chore(deps): bump the coder-image group across 2 directories with 1 update

[dependabot]

Bumps the coder-image group with 1 update in the /heroku directory: coder/coder.
Bumps the coder-image group with 1 update in the /render directory: coder/coder.

Updates coder/coder from v2.34.1 to v2.34.2

Release notes

Sourced from coder/coder's releases.

v2.34.2 [SECURITY]

[!IMPORTANT] Security hardening release.
This patch addresses vulnerabilities responsibly disclosed to Coder by Anthropic's Project Glasswing under their coordinated vulnerability disclosure program.
We strongly recommend upgrading.
See the Security patches section below for the fixed issues and their advisories.

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

BREAKING CHANGES

• fix(coderd)!: restrict OIDC email fallback to first-time account linking (#25712, ffe764531a) (GHSA-9r87-mvcw-x35f, GHSA-75vm-6w67-gwvp)
• fix!: validate HostnameSuffix and SSHConfigOptions' (#26154, fb52711371) (GHSA-mcqq-fqgf-rxwm)
• fix!: reject OIDC login when email_verified claim is non-bool or absent (#25713, 120b37a09d) (GHSA-9r87-mvcw-x35f, GHSA-75vm-6w67-gwvp)

Security patches

• Escape agent log HTML (#25808, bf5a2205e9) (GHSA-7qw2-f75v-62f7)
• Escape appearance values in HTML output (#25804, aba08538bb) (GHSA-h58c-xccx-75m3)
• Clamp template port sharing level in SubAgentAPI (#26061, b78ec312ed) (GHSA-x9qq-2qh5-8rxf)
• Use a random value for a simulated hash for built-in users (#26205, 6879532f9d) (GHSA-8fxq-53rx-ph5f)
• Require update permission to recreate devcontainers (#25812, e822677bd2) (GHSA-jqj2-x4c5-jfxm)
• Server: Verify workspace owner matches app username (#26085, 3019613cd5) (GHSA-5wg6-jmq2-53pw)
• Always verify TLS on aibridgeproxyd upstream transport (#26131, 6293c89895) (GHSA-84rm-42xw-mx52)
• Check user user is active in aibridge auth (#26173, 943b04f663) (GHSA-wqxv-w64v-5wh6)
• Add max bytes request limit to aibridge (#26164, 9fc2550fe1) (GHSA-f5vp-w269-392g)
• Server: Prevent user-admin from resetting owner password (#25709, f15a934eec) (GHSA-29xf-69gq-m9jx)
• Validate FileSize in NewDataBuilder to prevent OOM DoS (#25710, 531ef5ecb3) (GHSA-f962-qm93-mj4c)
• Reject oversized and invalid zip uploads (#25877, 430ba84ada) (GHSA-2mg2-p7r7-g27f)
• Server: Prevent cross-tenant workspace app rebinding (#26103, e4a765754a) (GHSA-9rjw-3gwp-f59v)
• Agent: Prevent command injection in shell execer (#26235, b949480248) (GHSA-359v-rvmf-m3g9)
• Validate agent-supplied AllowedIPs in coordinator (#26144, c3e7e94a90) (GHSA-wrq8-fcv5-8hvp)
• Only trust x-forwarded-host from configured trusted proxies (#2… (#26296, 3c46473d53) (GHSA-5g4w-3vw9-478w)
• Prevent session token exfiltration via external app URLs (#26146, d7774e5c4c) (GHSA-v54h-cp2w-9x4g)

Features

• Cli: add support for supplying ephemeral parameters at workspac… (#26280, bd5666a46e)

Bug fixes

• Rename bundled rstudio.svg to rproject.svg, add real RStudio icon (#26216, f3839ebaa9)
• Server: Suppress AI Governance seat-count error for not-entitled licenses (#26276, 6419f535dd)
• Preserve gemini thought signatures (#25933, 9595e6cc73)
• Allow lifecycle code path to retry failed stop jobs (#26278, 05e50d10f4)

Chores

... (truncated)

Commits

• d7774e5 fix: prevent session token exfiltration via external app URLs (#26146) (#26302)
• 3c46473 fix: only trust x-forwarded-host from configured trusted proxies (#2… (#26296)
• c3e7e94 fix: validate agent-supplied AllowedIPs in coordinator (#26144) (#26293)
• b949480 fix(agent/agentcontainers): prevent command injection in shell execer (#26235...
• e4a7657 fix(coderd): prevent cross-tenant workspace app rebinding (#26103) (#26283)
• 120b37a fix!: reject OIDC login when email_verified claim is non-bool or absent (#257...
• ffe7645 fix(coderd)!: restrict OIDC email fallback to first-time account linking (#25...
• bd5666a feat: cli: add support for supplying ephemeral parameters at workspac… (#26280)
• 05e50d1 fix: allow lifecycle code path to retry failed stop jobs (#26278)
• 430ba84 fix: reject oversized and invalid zip uploads (#25877) (#26179)
• Additional commits viewable in compare view

Updates coder/coder from v2.34.1 to v2.34.2

Release notes

Sourced from coder/coder's releases.

v2.34.2 [SECURITY]

[!IMPORTANT] Security hardening release.
This patch addresses vulnerabilities responsibly disclosed to Coder by Anthropic's Project Glasswing under their coordinated vulnerability disclosure program.
We strongly recommend upgrading.
See the Security patches section below for the fixed issues and their advisories.

