Update Code to 1.89.1 (#6796 )

Fix setuptools install on macOS
This is erroring now with "This environment is externally managed".
2026-04-14 06:24:32 -05:00 · 2024-05-13 10:41:25 -08:00 · 2024-05-07 13:41:21 -08:00 · 2024-05-07 11:35:01 -08:00 · 2024-05-06 19:36:52 -08:00 · 2024-05-06 18:39:39 -08:00
60 changed files with 1295 additions and 1046 deletions
--- a/.github/ISSUE_TEMPLATE/bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yml
@@ -1,6 +1,5 @@
 name: Bug report
 description: File a bug report
-title: "[Bug]: "
 labels: ["bug", "triage"]
 body:
  - type: checkboxes
@@ -10,6 +9,7 @@ body:
      options:
        - label: I have searched the existing issues
          required: true
+
  - type: textarea
    attributes:
      label: OS/Web Information
@@ -28,55 +28,74 @@ body:
        - `code-server --version`:
    validations:
      required: true
+
  - type: textarea
    attributes:
      label: Steps to Reproduce
      description: |
-        1. open code-server
-        2. install extension
-        3. run command
+        Please describe exactly how to reproduce the bug. For example:
+        1. Open code-server in Firefox
+        2. Install extension `foo.bar` from the extensions sidebar
+        3. Run command `foo.bar.baz`
      value: |
        1.
        2.
        3.
    validations:
      required: true
+
  - type: textarea
    attributes:
      label: Expected
      description: What should happen?
    validations:
      required: true
+
  - type: textarea
    attributes:
      label: Actual
      description: What actually happens?
    validations:
      required: true
+
  - type: textarea
    id: logs
    attributes:
      label: Logs
      description: Run code-server with the --verbose flag and then paste any relevant logs from the server, from the browser console and/or the browser network tab. For issues with installation, include installation logs (i.e. output of `yarn global add code-server`).
+      render: shell
+
  - type: textarea
    attributes:
      label: Screenshot/Video
      description: Please include a screenshot, gif or screen recording of your issue.
    validations:
      required: false
-  - type: checkboxes
+
+  - type: dropdown
    attributes:
-      label: Does this issue happen in VS Code or GitHub Codespaces?
-      description: Please try reproducing this issue in VS Code and GitHub Codespaces.  If the bug reproduces in either VS Code or GitHub Codespaces, please submit the issue upstream instead (https://github.com/microsoft/vscode).
+      label: Does this bug reproduce in native VS Code?
+      description: If the bug reproduces in native VS Code, submit the issue upstream instead (https://github.com/microsoft/vscode).
      options:
-        - label: I tested this in native VS Code.
-          required: false
-        - label: This does not happen in native VS Code.
-          required: false
-        - label: I tested this in GitHub Codespaces.
-          required: false
-        - label: This does not happen in GitHub Codespaces.
-          required: false
+        - Yes, this is also broken in native VS Code
+        - No, this works as expected in native VS Code
+        - This cannot be tested in native VS Code
+        - I did not test native VS Code
+    validations:
+      required: true
+
+  - type: dropdown
+    attributes:
+      label: Does this bug reproduce in GitHub Codespaces?
+      description: If the bug reproduces in GitHub Codespaces, submit the issue upstream instead (https://github.com/microsoft/vscode).
+      options:
+        - Yes, this is also broken in GitHub Codespaces
+        - No, this works as expected in GitHub Codespaces
+        - This cannot be tested in GitHub Codespaces
+        - I did not test GitHub Codespaces
+    validations:
+      required: true
+
  - type: checkboxes
    attributes:
      label: Are you accessing code-server over a secure context?
@@ -84,6 +103,7 @@ body:
      options:
        - label: I am using a secure context.
          required: false
+
  - type: textarea
    attributes:
      label: Notes
--- a/.github/ISSUE_TEMPLATE/doc.md
+++ b/.github/ISSUE_TEMPLATE/doc.md
@@ -1,9 +1,7 @@
 ---
 name: Documentation improvement
 about: Suggest a documentation improvement
-title: "[Docs]: "
 labels: "docs"
-assignees: "@jsjoeio"
 ---

 ## What is your suggestion?
--- a/.github/ISSUE_TEMPLATE/feature-request.md
+++ b/.github/ISSUE_TEMPLATE/feature-request.md
@@ -1,9 +1,7 @@
 ---
 name: Feature request
 about: Suggest an idea to improve code-server
-title: "[Feat]: "
 labels: enhancement
-assignees: ""
 ---

 ## What is your suggestion?
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -45,7 +45,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@v40
+        uses: tj-actions/changed-files@v44
        with:
          files: |
            docs/**
@@ -76,14 +76,14 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@v40
+        uses: tj-actions/changed-files@v44
        with:
          files: |
            ci/helm-chart/**

      - name: Install helm
        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: azure/setup-helm@v3.5
+        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

@@ -107,7 +107,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@v40
+        uses: tj-actions/changed-files@v44
        with:
          files: |
            **/*.ts
@@ -124,7 +124,7 @@ jobs:
      - name: Fetch dependencies from cache
        if: steps.changed-files.outputs.any_changed == 'true'
        id: cache-node-modules
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: "**/node_modules"
          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
@@ -163,7 +163,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@v40
+        uses: tj-actions/changed-files@v44
        with:
          files: |
            **/*.ts
@@ -179,7 +179,7 @@ jobs:
      - name: Fetch dependencies from cache
        if: steps.changed-files.outputs.any_changed == 'true'
        id: cache-node-modules
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: "**/node_modules"
          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
@@ -195,7 +195,7 @@ jobs:
        run: yarn test:unit

      - name: Upload coverage report to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
        if: success()
@@ -229,9 +229,14 @@ jobs:
        with:
          node-version-file: .node-version

+      # node-gyp is missing in (at least) npm 9.8.1.
+      # TODO: Remove once we update to npm>=10?
+      - name: Install node-gyp
+        run: npm install -g node-gyp
+
      - name: Fetch dependencies from cache
        id: cache-node-modules
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: "**/node_modules"
          key: yarn-build-code-server-${{ hashFiles('**/yarn.lock') }}
@@ -259,7 +264,7 @@ jobs:
      # force a rebuild.
      - name: Fetch prebuilt Code package from cache
        id: cache-vscode
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: lib/vscode-reh-web-*
          key: vscode-reh-package-${{ secrets.VSCODE_CACHE_VERSION }}-${{ steps.vscode-rev.outputs.rev }}-${{ hashFiles('patches/*.diff', 'ci/build/build-vscode.sh') }}
@@ -281,7 +286,7 @@ jobs:
        run: tar -czf package.tar.gz release

      - name: Upload npm package artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: npm-package
          path: ./package.tar.gz
@@ -305,7 +310,7 @@ jobs:

      - name: Fetch dependencies from cache
        id: cache-node-modules
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: "**/node_modules"
          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
@@ -313,7 +318,7 @@ jobs:
            yarn-build-

      - name: Download npm package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
          name: npm-package

@@ -337,7 +342,7 @@ jobs:

      - name: Upload test artifacts
        if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: failed-test-videos
          path: ./test/test-results
@@ -364,7 +369,7 @@ jobs:

      - name: Fetch dependencies from cache
        id: cache-node-modules
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: "**/node_modules"
          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
@@ -372,7 +377,7 @@ jobs:
            yarn-build-

      - name: Download npm package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
          name: npm-package

@@ -392,7 +397,7 @@ jobs:
          ./test/node_modules/.bin/playwright install

      - name: Cache Caddy
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        id: caddy-cache
        with:
          path: |
@@ -420,7 +425,7 @@ jobs:

      - name: Upload test artifacts
        if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: failed-test-videos-proxy
          path: ./test/test-results
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -36,7 +36,7 @@ jobs:
          cache: "yarn"

      - name: Download npm package from release artifacts
-        uses: robinraju/release-downloader@v1.8
+        uses: robinraju/release-downloader@v1.10
        with:
          repository: "coder/code-server"
          tag: ${{ github.event.inputs.version || github.ref_name }}
@@ -132,7 +132,7 @@ jobs:
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV

      - name: Validate package
-        uses: hapakaien/archlinux-package-action@v2
+        uses: heyhusen/archlinux-package-action@v2.2.1
        env:
          VERSION: ${{ env.VERSION }}
        with:
@@ -183,14 +183,22 @@ jobs:
          TAG="${{ github.event.inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV

-      - name: Download release artifacts
-        uses: robinraju/release-downloader@v1.8
+      - name: Download deb artifacts
+        uses: robinraju/release-downloader@v1.10
        with:
          repository: "coder/code-server"
          tag: v${{ env.VERSION }}
          fileName: "*.deb"
          out-file-path: "release-packages"

+      - name: Download rpm artifacts
+        uses: robinraju/release-downloader@v1.10
+        with:
+          repository: "coder/code-server"
+          tag: v${{ env.VERSION }}
+          fileName: "*.rpm"
+          out-file-path: "release-packages"
+
      - name: Publish to Docker
        run: ./ci/steps/docker-buildx-push.sh
        env:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -60,7 +60,7 @@ jobs:
        run: npm install -g yarn

      - name: Download npm package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
          name: npm-release-package

@@ -77,10 +77,11 @@ jobs:
        run: yarn test:integration

      - name: Upload coverage report to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
        if: success()
+        continue-on-error: true

      # NOTE@jsjoeio - we do this so we can strip out the v
      # i.e. v4.9.1 -> 4.9.1
@@ -94,7 +95,7 @@ jobs:
          VERSION: ${{ env.VERSION }}
        run: yarn package

-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@v2
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
@@ -161,7 +162,7 @@ jobs:
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Download npm package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
          name: npm-release-package

@@ -190,7 +191,7 @@ jobs:
          VERSION: ${{ env.VERSION }}
        run: npm run package ${npm_config_arch}

-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@v2
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
@@ -221,10 +222,10 @@ jobs:
      # next update Node we can probably remove this.  For now, install
      # setuptools since it contains distutils.
      - name: Install Python utilities
-        run: python3 -m pip install setuptools
+        run: brew install python-setuptools

      - name: Download npm package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
          name: npm-release-package

@@ -252,7 +253,7 @@ jobs:
          VERSION: ${{ env.VERSION }}
        run: yarn package

-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@v2
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
@@ -265,11 +266,11 @@ jobs:
    needs: npm-version
    steps:
      - name: Download npm package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
        with:
          name: npm-release-package

-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@v2
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
@@ -281,7 +282,7 @@ jobs:
    timeout-minutes: 15
    steps:
      - name: Download artifacts
-        uses: dawidd6/action-download-artifact@v2
+        uses: dawidd6/action-download-artifact@v3
        id: download
        with:
          branch: ${{ github.ref }}
@@ -318,7 +319,7 @@ jobs:
        run: tar -czf package.tar.gz release

      - name: Upload npm package artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: npm-release-package
          path: ./package.tar.gz
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -55,7 +55,7 @@ jobs:
          fetch-depth: 0

      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55
        with:
          scan-type: "fs"
          scan-ref: "."
@@ -66,7 +66,7 @@ jobs:
          severity: "HIGH,CRITICAL"

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-repo-results.sarif"

@@ -84,13 +84,13 @@ jobs:

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
        with:
          config-file: ./.github/codeql-config.yml
          languages: javascript

      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
--- a/.github/workflows/trivy-docker.yaml
+++ b/.github/workflows/trivy-docker.yaml
@@ -51,7 +51,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in image mode
-        uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55
        with:
          image-ref: "docker.io/codercom/code-server:latest"
          ignore-unfixed: true
@@ -60,6 +60,6 @@ jobs:
          severity: "HIGH,CRITICAL"

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-image-results.sarif"
--- a/.node-version
+++ b/.node-version
@@ -1 +1 @@
-18.15.0
+18.18.2
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,106 @@ Code v99.99.999

 ## Unreleased

+## [4.23.1](https://github.com/coder/code-server/releases/tag/v4.23.1) - 2024-04-15
+
+Code v1.88.1
+
+## Changed
+
+- Updated to Code 1.88.1.
+
+## [4.23.0](https://github.com/coder/code-server/releases/tag/v4.23.0) - 2024-04-08
+
+Code v1.88.0
+
+## Changed
+
+- Updated to Code 1.88.0.
+- Updated Node to 18.18.2.
+
+## Fixed
+
+- Fix masking the exit code when failing to install extensions on the command
+  line outside the integrated terminal. Installing extensions inside the
+  integrated terminal still masks the exit code and is an upstream bug.
+
+## [4.22.1](https://github.com/coder/code-server/releases/tag/v4.22.1) - 2024-03-14
+
+Code v1.87.2
+
+## Changed
+
+- Updated to Code 1.87.2.
+- Enable keep-alive for proxy agent.
+
+## [4.22.0](https://github.com/coder/code-server/releases/tag/v4.22.0) - 2024-03-03
+
+Code v1.87.0
+
+## Changed
+
+- Updated to Code 1.87.0.
+
+## [4.21.2](https://github.com/coder/code-server/releases/tag/v4.21.2) - 2024-02-28
+
+Code v1.86.2
+
+## Changed
+
+- Updated to Code 1.86.2.
+
+## [4.21.1](https://github.com/coder/code-server/releases/tag/v4.21.1) - 2024-02-09
+
+Code v1.86.1
+
+## Changed
+
+- Updated to Code 1.86.1.
+- Updated to Node 18.17.1.
+
+## Added
+
+- Docker images for Fedora and openSUSE.
+
+## [4.21.0](https://github.com/coder/code-server/releases/tag/v4.21.0) - 2024-02-05
+
+Code v1.86.0
+
+## Changed
+
+- Updated to Code 1.86.0.
+
+## [4.20.1](https://github.com/coder/code-server/releases/tag/v4.20.1) - 2024-01-22
+
+Code v1.85.2
+
+## Changed
+
+- Updated to Code 1.85.2.
+
+## Fixed
+
+- Query variables are no longer double-encoded when going over the path proxy.
+
+## [4.20.0](https://github.com/coder/code-server/releases/tag/v4.20.0) - 2023-12-21
+
+Code v1.85.1
+
+### Added
+
+- New flag `--disable-file-uploads` to disable uploading files to the remote by
+  drag and drop and to disable opening local files via the "show local" button
+  in the file open prompt. Note that you can still open local files by drag and
+  dropping the file onto the editor pane.
+- Added `wget` to the release image.
+
+### Changed
+
+- Updated to Code 1.85.1.
+- The `--disable-file-downloads` flag will now disable the "show local" button
+  in the file save prompt as well.
+- Debian release image updated to use Bookworm.
+
 ## [4.19.1](https://github.com/coder/code-server/releases/tag/v4.19.1) - 2023-11-29

