v4.17.2

What's Changed

• chore(dev): bump docker/build-push-action to latest by @brendan-kellam in #1172
• fix: Add missing changes from #1170 by @brendan-kellam in #1176
• fix(web): use blame line's path when navigating to commit diff by @brendan-kellam in #1178
• chore(worker): Reduce logger verbosity by @brendan-kellam in #1179
• chore: bump fast-uri to ^3.1.2 by @brendan-kellam in #1181
• fix: upgrade simple-git to 3.36.0 to address CVE-2026-6951 by @brendan-kellam in #1183
• fix: upgrade hono to ^4.12.18 to address CVE-2026-44455, CVE-2026-44456, CVE-2026-44457, CVE-2026-44458 by @brendan-kellam in #1186
• fix: refresh yarn.lock to upgrade ip-address to ^10.2.0 (CVE-2026-42338) by @brendan-kellam in #1189
• fix: refresh yarn.lock to upgrade fast-xml-builder to ^1.2.0 (CVE-2026-44664, CVE-2026-44665) by @brendan-kellam in #1184
• fix(backend): opt in to simple-git unsafe categories present in env by @brendan-kellam in #1193
• refactor(web): detect hoverable symbols via Lezer highlight tags by @brendan-kellam in #1194
• feat(web): add skeleton to LatestCommitInfo while loading by @brendan-kellam in #1195
• feat(backend): write changed-path Bloom filters to commit-graph by @brendan-kellam in #1198
• chore(web): add ESLint rule require-auth-wrapper by @brendan-kellam in #1199
• chore: add lint workflow for PRs by @brendan-kellam in #1200
• fix(web): preserve source revisions in chat citation links by @brendan-kellam in #1205
• chore: upgrade next to ^16.2.6 to address CVE-2026-45109 by @brendan-kellam in #1203
• chore: upgrade react-email to ^6.1.4 by @brendan-kellam in #1206
• chore(web): Upgrade @posthog/ai by @brendan-kellam in #1207
• fix: pin @protobufjs/inquire to 1.1.0 to fix Turbopack incompatibility by @brendan-kellam in #1208

Full Changelog: v4.17.1...v4.17.2

v4.17.1

What's Changed

• feat(web): add audit log entries for org membership changes by @brendan-kellam in #1165
• feat(web): JWT session versioning and credential revocation on org removal by @brendan-kellam in #1168
• fix(schemas): allow spaces in Azure DevOps project and repo names by @brendan-kellam in #1170

Full Changelog: v4.17.0...v4.17.1

v4.17.0

What's Changed

• feat(web): add git history view by @brendan-kellam in #1150
• chore(web): bump postcss to 8.5.10 by @brendan-kellam in #1155
• feat(web): Commit diffs by @brendan-kellam in #1154
• feat(web): collapsible file diffs in commit diff panel by @brendan-kellam in #1157
• feat(web): add /api/blame endpoint by @brendan-kellam in #1158
• feat(web): add /api/avatar resolver by @brendan-kellam in #1159
• feat(web): add file blame view to code browser by @brendan-kellam in #1160
• chore(web): harden post-auth redirects and legacy URL rewrite by @brendan-kellam in #1161
• chore(web): make session and OAuth token lifetimes configurable by @brendan-kellam in #1162
• chore(web): guard OAuth API routes against 307/308 redirects by @brendan-kellam in #1163

Full Changelog: v4.16.15...v4.17.0

v4.16.15

What's Changed

• fix(web): restore ServiceError boundary in getFileSourceForRepo by @fatmcgav in #1145
• feat: improve diff tool display and token efficiency by @brendan-kellam in #1146
• fix: override uuid to ^14.0.0 to patch GHSA-w5hq-g745-h8pq by @brendan-kellam in #1147
• chore(web): bump @aws-sdk/credential-providers to ^3.1036.0 (CVE-2026-41650) by @brendan-kellam in #1148

Full Changelog: v4.16.14...v4.16.15

v4.16.14

What's Changed

• feat(web): GitLab MR Review Agent by @fatmcgav in #1104

Full Changelog: v4.16.13...v4.16.14

v4.16.13

What's Changed

• chore: sync vendor/zoekt with upstream sourcegraph/zoekt by @msukkari in #1140
• chore: bump vendor/zoekt with CodeQL security fixes by @msukkari in #1141
• feat(web): expose get_diff on MCP server by @msukkari in #1142

Full Changelog: v4.16.12...v4.16.13

v4.16.12

What's Changed

• fix(worker): prefer newest refs when applying the 64 revision cap by @GitBalake in #1122
• fix(backend): stop Gitea/Forgejo pagination on empty page response by @brendan-kellam in #1130
• fix: add explicit empty permissions to deploy-railway.yml by @msukkari in #1132
• fix: add explicit empty permissions to docs-broken-links workflow by @msukkari in #1131
• fix: validate reviewAgentLogPath to prevent path injection by @msukkari in #1134
• fix(web): prevent XSS via OAuth redirect URI scheme injection by @msukkari in #1136
• fix(query-language): preserve grouped filters in regex mode by @brianphillips in #1138

New Contributors

• @GitBalake made their first contribution in #1122

Full Changelog: v4.16.11...v4.16.12

v4.16.11

What's Changed

• chore(deps): bump protobufjs from 7.5.4 to 7.5.5 by @dependabot[bot] in #1128

Full Changelog: v4.16.10...v4.16.11

v4.16.10

What's Changed

• chore(web): Bump AI sdk dependencies by @brendan-kellam in #1126
• fix(web): Add support for adaptive thinking parameters by @brendan-kellam in #1127

Full Changelog: v4.16.9...v4.16.10

v4.16.9

What's Changed

• feat: add Coastfile for local development by @dahyman91 in #1058
• feat: add thinkingLevel and thinkingBudget config for Gemini models by @brendan-kellam in #1110
• feat(web): rename PostHog chat events, add tool_used tracking, and client-side ask events by @msukkari in #1111
• chore: upgrade Go toolchain 1.25 & zoekt version by @brendan-kellam in #1112
• chore: bump next.js by @brendan-kellam in #1113
• fix: upgrade Alpine packages to resolve CVEs by @brendan-kellam in #1114
• chore: upgrade vitest to v4 by @brendan-kellam in #1115
• chore: bump tsx to ^4.21.0 across all workspaces by @brendan-kellam in #1116
• chore: delete MCP package by @brendan-kellam in #1117
• chore: deduplicate esbuild via resolution by @brendan-kellam in #1118
• chore: remove unused npm and clean up ctags artifacts in Docker image by @brendan-kellam in #1119
• chore: fix security vulnerabilities found by yarn audit by @brendan-kellam in #1121

New Contributors

• @dahyman91 made their first contribution in #1058

Full Changelog: v4.16.8...v4.16.9