledCoderGettingStarted: !this._environmentService.args['disable-getting-started-override'],
 			_wrapWebWorkerExtHostInIframe,
 			developmentOptions: { enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined, logLevel: this._logService.getLevel() },
@ -221,19 +213,19 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/contextkeys.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
-@@ -7,7 +7,7 @@ import { Event } from 'vs/base/common/ev
+@@ -6,7 +6,7 @@
- import { Disposable } from 'vs/base/common/lifecycle';
+ import { Disposable } from '../../base/common/lifecycle.js';
- import { IContextKeyService, IContextKey } from 'vs/platform/contextkey/common/contextkey';
+ import { IContextKeyService, IContextKey, setConstant as setConstantContextKey } from '../../platform/contextkey/common/contextkey.js';
- import { InputFocusedContext, IsMacContext, IsLinuxContext, IsWindowsContext, IsWebContext, IsMacNativeContext, IsDevelopmentContext, IsIOSContext, ProductQualityContext, IsMobileContext } from 'vs/platform/contextkey/common/contextkeys';
+ import { IsMacContext, IsLinuxContext, IsWindowsContext, IsWebContext, IsMacNativeContext, IsDevelopmentContext, IsIOSContext, ProductQualityContext, IsMobileContext } from '../../platform/contextkey/common/contextkeys.js';
-import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, MultipleEditorGroupsContext, EditorTabsVisibleContext, IsCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, EditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, IsEnabledFileDownloads } from 'vs/workbench/common/contextkeys';
+-import { SplitEditorsVertically, InEditorZenModeContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, EmbedderIdentifierContext, EditorTabsVisibleContext, IsMainEditorCenteredLayoutContext, MainEditorAreaVisibleContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsMainWindowFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, TitleBarVisibleContext, TitleBarStyleContext, IsAuxiliaryWindowFocusedContext, ActiveEditorGroupEmptyContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorGroupLockedContext, MultipleEditorGroupsContext, EditorsVisibleContext, AuxiliaryBarMaximizedContext, InAutomationContext, IsEnabledFileDownloads, IsEnabledFileUploads } from '../common/contextkeys.js';
-+import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, MultipleEditorGroupsContext, EditorTabsVisibleContext, IsCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, EditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, IsEnabledFileDownloads, IsEnabledCoderGettingStarted } from 'vs/workbench/common/contextkeys';
+import { SplitEditorsVertically, InEditorZenModeContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, EmbedderIdentifierContext, EditorTabsVisibleContext, IsMainEditorCenteredLayoutContext, MainEditorAreaVisibleContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsMainWindowFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, TitleBarVisibleContext, TitleBarStyleContext, IsAuxiliaryWindowFocusedContext, ActiveEditorGroupEmptyContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorGroupLockedContext, MultipleEditorGroupsContext, EditorsVisibleContext, AuxiliaryBarMaximizedContext, InAutomationContext, IsEnabledFileDownloads, IsEnabledFileUploads, IsEnabledCoderGettingStarted, } from '../common/contextkeys.js';
- import { TEXT_DIFF_EDITOR_ID, EditorInputCapabilities, SIDE_BY_SIDE_EDITOR_ID, DEFAULT_EDITOR_ASSOCIATION } from 'vs/workbench/common/editor';
+ import { preferredSideBySideGroupDirection, GroupDirection, IEditorGroupsService } from '../services/editor/common/editorGroupsService.js';
- import { trackFocus, addDisposableListener, EventType } from 'vs/base/browser/dom';
+ import { IConfigurationService } from '../../platform/configuration/common/configuration.js';
- import { preferredSideBySideGroupDirection, GroupDirection, IEditorGroupsService } from 'vs/workbench/services/editor/common/editorGroupsService';
+ import { IBrowserWorkbenchEnvironmentService } from '../services/environment/browser/environmentService.js';
-@@ -204,6 +204,7 @@ export class WorkbenchContextKeysHandler
+@@ -202,6 +202,7 @@ export class WorkbenchContextKeysHandler
 		// code-server
 		IsEnabledFileDownloads.bindTo(this.contextKeyService).set(this.environmentService.isEnabledFileDownloads ?? true)
 		IsEnabledFileUploads.bindTo(this.contextKeyService).set(this.environmentService.isEnabledFileUploads ?? true)
 +		IsEnabledCoderGettingStarted.bindTo(this.contextKeyService).set(this.environmentService.isEnabledCoderGettingStarted ?? true)
 		this.registerListeners();
@ -242,10 +234,10 @@ Index: code-server/lib/vscode/src/vs/workbench/common/contextkeys.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/common/contextkeys.ts
 +++ code-server/lib/vscode/src/vs/workbench/common/contextkeys.ts
-@@ -33,6 +33,7 @@ export const IsFullscreenContext = new R
+@@ -41,6 +41,7 @@ export const InAutomationContext = new R
 export const HasWebFileSystemAccess = new RawContextKey<boolean>('hasWebFileSystemAccess', false, true); // Support for FileSystemAccess web APIs (https://wicg.github.io/file-system-access)
 export const IsEnabledFileDownloads = new RawContextKey<boolean>('isEnabledFileDownloads', true, true);
 export const IsEnabledFileUploads = new RawContextKey<boolean>('isEnabledFileUploads', true, true);
 +export const IsEnabledCoderGettingStarted = new RawContextKey<boolean>('isEnabledCoderGettingStarted', true, true);
 //#endregion
--- a/patches/github-auth.diff
+++ b/patches/github-auth.diff
@ -1,106 +0,0 @@
 Add the ability to provide a GitHub token
 To test install the GitHub PR extension and start code-server with GITHUB_TOKEN
 or set github-auth in the config file.  The extension should be authenticated.
 Index: code-server/lib/vscode/src/vs/platform/credentials/node/credentialsMainService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/credentials/node/credentialsMainService.ts
 +++ code-server/lib/vscode/src/vs/platform/credentials/node/credentialsMainService.ts
@@ -5,9 +5,18 @@
 import { InMemoryCredentialsProvider } from 'vs/platform/credentials/common/credentials';
 import { ILogService } from 'vs/platform/log/common/log';
 -import { INativeEnvironmentService } from 'vs/platform/environment/common/environment';
 +import { IServerEnvironmentService } from 'vs/server/node/serverEnvironmentService';
 import { IProductService } from 'vs/platform/product/common/productService';
 import { BaseCredentialsMainService, KeytarModule } from 'vs/platform/credentials/common/credentialsMainService';
 +import { generateUuid } from 'vs/base/common/uuid';
 +import { equals as arrayEquals } from 'vs/base/common/arrays';
 +
 +interface IToken {
 +	accessToken: string
 +	account?: { label: string }
 +	id: string
 +	scopes: string[]
 +}
 export class CredentialsWebMainService extends BaseCredentialsMainService {
 	// Since we fallback to the in-memory credentials provider, we do not need to surface any Keytar load errors
@@ -16,10 +25,15 @@ export class CredentialsWebMainService e
 	constructor(
 		@ILogService logService: ILogService,
 -		@INativeEnvironmentService private readonly environmentMainService: INativeEnvironmentService,
 +		@IServerEnvironmentService private readonly environmentMainService: IServerEnvironmentService,
 		@IProductService private readonly productService: IProductService,
 	) {
 		super(logService);
 +		if (this.environmentMainService.args["github-auth"]) {
 +			this.storeGitHubToken(this.environmentMainService.args["github-auth"]).catch((error) => {
 +				this.logService.error('Failed to store provided GitHub token', error)
 +			})
 +		}
 	}
 	// If the credentials service is running on the server, we add a suffix -server to differentiate from the location that the
@@ -48,4 +62,59 @@ export class CredentialsWebMainService e
 		}
 		return this._keytarCache;
 	}
 +
 +	private async storeGitHubToken(githubToken: string): Promise<void> {
 +		const extensionId = 'vscode.github-authentication';
 +		const service = `${await this.getSecretStoragePrefix()}${extensionId}`;
 +		const account = 'github.auth';
 +		const scopes = [['read:user', 'user:email', 'repo']]
 +
 +		// Oddly the scopes need to match exactly so we cannot just have one token
 +		// with all the scopes, instead we have to duplicate the token for each
 +		// expected set of scopes.