 Code v1.84.2
--- a/ci/build/npm-postinstall.sh
+++ b/ci/build/npm-postinstall.sh
@@ -51,6 +51,18 @@ symlink_bin_script() {
  cd "$oldpwd"
 }

+command_exists() {
+  if [ ! "$1" ]; then return 1; fi
+  command -v "$@" > /dev/null
+}
+
+is_root() {
+  if command_exists id && [ "$(id -u)" = 0 ]; then
+    return 0
+  fi
+  return 1
+}
+
 OS="$(os)"

 main() {
@@ -75,17 +87,20 @@ main() {
    exit 1
  fi

-  case "${npm_config_user_agent-}" in npm*)
-    # We are running under npm.
-    if [ "${npm_config_unsafe_perm-}" != "true" ]; then
-      echo "Please pass --unsafe-perm to npm to install code-server"
-      echo "Otherwise the postinstall script does not have permissions to run"
-      echo "See https://docs.npmjs.com/misc/config#unsafe-perm"
-      echo "See https://stackoverflow.com/questions/49084929/npm-sudo-global-installation-unsafe-perm"
-      exit 1
-    fi
-    ;;
-  esac
+  # Under npm, if we are running as root, we need --unsafe-perm otherwise
+  # post-install scripts will not have sufficient permissions to do their thing.
+  if is_root; then
+    case "${npm_config_user_agent-}" in npm*)
+      if [ "${npm_config_unsafe_perm-}" != "true" ]; then
+        echo "Please pass --unsafe-perm to npm to install code-server"
+        echo "Otherwise post-install scripts will not have permissions to run"
+        echo "See https://docs.npmjs.com/misc/config#unsafe-perm"
+        echo "See https://stackoverflow.com/questions/49084929/npm-sudo-global-installation-unsafe-perm"
+        exit 1
+      fi
+      ;;
+    esac
+  fi

  if ! vscode_install; then
    echo "You may not have the required dependencies to build the native modules."
--- a/ci/helm-chart/Chart.yaml
+++ b/ci/helm-chart/Chart.yaml
@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.15.1
+version: 3.19.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.19.1
+appVersion: 4.23.1
--- a/ci/helm-chart/values.yaml
+++ b/ci/helm-chart/values.yaml
@@ -6,7 +6,7 @@ replicaCount: 1

 image:
  repository: codercom/code-server
-  tag: '4.19.1'
+  tag: '4.23.1'
  pullPolicy: Always

 # Specifies one or more secrets to be used when pulling images from a
--- a/ci/release-image/Dockerfile.fedora
+++ b/ci/release-image/Dockerfile.fedora
@@ -0,0 +1,51 @@
+# syntax=docker/dockerfile:experimental
+
+ARG BASE=fedora:39
+FROM scratch AS packages
+COPY release-packages/code-server*.rpm /tmp/
+
+FROM $BASE
+
+RUN dnf update -y \
+    && dnf install -y \
+    curl \
+    git \
+    git-lfs \
+    htop \
+    nano \
+    openssh-clients \
+    procps \
+    wget \
+    zsh \
+    dumb-init \
+    glibc-langpack-en \
+    && rm -rf /var/cache/dnf
+RUN git lfs install
+
+ENV LANG=en_US.UTF-8
+RUN echo 'LANG="en_US.UTF-8"' > /etc/locale.conf
+
+RUN useradd -u 1000 coder && echo "coder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/nopasswd
+
+RUN ARCH="$(uname -m | sed 's/x86_64/amd64/g' | sed 's/aarch64/arm64/g')" \
+  && curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.6.0/fixuid-0.6.0-linux-$ARCH.tar.gz" | tar -C /usr/local/bin -xzf - \
+  && chown root:root /usr/local/bin/fixuid \
+  && chmod 4755 /usr/local/bin/fixuid \
+  && mkdir -p /etc/fixuid \
+  && printf "user: coder\ngroup: coder\n" > /etc/fixuid/config.yml
+
+COPY ci/release-image/entrypoint.sh /usr/bin/entrypoint.sh
+RUN --mount=from=packages,src=/tmp,dst=/tmp/packages rpm -i /tmp/packages/code-server*$(uname -m | sed 's/x86_64/amd64/g' | sed 's/aarch64/arm64/g').rpm
+
+# Allow users to have scripts run on container startup to prepare workspace.
+# https://github.com/coder/code-server/issues/5177
+ENV ENTRYPOINTD=${HOME}/entrypoint.d
+
+EXPOSE 8080
+# This way, if someone sets $DOCKER_USER, docker-exec will still work as
+# the uid will remain the same. note: only relevant if -u isn't passed to
+# docker-run.
+USER 1000
+ENV USER=coder
+WORKDIR /home/coder
+ENTRYPOINT ["/usr/bin/entrypoint.sh", "--bind-addr", "0.0.0.0:8080", "."]
--- a/ci/release-image/Dockerfile.opensuse
+++ b/ci/release-image/Dockerfile.opensuse
@@ -0,0 +1,51 @@
+# syntax=docker/dockerfile:experimental
+
+ARG BASE=opensuse/tumbleweed
+FROM scratch AS packages
+COPY release-packages/code-server*.rpm /tmp/
+
+FROM $BASE
+
+RUN zypper dup -y \
+    && zypper in -y \
+    curl \
+    git \
+    git-lfs \
+    htop \
+    nano \
+    openssh-clients \
+    procps \
+    wget \
+    zsh \
+    sudo \
+    catatonit \
+    && rm -rf /var/cache/zypp /var/cache/zypper
+RUN git lfs install
+
+ENV LANG=en_US.UTF-8
+RUN echo 'LANG="en_US.UTF-8"' > /etc/locale.conf
+
+RUN useradd -u 1000 coder && echo "coder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/nopasswd
+
+RUN ARCH="$(uname -m | sed 's/x86_64/amd64/g' | sed 's/aarch64/arm64/g')" \
+  && curl -fsSL "https://github.com/boxboat/fixuid/releases/download/v0.6.0/fixuid-0.6.0-linux-$ARCH.tar.gz" | tar -C /usr/local/bin -xzf - \
+  && chown root:root /usr/local/bin/fixuid \
+  && chmod 4755 /usr/local/bin/fixuid \
+  && mkdir -p /etc/fixuid \
+  && printf "user: coder\ngroup: coder\n" > /etc/fixuid/config.yml
+
+COPY ci/release-image/entrypoint-catatonit.sh /usr/bin/entrypoint-catatonit.sh
+RUN --mount=from=packages,src=/tmp,dst=/tmp/packages rpm -i /tmp/packages/code-server*$(uname -m | sed 's/x86_64/amd64/g' | sed 's/aarch64/arm64/g').rpm
+
+# Allow users to have scripts run on container startup to prepare workspace.
+# https://github.com/coder/code-server/issues/5177
+ENV ENTRYPOINTD=${HOME}/entrypoint.d
+
+EXPOSE 8080
+# This way, if someone sets $DOCKER_USER, docker-exec will still work as
+# the uid will remain the same. note: only relevant if -u isn't passed to
+# docker-run.
+USER 1000
+ENV USER=coder
+WORKDIR /home/coder
+ENTRYPOINT ["/usr/bin/entrypoint-catatonit.sh", "--bind-addr", "0.0.0.0:8080", "."]
--- a/ci/release-image/docker-bake.hcl
+++ b/ci/release-image/docker-bake.hcl
@@ -18,6 +18,8 @@ group "default" {
    targets = [
        "code-server-debian-12",
        "code-server-ubuntu-focal",
+        "code-server-fedora-39",
+        "code-server-opensuse-tumbleweed",
    ]
 }

@@ -66,3 +68,27 @@ target "code-server-ubuntu-focal" {
    }
    platforms = ["linux/amd64", "linux/arm64"]
 }
+
+target "code-server-fedora-39" {
+    dockerfile = "ci/release-image/Dockerfile.fedora"
+    tags = concat(
+        gen_tags_for_docker_and_ghcr("fedora"),
+        gen_tags_for_docker_and_ghcr("39"),
+    )
+    args = {
+        BASE = "fedora:39"
+    }
+    platforms = ["linux/amd64", "linux/arm64"]
+}
+
+target "code-server-opensuse-tumbleweed" {
+    dockerfile = "ci/release-image/Dockerfile.opensuse"
+    tags = concat(
+        gen_tags_for_docker_and_ghcr("opensuse"),
+        gen_tags_for_docker_and_ghcr("tumbleweed"),
+    )
+    args = {
+        BASE = "opensuse/tumbleweed"
+    }
+    platforms = ["linux/amd64", "linux/arm64"]
+}
--- a/ci/release-image/entrypoint-catatonit.sh
+++ b/ci/release-image/entrypoint-catatonit.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+set -eu
+
+# We do this first to ensure sudo works below when renaming the user.
+# Otherwise the current container UID may not exist in the passwd database.
+eval "$(fixuid -q)"
+
+if [ "${DOCKER_USER-}" ]; then
+  USER="$DOCKER_USER"
+  if [ "$DOCKER_USER" != "$(whoami)" ]; then
+    echo "$DOCKER_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/nopasswd > /dev/null
+    # Unfortunately we cannot change $HOME as we cannot move any bind mounts
+    # nor can we bind mount $HOME into a new home as that requires a privileged container.
+    sudo usermod --login "$DOCKER_USER" coder
+    sudo groupmod -n "$DOCKER_USER" coder
+
+    sudo sed -i "/coder/d" /etc/sudoers.d/nopasswd
+  fi
+fi
+
+# Allow users to have scripts run on container startup to prepare workspace.
+# https://github.com/coder/code-server/issues/5177
+if [ -d "${ENTRYPOINTD}" ]; then
+  find "${ENTRYPOINTD}" -type f -executable -print -exec {} \;
+fi
+
+exec catatonit -- /usr/bin/code-server "$@"
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -356,6 +356,12 @@ hashed-password: "$argon2i$v=19$m=4096,t=3,p=1$wST5QhBgk2lu1ih4DMuxvg$LS1alrVdIW

 The `hashed-password` field takes precedence over `password`.

+If you're using Docker Compose file, in order to make this work, you need to change all the single $ to $$. For example:
+
+```yaml
+- HASHED_PASSWORD=$$argon2i$$v=19$$m=4096,t=3,p=1$$wST5QhBgk2lu1ih4DMuxvg$$LS1alrVdIWtvZHwnzCM1DUGg+5DTO3Dt1d5v9XtLws4
+```
+
 ## Is multi-tenancy possible?

 If you want to run multiple code-servers on shared infrastructure, we recommend
--- a/docs/MAINTAINING.md
+++ b/docs/MAINTAINING.md
@@ -171,7 +171,7 @@ We publish to AUR as a package [here](https://aur.archlinux.org/packages/code-se

 #### Docker

-We publish code-server as a Docker image [here](https://registry.hub.docker.com/r/codercom/code-server), tagging it both with the version and latest.
+We publish code-server as a Docker image [here](https://hub.docker.com/r/codercom/code-server), tagging it both with the version and latest.

 This is currently automated with the release process.

--- a/docs/android.md
+++ b/docs/android.md
@@ -18,7 +18,7 @@ nvm install 18
 nvm use 18
 ```

-8. Install code-server globally on device with: `npm install --global code-server --unsafe-perm`
+8. Install code-server globally on device with: `npm install --global code-server`
 9. Run code-server with `code-server`
 10. Access on localhost:8080 in your browser

--- a/docs/coder.md
+++ b/docs/coder.md
@@ -33,5 +33,16 @@ resource "coder_app" "code-server" {
 }
 ```

+Or use our official [`code-server`](https://registry.coder.com/modules/code-server) module from the Coder [module registry](htpps://registry.coder.com/modules):
+
+```terraform
+module "code-server" {
+  source     = "registry.coder.com/modules/code-server/coder"
+  version    = "1.0.5"
+  agent_id   = coder_agent.example.id
+  extensions = ["dracula-theme.theme-dracula", "ms-azuretools.vscode-docker"]
+}
+```
+
 If you run into issues, ask for help on the `coder/coder` [Discussions
 here](https://github.com/coder/coder/discussions).
--- a/docs/npm.md
+++ b/docs/npm.md
@@ -92,7 +92,7 @@ Installing code-server requires all of the [prerequisites for VS Code developmen
 Next, install code-server with:

 ```bash
-npm install --global code-server --unsafe-perm
+npm install --global code-server
 code-server
 # Now visit http://127.0.0.1:8080. Your password is in ~/.config/code-server/config.yaml
 ```
@@ -112,7 +112,7 @@ For help and additional troubleshooting, see [#1397](https://github.com/coder/co
 After adding the dependencies for your OS, install the code-server package globally:

 ```bash
-npm install --global code-server --unsafe-perm
+npm install --global code-server
 code-server
 # Now visit http://127.0.0.1:8080. Your password is in ~/.config/code-server/config.yaml
 ```
@@ -144,8 +144,8 @@ To debug installation issues, install with `npm`:

 ```shell
 # Uninstall
-npm uninstall --global --unsafe-perm code-server > /dev/null 2>&1
+npm uninstall --global code-server > /dev/null 2>&1

 # Install with logging
-npm install --loglevel verbose --global --unsafe-perm code-server
+npm install --loglevel verbose --global code-server
 ```
--- a/docs/termux.md
+++ b/docs/termux.md
@@ -70,7 +70,7 @@ code-server --auth none
 7. If already installed then use the following command for upgradation.

 ```
-npm update --global code-server --unsafe-perm
+npm update --global code-server
 ```

 ## Upgrade
--- a/lib/vscode
+++ b/lib/vscode
--- a/package.json
+++ b/package.json
@@ -61,7 +61,7 @@
    "eslint-plugin-import": "^2.28.1",
    "eslint-plugin-prettier": "^5.0.0",
    "prettier": "^3.0.3",
-    "prettier-plugin-sh": "^0.13.1",
+    "prettier-plugin-sh": "^0.14.0",
    "ts-node": "^10.9.1",
    "typescript": "^5.2.2"
  },
@@ -71,7 +71,7 @@
    "compression": "^1.7.4",
    "cookie-parser": "^1.4.6",
    "env-paths": "^2.2.1",
-    "express": "5.0.0-alpha.8",
+    "express": "5.0.0-beta.3",
    "http-proxy": "^1.18.1",
    "httpolyglot": "^0.1.2",
    "i18next": "^23.5.1",
@@ -79,7 +79,7 @@
    "limiter": "^2.1.0",
    "pem": "^1.14.8",
    "proxy-agent": "^6.3.1",
-    "qs": "6.9.7",
+    "qs": "6.12.1",
    "rotating-file-stream": "^3.1.1",
    "safe-buffer": "^5.2.1",
    "safe-compare": "^1.1.4",
@@ -88,11 +88,7 @@
    "xdg-basedir": "^4.0.0"
  },
  "resolutions": {
-    "@types/node": "^18.0.0",
-    "qs": "6.9.7"
-  },
-  "overrides": {
-    "qs": "6.9.7"
+    "@types/node": "^18.0.0"
  },
  "bin": {
    "code-server": "out/node/entry.js"
--- a/patches/base-path.diff
+++ b/patches/base-path.diff
@@ -10,7 +10,7 @@ Index: code-server/lib/vscode/src/vs/base/common/network.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/base/common/network.ts
 +++ code-server/lib/vscode/src/vs/base/common/network.ts
-@@ -181,7 +181,9 @@ class RemoteAuthoritiesImpl {
+@@ -205,7 +205,9 @@ class RemoteAuthoritiesImpl {
 		return URI.from({
 			scheme: platform.isWeb ? this._preferredWebSchema : Schemas.vscodeRemoteResource,
 			authority: `${host}:${port}`,
@@ -111,7 +111,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -269,16 +269,15 @@ export class WebClientServer {
+@@ -270,16 +270,15 @@ export class WebClientServer {
 			return void res.end();
 		}
 
@@ -133,7 +133,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 		);
 		if (!remoteAuthority) {
 			return serveError(req, res, 400, `Bad request.`);
-@@ -305,8 +304,12 @@ export class WebClientServer {
+@@ -306,8 +305,12 @@ export class WebClientServer {
 			scopes: [['user:email'], ['repo']]
 		} : undefined;
 
@@ -146,7 +146,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 			embedderIdentifier: 'server-distro',
 			extensionsGallery: this._webExtensionResourceUrlTemplate ? {
 				...this._productService.extensionsGallery,
-@@ -341,8 +344,10 @@ export class WebClientServer {
+@@ -343,8 +346,10 @@ export class WebClientServer {
 		const values: { [key: string]: string } = {
 			WORKBENCH_WEB_CONFIGURATION: asJSON(workbenchWebConfiguration),
 			WORKBENCH_AUTH_SESSION: authSessionInfo ? asJSON(authSessionInfo) : '',
@@ -159,7 +159,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 		};
 
 		if (useTestResolver) {
-@@ -369,7 +374,7 @@ export class WebClientServer {
+@@ -371,7 +376,7 @@ export class WebClientServer {
 			'default-src \'self\';',
 			'img-src \'self\' https: data: blob:;',
 			'media-src \'self\';',
@@ -168,7 +168,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 			'child-src \'self\';',
 			`frame-src 'self' https://*.vscode-cdn.net data:;`,
 			'worker-src \'self\' data: blob:;',
-@@ -442,3 +447,70 @@ export class WebClientServer {
+@@ -444,3 +449,70 @@ export class WebClientServer {
 		return void res.end(data);
 	}
 }
@@ -303,10 +303,10 @@ Index: code-server/lib/vscode/src/vs/platform/extensionResourceLoader/common/ext
 import { TelemetryLevel } from 'vs/platform/telemetry/common/telemetry';
 import { getTelemetryLevel, supportsTelemetry } from 'vs/platform/telemetry/common/telemetryUtils';
 -import { RemoteAuthorities } from 'vs/base/common/network';
- import { getRemoteServerRootPath } from 'vs/platform/remote/common/remoteHosts';
 import { TargetPlatform } from 'vs/platform/extensions/common/extensions';
 
-@@ -102,7 +101,7 @@ export abstract class AbstractExtensionR
+ const WEB_EXTENSION_RESOURCE_END_POINT_SEGMENT = '/web-extension-resource/';
+@@ -99,7 +98,7 @@ export abstract class AbstractExtensionR
 					: version,
 				path: 'extension'
 			}));
--- a/patches/cli-window-open.diff
+++ b/patches/cli-window-open.diff
@@ -17,7 +17,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/terminal/browser/remoteTe
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/terminal/browser/remoteTerminalBackend.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/terminal/browser/remoteTerminalBackend.ts
-@@ -104,10 +104,14 @@ class RemoteTerminalBackend extends Base
+@@ -106,10 +106,14 @@ class RemoteTerminalBackend extends Base
 			}
 			const reqId = e.reqId;
 			const commandId = e.commandId;
--- a/patches/disable-builtin-ext-update.diff
+++ b/patches/disable-builtin-ext-update.diff
@@ -7,7 +7,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts
-@@ -245,6 +245,10 @@ export class Extension implements IExten
+@@ -284,6 +284,10 @@ export class Extension implements IExten
 			if (this.type === ExtensionType.System && this.productService.quality === 'stable') {
 				return false;
 			}
--- a/patches/display-language.diff
+++ b/patches/display-language.diff
@@ -30,7 +30,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverServices.ts
 import { ProtocolConstants } from 'vs/base/parts/ipc/common/ipc.net';
 import { IConfigurationService } from 'vs/platform/configuration/common/configuration';
 import { ConfigurationService } from 'vs/platform/configuration/common/configurationService';
-@@ -228,6 +228,9 @@ export async function setupServerService
+@@ -237,6 +237,9 @@ export async function setupServerService
 		const channel = new ExtensionManagementChannel(extensionManagementService, (ctx: RemoteAgentConnectionContext) => getUriTransformer(ctx.remoteAuthority));
 		socketServer.registerChannel('extensions', channel);
 
@@ -53,7 +53,7 @@ Index: code-server/lib/vscode/src/vs/base/common/platform.ts
 export const LANGUAGE_DEFAULT = 'en';
 
 let _isWindows = false;
-@@ -85,17 +83,21 @@ if (typeof navigator === 'object' && !is
+@@ -112,17 +110,21 @@ else if (typeof navigator === 'object' &
 	_isMobile = _userAgent?.indexOf('Mobi') >= 0;
 	_isWeb = true;
 
@@ -83,7 +83,7 @@ Index: code-server/lib/vscode/src/vs/base/common/platform.ts
 +	}
 }
 
- // Native environment
+ // Unknown environment
 Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.html
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/code/browser/workbench/workbench.html
@@ -218,9 +218,9 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 import { isString } from 'vs/base/common/types';
 +import { getLocaleFromConfig, getNLSConfiguration } from 'vs/server/node/remoteLanguagePacks';
 import { CharCode } from 'vs/base/common/charCode';
- import { getRemoteServerRootPath } from 'vs/platform/remote/common/remoteHosts';
 import { IExtensionManifest } from 'vs/platform/extensions/common/extensions';
-@@ -345,6 +346,8 @@ export class WebClientServer {
+ 
+@@ -348,6 +349,8 @@ export class WebClientServer {
 			callbackRoute: this._callbackRoute
 		};
 
@@ -229,7 +229,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 		const nlsBaseUrl = this._productService.extensionsGallery?.nlsBaseUrl;
 		const values: { [key: string]: string } = {
 			WORKBENCH_WEB_CONFIGURATION: asJSON(workbenchWebConfiguration),
-@@ -353,6 +356,7 @@ export class WebClientServer {
+@@ -356,6 +359,7 @@ export class WebClientServer {
 			WORKBENCH_NLS_BASE_URL: vscodeBase + (nlsBaseUrl ? `${nlsBaseUrl}${!nlsBaseUrl.endsWith('/') ? '/' : ''}${this._productService.commit}/${this._productService.version}/` : ''),
 			BASE: base,
 			VS_BASE: vscodeBase,
@@ -249,8 +249,8 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 
 	/* ----- server setup ----- */
 
-@@ -101,6 +102,7 @@ export interface ServerParsedArgs {
- 	'auth'?: string
+@@ -103,6 +104,7 @@ export interface ServerParsedArgs {
+ 	'auth'?: string;
 	'disable-file-downloads'?: boolean;
 	'disable-file-uploads'?: boolean;
 +	'locale'?: string
@@ -261,7 +261,7 @@ Index: code-server/lib/vscode/src/vs/workbench/workbench.web.main.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/workbench.web.main.ts
 +++ code-server/lib/vscode/src/vs/workbench/workbench.web.main.ts
-@@ -50,7 +50,7 @@ import 'vs/workbench/services/dialogs/br
+@@ -52,7 +52,7 @@ import 'vs/workbench/services/dialogs/br
 import 'vs/workbench/services/host/browser/browserHostService';
 import 'vs/workbench/services/lifecycle/browser/lifecycleService';
 import 'vs/workbench/services/clipboard/browser/clipboardService';
@@ -270,7 +270,7 @@ Index: code-server/lib/vscode/src/vs/workbench/workbench.web.main.ts
 import 'vs/workbench/services/path/browser/pathService';
 import 'vs/workbench/services/themes/browser/browserHostColorSchemeService';
 import 'vs/workbench/services/encryption/browser/encryptionService';
-@@ -116,8 +116,9 @@ registerSingleton(ILanguagePackService,
+@@ -118,8 +118,9 @@ registerSingleton(ILanguagePackService,
 // Logs
 import 'vs/workbench/contrib/logs/browser/logs.contribution';
 
@@ -348,7 +348,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsActions.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extensionsActions.ts
-@@ -321,9 +321,6 @@ export class InstallAction extends Exten
+@@ -342,9 +342,6 @@ export class InstallAction extends Exten
 		if (this.extension.isBuiltin) {
 			return;
 		}
@@ -358,7 +358,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 		if (this.extension.state === ExtensionState.Uninstalled && await this.extensionsWorkbenchService.canInstall(this.extension)) {
 			this.enabled = this.options.installPreReleaseVersion ? this.extension.hasPreReleaseVersion : this.extension.hasReleaseVersion;
 			this.updateLabel();
-@@ -591,7 +588,7 @@ export abstract class InstallInOtherServ
+@@ -615,7 +612,7 @@ export abstract class InstallInOtherServ
 		}
 
 		if (isLanguagePackExtension(this.extension.local.manifest)) {
@@ -367,7 +367,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 		}
 
 		// Prefers to run on UI
-@@ -1751,17 +1748,6 @@ export class SetLanguageAction extends E
+@@ -1843,17 +1840,6 @@ export class SetLanguageAction extends E
 	update(): void {
 		this.enabled = false;
 		this.class = SetLanguageAction.DisabledClass;
@@ -385,7 +385,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 	}
 
 	override async run(): Promise<any> {
-@@ -1778,7 +1764,6 @@ export class ClearLanguageAction extends
+@@ -1870,7 +1856,6 @@ export class ClearLanguageAction extends
 	private static readonly DisabledClass = `${ClearLanguageAction.EnabledClass} disabled`;
 
 	constructor(
@@ -393,7 +393,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/extensions/browser/extens
 		@ILocaleService private readonly localeService: ILocaleService,
 	) {
 		super(ClearLanguageAction.ID, ClearLanguageAction.TITLE.value, ClearLanguageAction.DisabledClass, false);
-@@ -1788,17 +1773,6 @@ export class ClearLanguageAction extends
+@@ -1880,17 +1865,6 @@ export class ClearLanguageAction extends
 	update(): void {
 		this.enabled = false;
 		this.class = ClearLanguageAction.DisabledClass;
--- a/patches/external-file-actions.diff
+++ b/patches/external-file-actions.diff
@@ -27,7 +27,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.api.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
-@@ -281,6 +281,16 @@ export interface IWorkbenchConstructionO
+@@ -303,6 +303,16 @@ export interface IWorkbenchConstructionO
 	 */
 	readonly userDataPath?: string
 
@@ -99,10 +99,10 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 
 	/* ----- server setup ----- */
 
-@@ -97,6 +99,8 @@ export interface ServerParsedArgs {
+@@ -99,6 +101,8 @@ export interface ServerParsedArgs {
 	/* ----- code-server ----- */
 	'disable-update-check'?: boolean;
- 	'auth'?: string
+ 	'auth'?: string;
 +	'disable-file-downloads'?: boolean;
 +	'disable-file-uploads'?: boolean;
 
@@ -112,8 +112,8 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -332,6 +332,8 @@ export class WebClientServer {
- 			remoteAuthority,
+@@ -334,6 +334,8 @@ export class WebClientServer {
+ 			serverBasePath: this._basePath,
 			webviewEndpoint: vscodeBase + this._staticRoute + '/out/vs/workbench/contrib/webview/browser/pre',
 			userDataPath: this._environmentService.userDataPath,
 +			isEnabledFileDownloads: !this._environmentService.args['disable-file-downloads'],
@@ -129,8 +129,8 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
 import { Disposable } from 'vs/base/common/lifecycle';
 import { IContextKeyService, IContextKey, setConstant as setConstantContextKey } from 'vs/platform/contextkey/common/contextkey';
 import { InputFocusedContext, IsMacContext, IsLinuxContext, IsWindowsContext, IsWebContext, IsMacNativeContext, IsDevelopmentContext, IsIOSContext, ProductQualityContext, IsMobileContext } from 'vs/platform/contextkey/common/contextkeys';
-import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, EmbedderIdentifierContext, EditorTabsVisibleContext, IsCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, MainEditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, ActiveEditorCanToggleReadonlyContext, applyAvailableEditorIds, TitleBarVisibleContext, TitleBarStyleContext, MultipleEditorGroupsContext, IsAuxiliaryWindowFocusedContext } from 'vs/workbench/common/contextkeys';
-+import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, EmbedderIdentifierContext, EditorTabsVisibleContext, IsCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, MainEditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, ActiveEditorCanToggleReadonlyContext, applyAvailableEditorIds, TitleBarVisibleContext, TitleBarStyleContext, MultipleEditorGroupsContext, IsAuxiliaryWindowFocusedContext, IsEnabledFileDownloads, IsEnabledFileUploads } from 'vs/workbench/common/contextkeys';
+-import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, EmbedderIdentifierContext, EditorTabsVisibleContext, IsMainEditorCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, MainEditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsMainWindowFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, ActiveEditorCanToggleReadonlyContext, applyAvailableEditorIds, TitleBarVisibleContext, TitleBarStyleContext, MultipleEditorGroupsContext, IsAuxiliaryWindowFocusedContext, ActiveCompareEditorCanSwapContext } from 'vs/workbench/common/contextkeys';
+import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, EmbedderIdentifierContext, EditorTabsVisibleContext, IsMainEditorCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, MainEditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsMainWindowFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, ActiveEditorCanToggleReadonlyContext, applyAvailableEditorIds, TitleBarVisibleContext, TitleBarStyleContext, MultipleEditorGroupsContext, IsAuxiliaryWindowFocusedContext, ActiveCompareEditorCanSwapContext, IsEnabledFileDownloads, IsEnabledFileUploads } from 'vs/workbench/common/contextkeys';
 import { TEXT_DIFF_EDITOR_ID, EditorInputCapabilities, SIDE_BY_SIDE_EDITOR_ID, EditorResourceAccessor, SideBySideEditor } from 'vs/workbench/common/editor';
 import { trackFocus, addDisposableListener, EventType, onDidRegisterWindow, getActiveWindow } from 'vs/base/browser/dom';
 import { preferredSideBySideGroupDirection, GroupDirection, IEditorGroupsService } from 'vs/workbench/services/editor/common/editorGroupsService';
@@ -140,7 +140,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
 import { IEditorService } from 'vs/workbench/services/editor/common/editorService';
 import { WorkbenchState, IWorkspaceContextService, isTemporaryWorkspace } from 'vs/platform/workspace/common/workspace';
 import { IWorkbenchLayoutService, Parts, positionToString } from 'vs/workbench/services/layout/browser/layoutService';
-@@ -84,7 +84,7 @@ export class WorkbenchContextKeysHandler
+@@ -88,7 +88,7 @@ export class WorkbenchContextKeysHandler
 		@IContextKeyService private readonly contextKeyService: IContextKeyService,
 		@IWorkspaceContextService private readonly contextService: IWorkspaceContextService,
 		@IConfigurationService private readonly configurationService: IConfigurationService,
@@ -149,7 +149,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
 		@IProductService private readonly productService: IProductService,
 		@IEditorService private readonly editorService: IEditorService,
 		@IEditorResolverService private readonly editorResolverService: IEditorResolverService,
-@@ -220,6 +220,10 @@ export class WorkbenchContextKeysHandler
+@@ -225,6 +225,10 @@ export class WorkbenchContextKeysHandler
 		this.auxiliaryBarVisibleContext = AuxiliaryBarVisibleContext.bindTo(this.contextKeyService);
 		this.auxiliaryBarVisibleContext.set(this.layoutService.isVisible(Parts.AUXILIARYBAR_PART));
 
@@ -173,7 +173,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/files/browser/fileActions
 import { IsWebContext } from 'vs/platform/contextkey/common/contextkeys';
 import { ServicesAccessor } from 'vs/platform/instantiation/common/instantiation';
 import { ThemeIcon } from 'vs/base/common/themables';
-@@ -550,13 +550,16 @@ MenuRegistry.appendMenuItem(MenuId.Explo
+@@ -553,13 +553,16 @@ MenuRegistry.appendMenuItem(MenuId.Explo
 		id: DOWNLOAD_COMMAND_ID,
 		title: DOWNLOAD_LABEL
 	},
@@ -197,7 +197,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/files/browser/fileActions
 	)
 }));
 
-@@ -568,6 +571,7 @@ MenuRegistry.appendMenuItem(MenuId.Explo
+@@ -571,6 +574,7 @@ MenuRegistry.appendMenuItem(MenuId.Explo
 		title: UPLOAD_LABEL,
 	},
 	when: ContextKeyExpr.and(
@@ -241,8 +241,8 @@ Index: code-server/lib/vscode/src/vs/workbench/services/dialogs/browser/simpleFi
 		@IRemoteAgentService private readonly remoteAgentService: IRemoteAgentService,
 		@IPathService protected readonly pathService: IPathService,
 		@IKeybindingService private readonly keybindingService: IKeybindingService,
-@@ -287,20 +287,22 @@ export class SimpleFileDialog implements
- 			this.filePickBox.autoFocusOnList = false;
+@@ -286,20 +286,22 @@ export class SimpleFileDialog implements
+ 			this.filePickBox.sortByLabel = false;
 			this.filePickBox.ignoreFocusOut = true;
 			this.filePickBox.ok = true;
 -			if ((this.scheme !== Schemas.file) && this.options && this.options.availableFileSystems && (this.options.availableFileSystems.length > 1) && (this.options.availableFileSystems.indexOf(Schemas.file) > -1)) {
@@ -287,10 +287,10 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/files/browser/views/explo
 import { mainWindow } from 'vs/base/browser/window';
 import { IExplorerFileContribution, explorerFileContribRegistry } from 'vs/workbench/contrib/files/browser/explorerFileContrib';
 +import { IBrowserWorkbenchEnvironmentService } from 'vs/workbench/services/environment/browser/environmentService';
+ import type { IHoverWidget } from 'vs/base/browser/ui/hover/hover';
 
 export class ExplorerDelegate implements IListVirtualDelegate<ExplorerItem> {
- 
-@@ -1079,7 +1080,8 @@ export class FileDragAndDrop implements
+@@ -1080,7 +1081,8 @@ export class FileDragAndDrop implements
 		@IConfigurationService private configurationService: IConfigurationService,
 		@IInstantiationService private instantiationService: IInstantiationService,
 		@IWorkspaceEditingService private workspaceEditingService: IWorkspaceEditingService,
@@ -300,7 +300,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/files/browser/views/explo
 	) {
 		const updateDropEnablement = (e: IConfigurationChangeEvent | undefined) => {
 			if (!e || e.affectsConfiguration('explorer.enableDragAndDrop')) {
-@@ -1283,15 +1285,17 @@ export class FileDragAndDrop implements
+@@ -1305,15 +1307,17 @@ export class FileDragAndDrop implements
 
 			// External file DND (Import/Upload file)
 			if (data instanceof NativeDragAndDropData) {
--- a/patches/getting-started.diff
+++ b/patches/getting-started.diff
@@ -14,12 +14,12 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/bro
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 
-import { $, Dimension, addDisposableListener, append, clearNode, getWindow, reset } from 'vs/base/browser/dom';
-+import { $, Dimension, addDisposableListener, append, clearNode, getWindow, reset, prepend } from 'vs/base/browser/dom';
+-import { $, Dimension, addDisposableListener, append, clearNode, reset } from 'vs/base/browser/dom';
+import { $, Dimension, addDisposableListener, append, clearNode, reset, prepend } from 'vs/base/browser/dom';
 import { renderFormattedText } from 'vs/base/browser/formattedTextRenderer';
 import { StandardKeyboardEvent } from 'vs/base/browser/keyboardEvent';
 import { Button } from 'vs/base/browser/ui/button/button';
-@@ -58,7 +58,7 @@ import { IRecentFolder, IRecentWorkspace
+@@ -54,7 +54,7 @@ import { IRecentFolder, IRecentWorkspace
 import { OpenRecentAction } from 'vs/workbench/browser/actions/windowActions';
 import { OpenFileFolderAction, OpenFolderAction, OpenFolderViaWorkspaceAction } from 'vs/workbench/browser/actions/workspaceActions';
 import { EditorPane } from 'vs/workbench/browser/parts/editor/editorPane';
@@ -27,8 +27,8 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/bro
 +import { IsEnabledCoderGettingStarted, WorkbenchStateContext } from 'vs/workbench/common/contextkeys';
 import { IEditorOpenContext, IEditorSerializer } from 'vs/workbench/common/editor';
 import { IWebviewElement, IWebviewService } from 'vs/workbench/contrib/webview/browser/webview';
- import { IFeaturedExtensionsService } from 'vs/workbench/contrib/welcomeGettingStarted/browser/featuredExtensionService';
-@@ -793,6 +793,72 @@ export class GettingStartedPage extends
+ import 'vs/workbench/contrib/welcomeGettingStarted/browser/gettingStartedColors';
+@@ -816,6 +816,72 @@ export class GettingStartedPage extends
 			$('p.subtitle.description', {}, localize({ key: 'gettingStarted.editingEvolved', comment: ['Shown as subtitle on the Welcome page.'] }, "Editing evolved"))
 		);
 
@@ -101,7 +101,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/bro
 		const leftColumn = $('.categories-column.categories-column-left', {},);
 		const rightColumn = $('.categories-column.categories-column-right', {},);
 
-@@ -842,6 +908,9 @@ export class GettingStartedPage extends
+@@ -887,6 +953,9 @@ export class GettingStartedPage extends
 				recentList.setLimit(5);
 				reset(leftColumn, startList.getDomElement(), recentList.getDomElement());
 			}
@@ -110,7 +110,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/bro
 +			}
 		};
 
- 		featuredExtensionList.onDidChange(layoutFeaturedExtension);
+ 		gettingStartedList.onDidChange(layoutLists);
 Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/browser/media/gettingStarted.css
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/browser/media/gettingStarted.css
@@ -123,19 +123,19 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/welcomeGettingStarted/bro
 +	margin-bottom: 0.2em;
 +}
 +
-+.monaco-workbench .part.editor>.content .gettingStartedContainer .coder-coder {
+.monaco-workbench .part.editor > .content .gettingStartedContainer .coder-coder {
 +	font-size: 1em;
 +	margin-top: 0.2em;
 +}
 +
- .monaco-workbench.hc-black .part.editor>.content .gettingStartedContainer .subtitle,
- .monaco-workbench.hc-light .part.editor>.content .gettingStartedContainer .subtitle {
+ .monaco-workbench.hc-black .part.editor > .content .gettingStartedContainer .subtitle,
+ .monaco-workbench.hc-light .part.editor > .content .gettingStartedContainer .subtitle {
 	font-weight: 200;
 Index: code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.api.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
-@@ -291,6 +291,11 @@ export interface IWorkbenchConstructionO
+@@ -313,6 +313,11 @@ export interface IWorkbenchConstructionO
 	 */
 	readonly isEnabledFileUploads?: boolean
 
@@ -189,7 +189,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 
 	/* ----- server setup ----- */
 
-@@ -103,6 +104,7 @@ export interface ServerParsedArgs {
+@@ -105,6 +106,7 @@ export interface ServerParsedArgs {
 	'disable-file-downloads'?: boolean;
 	'disable-file-uploads'?: boolean;
 	'locale'?: string
@@ -201,7 +201,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -336,6 +336,7 @@ export class WebClientServer {
+@@ -339,6 +339,7 @@ export class WebClientServer {
 			userDataPath: this._environmentService.userDataPath,
 			isEnabledFileDownloads: !this._environmentService.args['disable-file-downloads'],
 			isEnabledFileUploads: !this._environmentService.args['disable-file-uploads'],
@@ -217,12 +217,12 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/contextkeys.ts
 import { Disposable } from 'vs/base/common/lifecycle';
 import { IContextKeyService, IContextKey, setConstant as setConstantContextKey } from 'vs/platform/contextkey/common/contextkey';
 import { InputFocusedContext, IsMacContext, IsLinuxContext, IsWindowsContext, IsWebContext, IsMacNativeContext, IsDevelopmentContext, IsIOSContext, ProductQualityContext, IsMobileContext } from 'vs/platform/contextkey/common/contextkeys';
-import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, EmbedderIdentifierContext, EditorTabsVisibleContext, IsCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, MainEditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, ActiveEditorCanToggleReadonlyContext, applyAvailableEditorIds, TitleBarVisibleContext, TitleBarStyleContext, MultipleEditorGroupsContext, IsAuxiliaryWindowFocusedContext, IsEnabledFileDownloads, IsEnabledFileUploads } from 'vs/workbench/common/contextkeys';
-+import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, EmbedderIdentifierContext, EditorTabsVisibleContext, IsCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, MainEditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, ActiveEditorCanToggleReadonlyContext, applyAvailableEditorIds, TitleBarVisibleContext, TitleBarStyleContext, MultipleEditorGroupsContext, IsAuxiliaryWindowFocusedContext, IsEnabledFileDownloads, IsEnabledFileUploads, IsEnabledCoderGettingStarted, } from 'vs/workbench/common/contextkeys';
+-import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, EmbedderIdentifierContext, EditorTabsVisibleContext, IsMainEditorCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, MainEditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsMainWindowFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, ActiveEditorCanToggleReadonlyContext, applyAvailableEditorIds, TitleBarVisibleContext, TitleBarStyleContext, MultipleEditorGroupsContext, IsAuxiliaryWindowFocusedContext, ActiveCompareEditorCanSwapContext, IsEnabledFileDownloads, IsEnabledFileUploads } from 'vs/workbench/common/contextkeys';
+import { SplitEditorsVertically, InEditorZenModeContext, ActiveEditorCanRevertContext, ActiveEditorGroupLockedContext, ActiveEditorCanSplitInGroupContext, SideBySideEditorActiveContext, AuxiliaryBarVisibleContext, SideBarVisibleContext, PanelAlignmentContext, PanelMaximizedContext, PanelVisibleContext, ActiveEditorContext, EditorsVisibleContext, TextCompareEditorVisibleContext, TextCompareEditorActiveContext, ActiveEditorGroupEmptyContext, EmbedderIdentifierContext, EditorTabsVisibleContext, IsMainEditorCenteredLayoutContext, ActiveEditorGroupIndexContext, ActiveEditorGroupLastContext, ActiveEditorReadonlyContext, MainEditorAreaVisibleContext, ActiveEditorAvailableEditorIdsContext, DirtyWorkingCopiesContext, EmptyWorkspaceSupportContext, EnterMultiRootWorkspaceSupportContext, HasWebFileSystemAccess, IsMainWindowFullscreenContext, OpenFolderWorkspaceSupportContext, RemoteNameContext, VirtualWorkspaceContext, WorkbenchStateContext, WorkspaceFolderCountContext, PanelPositionContext, TemporaryWorkspaceContext, ActiveEditorCanToggleReadonlyContext, applyAvailableEditorIds, TitleBarVisibleContext, TitleBarStyleContext, MultipleEditorGroupsContext, IsAuxiliaryWindowFocusedContext, ActiveCompareEditorCanSwapContext, IsEnabledFileDownloads, IsEnabledFileUploads, IsEnabledCoderGettingStarted, } from 'vs/workbench/common/contextkeys';
 import { TEXT_DIFF_EDITOR_ID, EditorInputCapabilities, SIDE_BY_SIDE_EDITOR_ID, EditorResourceAccessor, SideBySideEditor } from 'vs/workbench/common/editor';
 import { trackFocus, addDisposableListener, EventType, onDidRegisterWindow, getActiveWindow } from 'vs/base/browser/dom';
 import { preferredSideBySideGroupDirection, GroupDirection, IEditorGroupsService } from 'vs/workbench/services/editor/common/editorGroupsService';
-@@ -223,6 +223,7 @@ export class WorkbenchContextKeysHandler
+@@ -228,6 +228,7 @@ export class WorkbenchContextKeysHandler
 		// code-server
 		IsEnabledFileDownloads.bindTo(this.contextKeyService).set(this.environmentService.isEnabledFileDownloads ?? true)
 		IsEnabledFileUploads.bindTo(this.contextKeyService).set(this.environmentService.isEnabledFileUploads ?? true)
--- a/patches/integration.diff
+++ b/patches/integration.diff
@@ -184,7 +184,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/web.main.ts
 import { ITelemetryService } from 'vs/platform/telemetry/common/telemetry';
 import { IProgressService } from 'vs/platform/progress/common/progress';
 import { DelayedLogChannel } from 'vs/workbench/services/output/common/delayedLogChannel';
-@@ -130,6 +131,9 @@ export class BrowserMain extends Disposa
+@@ -131,6 +132,9 @@ export class BrowserMain extends Disposa
 		// Startup
 		const instantiationService = workbench.startup();
 
