Skip to content

Merge master into feature/LSP-alpha#8715

Open
aws-toolkit-automation wants to merge 290 commits into
feature/LSP-alphafrom
autoMerge/feature/LSP-alpha
Open

Merge master into feature/LSP-alpha#8715
aws-toolkit-automation wants to merge 290 commits into
feature/LSP-alphafrom
autoMerge/feature/LSP-alpha

Conversation

@aws-toolkit-automation

Copy link
Copy Markdown
Collaborator

Automatic merge failed

  • Resolve conflicts and push to this PR branch.
  • Do not squash-merge this PR. Use the "Create a merge commit" option to do a regular merge.

Command line hint

To perform the merge from the command line, you could do something like the following (where "origin" is the name of the remote in your local git repo):

git stash
git fetch --all
git checkout origin/feature/LSP-alpha
git merge origin/master
git commit
git push origin HEAD:refs/heads/autoMerge/feature/LSP-alpha

aws-toolkit-automation and others added 30 commits March 23, 2026 12:12
## Problem
- The HyperPod reconnection system (HyperpodReconnectionManager,
HyperpodConnectionMonitor, getHyperpodSession route) added complexity
and reliability issues that blocked a stable Cursor release.
Additionally, when a SageMaker space is disconnected/stopped, Cursor's
remote-SSH extension retries the connection indefinitely — each failed
attempt opens a browser error page, resulting in a flood of popup
windows.

## Solution
- Removed the HyperPod reconnection layer (HyperpodReconnectionManager,
HyperpodConnectionMonitor, getHyperpodSession route) in favor of using
the existing SageMaker connection flow with presigned URLs
- Refactored prepareDevEnvConnection to use an options object instead of
15+ positional parameters
- Consolidated duplicated code: parseArn, WriteQueue, removeKnownHost,
SSH hostname sanitization
- Added Cursor IDE detection (getIdeType) and IDE-specific SSH prefix
(smc_)
- Added server-side retry cap (max 8 attempts) on the /get_session route
to suppress browser popup storms during Cursor's unlimited SSH
reconnection retries
- Generalized the macOS IDE process detection pattern to support future
VS Code forks without code changes

## Testing
- Local testing with vsix on both VS Code and Cursor
- Verified side panel (lc) and deeplink (dl) connection paths
- Confirmed retry cap suppresses popups after 8 attempts while allowing
recovery on successful reconnection
- Tested on macOS and Win11
---

- Treat all work as PUBLIC. Private `feature/x` branches will not be
squash-merged at release time.
- Your code changes must meet the guidelines in
[CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines).
- License: I confirm that my contribution is made under the terms of the
Apache 2.0 license.

---------

Co-authored-by: Laxman Reddy <141967714+laileni-aws@users.noreply.github.com>
## Problem
- detected issue in smus deeplink where it would get stuck in "opening"
the remote window and eventually crash after timeout
- deeplink URL lacked a URL encoding which allowed query param
cell-number (base64-encoded SSM session token) to convert from spec char
'+' to spaces when re-appended to web socket url. this caused mismatch >
corrupted token

## Solution
- wrap cell-number with encodeURIComponent() which will keep spec char
as is after re-appending

## Testing
- Locally tested with vsix
- Confirmed with SMUS

---

- Treat all work as PUBLIC. Private `feature/x` branches will not be
squash-merged at release time.
- Your code changes must meet the guidelines in
[CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines).
- License: I confirm that my contribution is made under the terms of the
Apache 2.0 license.
…etIdeInfo from skipped Cursor IDE commit"

This reverts commit 5cf95ee.
VS Code's URI parser can decode percent-encoded separators (%26)
inside the ws_url parameter value, causing embedded query params
to break out as top-level params and displacing the session param.

Add a fallback in parseConnectParams that extracts the session ID
from the ws_url data-channel path when session is missing from the
query params.
aws-ajangg and others added 30 commits June 16, 2026 11:22
…8809)

A fresh AWS Toolkit install showed a notification suggesting to install
Amazon Q ("Try Amazon Q, a generative AI assistant, with chat and code
suggestions."). Per the Amazon Q Developer end-of-support announcement
(new signups end 2026-05-15, end of support 2027-04-30), remove the prompt.

Removes handleAmazonQInstall() and its call site in activate(), plus the
now-unused ExtStartUpSources, VSCODE_EXTENSION_ID, and isExtensionInstalled
imports. The Amazon Q explorer tree nodes are intentionally left unchanged
(separate UI surface, out of scope for this issue).
…n-q-install-prompt

fix(amazonq): remove "Try Amazon Q" install prompt from AWS Toolkit (#8809)
Problem:
The getAsTable() function renders Redshift query results (column names,
cell values, and connection params) directly into HTML without encoding.
An attacker with INSERT privileges on a shared Redshift table can inject
JavaScript that executes when another user queries the table from a
Redshift SQL Notebook (CWE-79, stored XSS to RCE).

Solution:
- Strengthen the shared encodeHTML() utility in textUtilities.ts to also
  encode &, ", and ' (previously only < and >).
- Use encodeHTML() in getAsTable() for all dynamic values interpolated
  into the HTML output.
fix(redshift): sanitize HTML in notebook query results
…nput, which could lead to unintentional path traversal outside the expected directory
fix: Audit codebase and fix uses of path.join with unsanitized user input
ci: fix Windows build by upgrading node-gyp for Visual Studio 2026
Add changelog entry for path traversal validation fix
…try-account-id

fix(sagemaker): update metrics for Jorus dashboard
build(amazonq): merge release candidate version rc-20260624
## Problem

Users are unable to utilise a customised self-hosted ide-specific threat
composer deployment within vs-code unless within a private network with
customised dns resolution, due to the hardcoded URL for the
ide-threat-composer editor resources.

Benefit of leveraging a self-hosted deployment of threat composer is
users can include customised threat/mitigation packs - outlined
[here](https://github.com/awslabs/threat-composer/blob/main/docs/WEB-APP.md#customising-reference-data-in-your-build).

## Solution

Added a configurable VS-Code setting `aws.threatComposer.cdn` that
allows users to override the default `cdn` value
'https://ide-toolkits.threat-composer.aws.dev'.

## Testing

Change is minimal: 2 files changed

## Caveats

Does require the users self-hosted version to update the content
security policy in their deployment of the ide variant of
[threat-composesr](https://github.com/awslabs/threat-composer) but that
seems a reasonable expectation.

```bash
sed -i -e `s|https://ide-toolkits.threat-composer.aws.dev|<cdn>/|g` ./threat-composer/packages/threat-composer/public/index.html
sed -i -e `s|data:|data: <cdn>/|g` ./threat-composer/packages/threat-composer/public/index.html
```

---

- Treat all work as PUBLIC. Private `feature/x` branches will not be
squash-merged at release time.
- Your code changes must meet the guidelines in
[CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines).
- License: I confirm that my contribution is made under the terms of the
Apache 2.0 license.
The type annotation used 'configurationChangeEvent' (lowercase c) instead
of the correct 'ConfigurationChangeEvent' (uppercase C), causing TS2724
compilation errors across all CI checks. Also fixes prettier formatting
issues introduced in the same commit.
fix(threatcomposer): fix ConfigurationChangeEvent type casing
feat(sagemaker): Added the validation for refresh url and updated the uri handler
build(amazonq): merge release candidate version rc-20260701
feat(cloudformation): Update how cloudformation lsp determines clientId
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.