 +		const tokens: IToken[] = scopes.map((scopes) => ({
 +			id: generateUuid(),
 +			scopes: scopes.sort(), // Sort for comparing later.
 +			accessToken: githubToken,
 +		}));
 +
 +		const raw = await this.getPassword(service, account)
 +
 +		let existing: {
 +			content: IToken[]
 +		} | undefined;
 +
 +		if (raw) {
 +			try {
 +				const json = JSON.parse(raw);
 +				json.content = JSON.parse(json.content);
 +				existing = json;
 +			} catch (error) {
 +				this.logService.error('Failed to parse existing GitHub credentials', error)
 +			}
 +		}
 +
 +		// Keep tokens for account and scope combinations we do not have in case
 +		// there is an extension that uses scopes we have not accounted for (in
 +		// these cases the user will need to manually authenticate the extension
 +		// through the UI) or the user has tokens for other accounts.
 +		if (existing?.content) {
 +			existing.content = existing.content.filter((existingToken) => {
 +				const scopes = existingToken.scopes.sort();
 +				return !(tokens.find((token) => {
 +					return arrayEquals(scopes, token.scopes)
 +						&& token.account?.label === existingToken.account?.label;
 +				}))
 +			})
 +		}
 +
 +		return this.setPassword(service, account, JSON.stringify({
 +			extensionId,
 +			...(existing || {}),
 +			content: JSON.stringify([
 +				...tokens,
 +				...(existing?.content || []),
 +			])
 +		}));
 +	}
 }
--- a/patches/insecure-notification.diff
+++ b/patches/insecure-notification.diff
@ -17,9 +17,9 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/client.ts
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/client.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/client.ts
@@ -1,7 +1,10 @@
- import { Disposable } from 'vs/base/common/lifecycle';
+ import { Disposable } from "../../base/common/lifecycle.js";
-+import { localize } from 'vs/nls';
+import { localize } from '../../nls.js';
-+import { INotificationService, Severity } from 'vs/platform/notification/common/notification';
+import { INotificationService, Severity } from '../../platform/notification/common/notification.js';
 export class CodeServerClient extends Disposable {
 	constructor (
--- a/patches/integration.diff
+++ b/patches/integration.diff
@ -3,26 +3,28 @@ Prepare Code for integration with code-server
 1. We already have the arguments so allow passing them in.  There is also a
   slight change in a few directories to preserve the directory structure we
   have been using and to not override passed-in arguments.
-2. Modify the terminal environment to filter out code-server environment variables.
+2. Modify the entry point to allow importing the code, instead of just running
-3. Add the code-server version to the help dialog.
+   the server immediately.
-4. Add ready events for use in an iframe.
+3. Modify the terminal environment to filter out code-server environment variables.
-5. Add our icons.
+4. Add the code-server version to the help dialog.
-6. Use our own manifest.
+5. Add ready events for use in an iframe.
 6. Add our icons and remove the existing ones.
 7. Use our own manifest.
 Index: code-server/lib/vscode/src/vs/server/node/server.main.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/server.main.ts
 +++ code-server/lib/vscode/src/vs/server/node/server.main.ts
@@ -12,7 +12,7 @@ import { createServer as doCreateServer,
- import { parseArgs, ErrorReporter } from 'vs/platform/environment/node/argv';
+ import { parseArgs, ErrorReporter } from '../../platform/environment/node/argv.js';
- import { join, dirname } from 'vs/base/common/path';
+ import { join, dirname } from '../../base/common/path.js';
 import { performance } from 'perf_hooks';
-import { serverOptions } from 'vs/server/node/serverEnvironmentService';
+-import { serverOptions } from './serverEnvironmentService.js';
-+import { serverOptions, ServerParsedArgs } from 'vs/server/node/serverEnvironmentService';
+import { serverOptions, ServerParsedArgs } from './serverEnvironmentService.js';
- import product from 'vs/platform/product/common/product';
+ import product from '../../platform/product/common/product.js';
- import * as perf from 'vs/base/common/performance';
+ import * as perf from '../../base/common/performance.js';
-@@ -34,38 +34,43 @@ const errorReporter: ErrorReporter = {
+@@ -34,38 +34,47 @@ const errorReporter: ErrorReporter = {
 	}
 };
@ -38,7 +40,7 @@ Index: code-server/lib/vscode/src/vs/server/node/server.main.ts
 -const LOCAL_HISTORY_HOME = join(APP_SETTINGS_HOME, 'History');
 -const MACHINE_SETTINGS_HOME = join(USER_DATA_PATH, 'Machine');
 -args['user-data-dir'] = USER_DATA_PATH;
-const APP_ROOT = dirname(FileAccess.asFileUri('', require).fsPath);
+-const APP_ROOT = dirname(FileAccess.asFileUri('').fsPath);
 -const BUILTIN_EXTENSIONS_FOLDER_PATH = join(APP_ROOT, 'extensions');
 -args['builtin-extensions-dir'] = BUILTIN_EXTENSIONS_FOLDER_PATH;
 -args['extensions-dir'] = args['extensions-dir'] || join(REMOTE_DATA_FOLDER, 'extensions');
@ -58,7 +60,7 @@ Index: code-server/lib/vscode/src/vs/server/node/server.main.ts
 +	const LOCAL_HISTORY_HOME = join(APP_SETTINGS_HOME, 'History');
 +	const MACHINE_SETTINGS_HOME = join(USER_DATA_PATH, 'Machine');
 +	args['user-data-dir'] = USER_DATA_PATH;
-+	const APP_ROOT = dirname(FileAccess.asFileUri('', require).fsPath);
+	const APP_ROOT = dirname(FileAccess.asFileUri('').fsPath);
 +	const BUILTIN_EXTENSIONS_FOLDER_PATH = args['builtin-extensions-dir'] || join(APP_ROOT, 'extensions');
 +	args['builtin-extensions-dir'] = BUILTIN_EXTENSIONS_FOLDER_PATH;
 +	args['extensions-dir'] = args['extensions-dir'] || join(REMOTE_DATA_FOLDER, 'extensions');
@ -78,7 +80,7 @@ Index: code-server/lib/vscode/src/vs/server/node/server.main.ts
  */
 -export function spawnCli() {
 -	runCli(args, REMOTE_DATA_FOLDER, serverOptions);
-+export function spawnCli(args = parse()): Promise<void> {
+function spawnCli(args = parse()): Promise<void> {
 +	return runCli(args, createDirs(args), serverOptions);
 }
@ -87,15 +89,19 @@ Index: code-server/lib/vscode/src/vs/server/node/server.main.ts
  */
 -export function createServer(address: string | net.AddressInfo | null): Promise<IServerAPI> {
 -	return doCreateServer(address, args, REMOTE_DATA_FOLDER);
-+export function createServer(address: string | net.AddressInfo | null, args = parse()): Promise<IServerAPI> {
+function createServer(address: string | net.AddressInfo | null, args = parse()): Promise<IServerAPI> {
 +	return doCreateServer(address, args, createDirs(args));
 }
 +
 +// The aliases prevent the names getting mangled during minification which would
 +// make it difficult to import.
 +export { spawnCli as spawnCli, createServer as createServer };
 Index: code-server/lib/vscode/src/vs/base/common/processes.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/base/common/processes.ts
 +++ code-server/lib/vscode/src/vs/base/common/processes.ts
@@ -111,6 +111,8 @@ export function sanitizeProcessEnvironme
- 		/^VSCODE_(?!SHELL_LOGIN).+$/,
+ 		/^VSCODE_(?!(PORTABLE|SHELL_LOGIN|ENV_REPLACE|ENV_APPEND|ENV_PREPEND)).+$/,
 		/^SNAP(|_.*)$/,
 		/^GDK_PIXBUF_.+$/,
 +		/^CODE_SERVER_.+$/,
@ -103,30 +109,12 @@ Index: code-server/lib/vscode/src/vs/base/common/processes.ts
 	];
 	const envKeys = Object.keys(env);
 	envKeys
 Index: code-server/lib/vscode/src/vs/workbench/browser/parts/dialogs/dialogHandler.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/parts/dialogs/dialogHandler.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/parts/dialogs/dialogHandler.ts
@@ -143,8 +143,11 @@ export class BrowserDialogHandler implem
 	async about(): Promise<void> {
 		const detailString = (useAgo: boolean): string => {
 -			return localize('aboutDetail',
 -				"Version: {0}\nCommit: {1}\nDate: {2}\nBrowser: {3}",
 +			return localize('aboutCodeServerDetail',
 +				"code-server: {0}",
 +				this.productService.codeServerVersion ? `v${this.productService.codeServerVersion}` : 'Unknown'
 +			) + '\n' + localize('aboutDetail',
 +				"Code: {0}\nCommit: {1}\nDate: {2}\nBrowser: {3}",
 				this.productService.version || 'Unknown',
 				this.productService.commit || 'Unknown',
 				this.productService.date ? `${this.productService.date}${useAgo ? ' (' + fromNow(new Date(this.productService.date), true) + ')' : ''}` : 'Unknown',
 Index: code-server/lib/vscode/src/vs/workbench/browser/client.ts
 ===================================================================
 --- /dev/null
 +++ code-server/lib/vscode/src/vs/workbench/browser/client.ts
@@ -0,0 +1,46 @@
-+import { Disposable } from 'vs/base/common/lifecycle';
+import { Disposable } from "../../base/common/lifecycle.js";
 +
 +export class CodeServerClient extends Disposable {
 +	constructor (
@ -176,15 +164,15 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/web.main.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.main.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.main.ts
-@@ -69,6 +69,7 @@ import { IndexedDB } from 'vs/base/brows
+@@ -64,6 +64,7 @@ import { IOpenerService } from '../../pl
- import { BrowserCredentialsService } from 'vs/workbench/services/credentials/browser/credentialsService';
+ import { mixin, safeStringify } from '../../base/common/objects.js';
- import { IWorkspace } from 'vs/workbench/services/host/browser/browserHostService';
+ import { IndexedDB } from '../../base/browser/indexedDB.js';
- import { WebFileSystemAccess } from 'vs/platform/files/browser/webFileSystemAccess';
+ import { WebFileSystemAccess } from '../../platform/files/browser/webFileSystemAccess.js';
-+import { CodeServerClient } from 'vs/workbench/browser/client';
+import { CodeServerClient } from '../../workbench/browser/client.js';
- import { ITelemetryService } from 'vs/platform/telemetry/common/telemetry';
+ import { IProgressService } from '../../platform/progress/common/progress.js';
- import { IProgressService } from 'vs/platform/progress/common/progress';
+ import { DelayedLogChannel } from '../services/output/common/delayedLogChannel.js';
- import { DelayedLogChannel } from 'vs/workbench/services/output/common/delayedLogChannel';
+ import { dirname, joinPath } from '../../base/common/resources.js';
-@@ -116,6 +117,9 @@ export class BrowserMain extends Disposa
+@@ -133,6 +134,9 @@ export class BrowserMain extends Disposa
 		// Startup
 		const instantiationService = workbench.startup();
@ -198,7 +186,7 @@ Index: code-server/lib/vscode/src/vs/base/common/product.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/base/common/product.ts
 +++ code-server/lib/vscode/src/vs/base/common/product.ts
-@@ -31,6 +31,8 @@ export type ExtensionVirtualWorkspaceSup
+@@ -65,6 +65,8 @@ export type ExtensionVirtualWorkspaceSup
 };
 export interface IProductConfiguration {
@ -221,19 +209,18 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench-dev.html
 		<!-- Disable pinch zooming -->
 		<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no">
-@@ -26,9 +27,9 @@
+@@ -26,8 +27,9 @@
 		<meta id="vscode-workbench-builtin-extensions" data-settings="{{WORKBENCH_BUILTIN_EXTENSIONS}}">
 		<!-- Workbench Icon/Manifest/CSS -->
 -		<link rel="icon" href="{{WORKBENCH_WEB_BASE_URL}}/resources/server/favicon.ico" type="image/x-icon" />
 -		<link rel="manifest" href="{{WORKBENCH_WEB_BASE_URL}}/resources/server/manifest.json" crossorigin="use-credentials" />
 -
 +		<link rel="icon" href="/_static/src/browser/media/favicon-dark-support.svg" />
 +		<link rel="alternate icon" href="/_static/src/browser/media/favicon.ico" type="image/x-icon" />
 +		<link rel="manifest" href="/manifest.json" crossorigin="use-credentials" />
- 	</head>
+ 		<style id="vscode-css-modules" type="text/css" media="screen"></style>
- 	<body aria-label="">
+ 	</head>
 Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.html
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/code/browser/workbench/workbench.html
@ -257,18 +244,81 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.html
 +		<link rel="icon" href="/_static/src/browser/media/favicon-dark-support.svg" />
 +		<link rel="alternate icon" href="/_static/src/browser/media/favicon.ico" type="image/x-icon" />
 +		<link rel="manifest" href="/manifest.json" crossorigin="use-credentials" />
- 		<link data-name="vs/workbench/workbench.web.main" rel="stylesheet" href="{{WORKBENCH_WEB_BASE_URL}}/out/vs/workbench/workbench.web.main.css">
+ 		<link rel="stylesheet" href="{{WORKBENCH_WEB_BASE_URL}}/out/vs/code/browser/workbench/workbench.css">
 	</head>
 Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -308,6 +308,7 @@ export class WebClientServer {
+@@ -333,6 +333,7 @@ export class WebClientServer {
- 			folderUri: resolveWorkspaceURI(this._environmentService.args['default-folder']),
+ 		} : undefined;
- 			workspaceUri: resolveWorkspaceURI(this._environmentService.args['default-workspace']),
+ 
- 			productConfiguration: <Partial<IProductConfiguration>>{
+ 		const productConfiguration: Partial<Mutable<IProductConfiguration>> = {
-+				codeServerVersion: this._productService.codeServerVersion,
+			codeServerVersion: this._productService.codeServerVersion,
- 				embedderIdentifier: 'server-distro',
+ 			embedderIdentifier: 'server-distro',
- 				extensionsGallery: this._webExtensionResourceUrlTemplate ? {
+ 			extensionsGallery: this._webExtensionResourceUrlTemplate && this._productService.extensionsGallery ? {
- 					...this._productService.extensionsGallery,
+ 				...this._productService.extensionsGallery,
 Index: code-server/lib/vscode/src/server-main.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/server-main.ts
 +++ code-server/lib/vscode/src/server-main.ts
@@ -22,6 +22,9 @@ import { IServerAPI } from './vs/server/
 perf.mark('code/server/start');
 (globalThis as { vscodeServerStartTime?: number }).vscodeServerStartTime = performance.now();
 +// This is not indented to make the diff less noisy.  We need to move this out
 +// of the top-level so it will not run immediately and we can control the start.
 +async function start() {
 // Do a quick parse to determine if a server or the cli needs to be started
 const parsedArgs = minimist(process.argv.slice(2), {
 	boolean: ['start-server', 'list-extensions', 'print-ip-address', 'help', 'version', 'accept-server-license-terms', 'update-extensions'],
@@ -150,6 +153,7 @@ if (shouldSpawnCli) {
 		}
 	});
 }
 +}
 function sanitizeStringArg(val: unknown): string | undefined {
 	if (Array.isArray(val)) { // if an argument is passed multiple times, minimist creates an array
@@ -283,3 +287,22 @@ function prompt(question: string): Promi
 		});
 	});
 }
 +
 +async function loadCodeWithNls() {
 +	const nlsConfiguration = await resolveNLSConfiguration({
 +		userLocale: 'en',
 +		osLocale: 'en',
 +		commit: product.commit,
 +		userDataPath: '',
 +		nlsMetadataPath: import.meta.dirname,
 +	});
 +	return loadCode(nlsConfiguration);
 +}
 +
 +// This alias prevents the name getting mangled during minification which would
 +// make it difficult to import.