@@ -264,7 +264,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -306,6 +306,7 @@ export class WebClientServer {
+@@ -307,6 +307,7 @@ export class WebClientServer {
 		} : undefined;
 
 		const productConfiguration = <Partial<IProductConfiguration>>{
--- a/patches/keepalive.diff
+++ b/patches/keepalive.diff
@@ -0,0 +1,15 @@
+This can be removed after upgrading to Node >= 19 as keepAlive is defaulted to
+true after 19.
+
+Index: code-server/lib/vscode/src/vs/platform/request/node/proxy.ts
+===================================================================
+--- code-server.orig/lib/vscode/src/vs/platform/request/node/proxy.ts
+++ code-server/lib/vscode/src/vs/platform/request/node/proxy.ts
+@@ -42,6 +42,7 @@ export async function getProxyAgent(rawR
+ 		port: (proxyEndpoint.port ? +proxyEndpoint.port : 0) || (proxyEndpoint.protocol === 'https' ? 443 : 80),
+ 		auth: proxyEndpoint.auth,
+ 		rejectUnauthorized: isBoolean(options.strictSSL) ? options.strictSSL : true,
+		keepAlive: true,
+ 	};
+ 
+ 	return requestURL.protocol === 'http:'
--- a/patches/local-storage.diff
+++ b/patches/local-storage.diff
@@ -18,9 +18,9 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -327,6 +327,7 @@ export class WebClientServer {
- 		const workbenchWebConfiguration = {
+@@ -329,6 +329,7 @@ export class WebClientServer {
 			remoteAuthority,
+ 			serverBasePath: this._basePath,
 			webviewEndpoint: vscodeBase + this._staticRoute + '/out/vs/workbench/contrib/webview/browser/pre',
 +			userDataPath: this._environmentService.userDataPath,
 			_wrapWebWorkerExtHostInIframe,
@@ -30,7 +30,7 @@ Index: code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/browser/web.api.ts
 +++ code-server/lib/vscode/src/vs/workbench/browser/web.api.ts
-@@ -276,6 +276,11 @@ export interface IWorkbenchConstructionO
+@@ -298,6 +298,11 @@ export interface IWorkbenchConstructionO
 	 */
 	readonly configurationDefaults?: Record<string, any>;
 
--- a/patches/logout.diff
+++ b/patches/logout.diff
@@ -28,11 +28,11 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 
 	/* ----- server setup ----- */
 
-@@ -95,6 +96,7 @@ export const serverOptions: OptionDescri
+@@ -97,6 +98,7 @@ export const serverOptions: OptionDescri
 export interface ServerParsedArgs {
 	/* ----- code-server ----- */
 	'disable-update-check'?: boolean;
-+	'auth'?: string
+	'auth'?: string;
 
 	/* ----- server setup ----- */
 
@@ -40,7 +40,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -311,6 +311,7 @@ export class WebClientServer {
+@@ -312,6 +312,7 @@ export class WebClientServer {
 			codeServerVersion: this._productService.codeServerVersion,
 			rootEndpoint: base,
 			updateEndpoint: !this._environmentService.args['disable-update-check'] ? base + '/update/check' : undefined,
--- a/patches/marketplace.diff
+++ b/patches/marketplace.diff
@@ -40,8 +40,8 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -113,7 +113,7 @@ export class WebClientServer {
- 		const serverRootPath = getRemoteServerRootPath(_productService);
+@@ -114,7 +114,7 @@ export class WebClientServer {
+ 
 		this._staticRoute = `${serverRootPath}/static`;
 		this._callbackRoute = `${serverRootPath}/callback`;
 -		this._webExtensionRoute = `${serverRootPath}/web-extension-resource`;
@@ -49,7 +49,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 	}
 
 	/**
-@@ -311,14 +311,7 @@ export class WebClientServer {
+@@ -312,14 +312,7 @@ export class WebClientServer {
 			codeServerVersion: this._productService.codeServerVersion,
 			rootEndpoint: base,
 			embedderIdentifier: 'server-distro',
@@ -69,20 +69,16 @@ Index: code-server/lib/vscode/src/vs/platform/extensionResourceLoader/common/ext
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/extensionResourceLoader/common/extensionResourceLoader.ts
 +++ code-server/lib/vscode/src/vs/platform/extensionResourceLoader/common/extensionResourceLoader.ts
-@@ -16,7 +16,6 @@ import { getServiceMachineId } from 'vs/
- import { IStorageService } from 'vs/platform/storage/common/storage';
- import { TelemetryLevel } from 'vs/platform/telemetry/common/telemetry';
- import { getTelemetryLevel, supportsTelemetry } from 'vs/platform/telemetry/common/telemetryUtils';
-import { getRemoteServerRootPath } from 'vs/platform/remote/common/remoteHosts';
- import { TargetPlatform } from 'vs/platform/extensions/common/extensions';
+@@ -140,9 +140,9 @@ export abstract class AbstractExtensionR
+ 	}
 
- const WEB_EXTENSION_RESOURCE_END_POINT = 'web-extension-resource';
-@@ -77,7 +76,7 @@ export abstract class AbstractExtensionR
- 		private readonly _environmentService: IEnvironmentService,
- 		private readonly _configurationService: IConfigurationService,
- 	) {
-		this._webExtensionResourceEndPoint = `${getRemoteServerRootPath(_productService)}/${WEB_EXTENSION_RESOURCE_END_POINT}/`;
-+		this._webExtensionResourceEndPoint = `/${WEB_EXTENSION_RESOURCE_END_POINT}/`;
- 		if (_productService.extensionsGallery) {
- 			this._extensionGalleryResourceUrlTemplate = _productService.extensionsGallery.resourceUrlTemplate;
- 			this._extensionGalleryAuthority = this._extensionGalleryResourceUrlTemplate ? this._getExtensionGalleryAuthority(URI.parse(this._extensionGalleryResourceUrlTemplate)) : undefined;
+ 	protected _isWebExtensionResourceEndPoint(uri: URI): boolean {
+-		const uriPath = uri.path, serverRootPath = RemoteAuthorities.getServerRootPath();
+-		// test if the path starts with the server root path followed by the web extension resource end point segment
+-		return uriPath.startsWith(serverRootPath) && uriPath.startsWith(WEB_EXTENSION_RESOURCE_END_POINT_SEGMENT, serverRootPath.length);
+		const uriPath = uri.path;
+		// test if the path starts with the web extension resource end point segment
+		return uriPath.startsWith(WEB_EXTENSION_RESOURCE_END_POINT_SEGMENT);
+ 	}
+ 
+ }
--- a/patches/proxy-uri.diff
+++ b/patches/proxy-uri.diff
@@ -42,16 +42,16 @@ Index: code-server/lib/vscode/src/vs/platform/remote/browser/remoteAuthorityReso
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/remote/browser/remoteAuthorityResolverService.ts
 +++ code-server/lib/vscode/src/vs/platform/remote/browser/remoteAuthorityResolverService.ts
-@@ -34,7 +34,7 @@ export class RemoteAuthorityResolverServ
- 		isWorkbenchOptionsBasedResolution: boolean,
+@@ -35,7 +35,7 @@ export class RemoteAuthorityResolverServ
 		connectionToken: Promise<string> | string | undefined,
 		resourceUriProvider: ((uri: URI) => URI) | undefined,
+ 		serverBasePath: string | undefined,
 -		@IProductService productService: IProductService,
 +		@IProductService private readonly productService: IProductService,
 		@ILogService private readonly _logService: ILogService,
 	) {
 		super();
-@@ -85,9 +85,14 @@ export class RemoteAuthorityResolverServ
+@@ -86,9 +86,14 @@ export class RemoteAuthorityResolverServ
 		const connectionToken = await Promise.resolve(this._connectionTokens.get(authority) || this._connectionToken);
 		performance.mark(`code/didResolveConnectionToken/${authorityPrefix}`);
 		this._logService.info(`Resolved connection token (${authorityPrefix}) after ${sw.elapsed()} ms`);
@@ -71,7 +71,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -312,6 +312,7 @@ export class WebClientServer {
+@@ -313,6 +313,7 @@ export class WebClientServer {
 			rootEndpoint: base,
 			updateEndpoint: !this._environmentService.args['disable-update-check'] ? base + '/update/check' : undefined,
 			logoutEndpoint: this._environmentService.args['auth'] && this._environmentService.args['auth'] !== "none" ? base + '/logout' : undefined,
@@ -83,7 +83,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/terminal/common/terminalE
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/terminal/common/terminalEnvironment.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/terminal/common/terminalEnvironment.ts
-@@ -271,7 +271,7 @@ export async function createTerminalEnvi
+@@ -291,7 +291,7 @@ export async function createTerminalEnvi
 
 		// Sanitize the environment, removing any undesirable VS Code and Electron environment
 		// variables
@@ -148,9 +148,9 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/remote/browser/remoteExpl
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/remote/browser/remoteExplorer.ts
 +++ code-server/lib/vscode/src/vs/workbench/contrib/remote/browser/remoteExplorer.ts
-@@ -81,7 +81,7 @@ export class ForwardedPortsView extends
- 			this.contextKeyListener = undefined;
- 		}
+@@ -77,7 +77,7 @@ export class ForwardedPortsView extends
+ 	private async enableForwardedPortsView() {
+ 		this.contextKeyListener.clear();
 
 -		const viewEnabled: boolean = !!forwardedPortsViewEnabled.getValue(this.contextKeyService);
 +		const viewEnabled: boolean = true;
--- a/patches/series
+++ b/patches/series
@@ -19,3 +19,4 @@ display-language.diff
 cli-window-open.diff
 getting-started.diff
 safari.diff
+keepalive.diff
--- a/patches/service-worker.diff
+++ b/patches/service-worker.diff
@@ -54,7 +54,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -313,6 +313,10 @@ export class WebClientServer {
+@@ -314,6 +314,10 @@ export class WebClientServer {
 			updateEndpoint: !this._environmentService.args['disable-update-check'] ? base + '/update/check' : undefined,
 			logoutEndpoint: this._environmentService.args['auth'] && this._environmentService.args['auth'] !== "none" ? base + '/logout' : undefined,
 			proxyEndpointTemplate: process.env.VSCODE_PROXY_URI ?? base + '/proxy/{{port}}/',
--- a/patches/sourcemaps.diff
+++ b/patches/sourcemaps.diff
@@ -10,7 +10,7 @@ Index: code-server/lib/vscode/build/gulpfile.reh.js
 ===================================================================
 --- code-server.orig/lib/vscode/build/gulpfile.reh.js
 +++ code-server/lib/vscode/build/gulpfile.reh.js
-@@ -235,8 +235,7 @@ function packageTask(type, platform, arc
+@@ -236,8 +236,7 @@ function packageTask(type, platform, arc
 
 		const src = gulp.src(sourceFolderName + '/**', { base: '.' })
 			.pipe(rename(function (path) { path.dirname = path.dirname.replace(new RegExp('^' + sourceFolderName), 'out'); }))
@@ -20,7 +20,7 @@ Index: code-server/lib/vscode/build/gulpfile.reh.js
 
 		const workspaceExtensionPoints = ['debuggers', 'jsonValidation'];
 		const isUIExtension = (manifest) => {
-@@ -275,9 +274,9 @@ function packageTask(type, platform, arc
+@@ -276,9 +275,9 @@ function packageTask(type, platform, arc
 			.map(name => `.build/extensions/${name}/**`);
 
 		const extensions = gulp.src(extensionPaths, { base: '.build', dot: true });
@@ -32,7 +32,7 @@ Index: code-server/lib/vscode/build/gulpfile.reh.js
 
 		let version = packageJson.version;
 		const quality = product.quality;
-@@ -424,7 +423,7 @@ function tweakProductForServerWeb(produc
+@@ -439,7 +438,7 @@ function tweakProductForServerWeb(produc
 	const minifyTask = task.define(`minify-vscode-${type}`, task.series(
 		optimizeTask,
 		util.rimraf(`out-vscode-${type}-min`),
--- a/patches/store-socket.diff
+++ b/patches/store-socket.diff
@@ -97,7 +97,7 @@ Index: code-server/lib/vscode/src/vs/workbench/api/node/extensionHostProcess.ts
 import * as nativeWatchdog from 'native-watchdog';
 import * as net from 'net';
 import * as minimist from 'minimist';
-@@ -400,7 +401,28 @@ async function startExtensionHostProcess
+@@ -418,7 +419,28 @@ async function startExtensionHostProcess
 	);
 
 	// rewrite onTerminate-function to be a proper shutdown
--- a/patches/telemetry.diff
+++ b/patches/telemetry.diff
@@ -20,30 +20,47 @@ Index: code-server/lib/vscode/src/vs/server/node/serverServices.ts
 import { NullPolicyService } from 'vs/platform/policy/common/policy';
 import { OneDataSystemAppender } from 'vs/platform/telemetry/node/1dsAppender';
 import { LoggerService } from 'vs/platform/log/node/loggerService';
-@@ -149,7 +150,10 @@ export async function setupServerService
+@@ -146,11 +147,23 @@ export async function setupServerService
+ 	const requestService = new RequestService(configurationService, environmentService, logService, loggerService);
+ 	services.set(IRequestService, requestService);
+ 
+	let isContainer = undefined;
+	try {
+		await Promises.stat('/run/.containerenv');
+		isContainer = true;
+	} catch (error) { /* Does not exist, probably. */ }
+	if (!isContainer) {
+		try {
+			const content = await Promises.readFile('/proc/self/cgroup', 'utf8')
+			isContainer = content.includes('docker');
+		} catch (error) { /* Permission denied, probably. */ }
+	}
+
 	let oneDsAppender: ITelemetryAppender = NullAppender;
 	const isInternal = isInternalTelemetry(productService, configurationService);
 	if (supportsTelemetry(productService, environmentService)) {
 -		if (!isLoggingOnly(productService, environmentService) && productService.aiConfig?.ariaKey) {
-+		const telemetryEndpoint = process.env.CS_TELEMETRY_URL || "https://v1.telemetry.coder.com/track";
-+		if (telemetryEndpoint) {
-+			oneDsAppender = new OneDataSystemAppender(requestService, false, eventPrefix, null, () => new TelemetryClient(telemetryEndpoint));
-+		} else if (!isLoggingOnly(productService, environmentService) && productService.aiConfig?.ariaKey) {
- 			oneDsAppender = new OneDataSystemAppender(requestService, isInternal, eventPrefix, null, productService.aiConfig.ariaKey);
+-			oneDsAppender = new OneDataSystemAppender(requestService, isInternal, eventPrefix, null, productService.aiConfig.ariaKey);
+		if (!isLoggingOnly(productService, environmentService) && productService.telemetryEndpoint) {
+			oneDsAppender = new OneDataSystemAppender(requestService, isInternal, eventPrefix, null, () => new TelemetryClient(productService.telemetryEndpoint!, machineId, isContainer));
 			disposables.add(toDisposable(() => oneDsAppender?.flush())); // Ensure the AI appender is disposed so that it flushes remaining data
 		}
+ 
 Index: code-server/lib/vscode/src/vs/server/node/telemetryClient.ts
 ===================================================================
 --- /dev/null
 +++ code-server/lib/vscode/src/vs/server/node/telemetryClient.ts
-@@ -0,0 +1,49 @@
+@@ -0,0 +1,55 @@
 +import { AppInsightsCore, IExtendedTelemetryItem, ITelemetryItem } from '@microsoft/1ds-core-js';
 +import * as https from 'https';
 +import * as http from 'http';
 +import * as os from 'os';
 +
 +export class TelemetryClient extends AppInsightsCore {
-+	public constructor(private readonly endpoint: string) {
+	public constructor(
+		private readonly endpoint: string,
+		private readonly machineId: string,
+		private readonly isContainer: Boolean | undefined) {
 +		super();
 +	}
 +
@@ -73,6 +90,9 @@ Index: code-server/lib/vscode/src/vs/server/node/telemetryClient.ts
 +			options.properties['common.arch'] = os.arch();
 +		} catch (error) {}
 +
+		options.properties['common.remoteMachineId'] = this.machineId;
+		options.properties['common.isContainer'] = this.isContainer;
+
 +		try {
 +			const request = (/^http:/.test(this.endpoint) ? http : https).request(this.endpoint, {
 +				method: 'POST',
@@ -90,11 +110,38 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -317,6 +317,7 @@ export class WebClientServer {
+@@ -318,6 +318,8 @@ export class WebClientServer {
 				scope: vscodeBase + '/',
 				path: base + '/_static/out/browser/serviceWorker.js',
 			},
 +			enableTelemetry: this._productService.enableTelemetry,
+			telemetryEndpoint: this._productService.telemetryEndpoint,
 			embedderIdentifier: 'server-distro',
 			extensionsGallery: this._productService.extensionsGallery,
 		};
+Index: code-server/lib/vscode/src/vs/base/common/product.ts
+===================================================================
+--- code-server.orig/lib/vscode/src/vs/base/common/product.ts
+++ code-server/lib/vscode/src/vs/base/common/product.ts
+@@ -64,6 +64,7 @@ export interface IProductConfiguration {
+ 		readonly path: string;
+ 		readonly scope: string;
+ 	}
+	readonly telemetryEndpoint?: string
+ 
+ 	readonly version: string;
+ 	readonly date?: string;
+Index: code-server/lib/vscode/src/vs/platform/product/common/product.ts
+===================================================================
+--- code-server.orig/lib/vscode/src/vs/platform/product/common/product.ts
+++ code-server/lib/vscode/src/vs/platform/product/common/product.ts
+@@ -55,7 +55,8 @@ else if (globalThis._VSCODE_PRODUCT_JSON
+ 			resourceUrlTemplate: "https://open-vsx.org/vscode/asset/{publisher}/{name}/{version}/Microsoft.VisualStudio.Code.WebResources/{path}",
+ 			controlUrl: "",
+ 			recommendationsUrl: "",
+-		})
+		}),
+		telemetryEndpoint: env.CS_TELEMETRY_URL || product.telemetryEndpoint || "https://v1.telemetry.coder.com/track",
+ 	});
+ }
+ 
--- a/patches/update-check.diff
+++ b/patches/update-check.diff
@@ -105,7 +105,7 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -310,6 +310,7 @@ export class WebClientServer {
+@@ -311,6 +311,7 @@ export class WebClientServer {
 		const productConfiguration = <Partial<IProductConfiguration>>{
 			codeServerVersion: this._productService.codeServerVersion,
 			rootEndpoint: base,
@@ -126,7 +126,7 @@ Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
 
 	/* ----- server setup ----- */
 
-@@ -91,6 +93,8 @@ export const serverOptions: OptionDescri
+@@ -93,6 +95,8 @@ export const serverOptions: OptionDescri
 };
 
 export interface ServerParsedArgs {
--- a/patches/webview.diff
+++ b/patches/webview.diff
@@ -54,10 +54,10 @@ Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
 +++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
-@@ -323,6 +323,7 @@ export class WebClientServer {
- 
+@@ -325,6 +325,7 @@ export class WebClientServer {
 		const workbenchWebConfiguration = {
 			remoteAuthority,
+ 			serverBasePath: this._basePath,
 +			webviewEndpoint: vscodeBase + this._staticRoute + '/out/vs/workbench/contrib/webview/browser/pre',
 			_wrapWebWorkerExtHostInIframe,
 			developmentOptions: { enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined, logLevel: this._logService.getLevel() },
@@ -70,12 +70,12 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
 	<meta charset="UTF-8">
 
 	<meta http-equiv="Content-Security-Policy"
-		content="default-src 'none'; script-src 'sha256-frEVWVmmI4TWHGHXZaCTWqGQI9jv+i8hv+sOa87Gqlc=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
-+		content="default-src 'none'; script-src 'sha256-1BNp/IJ0Swu9k0gYe2BJz18zVYJ4emIdN3fjPgGScQI=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+-		content="default-src 'none'; script-src 'sha256-bQPwjO6bLiyf6v9eDVtAI67LrfonA1w49aFkRXBy4/g=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+		content="default-src 'none'; script-src 'sha256-R3BsSkqy7qFbvWSmwr7WqT1eg6Sq4zSe0uIlrUQ4EKE=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
 
 	<!-- Disable pinch zooming -->
 	<meta name="viewport"
-@@ -339,6 +339,12 @@
+@@ -344,6 +344,12 @@
 
 				const hostname = location.hostname;
 
@@ -92,7 +92,7 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index-no-csp.html
 +++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index-no-csp.html
-@@ -338,6 +338,12 @@
+@@ -343,6 +343,12 @@
 
 				const hostname = location.hostname;
 
--- a/src/node/cli.ts
+++ b/src/node/cli.ts
@@ -833,8 +833,8 @@ export interface CodeArgs extends UserProvidedCodeArgs {
  version: boolean
  "without-connection-token"?: boolean
  "without-browser-env-var"?: boolean
-  compatibility: string
-  log: string[] | undefined
+  compatibility?: string
+  log?: string[]
 }

 /**
@@ -843,15 +843,12 @@ export interface CodeArgs extends UserProvidedCodeArgs {
 export type SpawnCodeCli = (args: CodeArgs) => Promise<void>

 /**
- * Convert our arguments to VS Code server arguments.
+ * Convert our arguments to equivalent VS Code server arguments.
+ * Does not add any extra arguments.
 */
 export const toCodeArgs = async (args: DefaultedArgs): Promise<CodeArgs> => {
  return {
    ...args,
-    "accept-server-license-terms": true,
-    // This seems to be used to make the connection token flags optional (when
-    // set to 1.63) but we have always included them.
-    compatibility: "1.64",
    /** Type casting. */
    help: !!args.help,
    version: !!args.version,
--- a/src/node/http.ts
+++ b/src/node/http.ts
@@ -319,8 +319,8 @@ export const getCookieOptions = (req: express.Request): express.CookieOptions =>
  // URL of that page) and the relative path to the root as given to it by the
  // backend.  Using these two we can determine the true absolute root.
  const url = new URL(
-    req.query.base || req.body.base || "/",
-    req.query.href || req.body.href || "http://" + (req.headers.host || "localhost"),
+    req.query.base || req.body?.base || "/",
+    req.query.href || req.body?.href || "http://" + (req.headers.host || "localhost"),
  )
  return {
    domain: getCookieDomain(url.host, req.args["proxy-domain"]),
--- a/src/node/main.ts
+++ b/src/node/main.ts
@@ -52,11 +52,17 @@ export const runCodeCli = async (args: DefaultedArgs): Promise<void> => {

  try {
    await spawnCli(await toCodeArgs(args))
+    // Rather than have the caller handle errors and exit, spawnCli will exit
+    // itself.  Additionally, it does this on a timeout set to 0.  So, try
+    // waiting for VS Code to exit before giving up and doing it ourselves.
+    await new Promise((r) => setTimeout(r, 1000))
+    logger.warn("Code never exited")
+    process.exit(0)
  } catch (error: any) {
+    // spawnCli catches all errors, but just in case that changes.
    logger.error("Got error from Code", error)
+    process.exit(1)
  }
-
-  process.exit(0)
 }

 export const openInExistingInstance = async (args: DefaultedArgs, socketPath: string): Promise<void> => {
--- a/src/node/routes/domainProxy.ts
+++ b/src/node/routes/domainProxy.ts
@@ -53,7 +53,7 @@ const maybeProxy = (req: Request): string | undefined => {
  return undefined
 }

-router.all("*", async (req, res, next) => {
+router.all(/.*/, async (req, res, next) => {
  const port = maybeProxy(req)
  if (!port) {
    return next()
@@ -97,7 +97,7 @@ router.all("*", async (req, res, next) => {

 export const wsRouter = WsRouter()

-wsRouter.ws("*", async (req, _, next) => {
+wsRouter.ws(/.*/, async (req, _, next) => {
  const port = maybeProxy(req)
  if (!port) {
    return next()
--- a/src/node/routes/index.ts
+++ b/src/node/routes/index.ts
@@ -25,7 +25,7 @@ import * as login from "./login"
 import * as logout from "./logout"
 import * as pathProxy from "./pathProxy"
 import * as update from "./update"
-import { CodeServerRouteWrapper } from "./vscode"
+import * as vscode from "./vscode"

 /**
 * Register all routes and middleware.
@@ -109,21 +109,21 @@ export const register = async (app: App, args: DefaultedArgs): Promise<Disposabl
  app.router.use("/", domainProxy.router)
  app.wsRouter.use("/", domainProxy.wsRouter.router)

-  app.router.all("/proxy/(:port)(/*)?", async (req, res) => {
+  app.router.all("/proxy/:port/:path(.*)?", async (req, res) => {
    await pathProxy.proxy(req, res)
  })
-  app.wsRouter.get("/proxy/(:port)(/*)?", async (req) => {
+  app.wsRouter.get("/proxy/:port/:path(.*)?", async (req) => {
    await pathProxy.wsProxy(req as pluginapi.WebsocketRequest)
  })
  // These two routes pass through the path directly.
  // So the proxied app must be aware it is running
  // under /absproxy/<someport>/
-  app.router.all("/absproxy/(:port)(/*)?", async (req, res) => {
+  app.router.all("/absproxy/:port/:path(.*)?", async (req, res) => {
    await pathProxy.proxy(req, res, {
      passthroughPath: true,
    })
  })
-  app.wsRouter.get("/absproxy/(:port)(/*)?", async (req) => {
+  app.wsRouter.get("/absproxy/:port/:path(.*)?", async (req) => {
    await pathProxy.wsProxy(req as pluginapi.WebsocketRequest, {
      passthroughPath: true,
    })
@@ -170,12 +170,10 @@ export const register = async (app: App, args: DefaultedArgs): Promise<Disposabl

  app.router.use("/update", update.router)

-  const vsServerRouteHandler = new CodeServerRouteWrapper()
-
  // Note that the root route is replaced in Coder Enterprise by the plugin API.
  for (const routePrefix of ["/vscode", "/"]) {
-    app.router.use(routePrefix, vsServerRouteHandler.router)
-    app.wsRouter.use(routePrefix, vsServerRouteHandler.wsRouter)
+    app.router.use(routePrefix, vscode.router)
+    app.wsRouter.use(routePrefix, vscode.wsRouter.router)
  }

  app.router.use(() => {
@@ -188,6 +186,6 @@ export const register = async (app: App, args: DefaultedArgs): Promise<Disposabl
  return () => {
    heart.dispose()
    pluginApi?.dispose()
-    vsServerRouteHandler.dispose()
+    vscode.dispose()
  }
 }
--- a/src/node/routes/login.ts
+++ b/src/node/routes/login.ts
@@ -68,8 +68,8 @@ router.get("/", async (req, res) => {
  res.send(await getRoot(req))
 })

-router.post<{}, string, { password: string; base?: string }, { to?: string }>("/", async (req, res) => {
-  const password = sanitizeString(req.body.password)
+router.post<{}, string, { password?: string; base?: string } | undefined, { to?: string }>("/", async (req, res) => {
+  const password = sanitizeString(req.body?.password)
  const hashedPasswordFromArgs = req.args["hashed-password"]

  try {
--- a/src/node/routes/pathProxy.ts
+++ b/src/node/routes/pathProxy.ts
@@ -1,17 +1,14 @@
 import { Request, Response } from "express"
 import * as path from "path"
-import * as qs from "qs"
 import * as pluginapi from "../../../typings/pluginapi"
 import { HttpCode, HttpError } from "../../common/http"
 import { ensureProxyEnabled, authenticated, ensureAuthenticated, ensureOrigin, redirect, self } from "../http"
 import { proxy as _proxy } from "../proxy"

-const getProxyTarget = (req: Request, passthroughPath?: boolean): string => {
-  if (passthroughPath) {
-    return `http://0.0.0.0:${req.params.port}/${req.originalUrl}`
-  }
-  const query = qs.stringify(req.query)
-  return encodeURI(`http://0.0.0.0:${req.params.port}${req.params[0] || ""}${query ? `?${query}` : ""}`)
+const getProxyTarget = (req: Request): string => {
+  // If there is a base path, strip it out.
+  const base = (req as any).base || ""
+  return `http://0.0.0.0:${req.params.port}/${req.originalUrl.slice(base.length)}`
 }

 export async function proxy(
@@ -25,7 +22,7 @@ export async function proxy(

  if (!(await authenticated(req))) {
    // If visiting the root (/:port only) redirect to the login page.
-    if (!req.params[0] || req.params[0] === "/") {
+    if (!req.params.path || req.params.path === "/") {
      const to = self(req)
      return redirect(req, res, "login", {
        to: to !== "/" ? to : undefined,
@@ -34,15 +31,14 @@ export async function proxy(
    throw new HttpError("Unauthorized", HttpCode.Unauthorized)
  }

+  // The base is used for rewriting (redirects, target).
  if (!opts?.passthroughPath) {
-    // Absolute redirects need to be based on the subpath when rewriting.
-    // See proxy.ts.
    ;(req as any).base = req.path.split(path.sep).slice(0, 3).join(path.sep)
  }

  _proxy.web(req, res, {
    ignorePath: true,
-    target: getProxyTarget(req, opts?.passthroughPath),
+    target: getProxyTarget(req),
  })
 }

@@ -55,8 +51,14 @@ export async function wsProxy(
  ensureProxyEnabled(req)
  ensureOrigin(req)
  await ensureAuthenticated(req)
+
+  // The base is used for rewriting (redirects, target).
+  if (!opts?.passthroughPath) {
+    ;(req as any).base = req.path.split(path.sep).slice(0, 3).join(path.sep)
+  }
+
  _proxy.ws(req, req.ws, req.head, {
    ignorePath: true,
-    target: getProxyTarget(req, opts?.passthroughPath),
+    target: getProxyTarget(req),
  })
 }
--- a/src/node/routes/vscode.ts
+++ b/src/node/routes/vscode.ts
@@ -14,203 +14,190 @@ import { SocketProxyProvider } from "../socket"
 import { isFile, loadAMDModule } from "../util"
 import { Router as WsRouter } from "../wsRouter"

+export const router = express.Router()
+
+export const wsRouter = WsRouter()
+
 /**
- * This is the API of Code's web client server.  code-server delegates requests
- * to Code here.
+ * The API of VS Code's web client server.  code-server delegates requests to VS
+ * Code here.
+ *
+ * @see ../../../lib/vscode/src/vs/server/node/server.main.ts:72
 */
-export interface IServerAPI {
+export interface IVSCodeServerAPI {
  handleRequest(req: http.IncomingMessage, res: http.ServerResponse): Promise<void>
  handleUpgrade(req: http.IncomingMessage, socket: net.Socket): void
  handleServerError(err: Error): void
  dispose(): void
 }

-// Types for ../../../lib/vscode/src/vs/server/node/server.main.ts:72.
-export type CreateServer = (address: string | net.AddressInfo | null, args: CodeArgs) => Promise<IServerAPI>
+// See ../../../lib/vscode/src/vs/server/node/server.main.ts:72.
+export type CreateServer = (address: string | net.AddressInfo | null, args: CodeArgs) => Promise<IVSCodeServerAPI>

-export class CodeServerRouteWrapper {
-  /** Assigned in `ensureCodeServerLoaded` */
-  private _codeServerMain!: IServerAPI
-  private _wsRouterWrapper = WsRouter()
-  private _socketProxyProvider = new SocketProxyProvider()
-  public router = express.Router()
-  private mintKeyPromise: Promise<Buffer> | undefined
-
-  public get wsRouter() {
-    return this._wsRouterWrapper.router
-  }
-
-  //#region Route Handlers
-
-  private manifest: express.Handler = async (req, res, next) => {
-    const appName = req.args["app-name"] || "code-server"
-    res.writeHead(200, { "Content-Type": "application/manifest+json" })
-
-    return res.end(
-      replaceTemplates(
-        req,
-        JSON.stringify(
-          {
-            name: appName,
-            short_name: appName,
-            start_url: ".",
-            display: "fullscreen",
-            display_override: ["window-controls-overlay"],
-            description: "Run Code on a remote server.",
-            icons: [192, 512].map((size) => ({
-              src: `{{BASE}}/_static/src/browser/media/pwa-icon-${size}.png`,
-              type: "image/png",
-              sizes: `${size}x${size}`,
-            })),
-          },
-          null,
-          2,
-        ),
-      ),
-    )
-  }
-
-  private mintKey: express.Handler = async (req, res, next) => {
-    if (!this.mintKeyPromise) {
-      this.mintKeyPromise = new Promise(async (resolve) => {
-        const keyPath = path.join(req.args["user-data-dir"], "serve-web-key-half")
-        logger.debug(`Reading server web key half from ${keyPath}`)
-        try {
-          resolve(await fs.readFile(keyPath))
-          return
-        } catch (error: any) {
-          if (error.code !== "ENOENT") {
-            logError(logger, `read ${keyPath}`, error)
-          }
-        }
-        // VS Code wants 256 bits.
-        const key = crypto.randomBytes(32)
-        try {
-          await fs.writeFile(keyPath, key)
-        } catch (error: any) {
-          logError(logger, `write ${keyPath}`, error)
-        }
-        resolve(key)
-      })
-    }
-    const key = await this.mintKeyPromise
-    res.end(key)
-  }
-
-  private $root: express.Handler = async (req, res, next) => {
-    const isAuthenticated = await authenticated(req)
-    const NO_FOLDER_OR_WORKSPACE_QUERY = !req.query.folder && !req.query.workspace
-    // Ew means the workspace was closed so clear the last folder/workspace.
-    const FOLDER_OR_WORKSPACE_WAS_CLOSED = req.query.ew
-
-    if (!isAuthenticated) {
-      const to = self(req)
-      return redirect(req, res, "login", {
-        to: to !== "/" ? to : undefined,
-      })
-    }
-
-    if (NO_FOLDER_OR_WORKSPACE_QUERY && !FOLDER_OR_WORKSPACE_WAS_CLOSED) {
-      const settings = await req.settings.read()
-      const lastOpened = settings.query || {}
-      // This flag disables the last opened behavior
-      const IGNORE_LAST_OPENED = req.args["ignore-last-opened"]
-      const HAS_LAST_OPENED_FOLDER_OR_WORKSPACE = lastOpened.folder || lastOpened.workspace
-      const HAS_FOLDER_OR_WORKSPACE_FROM_CLI = req.args._.length > 0
-      const to = self(req)
-
-      let folder = undefined
-      let workspace = undefined
-
-      // Redirect to the last folder/workspace if nothing else is opened.
-      if (HAS_LAST_OPENED_FOLDER_OR_WORKSPACE && !IGNORE_LAST_OPENED) {
-        folder = lastOpened.folder
-        workspace = lastOpened.workspace
-      } else if (HAS_FOLDER_OR_WORKSPACE_FROM_CLI) {
-        const lastEntry = path.resolve(req.args._[req.args._.length - 1])
-        const entryIsFile = await isFile(lastEntry)
-        const IS_WORKSPACE_FILE = entryIsFile && path.extname(lastEntry) === ".code-workspace"
-
-        if (IS_WORKSPACE_FILE) {
-          workspace = lastEntry
-        } else if (!entryIsFile) {
-          folder = lastEntry
-        }
-      }
-
-      if (folder || workspace) {
-        return redirect(req, res, to, {
-          folder,
-          workspace,
-        })
-      }
-    }
-
-    // Store the query parameters so we can use them on the next load.  This
-    // also allows users to create functionality around query parameters.
-    await req.settings.write({ query: req.query })
-
-    next()
-  }
-
-  private $proxyRequest: express.Handler = async (req, res, next) => {
-    this._codeServerMain.handleRequest(req, res)
-  }
-
-  private $proxyWebsocket = async (req: WebsocketRequest) => {
-    const wrappedSocket = await this._socketProxyProvider.createProxy(req.ws)
-    // This should actually accept a duplex stream but it seems Code has not
-    // been updated to match the Node 16 types so cast for now.  There does not
-    // appear to be any code specific to sockets so this should be fine.
-    this._codeServerMain.handleUpgrade(req, wrappedSocket as net.Socket)
-
-    req.ws.resume()
-  }
-
-  //#endregion
-
-  /**
-   * Fetches a code server instance asynchronously to avoid an initial memory overhead.
-   */
-  private ensureCodeServerLoaded: express.Handler = async (req, _res, next) => {
-    if (this._codeServerMain) {
-      // Already loaded...
-      return next()
-    }
-
-    // Create the server...
-
-    const { args } = req
-
-    // See ../../../lib/vscode/src/vs/server/node/server.main.ts:72.
-    const createVSServer = await loadAMDModule<CreateServer>("vs/server/node/server.main", "createServer")
-
-    try {
-      this._codeServerMain = await createVSServer(null, {
-        ...(await toCodeArgs(args)),
-        "without-connection-token": true,
-      })
-    } catch (error) {
-      logError(logger, "CodeServerRouteWrapper", error)
-      if (isDevMode) {
-        return next(new Error((error instanceof Error ? error.message : error) + " (VS Code may still be compiling)"))
-      }
-      return next(error)
-    }
+// The VS Code server is dynamically loaded in when a request is made to this
+// router by `ensureCodeServerLoaded`.
+let vscodeServer: IVSCodeServerAPI | undefined

