mirror of https://github.com/zed-industries/zed.git synced 2026-05-31 19:05:00 +07:00

Code at the speed of thought – Zed is a high-performance, multiplayer code editor from the creators of Atom and Tree-sitter.

gpui rust-lang text-editor zed

Find a file

renovate[bot] e2e7a6769e Some checks are pending Congratsbot / check-author (push) Waiting to run Details Congratsbot / congrats (push) Blocked by required conditions Details run_tests / orchestrate (push) Waiting to run Details run_tests / check_style (push) Waiting to run Details run_tests / clippy_windows (push) Blocked by required conditions Details deploy_nightly_docs / deploy_docs (push) Has been skipped Details run_tests / clippy_linux (push) Blocked by required conditions Details run_tests / clippy_mac (push) Blocked by required conditions Details run_tests / clippy_mac_x86_64 (push) Blocked by required conditions Details run_tests / run_tests_windows (push) Blocked by required conditions Details run_tests / run_tests_linux (push) Blocked by required conditions Details run_tests / run_tests_mac (push) Blocked by required conditions Details run_tests / miri_scheduler (push) Blocked by required conditions Details run_tests / doctests (push) Blocked by required conditions Details run_tests / check_workspace_binaries (push) Blocked by required conditions Details run_tests / build_visual_tests_binary (push) Blocked by required conditions Details run_tests / check_wasm (push) Blocked by required conditions Details run_tests / check_dependencies (push) Blocked by required conditions Details run_tests / check_docs (push) Blocked by required conditions Details run_tests / check_licenses (push) Blocked by required conditions Details run_tests / check_scripts (push) Blocked by required conditions Details run_tests / check_postgres_and_protobuf_migrations (push) Blocked by required conditions Details run_tests / extension_tests (push) Blocked by required conditions Details run_tests / tests_pass (push) Blocked by required conditions Details Update dependency requests to v2.33.0 [SECURITY] (#58093 ) This PR contains the following updates: \| Package \| Change \| [Age](https://docs.renovatebot.com/merge-confidence/) \| [Confidence](https://docs.renovatebot.com/merge-confidence/) \| \|---\|---\|---\|---\| \| [requests](https://redirect.github.com/psf/requests) ([changelog](https://redirect.github.com/psf/requests/blob/master/HISTORY.md)) \| `2.32.3` → `2.33.0` \| ![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.33.0?slim=true) \| ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.32.3/2.33.0?slim=true) \| --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/15138) for more information. --- ### Requests vulnerable to .netrc credentials leak via malicious URLs [CVE-2024-47081](https://nvd.nist.gov/vuln/detail/CVE-2024-47081) / [GHSA-9hjg-9r4m-mvj7](https://redirect.github.com/advisories/GHSA-9hjg-9r4m-mvj7) <details> <summary>More information</summary> #### Details ##### Impact Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. ##### Workarounds For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)). ##### References [https://github.com/psf/requests/pull/6965](https://redirect.github.com/psf/requests/pull/6965) https://seclists.org/fulldisclosure/2025/Jun/2 #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N` #### References - [https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7](https://redirect.github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7) - [https://nvd.nist.gov/vuln/detail/CVE-2024-47081](https://nvd.nist.gov/vuln/detail/CVE-2024-47081) - [https://github.com/psf/requests/pull/6965](https://redirect.github.com/psf/requests/pull/6965) - [`96ba401c12`) - [https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env) - [https://seclists.org/fulldisclosure/2025/Jun/2](https://seclists.org/fulldisclosure/2025/Jun/2) - [http://seclists.org/fulldisclosure/2025/Jun/2](http://seclists.org/fulldisclosure/2025/Jun/2) - [http://www.openwall.com/lists/oss-security/2025/06/03/11](http://www.openwall.com/lists/oss-security/2025/06/03/11) - [http://www.openwall.com/lists/oss-security/2025/06/03/9](http://www.openwall.com/lists/oss-security/2025/06/03/9) - [http://www.openwall.com/lists/oss-security/2025/06/04/1](http://www.openwall.com/lists/oss-security/2025/06/04/1) - [http://www.openwall.com/lists/oss-security/2025/06/04/6](http://www.openwall.com/lists/oss-security/2025/06/04/6) - [https://github.com/advisories/GHSA-9hjg-9r4m-mvj7](https://redirect.github.com/advisories/GHSA-9hjg-9r4m-mvj7) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-9hjg-9r4m-mvj7) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function [CVE-2026-25645](https://nvd.nist.gov/vuln/detail/CVE-2026-25645) / [GHSA-gc5v-m9x4-r6x2](https://redirect.github.com/advisories/GHSA-gc5v-m9x4-r6x2) <details> <summary>More information</summary> #### Details ##### Impact The `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. ##### Affected usages Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. ##### Remediation Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access. #### Severity - CVSS Score: 4.4 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N` #### References - [https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2](https://redirect.github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2) - [`66d21cb07b`) - [https://github.com/psf/requests/releases/tag/v2.33.0](https://redirect.github.com/psf/requests/releases/tag/v2.33.0) - [https://nvd.nist.gov/vuln/detail/CVE-2026-25645](https://nvd.nist.gov/vuln/detail/CVE-2026-25645) - [https://github.com/advisories/GHSA-gc5v-m9x4-r6x2](https://redirect.github.com/advisories/GHSA-gc5v-m9x4-r6x2) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-gc5v-m9x4-r6x2) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>psf/requests (requests)</summary> ### [`v2.33.0`](https://redirect.github.com/psf/requests/blob/HEAD/HISTORY.md#2330-2026-03-25) [Compare Source](https://redirect.github.com/psf/requests/compare/v2.32.5...v2.33.0) Announcements - 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at [#7271](https://redirect.github.com/psf/requests/issues/7271). Give it a try, and report any gaps or feedback you may have in the issue. 