 +export { loadCodeWithNls as loadCodeWithNls };
 +
 +if (!process.env.CODE_SERVER_PARENT_PID) {
 +	start();
 +}
 Index: code-server/lib/vscode/src/vs/platform/dialogs/browser/dialog.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/dialogs/browser/dialog.ts
 +++ code-server/lib/vscode/src/vs/platform/dialogs/browser/dialog.ts
@@ -45,8 +45,11 @@ export function createWorkbenchDialogOpt
 export function createBrowserAboutDialogDetails(productService: IProductService): { title: string; details: string; detailsToCopy: string } {
 	const detailString = (useAgo: boolean): string => {
 -		return localize('aboutDetail',
 -			"Version: {0}\nCommit: {1}\nDate: {2}\nBrowser: {3}",
 +		return localize('aboutCodeServerDetail',
 +			"code-server: {0}",
 +			productService.codeServerVersion ? `v${productService.codeServerVersion}` : 'Unknown'
 +		) + '\n' + localize('aboutDetail',
 +			"Code: {0}\nCommit: {1}\nDate: {2}\nBrowser: {3}",
 			productService.version || 'Unknown',
 			productService.commit || 'Unknown',
 			productService.date ? `${productService.date}${useAgo ? ' (' + fromNow(new Date(productService.date), true) + ')' : ''}` : 'Unknown',
--- a/patches/keepalive.diff
+++ b/patches/keepalive.diff
@ -0,0 +1,15 @@
 This can be removed after upgrading to Node >= 19 as keepAlive is defaulted to
 true after 19.
 Index: code-server/lib/vscode/src/vs/platform/request/node/proxy.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/request/node/proxy.ts
 +++ code-server/lib/vscode/src/vs/platform/request/node/proxy.ts
@@ -42,6 +42,7 @@ export async function getProxyAgent(rawR
 		port: (proxyEndpoint.port ? +proxyEndpoint.port : 0) || (proxyEndpoint.protocol === 'https' ? 443 : 80),
 		auth: proxyEndpoint.auth,
 		rejectUnauthorized: isBoolean(options.strictSSL) ? options.strictSSL : true,
 +		keepAlive: true,
 	};
 	if (requestURL.protocol === 'http:') {
--- a/patches/local-storage.diff
+++ b/patches/local-storage.diff
@ -1,29 +1,27 @@
 Make storage local to the remote server
-This solves two problems:
+This makes user settings will be stored in the file system instead of in browser
-  1. Extensions running in the browser (like Vim) might use these paths
+storage. Using browser storage makes sharing or seeding settings between
-     directly instead of using the file service and most likely can't write
+browsers difficult and remote settings is not a sufficient replacement because
-     to `/User` on disk.
+some settings are only allowed to be set on the user level.
  2. Settings will be stored in the file system instead of in browser
     storage. Using browser storage makes sharing or seeding settings
     between browsers difficult. We may want to revisit this once/if we get
     settings sync.
 Unfortunately this does not affect state which uses a separate method with
 IndexedDB and does not appear nearly as easy to redirect to disk.
-To test install the Vim extension and make sure something that uses file storage
+To test change settings from the UI and on disk while making sure they appear on
-works (history recall for example) and change settings from the UI and on disk
+the other side.
-while making sure they appear on the other side.
+
 This patch also resolves a bug where a global value for workspace initialization
 is used in a non async-safe way.
 Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -303,6 +303,7 @@ export class WebClientServer {
+@@ -364,6 +364,7 @@ export class WebClientServer {
 		const workbenchWebConfiguration = {
 			remoteAuthority,
- 			webviewEndpoint: vscodeBase + this._staticRoute + '/out/vs/workbench/contrib/webview/browser/pre',
+ 			serverBasePath: basePath,
 			webviewEndpoint: staticRoute + '/out/vs/workbench/contrib/webview/browser/pre',
 +			userDataPath: this._environmentService.userDataPath,
 			_wrapWebWorkerExtHostInIframe,
 			developmentOptions: { enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined, logLevel: this._logService.getLevel() },
@ -32,9 +30,9 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.api.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
-@@ -266,6 +266,11 @@ export interface IWorkbenchConstructionO
+@@ -298,6 +298,11 @@ export interface IWorkbenchConstructionO
 	 */
- 	readonly configurationDefaults?: Record<string, any>;
+ 	readonly configurationDefaults?: Record<string, unknown>;
 +	/**
 +	 * Path to the user data directory.
@ -43,13 +41,13 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
 +
 	//#endregion
- 
+ 	//#region Profile options
 Index: code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
 +++ code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
-@@ -53,7 +53,14 @@ export class BrowserWorkbenchEnvironment
+@@ -102,7 +102,14 @@ export class BrowserWorkbenchEnvironment
- 	get logFile(): URI { return joinPath(this.logsHome, 'window.log'); }
+ 	get logFile(): URI { return joinPath(this.windowLogsPath, 'window.log'); }
 	@memoize
 -	get userRoamingDataHome(): URI { return URI.file('/User').with({ scheme: Schemas.vscodeUserData }); }
@ -64,3 +62,33 @@ Index: code-server/lib/vscode/src/vs/workbench/services/environment/browser/envi
 	@memoize
 	get argvResource(): URI { return joinPath(this.userRoamingDataHome, 'argv.json'); }
 Index: code-server/lib/vscode/src/vs/workbench/services/configuration/browser/configurationService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/configuration/browser/configurationService.ts
 +++ code-server/lib/vscode/src/vs/workbench/services/configuration/browser/configurationService.ts
@@ -147,8 +147,10 @@ export class WorkspaceService extends Di
 		this.workspaceConfiguration = this._register(new WorkspaceConfiguration(configurationCache, fileService, uriIdentityService, logService));
 		this._register(this.workspaceConfiguration.onDidUpdateConfiguration(fromCache => {
 			this.onWorkspaceConfigurationChanged(fromCache).then(() => {
 -				this.workspace.initialized = this.workspaceConfiguration.initialized;
 -				this.checkAndMarkWorkspaceComplete(fromCache);
 +				if (this.workspace) { // The workspace may not have been created yet.
 +					this.workspace.initialized = this.workspaceConfiguration.initialized;
 +					this.checkAndMarkWorkspaceComplete(fromCache);
 +				}
 			});
 		}));
@@ -556,6 +558,12 @@ export class WorkspaceService extends Di
 			previousFolders = this.workspace.folders;
 			this.workspace.update(workspace);
 		} else {
 +			// It is possible for the configuration to become initialized in between
 +			// when the workspace was created and this function was called, so check
 +			// the configuration again now.
 +			if (!workspace.initialized && this.workspaceConfiguration.initialized) {
 +				workspace.initialized = true;
 +			}
 			this.workspace = workspace;
 		}
--- a/patches/logout.diff
+++ b/patches/logout.diff
@ -8,7 +8,7 @@ Index: code-server/lib/vscode/src/vs/base/common/product.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/base/common/product.ts
 +++ code-server/lib/vscode/src/vs/base/common/product.ts
-@@ -34,6 +34,7 @@ export interface IProductConfiguration {
+@@ -68,6 +68,7 @@ export interface IProductConfiguration {
 	readonly codeServerVersion?: string
 	readonly rootEndpoint?: string
 	readonly updateEndpoint?: string
@ -20,19 +20,19 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 +++ code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
-@@ -13,6 +13,7 @@ import { IEnvironmentService, INativeEnv
+@@ -18,6 +18,7 @@ import { ProtocolConstants } from '../..
- export const serverOptions: OptionDescriptions<ServerParsedArgs> = {
+ export const serverOptions: OptionDescriptions<Required<ServerParsedArgs>> = {
 	/* ----- code-server ----- */
 	'disable-update-check': { type: 'boolean' },
 +	'auth': { type: 'string' },
 	/* ----- server setup ----- */
-@@ -92,6 +93,7 @@ export const serverOptions: OptionDescri
+@@ -105,6 +106,7 @@ export const serverOptions: OptionDescri
 export interface ServerParsedArgs {
 	/* ----- code-server ----- */
 	'disable-update-check'?: boolean;
-+	'auth'?: string
+	'auth'?: string;
 	/* ----- server setup ----- */
@ -40,27 +40,27 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -313,6 +313,7 @@ export class WebClientServer {
+@@ -341,6 +341,7 @@ export class WebClientServer {
- 				codeServerVersion: this._productService.codeServerVersion,
+ 			codeServerVersion: this._productService.codeServerVersion,
- 				rootEndpoint: base,
+ 			rootEndpoint: rootBase,
- 				updateEndpoint: !this._environmentService.args['disable-update-check'] ? base + '/update/check' : undefined,
+ 			updateEndpoint: !this._environmentService.args['disable-update-check'] ? rootBase + '/update/check' : undefined,
-+				logoutEndpoint: this._environmentService.args['auth'] && this._environmentService.args['auth'] !== "none" ? base + '/logout' : undefined,
+			logoutEndpoint: this._environmentService.args['auth'] && this._environmentService.args['auth'] !== "none" ? rootBase + '/logout' : undefined,
- 				embedderIdentifier: 'server-distro',
+ 			embedderIdentifier: 'server-distro',
- 				extensionsGallery: this._productService.extensionsGallery,
+ 			extensionsGallery: this._productService.extensionsGallery,
- 			},
+ 		};
 Index: code-server/lib/vscode/src/vs/workbench/browser/client.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/client.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/client.ts
@@ -1,11 +1,15 @@
- import { Disposable } from 'vs/base/common/lifecycle';
+ import { Disposable } from "../../base/common/lifecycle.js";
- import { localize } from 'vs/nls';
+ import { localize } from '../../nls.js';
-+import { MenuId, MenuRegistry } from 'vs/platform/actions/common/actions';
+import { MenuId, MenuRegistry } from '../../platform/actions/common/actions.js';
-+import { CommandsRegistry } from 'vs/platform/commands/common/commands';
+import { CommandsRegistry } from '../../platform/commands/common/commands.js';
- import { ILogService } from 'vs/platform/log/common/log';
+ import { ILogService } from '../../platform/log/common/log.js';
- import { INotificationService, Severity } from 'vs/platform/notification/common/notification';
+ import { INotificationService, Severity } from '../../platform/notification/common/notification.js';
- import { IProductService } from 'vs/platform/product/common/productService';
+ import { IProductService } from '../../platform/product/common/productService.js';
- import { IStorageService, StorageScope, StorageTarget } from 'vs/platform/storage/common/storage';
+ import { IStorageService, StorageScope, StorageTarget } from '../../platform/storage/common/storage.js';
 export class CodeServerClient extends Disposable {
 +	static LOGOUT_COMMAND_ID = 'code-server.logout';
--- a/patches/marketplace.diff
+++ b/patches/marketplace.diff
@ -12,14 +12,14 @@ in-between and has web extensions install directly from the marketplace.
 This can be tested by setting EXTENSIONS_GALLERY set to:
-    '{"serviceUrl": "https://extensions.coder.com/api"}'
+    '{"serviceUrl": "https://my-extensions/api"}'
 Index: code-server/lib/vscode/src/vs/platform/product/common/product.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/product/common/product.ts
 +++ code-server/lib/vscode/src/vs/platform/product/common/product.ts
-@@ -53,6 +53,16 @@ else if (typeof require?.__$__nodeRequir
+@@ -49,6 +49,17 @@ else if (globalThis._VSCODE_PRODUCT_JSON
 			version: pkg.version
 		});
 	}
@ -28,6 +28,7 @@ Index: code-server/lib/vscode/src/vs/platform/product/common/product.ts
 +		extensionsGallery: env.EXTENSIONS_GALLERY ? JSON.parse(env.EXTENSIONS_GALLERY) : (product.extensionsGallery || {
 +			serviceUrl: "https://open-vsx.org/vscode/gallery",
 +			itemUrl: "https://open-vsx.org/vscode/item",
 +			extensionUrlTemplate: "https://open-vsx.org/vscode/gallery/{publisher}/{name}/latest",
 +			resourceUrlTemplate: "https://open-vsx.org/vscode/asset/{publisher}/{name}/{version}/Microsoft.VisualStudio.Code.WebResources/{path}",
 +			controlUrl: "",
 +			recommendationsUrl: "",
@ -40,49 +41,67 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -111,7 +111,7 @@ export class WebClientServer {
+@@ -326,7 +326,6 @@ export class WebClientServer {
- 		const serverRootPath = getRemoteServerRootPath(_productService);
+ 
- 		this._staticRoute = `${serverRootPath}/static`;
+ 		const staticRoute = posix.join(basePath, this._productPath, STATIC_PATH);
- 		this._callbackRoute = `${serverRootPath}/callback`;
+ 		const callbackRoute = posix.join(basePath, this._productPath, CALLBACK_PATH);
-		this._webExtensionRoute = `${serverRootPath}/web-extension-resource`;
+-		const webExtensionRoute = posix.join(basePath, this._productPath, WEB_EXTENSION_PATH);
-+		this._webExtensionRoute = `/web-extension-resource`;
+ 
 		const resolveWorkspaceURI = (defaultLocation?: string) => defaultLocation && URI.file(resolve(defaultLocation)).with({ scheme: Schemas.vscodeRemote, authority: remoteAuthority });
@@ -342,14 +341,7 @@ export class WebClientServer {
 			codeServerVersion: this._productService.codeServerVersion,
 			rootEndpoint: rootBase,
 			embedderIdentifier: 'server-distro',
 -			extensionsGallery: this._webExtensionResourceUrlTemplate && this._productService.extensionsGallery ? {
 -				...this._productService.extensionsGallery,
 -				resourceUrlTemplate: this._webExtensionResourceUrlTemplate.with({
 -					scheme: 'http',
 -					authority: remoteAuthority,
 -					path: `${webExtensionRoute}/${this._webExtensionResourceUrlTemplate.authority}${this._webExtensionResourceUrlTemplate.path}`
 -				}).toString(true)
 -			} : undefined
 +			extensionsGallery: this._productService.extensionsGallery,
 		};
 		const proposedApi = this._environmentService.args['enable-proposed-api'];
 Index: code-server/lib/vscode/src/vs/platform/extensionResourceLoader/common/extensionResourceLoader.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/extensionResourceLoader/common/extensionResourceLoader.ts
 +++ code-server/lib/vscode/src/vs/platform/extensionResourceLoader/common/extensionResourceLoader.ts
@@ -15,7 +15,6 @@ import { getServiceMachineId } from '../
 import { IStorageService } from '../../storage/common/storage.js';
 import { TelemetryLevel } from '../../telemetry/common/telemetry.js';
 import { getTelemetryLevel, supportsTelemetry } from '../../telemetry/common/telemetryUtils.js';
 -import { RemoteAuthorities } from '../../../base/common/network.js';
 import { TargetPlatform } from '../../extensions/common/extensions.js';
 import { ExtensionGalleryResourceType, getExtensionGalleryManifestResourceUri, IExtensionGalleryManifest, IExtensionGalleryManifestService } from '../../extensionManagement/common/extensionGalleryManifest.js';
 import { ILogService } from '../../log/common/log.js';
@@ -163,9 +162,9 @@ export abstract class AbstractExtensionR
 	}
- 	/**
+ 	protected _isWebExtensionResourceEndPoint(uri: URI): boolean {
-@@ -312,14 +312,7 @@ export class WebClientServer {
+-		const uriPath = uri.path, serverRootPath = RemoteAuthorities.getServerRootPath();
- 				codeServerVersion: this._productService.codeServerVersion,
+-		// test if the path starts with the server root path followed by the web extension resource end point segment
- 				rootEndpoint: base,
+-		return uriPath.startsWith(serverRootPath) && uriPath.startsWith(WEB_EXTENSION_RESOURCE_END_POINT_SEGMENT, serverRootPath.length);
- 				embedderIdentifier: 'server-distro',
+		const uriPath = uri.path;
-				extensionsGallery: this._webExtensionResourceUrlTemplate ? {
+		// test if the path starts with the web extension resource end point segment
-					...this._productService.extensionsGallery,
+		return uriPath.startsWith(WEB_EXTENSION_RESOURCE_END_POINT_SEGMENT);
-					'resourceUrlTemplate': this._webExtensionResourceUrlTemplate.with({
+ 	}
-						scheme: 'http',
+ 
-						authority: remoteAuthority,
+ }
-						path: `${this._webExtensionRoute}/${this._webExtensionResourceUrlTemplate.authority}${this._webExtensionResourceUrlTemplate.path}`
+Index: code-server/lib/vscode/src/vs/platform/externalServices/common/marketplace.ts
 -					}).toString(true)
 -				} : undefined
 +				extensionsGallery: this._productService.extensionsGallery,
 			},
 			callbackRoute: this._callbackRoute
 		};
 Index: code-server/lib/vscode/src/vs/workbench/services/extensionResourceLoader/common/extensionResourceLoader.ts
 ===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensionResourceLoader/common/extensionResourceLoader.ts
+--- code-server.orig/lib/vscode/src/vs/platform/externalServices/common/marketplace.ts
-+++ code-server/lib/vscode/src/vs/workbench/services/extensionResourceLoader/common/extensionResourceLoader.ts
+++ code-server/lib/vscode/src/vs/platform/externalServices/common/marketplace.ts
-@@ -16,7 +16,6 @@ import { getServiceMachineId } from 'vs/
+@@ -26,6 +26,10 @@ export async function resolveMarketplace
- import { IStorageService } from 'vs/platform/storage/common/storage';
+ 		'User-Agent': `VSCode ${version} (${productService.nameShort})`
- import { TelemetryLevel } from 'vs/platform/telemetry/common/telemetry';
+ 	};
 import { getTelemetryLevel, supportsTelemetry } from 'vs/platform/telemetry/common/telemetryUtils';
 -import { getRemoteServerRootPath } from 'vs/platform/remote/common/remoteHosts';
- export const WEB_EXTENSION_RESOURCE_END_POINT = 'web-extension-resource';
+	if (productService.extensionsGallery?.authorizationHeaderToken) {
- 
+		headers['Authorization'] = `Bearer ${productService.extensionsGallery.authorizationHeaderToken}`;
-@@ -60,7 +59,7 @@ export abstract class AbstractExtensionR
+	}
- 		private readonly _environmentService: IEnvironmentService,
+
- 		private readonly _configurationService: IConfigurationService,
+ 	if (supportsTelemetry(productService, environmentService) && getTelemetryLevel(configurationService) === TelemetryLevel.USAGE) {
- 	) {
+ 		const serviceMachineId = await getServiceMachineId(environmentService, fileService, storageService);
-		this._webExtensionResourceEndPoint = `${getRemoteServerRootPath(_productService)}/${WEB_EXTENSION_RESOURCE_END_POINT}/`;
+ 		headers['X-Market-User-Id'] = serviceMachineId;
 +		this._webExtensionResourceEndPoint = `/${WEB_EXTENSION_RESOURCE_END_POINT}/`;
 		if (_productService.extensionsGallery) {
 			this._extensionGalleryResourceUrlTemplate = _productService.extensionsGallery.resourceUrlTemplate;
 			this._extensionGalleryAuthority = this._extensionGalleryResourceUrlTemplate ? this._getExtensionGalleryAuthority(URI.parse(this._extensionGalleryResourceUrlTemplate)) : undefined;
--- a/patches/proposed-api.diff
+++ b/patches/proposed-api.diff
@ -1,28 +1,16 @@
 Unconditionally enable the proposed API
-To test run an extension that uses the proposed API.
+To test run an extension that uses the proposed API (i.e.
 https://github.com/microsoft/vscode-extension-samples/tree/ddae6c0c9ff203b4ed6f6b43bfacdd0834215f83/proposed-api-sample)
 We also override isProposedApiEnabled in case an extension does not declare the
 APIs it needs correctly (the Jupyter extension had this issue).
 Index: code-server/lib/vscode/src/vs/workbench/services/extensions/common/abstractExtensionService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/common/abstractExtensionService.ts
 +++ code-server/lib/vscode/src/vs/workbench/services/extensions/common/abstractExtensionService.ts
@@ -1462,7 +1462,7 @@ class ProposedApiController {
 		this._envEnabledExtensions = new Set((_environmentService.extensionEnabledProposedApi ?? []).map(id => ExtensionIdentifier.toKey(id)));
 -		this._envEnablesProposedApiForAll =
 +		this._envEnablesProposedApiForAll = true ||
 			!_environmentService.isBuilt || // always allow proposed API when running out of sources
 			(_environmentService.isExtensionDevelopment && productService.quality !== 'stable') || // do not allow proposed API against stable builds when developing an extension
 			(this._envEnabledExtensions.size === 0 && Array.isArray(_environmentService.extensionEnabledProposedApi)); // always allow proposed API if --enable-proposed-api is provided without extension ID
 Index: code-server/lib/vscode/src/vs/workbench/services/extensions/common/extensions.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/common/extensions.ts
 +++ code-server/lib/vscode/src/vs/workbench/services/extensions/common/extensions.ts
-@@ -359,10 +359,7 @@ function extensionDescriptionArrayToMap(
+@@ -321,10 +321,7 @@ function extensionDescriptionArrayToMap(
 }
 export function isProposedApiEnabled(extension: IExtensionDescription, proposal: ApiProposalName): boolean {
@ -34,3 +22,16 @@ Index: code-server/lib/vscode/src/vs/workbench/services/extensions/common/extens
 }
 export function checkProposedApiEnabled(extension: IExtensionDescription, proposal: ApiProposalName): void {
 Index: code-server/lib/vscode/src/vs/workbench/services/extensions/common/extensionsProposedApi.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/common/extensionsProposedApi.ts
 +++ code-server/lib/vscode/src/vs/workbench/services/extensions/common/extensionsProposedApi.ts
@@ -31,7 +31,7 @@ export class ExtensionsProposedApi {
 		this._envEnabledExtensions = new Set((_environmentService.extensionEnabledProposedApi ?? []).map(id => ExtensionIdentifier.toKey(id)));
 -		this._envEnablesProposedApiForAll =
 +		this._envEnablesProposedApiForAll = true ||
 			!_environmentService.isBuilt || // always allow proposed API when running out of sources
 			(_environmentService.isExtensionDevelopment && productService.quality !== 'stable') || // do not allow proposed API against stable builds when developing an extension
 			(this._envEnabledExtensions.size === 0 && Array.isArray(_environmentService.extensionEnabledProposedApi)); // always allow proposed API if --enable-proposed-api is provided without extension ID
--- a/patches/proxy-uri.diff
+++ b/patches/proxy-uri.diff
@ -30,7 +30,7 @@ Index: code-server/lib/vscode/src/vs/base/common/product.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/base/common/product.ts
 +++ code-server/lib/vscode/src/vs/base/common/product.ts
-@@ -35,6 +35,7 @@ export interface IProductConfiguration {
+@@ -69,6 +69,7 @@ export interface IProductConfiguration {
 	readonly rootEndpoint?: string
 	readonly updateEndpoint?: string
 	readonly logoutEndpoint?: string
@ -42,70 +42,48 @@ Index: code-server/lib/vscode/src/vs/platform/remote/browser/remoteAuthorityReso
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/remote/browser/remoteAuthorityResolverService.ts
 +++ code-server/lib/vscode/src/vs/platform/remote/browser/remoteAuthorityResolverService.ts
-@@ -8,7 +8,7 @@ import { Disposable } from 'vs/base/comm
+@@ -35,7 +35,7 @@ export class RemoteAuthorityResolverServ
- import { RemoteAuthorities } from 'vs/base/common/network';
+ 		connectionToken: Promise<string> | string | undefined,
- import { URI } from 'vs/base/common/uri';
+ 		resourceUriProvider: ((uri: URI) => URI) | undefined,
- import { IProductService } from 'vs/platform/product/common/productService';
+ 		serverBasePath: string | undefined,
-import { IRemoteAuthorityResolverService, IRemoteConnectionData, ResolvedAuthority, ResolverResult } from 'vs/platform/remote/common/remoteAuthorityResolver';
+-		@IProductService productService: IProductService,
-+import { IRemoteAuthorityResolverService, IRemoteConnectionData, ResolvedAuthority, ResolvedOptions, ResolverResult } from 'vs/platform/remote/common/remoteAuthorityResolver';
+		@IProductService private readonly productService: IProductService,
- import { getRemoteServerRootPath, parseAuthorityWithOptionalPort } from 'vs/platform/remote/common/remoteHosts';
+ 		@ILogService private readonly _logService: ILogService,
- 
+ 	) {
 export class RemoteAuthorityResolverService extends Disposable implements IRemoteAuthorityResolverService {
@@ -23,7 +23,7 @@ export class RemoteAuthorityResolverServ