Changelog

[!NOTE] This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

BREAKING CHANGES

• fix(coderd)!: restrict OIDC email fallback to first-time account linking (#25712, ffe764531a) (GHSA-9r87-mvcw-x35f, GHSA-75vm-6w67-gwvp)
• fix!: validate HostnameSuffix and SSHConfigOptions' (#26154, fb52711371) (GHSA-mcqq-fqgf-rxwm)
• fix!: reject OIDC login when email_verified claim is non-bool or absent (#25713, 120b37a09d) (GHSA-9r87-mvcw-x35f, GHSA-75vm-6w67-gwvp)

Security patches

• Escape agent log HTML (#25808, bf5a2205e9) (GHSA-7qw2-f75v-62f7)
• Escape appearance values in HTML output (#25804, aba08538bb) (GHSA-h58c-xccx-75m3)
• Clamp template port sharing level in SubAgentAPI (#26061, b78ec312ed) (GHSA-x9qq-2qh5-8rxf)
• Use a random value for a simulated hash for built-in users (#26205, 6879532f9d) (GHSA-8fxq-53rx-ph5f)
• Require update permission to recreate devcontainers (#25812, e822677bd2) (GHSA-jqj2-x4c5-jfxm)
• Server: Verify workspace owner matches app username (#26085, 3019613cd5) (GHSA-5wg6-jmq2-53pw)
• Always verify TLS on aibridgeproxyd upstream transport (#26131, 6293c89895) (GHSA-84rm-42xw-mx52)
• Check user user is active in aibridge auth (#26173, 943b04f663) (GHSA-wqxv-w64v-5wh6)
• Add max bytes request limit to aibridge (#26164, 9fc2550fe1) (GHSA-f5vp-w269-392g)
• Server: Prevent user-admin from resetting owner password (#25709, f15a934eec) (GHSA-29xf-69gq-m9jx)
• Validate FileSize in NewDataBuilder to prevent OOM DoS (#25710, 531ef5ecb3) (GHSA-f962-qm93-mj4c)
• Reject oversized and invalid zip uploads (#25877, 430ba84ada) (GHSA-2mg2-p7r7-g27f)
• Server: Prevent cross-tenant workspace app rebinding (#26103, e4a765754a) (GHSA-9rjw-3gwp-f59v)
• Agent: Prevent command injection in shell execer (#26235, b949480248) (GHSA-359v-rvmf-m3g9)
• Validate agent-supplied AllowedIPs in coordinator (#26144, c3e7e94a90) (GHSA-wrq8-fcv5-8hvp)
• Only trust x-forwarded-host from configured trusted proxies (#2… (#26296, 3c46473d53) (GHSA-5g4w-3vw9-478w)
• Prevent session token exfiltration via external app URLs (#26146, d7774e5c4c) (GHSA-v54h-cp2w-9x4g)

Features

• Cli: add support for supplying ephemeral parameters at workspac… (#26280, bd5666a46e)

Bug fixes

• Rename bundled rstudio.svg to rproject.svg, add real RStudio icon (#26216, f3839ebaa9)
• Server: Suppress AI Governance seat-count error for not-entitled licenses (#26276, 6419f535dd)
• Preserve gemini thought signatures (#25933, 9595e6cc73)
• Allow lifecycle code path to retry failed stop jobs (#26278, 05e50d10f4)

Chores

... (truncated)

Commits

• d7774e5 fix: prevent session token exfiltration via external app URLs (#26146) (#26302)
• 3c46473 fix: only trust x-forwarded-host from configured trusted proxies (#2… (#26296)
• c3e7e94 fix: validate agent-supplied AllowedIPs in coordinator (#26144) (#26293)
• b949480 fix(agent/agentcontainers): prevent command injection in shell execer (#26235...
• e4a7657 fix(coderd): prevent cross-tenant workspace app rebinding (#26103) (#26283)
• 120b37a fix!: reject OIDC login when email_verified claim is non-bool or absent (#257...
• ffe7645 fix(coderd)!: restrict OIDC email fallback to first-time account linking (#25...
• bd5666a feat: cli: add support for supplying ephemeral parameters at workspac… (#26280)
• 05e50d1 fix: allow lifecycle code path to retry failed stop jobs (#26278)
• 430ba84 fix: reject oversized and invalid zip uploads (#25877) (#26179)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions