Breaking changes ❗
There are no breaking changes in 1.20.0.
- web: Alpha. Added the ability to set a site-wide workspace template policy at Manage > Admin > Templates > Template Policy. If not set, Coder uses the provided default.
- web: Added the
annotationsfields to workspace templates.
- other: Added a new JSON schema for writing Coder workspace templates with code completion and syntax checking.
- web: Added a service banner that's displayed to all users of the system. The message can be used with existing messages. It can be dismissed by each user at any point and will not be shown again until there is a new message.
- web: Added text wrapping to system banners.
- infra: Added a
CODER_RUNTIMEenvironment variable that indicates whether a workspace is CVM-enabled or not.
- web: Updated UI to display decommissioned workspaces that are awaiting deletion.
- web: Added ability to filter the audit log by the auto-off action.
Bug fixes 🐛
- web: Fixed bug causing duplicate fetch requests on page load.
- web: Fixed issue causing private dev URLs to load as blank pages for unauthorized users (users will now see an error page).
Security updates 🔐
- web: Require administrative permissions to view workspaces belonging to other users; previously, users could view others' workspace metadata
- web: Added content security policy (CSP) to help protect against cross-site scripting attacks.
- web: Added opt-in for HTTP Strict Transport Security. This setting can be managed at Manage > Admin > Infrastructure > HTTP Strict Transport Security.
- web: Added opt-in for secure cookies. This setting can be managed at Manage > Admin > Infrastructure > Secure Cookie.
- web: Use strong cryptographic APIs to generate client-side tokens.
- infra: Upgraded control plane containers from Red Hat UBI 8.3 to 8.4, and switch from ubi to ubi-minimal to reduce image contents.
- infra: Enable read-only root filesystem for control plane containers, by
default. You can override this with the Helm
- web: Resolved CVE-2021-23364 in browserslist.
- web: Resolved CVE-2021-23358 in underscore.
- web: Resolved CVE-2020-7753 in trim.