📣 Security - CVE-2026-25645 `requests.utils.extract_zipped_paths` now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly. Improvements - Migrated to a PEP 517 build system using setuptools. ([#7012](https://redirect.github.com/psf/requests/issues/7012)) Bugfixes - Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. ([#7205](https://redirect.github.com/psf/requests/issues/7205)) Deprecations - Dropped support for Python 3.9 following its end of support. ([#7196](https://redirect.github.com/psf/requests/issues/7196)) Documentation - Various typo fixes and doc improvements. ### [`v2.32.5`](https://redirect.github.com/psf/requests/blob/HEAD/HISTORY.md#2325-2025-08-18) [Compare Source](https://redirect.github.com/psf/requests/compare/v2.32.4...v2.32.5) Bugfixes - The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration. Deprecations - Added support for Python 3.14. - Dropped support for Python 3.8 following its end of support. ### [`v2.32.4`](https://redirect.github.com/psf/requests/blob/HEAD/HISTORY.md#2324-2025-06-10) [Compare Source](https://redirect.github.com/psf/requests/compare/v2.32.3...v2.32.4) Security - CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. Improvements - Numerous documentation improvements Deprecations - Added support for pypy 3.11 for Linux and macOS. - Dropped support for pypy 3.9 following its end of support. </details> --- ### Configuration 📅 Schedule: (in timezone America/New_York) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- Release Notes: - N/A <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIwMi4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>		2026-05-29 20:29:38 +00:00
.agents/skills	Add zed-cherry-pick agent skill (#57833 )	2026-05-27 19:46:15 +00:00
.cargo	livekit: Use our build of libwebrtc.a (#51433 )	2026-03-16 10:47:36 +01:00
.cloudflare	Staged docs releases (#50136 )	2026-04-30 11:10:14 +00:00
.config	Increase timeout for `test_random_blocks` (#50724 )	2026-03-04 12:25:12 -05:00
.factory	Add humanizer skill for AI writing pattern detection (#50021 )	2026-02-24 14:58:52 -06:00
.github	Remove rules library (#58067 )	2026-05-29 11:59:18 +00:00
.zed	agent: Remove old edit file tool (#55612 )	2026-05-04 09:54:39 +00:00
assets	Remove rules library (#58067 )	2026-05-29 11:59:18 +00:00
ci	Move Nightly release to gh-workflow (#41349 )	2025-10-28 13:57:23 -06:00
crates	git_ui: Open file diffs from git panel (#56152 )	2026-05-29 19:43:26 +00:00
docs	Add skill share linking (#58009 )	2026-05-28 23:04:44 +00:00
extensions	docs: Fix typo in `EXTRACTION.md` (#55106 )	2026-04-28 19:18:44 +00:00
legal	Relicense Zed source code under GPL (#57948 )	2026-05-28 20:19:17 +00:00
nix	nix: Go around a linker issue on Darwin (#58070 )	2026-05-29 12:22:37 +00:00
script	Update dependency requests to v2.33.0 [SECURITY] (#58093 )	2026-05-29 20:29:38 +00:00
tooling	ci: Reinstate run-nix label in addition to run-bundling (#58034 )	2026-05-29 06:01:22 +00:00
.git-blame-ignore-revs	Add PR 50413 to `.git-blame-ignore-revs` (#50421 )	2026-03-01 00:50:33 +01:00
.gitattributes	windows: Make sure `zed.sh` using the correct line ending (#37650 )	2025-09-05 16:25:55 +00:00
.gitignore	gpui: Accesskit support (#56065 )	2026-05-27 18:17:59 +00:00
.mailmap	Update .mailmap (#47413 )	2026-01-22 23:57:26 +05:30
.prettierrc	ci: Add check for formatting `default.json` (#30034 )	2025-05-06 18:55:26 +00:00
.rules	Update AI rules to reflect that `AsyncApp` updates are now infallible (#54818 )	2026-04-24 19:04:32 +00:00
AGENTS.md	ai: Symlink an `AGENTS.md` file to `.rules` (#45939 )	2026-01-19 15:29:42 +01:00
Cargo.lock	agent_ui: Remove unused rule APIs (#58080 )	2026-05-29 15:27:28 +00:00
Cargo.toml	Enable gain normalization on collab (#58036 )	2026-05-29 15:21:53 +00:00
CLAUDE.md	Initial `.rules` file for agent with symlinks for other rules file paths (#29014 )	2025-04-17 23:41:23 +00:00
clippy.toml	Revert "Revert scheduler update (#46659 )" (#46671 )	2026-01-14 07:19:13 +00:00
CODE_OF_CONDUCT.md	Remove community content from docs and point to zed.dev (#19895 )	2024-10-29 09:44:58 -04:00
compose.yml	Remove Postgres and `stripe-mock` from Docker Compose (#48313 )	2026-02-04 03:42:58 +00:00
CONTRIBUTING.md	Add Zed Feature Process document (#50747 )	2026-03-06 14:14:53 -08:00
debug.plist	WIP	2023-12-14 09:25:14 -07:00
default.nix	nix: Use flake-parts, partitions, and treefmt-nix (#45321 )	2026-02-02 14:26:42 +00:00
Dockerfile-collab	Bump Rust version to 1.94 (#51086 )	2026-03-30 09:06:59 +00:00
Dockerfile-collab.dockerignore	ci: Move collab to Dockerfile-collab (#18515 )	2024-09-30 16:14:26 -04:00
Dockerfile-cross.dockerignore	Add remote server cross compilation (#19136 )	2024-10-12 23:23:56 -07:00
Dockerfile-distros	Removal of mold/wild scripts and mentions in docs (#53078 )	2026-04-08 21:20:02 +03:00
Dockerfile-distros.dockerignore	Support More Linux (#18480 )	2024-09-30 17:46:21 -04:00
flake.lock	Rust 1.95 (#55104 )	2026-04-29 10:27:47 +00:00
flake.nix	ci: Remove garnix substitutor (#58033 )	2026-05-29 05:56:42 +00:00
GEMINI.md	Add missing `GEMINI.md` rule file for `gemini-cli` (#38885 )	2025-10-02 09:47:29 -04:00
LICENSE-APACHE	Update license year (#24191 )	2025-02-04 09:02:59 -05:00
LICENSE-GPL	Licenses: change license fields in Cargo.toml to AGPL-3.0-or-later. (#5535 )	2024-01-27 13:51:16 +01:00
livekit.yaml	Add LiveKit server to Docker Compose (#7907 )	2024-02-16 10:49:48 -05:00
lychee.toml	ci: Check for broken links (#30844 )	2025-06-06 09:39:35 +00:00
Procfile	Update instructions for local collaboration (#35689 )	2025-08-06 11:10:28 -07:00
Procfile.all	Add agent thread sharing (#46140 )	2026-01-06 12:49:51 -08:00
Procfile.web	Remove PostgREST (#41299 )	2025-10-27 13:27:59 -04:00
README.md	Relicense Zed source code under GPL (#57948 )	2026-05-28 20:19:17 +00:00
renovate.json	Remove workspace-hack (#40216 )	2025-10-17 18:58:14 +00:00
REVIEWERS.conl	Remove past reviewer (#51767 )	2026-03-17 16:34:35 +00:00
rust-toolchain.toml	Rust 1.95 (#55104 )	2026-04-29 10:27:47 +00:00
rustfmt.toml	nix: Use flake-parts, partitions, and treefmt-nix (#45321 )	2026-02-02 14:26:42 +00:00
shell.nix	nix: Use flake-parts, partitions, and treefmt-nix (#45321 )	2026-02-02 14:26:42 +00:00
typos.toml	markdown: Merman (#57644 )	2026-05-27 16:27:18 +00:00

README.md

Zed

Welcome to Zed, a high-performance, multiplayer code editor from the creators of Atom and Tree-sitter.

Installation

On macOS, Linux, and Windows you can download Zed directly or install Zed via your local package manager (macOS/Linux/Windows).

Other platforms are not yet available:

Web (tracking discussion)

Developing Zed

Contributing

See CONTRIBUTING.md for ways you can contribute to Zed.

Also... we're hiring! Check out our jobs page for open roles.

Licensing

Zed source code is licensed primarily under GPL-3.0-or-later, with Apache-2.0 components where marked.

License information for third party dependencies must be correctly provided for CI to pass.

We use cargo-about to automatically comply with open source licenses. If CI is failing, check the following:

Is it showing a no license specified error for a crate you've created? If so, add publish = false under [package] in your crate's Cargo.toml.
Is the error failed to satisfy license requirements for a dependency? If so, first determine what license the project has and whether this system is sufficient to comply with this license's requirements. If you're unsure, ask a lawyer. Once you've verified that this system is acceptable add the license's SPDX identifier to the accepted array in script/licenses/zed-licenses.toml.
Is cargo-about unable to find the license for a dependency? If so, add a clarification field at the end of script/licenses/zed-licenses.toml, as specified in the cargo-about book.

Sponsorship

Zed is developed by Zed Industries, Inc., a for-profit company.

If you’d like to financially support the project, you can do so via GitHub Sponsors. Sponsorships go directly to Zed Industries and are used as general company revenue. There are no perks or entitlements associated with sponsorship.

README.md Unescape Escape

Zed