 	private readonly _connectionToken: Promise<string> | string | undefined;
 	private readonly _connectionTokens: Map<string, string>;
 -	constructor(@IProductService productService: IProductService, connectionToken: Promise<string> | string | undefined, resourceUriProvider: ((uri: URI) => URI) | undefined) {
 +	constructor(@IProductService productService: IProductService, connectionToken: Promise<string> | string | undefined, resourceUriProvider: ((uri: URI) => URI) | undefined, private readonly proxyEndpointTemplate?: string) {
 		super();
- 		this._connectionToken = connectionToken;
+@@ -86,9 +86,14 @@ export class RemoteAuthorityResolverServ
 		this._connectionTokens = new Map<string, string>();
@@ -61,9 +61,14 @@ export class RemoteAuthorityResolverServ
 	private async _doResolveAuthority(authority: string): Promise<ResolverResult> {
 		const connectionToken = await Promise.resolve(this._connectionTokens.get(authority) || this._connectionToken);
 		performance.mark(`code/didResolveConnectionToken/${authorityPrefix}`);
 		this._logService.info(`Resolved connection token (${authorityPrefix}) after ${sw.elapsed()} ms`);
 +		let options: ResolvedOptions | undefined;
-+		if (this.proxyEndpointTemplate) {
+		if (this.productService.proxyEndpointTemplate) {
-+			const proxyUrl = new URL(this.proxyEndpointTemplate, window.location.href);
+			const proxyUrl = new URL(this.productService.proxyEndpointTemplate, mainWindow.location.href);
 +			options = { extensionHostEnv: { VSCODE_PROXY_URI: decodeURIComponent(proxyUrl.toString()) }}
 +		}
- 		const defaultPort = (/^https:/.test(window.location.href) ? 443 : 80);
+ 		const defaultPort = (/^https:/.test(mainWindow.location.href) ? 443 : 80);
 		const { host, port } = parseAuthorityWithOptionalPort(authority, defaultPort);
-		const result: ResolverResult = { authority: { authority, host: host, port: port, connectionToken } };
+-		const result: ResolverResult = { authority: { authority, connectTo: new WebSocketRemoteConnection(host, port), connectionToken } };
-+		const result: ResolverResult = { authority: { authority, host: host, port: port, connectionToken }, options };
+		const result: ResolverResult = { authority: { authority, connectTo: new WebSocketRemoteConnection(host, port), connectionToken }, options };
- 		RemoteAuthorities.set(authority, result.authority.host, result.authority.port);
+ 		RemoteAuthorities.set(authority, host, port);
 		this._cache.set(authority, result);
 		this._onDidChangeConnectionData.fire();
 Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -314,6 +314,7 @@ export class WebClientServer {
+@@ -342,6 +342,7 @@ export class WebClientServer {
- 				rootEndpoint: base,
+ 			rootEndpoint: rootBase,
- 				updateEndpoint: !this._environmentService.args['disable-update-check'] ? base + '/update/check' : undefined,
+ 			updateEndpoint: !this._environmentService.args['disable-update-check'] ? rootBase + '/update/check' : undefined,
- 				logoutEndpoint: this._environmentService.args['auth'] && this._environmentService.args['auth'] !== "none" ? base + '/logout' : undefined,
+ 			logoutEndpoint: this._environmentService.args['auth'] && this._environmentService.args['auth'] !== "none" ? rootBase + '/logout' : undefined,
-+				proxyEndpointTemplate: process.env.VSCODE_PROXY_URI ?? base + '/proxy/{{port}}/',
+			proxyEndpointTemplate: process.env.VSCODE_PROXY_URI ?? rootBase + '/proxy/{{port}}/',
- 				embedderIdentifier: 'server-distro',
+ 			embedderIdentifier: 'server-distro',
- 				extensionsGallery: this._productService.extensionsGallery,
+ 			extensionsGallery: this._productService.extensionsGallery,
- 			},
+ 		};
 Index: code-server/lib/vscode/src/vs/workbench/browser/web.main.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.main.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.main.ts
@@ -247,7 +247,7 @@ export class BrowserMain extends Disposa
 		// Remote
 		const connectionToken = environmentService.options.connectionToken || getCookieValue(connectionTokenCookieName);
 -		const remoteAuthorityResolverService = new RemoteAuthorityResolverService(productService, connectionToken, this.configuration.resourceUriProvider);
 +		const remoteAuthorityResolverService = new RemoteAuthorityResolverService(productService, connectionToken, this.configuration.resourceUriProvider, this.configuration.productConfiguration?.proxyEndpointTemplate);
 		serviceCollection.set(IRemoteAuthorityResolverService, remoteAuthorityResolverService);
 		// Signing
 Index: code-server/lib/vscode/src/vs/workbench/contrib/terminal/common/terminalEnvironment.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/terminal/common/terminalEnvironment.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/terminal/common/terminalEnvironment.ts
-@@ -392,7 +392,7 @@ export async function createTerminalEnvi
+@@ -292,7 +292,7 @@ export async function createTerminalEnvi
 		// Sanitize the environment, removing any undesirable VS Code and Electron environment
 		// variables
@ -118,33 +96,32 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/code/browser/workbench/workbench.ts
 +++ code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
-@@ -21,6 +21,7 @@ import type { ICredentialsProvider } fro
+@@ -20,6 +20,7 @@ import { ISecretStorageProvider } from '
- import type { IURLCallbackProvider } from 'vs/workbench/services/url/browser/urlService';
+ import { isFolderToOpen, isWorkspaceToOpen } from '../../../platform/window/common/window.js';
- import type { IWorkbenchConstructionOptions } from 'vs/workbench/browser/web.api';
+ import type { IWorkbenchConstructionOptions, IWorkspace, IWorkspaceProvider } from '../../../workbench/browser/web.api.js';
- import type { IWorkspace, IWorkspaceProvider } from 'vs/workbench/services/host/browser/browserHostService';
+ import { AuthenticationSessionInfo } from '../../../workbench/services/authentication/browser/authenticationService.js';
-+import { extractLocalHostUriMetaDataForPortMapping, TunnelOptions, TunnelCreationOptions } from 'vs/platform/tunnel/common/tunnel';
+import { extractLocalHostUriMetaDataForPortMapping, TunnelOptions, TunnelCreationOptions } from '../../../platform/tunnel/common/tunnel.js';
 import type { IURLCallbackProvider } from '../../../workbench/services/url/browser/urlService.js';
 import { create } from '../../../workbench/workbench.web.main.internal.js';
- interface ICredential {
+@@ -606,6 +607,39 @@ class WorkspaceProvider implements IWork
- 	service: string;
+ 		settingsSyncOptions: config.settingsSyncOptions ? { enabled: config.settingsSyncOptions.enabled, } : undefined,
@@ -511,6 +512,38 @@ function doCreateUri(path: string, query
 		} : undefined,
 		workspaceProvider: WorkspaceProvider.create(config),
 		urlCallbackProvider: new LocalStorageURLCallbackProvider(config.callbackRoute),
 -		credentialsProvider: config.remoteAuthority ? undefined : new LocalStorageCredentialsProvider() // with a remote, we don't use a local credentials provider
 +		credentialsProvider: config.remoteAuthority ? undefined : new LocalStorageCredentialsProvider(), // with a remote, we don't use a local credentials provider
 +		resolveExternalUri: (uri: URI): Promise<URI> => {
 +			let resolvedUri = uri
 +			const localhostMatch = extractLocalHostUriMetaDataForPortMapping(resolvedUri)
 +
 +			if (localhostMatch && resolvedUri.authority !== location.host) {
 +				if (config.productConfiguration && config.productConfiguration.proxyEndpointTemplate) {
-+					resolvedUri = URI.parse(new URL(config.productConfiguration.proxyEndpointTemplate.replace('{{port}}', localhostMatch.port.toString()), window.location.href).toString())
+					const renderedTemplate = config.productConfiguration.proxyEndpointTemplate
 +						.replace('{{port}}', localhostMatch.port.toString())
 +						.replace('{{host}}', window.location.host)
 +					resolvedUri = URI.parse(new URL(renderedTemplate, window.location.href).toString())
 +				} else {
 +					throw new Error(`Failed to resolve external URI: ${uri.toString()}. Could not determine base url because productConfiguration missing.`)
 +				}
 +			}
-+
+			// If not localhost, return unmodified.