+/**
+ * Ensure the VS Code server is loaded.
+ */
+export const ensureVSCodeLoaded = async (
+  req: express.Request,
+  _: express.Response,
+  next: express.NextFunction,
+): Promise<void> => {
+  if (vscodeServer) {
    return next()
  }
-
-  constructor() {
-    this.router.get("/", this.ensureCodeServerLoaded, this.$root)
-    this.router.get("/manifest.json", this.manifest)
-    this.router.post("/mint-key", this.mintKey)
-    this.router.all("*", ensureAuthenticated, this.ensureCodeServerLoaded, this.$proxyRequest)
-    this._wsRouterWrapper.ws("*", ensureOrigin, ensureAuthenticated, this.ensureCodeServerLoaded, this.$proxyWebsocket)
-  }
-
-  dispose() {
-    this._codeServerMain?.dispose()
-    this._socketProxyProvider.stop()
+  // See ../../../lib/vscode/src/vs/server/node/server.main.ts:72.
+  const createVSServer = await loadAMDModule<CreateServer>("vs/server/node/server.main", "createServer")
+  try {
+    vscodeServer = await createVSServer(null, {
+      ...(await toCodeArgs(req.args)),
+      "accept-server-license-terms": true,
+      // This seems to be used to make the connection token flags optional (when
+      // set to 1.63) but we have always included them.
+      compatibility: "1.64",
+      "without-connection-token": true,
+    })
+  } catch (error) {
+    logError(logger, "CodeServerRouteWrapper", error)
+    if (isDevMode) {
+      return next(new Error((error instanceof Error ? error.message : error) + " (VS Code may still be compiling)"))
+    }
+    return next(error)
  }
+  return next()
+}
+
+router.get("/", ensureVSCodeLoaded, async (req, res, next) => {
+  const isAuthenticated = await authenticated(req)
+  const NO_FOLDER_OR_WORKSPACE_QUERY = !req.query.folder && !req.query.workspace
+  // Ew means the workspace was closed so clear the last folder/workspace.
+  const FOLDER_OR_WORKSPACE_WAS_CLOSED = req.query.ew
+
+  if (!isAuthenticated) {
+    const to = self(req)
+    return redirect(req, res, "login", {
+      to: to !== "/" ? to : undefined,
+    })
+  }
+
+  if (NO_FOLDER_OR_WORKSPACE_QUERY && !FOLDER_OR_WORKSPACE_WAS_CLOSED) {
+    const settings = await req.settings.read()
+    const lastOpened = settings.query || {}
+    // This flag disables the last opened behavior
+    const IGNORE_LAST_OPENED = req.args["ignore-last-opened"]
+    const HAS_LAST_OPENED_FOLDER_OR_WORKSPACE = lastOpened.folder || lastOpened.workspace
+    const HAS_FOLDER_OR_WORKSPACE_FROM_CLI = req.args._.length > 0
+    const to = self(req)
+
+    let folder = undefined
+    let workspace = undefined
+
+    // Redirect to the last folder/workspace if nothing else is opened.
+    if (HAS_LAST_OPENED_FOLDER_OR_WORKSPACE && !IGNORE_LAST_OPENED) {
+      folder = lastOpened.folder
+      workspace = lastOpened.workspace
+    } else if (HAS_FOLDER_OR_WORKSPACE_FROM_CLI) {
+      const lastEntry = path.resolve(req.args._[req.args._.length - 1])
+      const entryIsFile = await isFile(lastEntry)
+      const IS_WORKSPACE_FILE = entryIsFile && path.extname(lastEntry) === ".code-workspace"
+
+      if (IS_WORKSPACE_FILE) {
+        workspace = lastEntry
+      } else if (!entryIsFile) {
+        folder = lastEntry
+      }
+    }
+
+    if (folder || workspace) {
+      return redirect(req, res, to, {
+        folder,
+        workspace,
+      })
+    }
+  }
+
+  // Store the query parameters so we can use them on the next load.  This
+  // also allows users to create functionality around query parameters.
+  await req.settings.write({ query: req.query })
+
+  next()
+})
+
+router.get("/manifest.json", async (req, res) => {
+  const appName = req.args["app-name"] || "code-server"
+  res.writeHead(200, { "Content-Type": "application/manifest+json" })
+
+  return res.end(
+    replaceTemplates(
+      req,
+      JSON.stringify(
+        {
+          name: appName,
+          short_name: appName,
+          start_url: ".",
+          display: "fullscreen",
+          display_override: ["window-controls-overlay"],
+          description: "Run Code on a remote server.",
+          icons: [192, 512].map((size) => ({
+            src: `{{BASE}}/_static/src/browser/media/pwa-icon-${size}.png`,
+            type: "image/png",
+            sizes: `${size}x${size}`,
+          })),
+        },
+        null,
+        2,
+      ),
+    ),
+  )
+})
+
+let mintKeyPromise: Promise<Buffer> | undefined
+router.post("/mint-key", async (req, res) => {
+  if (!mintKeyPromise) {
+    mintKeyPromise = new Promise(async (resolve) => {
+      const keyPath = path.join(req.args["user-data-dir"], "serve-web-key-half")
+      logger.debug(`Reading server web key half from ${keyPath}`)
+      try {
+        resolve(await fs.readFile(keyPath))
+        return
+      } catch (error: any) {
+        if (error.code !== "ENOENT") {
+          logError(logger, `read ${keyPath}`, error)
+        }
+      }
+      // VS Code wants 256 bits.
+      const key = crypto.randomBytes(32)
+      try {
+        await fs.writeFile(keyPath, key)
+      } catch (error: any) {
+        logError(logger, `write ${keyPath}`, error)
+      }
+      resolve(key)
+    })
+  }
+  const key = await mintKeyPromise
+  res.end(key)
+})
+
+router.all(/.*/, ensureAuthenticated, ensureVSCodeLoaded, async (req, res) => {
+  vscodeServer!.handleRequest(req, res)
+})
+
+const socketProxyProvider = new SocketProxyProvider()
+wsRouter.ws(/.*/, ensureOrigin, ensureAuthenticated, ensureVSCodeLoaded, async (req: WebsocketRequest) => {
+  const wrappedSocket = await socketProxyProvider.createProxy(req.ws)
+  // This should actually accept a duplex stream but it seems Code has not
+  // been updated to match the Node 16 types so cast for now.  There does not
+  // appear to be any code specific to sockets so this should be fine.
+  vscodeServer!.handleUpgrade(req, wrappedSocket as net.Socket)
+
+  req.ws.resume()
+})
+
+export function dispose() {
+  vscodeServer?.dispose()
+  socketProxyProvider.stop()
 }
--- a/src/node/update.ts
+++ b/src/node/update.ts
@@ -105,6 +105,7 @@ export class UpdateProvider {
        logger.debug("Making request", field("uri", uri))
        const isHttps = uri.startsWith("https")
        const agent = new ProxyAgent({
+          keepAlive: true,
          getProxyForUrl: () => httpProxyUri || "",
        })
        const httpx = isHttps ? https : http
--- a/src/node/vscodeSocket.ts
+++ b/src/node/vscodeSocket.ts
@@ -20,11 +20,11 @@ export interface EditorSessionEntry {
 }

 interface DeleteSessionRequest {
-  socketPath: string
+  socketPath?: string
 }

 interface AddSessionRequest {
-  entry: EditorSessionEntry
+  entry?: EditorSessionEntry
 }

 interface GetSessionResponse {
@@ -40,37 +40,42 @@ export async function makeEditorSessionManagerServer(
  // eslint-disable-next-line import/no-named-as-default-member
  router.use(express.json())

-  router.get("/session", async (req, res) => {
-    const filePath = req.query.filePath as string
-    if (!filePath) {
-      res.status(HttpCode.BadRequest).send("filePath is required")
+  router.get<{}, GetSessionResponse | string | unknown, undefined, { filePath?: string }>(
+    "/session",
+    async (req, res) => {
+      const filePath = req.query.filePath
+      if (!filePath) {
+        res.status(HttpCode.BadRequest).send("filePath is required")
+        return
+      }
+      try {
+        const socketPath = await editorSessionManager.getConnectedSocketPath(filePath)
+        const response: GetSessionResponse = { socketPath }
+        res.json(response)
+      } catch (error: unknown) {
+        res.status(HttpCode.ServerError).send(error)
+      }
+    },
+  )
+
+  router.post<{}, string, AddSessionRequest | undefined>("/add-session", async (req, res) => {
+    const entry = req.body?.entry
+    if (!entry) {
+      res.status(400).send("entry is required")
      return
    }
-    try {
-      const socketPath = await editorSessionManager.getConnectedSocketPath(filePath)
-      const response: GetSessionResponse = { socketPath }
-      res.json(response)
-    } catch (error: unknown) {
-      res.status(HttpCode.ServerError).send(error)
-    }
+    editorSessionManager.addSession(entry)
+    res.status(200).send("session added")
  })

-  router.post("/add-session", async (req, res) => {
-    const request = req.body as AddSessionRequest
-    if (!request.entry) {
-      res.status(400).send("entry is required")
-    }
-    editorSessionManager.addSession(request.entry)
-    res.status(200).send()
-  })
-
-  router.post("/delete-session", async (req, res) => {
-    const request = req.body as DeleteSessionRequest
-    if (!request.socketPath) {
+  router.post<{}, string, DeleteSessionRequest | undefined>("/delete-session", async (req, res) => {
+    const socketPath = req.body?.socketPath
+    if (!socketPath) {
      res.status(400).send("socketPath is required")
+      return
    }
-    editorSessionManager.deleteSession(request.socketPath)
-    res.status(200).send()
+    editorSessionManager.deleteSession(socketPath)
+    res.status(200).send("session deleted")
  })

  const server = http.createServer(router)
--- a/test/integration/installExtension.test.ts
+++ b/test/integration/installExtension.test.ts
@@ -13,9 +13,10 @@ describe("--install-extension", () => {
  })
  it("should use EXTENSIONS_GALLERY when set", async () => {
    const extName = "author.extension"
-    const { stderr } = await runCodeServerCommand([...setupFlags, "--install-extension", extName], {
-      EXTENSIONS_GALLERY: "{}",
-    })
-    expect(stderr).toMatch("No extension gallery service configured")
+    await expect(
+      runCodeServerCommand([...setupFlags, "--install-extension", extName], {
+        EXTENSIONS_GALLERY: "{}",
+      }),
+    ).rejects.toThrow("No extension gallery service configured")
  })
 })
--- a/test/unit/node/cli.test.ts
+++ b/test/unit/node/cli.test.ts
@@ -912,8 +912,6 @@ cert: false`)
 describe("toCodeArgs", () => {
  const vscodeDefaults = {
    ...defaults,
-    "accept-server-license-terms": true,
-    compatibility: "1.64",
    help: false,
    port: "8080",
    version: false,
--- a/test/unit/node/proxy.test.ts
+++ b/test/unit/node/proxy.test.ts
@@ -199,7 +199,7 @@ describe("proxy", () => {
  })

  it("should proxy non-ASCII", async () => {
-    e.get("*", (req, res) => {
+    e.get(/.*/, (req, res) => {
      res.json("ほげ")
    })
    codeServer = await integration.setup(["--auth=none"], "")
@@ -208,6 +208,54 @@ describe("proxy", () => {
    const json = await resp.json()
    expect(json).toBe("ほげ")
  })
+
+  it("should not double-encode query variables", async () => {
+    const spy = jest.fn()
+    e.get(/.*/, (req, res) => {
+      spy([req.originalUrl, req.query])
+      res.end()
+    })
+    codeServer = await integration.setup(["--auth=none"], "")
+    for (const test of [
+      {
+        endpoint: proxyPath,
+        query: { foo: "bar with spaces" },
+        expected: "/wsup?foo=bar+with+spaces",
+      },
+      {
+        endpoint: absProxyPath,
+        query: { foo: "bar with spaces" },
+        expected: absProxyPath + "?foo=bar+with+spaces",
+      },
+      {
+        endpoint: proxyPath,
+        query: { foo: "with-&-ampersand" },
+        expected: "/wsup?foo=with-%26-ampersand",
+      },
+      {
+        endpoint: absProxyPath,
+        query: { foo: "with-&-ampersand" },
+        expected: absProxyPath + "?foo=with-%26-ampersand",
+      },
+      {
+        endpoint: absProxyPath,
+        query: { foo: "ほげ ほげ" },
+        expected: absProxyPath + "?foo=%E3%81%BB%E3%81%92+%E3%81%BB%E3%81%92",
+      },
+      {
+        endpoint: proxyPath,
+        query: { foo: "ほげ ほげ" },
+        expected: "/wsup?foo=%E3%81%BB%E3%81%92+%E3%81%BB%E3%81%92",
+      },
+    ]) {
+      spy.mockClear()
+      const resp = await codeServer.fetch(test.endpoint, undefined, test.query)
+      expect(resp.status).toBe(200)
+      await resp.text()
+      expect(spy).toHaveBeenCalledTimes(1)
+      expect(spy).toHaveBeenCalledWith([test.expected, test.query])
+    }
+  })
 })

 // NOTE@jsjoeio
--- a/test/unit/node/routes/login.test.ts
+++ b/test/unit/node/routes/login.test.ts
@@ -68,13 +68,10 @@ describe("login", () => {
      }
    })

-    it("should return HTML with 'Missing password' message", async () => {
+    it("should return 'Missing password' without body", async () => {
      const resp = await codeServer().fetch("/login", { method: "POST" })
-
-      expect(resp.status).toBe(200)
-
      const htmlContent = await resp.text()
-
+      expect(resp.status).toBe(200)
      expect(htmlContent).toContain("Missing password")
    })

--- a/test/yarn.lock
+++ b/test/yarn.lock
@@ -1906,9 +1906,9 @@ inherits@2, inherits@^2.0.3:
  integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==

 ip@^1.1.5:
-  version "1.1.5"
-  resolved "https://registry.yarnpkg.com/ip/-/ip-1.1.5.tgz#bdded70114290828c0a039e72ef25f5aaec4354a"
-  integrity sha1-vd7XARQpCCjAoDnnLvJfWq7ENUo=
+  version "1.1.9"
+  resolved "https://registry.yarnpkg.com/ip/-/ip-1.1.9.tgz#8dfbcc99a754d07f425310b86a99546b1151e396"
+  integrity sha512-cyRxvOEpNHNtchU3Ln9KC/auJgup87llfQpQ+t5ghoC/UhL16SWzbueiCsdTnWmqAWl7LadfuwhlqmtOaqMHdQ==

 is-core-module@^2.8.0:
  version "2.8.1"
@@ -2626,6 +2626,11 @@ minipass@^3.0.0:
  dependencies:
    yallist "^4.0.0"

+minipass@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/minipass/-/minipass-5.0.0.tgz#3e9788ffb90b694a5d0ec94479a45b5d8738133d"
+  integrity sha512-3FnjYuehv9k6ovOEbyOswadCDPX1piCfhV8ncmYtHOjuPwylVWsghTLo7rabjC3Rx5xD4HDx8Wm1xnMF7S5qFQ==
+
 minizlib@^2.1.1:
  version "2.1.2"
  resolved "https://registry.yarnpkg.com/minizlib/-/minizlib-2.1.2.tgz#e90d3466ba209b932451508a11ce3d3632145931"
@@ -3293,13 +3298,13 @@ symbol-tree@^3.2.4:
  integrity sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw==

 tar@^6.1.11, tar@^6.1.9:
-  version "6.1.11"
-  resolved "https://registry.yarnpkg.com/tar/-/tar-6.1.11.tgz#6760a38f003afa1b2ffd0ffe9e9abbd0eab3d621"
-  integrity sha512-an/KZQzQUkZCkuoAA64hM92X0Urb6VpRhAFllDzz44U2mcD5scmT3zBc4VgVpkugF580+DQn8eAFSyoQt0tznA==
+  version "6.2.1"
+  resolved "https://registry.yarnpkg.com/tar/-/tar-6.2.1.tgz#717549c541bc3c2af15751bea94b1dd068d4b03a"
+  integrity sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==
  dependencies:
    chownr "^2.0.0"
    fs-minipass "^2.0.0"
-    minipass "^3.0.0"
+    minipass "^5.0.0"
    minizlib "^2.1.1"
    mkdirp "^1.0.3"
    yallist "^4.0.0"
--- a/yarn.lock
+++ b/yarn.lock
@@ -1 +1 @@
 .15.0
 .18.2