 +			// If not localhost, return unmodified
 +			return Promise.resolve(resolvedUri)
 +		},
 +		tunnelProvider: {
@ -163,19 +140,22 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
 +					}
 +				})
 +			}
-+		}
+		},
- 	});
+ 		secretStorageProvider: config.remoteAuthority && !secretStorageKeyPath
- })();
+ 			? undefined /* with a remote without embedder-preferred storage, store on the remote */
 			: new LocalStorageSecretStorageProvider(secretStorageCrypto),
 Index: code-server/lib/vscode/src/vs/workbench/contrib/remote/browser/remoteExplorer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/remote/browser/remoteExplorer.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/remote/browser/remoteExplorer.ts
-@@ -73,7 +73,7 @@ export class ForwardedPortsView extends 
+@@ -83,8 +83,8 @@ export class ForwardedPortsView extends
- 			this.contextKeyListener = undefined;
+ 	private async enableForwardedPortsFeatures() {
- 		}
+ 		this.contextKeyListener.clear();
 -		const featuresEnabled: boolean = !!forwardedPortsFeaturesEnabled.getValue(this.contextKeyService);
 -		const viewEnabled: boolean = !!forwardedPortsViewEnabled.getValue(this.contextKeyService);
 +		const featuresEnabled: boolean = true;
 +		const viewEnabled: boolean = true;
- 		if (this.environmentService.remoteAuthority && viewEnabled) {
+ 		if (featuresEnabled || viewEnabled) {
- 			const viewContainer = await this.getViewContainer();
+ 			// Also enable the view if it isn't already.
--- a/patches/series
+++ b/patches/series
@ -9,14 +9,16 @@ update-check.diff
 logout.diff
 store-socket.diff
 proxy-uri.diff
 github-auth.diff
 unique-db.diff
 local-storage.diff
 service-worker.diff
 sourcemaps.diff
-disable-downloads.diff
+external-file-actions.diff
 telemetry.diff
 display-language.diff
 cli-window-open.diff
 exec-argv.diff
 getting-started.diff
 keepalive.diff
 clipboard.diff
 display-language.diff
 trusted-domains.diff
 signature-verification.diff
--- a/patches/service-worker.diff
+++ b/patches/service-worker.diff
@ -6,7 +6,7 @@ Index: code-server/lib/vscode/src/vs/base/common/product.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/base/common/product.ts
 +++ code-server/lib/vscode/src/vs/base/common/product.ts
-@@ -36,6 +36,10 @@ export interface IProductConfiguration {
+@@ -70,6 +70,10 @@ export interface IProductConfiguration {
 	readonly updateEndpoint?: string
 	readonly logoutEndpoint?: string
 	readonly proxyEndpointTemplate?: string
@ -54,14 +54,14 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -316,6 +316,10 @@ export class WebClientServer {
+@@ -343,6 +343,10 @@ export class WebClientServer {
- 				updateEndpoint: !this._environmentService.args['disable-update-check'] ? base + '/update/check' : undefined,
+ 			updateEndpoint: !this._environmentService.args['disable-update-check'] ? rootBase + '/update/check' : undefined,
- 				logoutEndpoint: this._environmentService.args['auth'] && this._environmentService.args['auth'] !== "none" ? base + '/logout' : undefined,
+ 			logoutEndpoint: this._environmentService.args['auth'] && this._environmentService.args['auth'] !== "none" ? rootBase + '/logout' : undefined,
- 				proxyEndpointTemplate: process.env.VSCODE_PROXY_URI ?? base + '/proxy/{{port}}/',
+ 			proxyEndpointTemplate: process.env.VSCODE_PROXY_URI ?? rootBase + '/proxy/{{port}}/',
-+				serviceWorker: {
+			serviceWorker: {
-+					scope: vscodeBase + '/',
+				scope: vscodeBase + '/',
-+					path: base + '/_static/out/browser/serviceWorker.js',
+				path: rootBase + '/_static/out/browser/serviceWorker.js',
-+				},
+			},
- 				embedderIdentifier: 'server-distro',
+ 			embedderIdentifier: 'server-distro',
- 				extensionsGallery: this._productService.extensionsGallery,
+ 			extensionsGallery: this._productService.extensionsGallery,
- 			},
+ 		};
--- a/patches/signature-verification.diff
+++ b/patches/signature-verification.diff
@ -0,0 +1,34 @@
 Disable signature verification.
 Extension signature verification is now mandatory for all platforms and needs to be disabled.
 Index: code-server/lib/vscode/src/vs/platform/extensionManagement/node/extensionManagementService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/extensionManagement/node/extensionManagementService.ts
 +++ code-server/lib/vscode/src/vs/platform/extensionManagement/node/extensionManagementService.ts
@@ -34,6 +34,7 @@ import {
 	ExtensionSignatureVerificationCode,
 	computeSize,
 	IAllowedExtensionsService,
 +	// @ts-expect-error no-unused-variable
 	VerifyExtensionSignatureConfigKey,
 	shouldRequireRepositorySignatureFor,
 } from '../common/extensionManagement.js';
@@ -87,6 +88,7 @@ export class ExtensionManagementService
 		@IDownloadService private downloadService: IDownloadService,
 		@IInstantiationService private readonly instantiationService: IInstantiationService,
 		@IFileService private readonly fileService: IFileService,
 +		// @ts-expect-error no-unused-variable
 		@IConfigurationService private readonly configurationService: IConfigurationService,
 		@IExtensionGalleryManifestService protected readonly extensionGalleryManifestService: IExtensionGalleryManifestService,
 		@IProductService productService: IProductService,
@@ -339,8 +341,7 @@ export class ExtensionManagementService
 	private async downloadExtension(extension: IGalleryExtension, operation: InstallOperation, verifySignature: boolean, clientTargetPlatform?: TargetPlatform): Promise<{ readonly location: URI; readonly verificationStatus: ExtensionSignatureVerificationCode | undefined }> {
 		if (verifySignature) {
 -			const value = this.configurationService.getValue(VerifyExtensionSignatureConfigKey);
 -			verifySignature = isBoolean(value) ? value : true;
 +			verifySignature = false;
 		}
 		const { location, verificationStatus } = await this.extensionsDownloader.download(extension, operation, verifySignature, clientTargetPlatform);
 		const shouldRequireSignature = shouldRequireRepositorySignatureFor(extension.private, await this.extensionGalleryManifestService.getExtensionGalleryManifest());
--- a/Show more
+++ b/Show more
		`@ -0,0 +1,2 @@`
							`# Prettier 3.4.2`
							`9b0340a09276f93c054d705d1b9a5f24cc5dbc97`
		`@ -1 +1 @@`
			`Subproject commit 129500ee4c8ab7263461ffe327268ba56b9f210d`				`Subproject commit 302ff6a2e235c95b88e587d4a4b6eeb1b6613297`