Comparing changes

jetify-com/devbox: base 0.17.0 ... compare 0.17.1
  • 9 commits
  • 22 files changed
  • 6 contributors

Commits on Mar 24, 2026

  1. f82a364

Commits on Mar 25, 2026

  1. Fix high-severity Dependabot alerts (#2801)

    ## Summary
    - **Go**: Update `buger/jsonparser` 1.1.1 → 1.1.2 (DoS fix)
    - **Django**: Update 4.2.27 → 4.2.29 (SQL injection + uncontrolled
    resource consumption fixes)
    - **Rails example**: Upgrade Rails 7.1.5 → 7.2.0, bringing rack 2.2.14 →
    3.2.5 (directory traversal + Active Storage path traversal fixes)
    - **VS Code extension**: Add yarn resolutions to update minimatch 3.1.2
    → 3.1.5 (ReDoS) and serialize-javascript 6.0.2 → 7.0.4 (RCE via
    RegExp.flags)
    
    ## Test plan
    - [ ] Verify `go build ./...` still passes
    - [ ] Verify VS Code extension compiles (`cd vscode-extension && yarn compile`)
    - [ ] Confirm Dependabot alerts close after merge
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    ---------
    
    Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    mikeland73 and claude authored Mar 25, 2026
    ab5eba0
  2. feat(init): print success message and next steps after devbox init (#2800)

    
    ## Summary
    
    Add a success message to devbox init with next steps
    
    ## How was it tested?
    
    Run `devbox init` in a test folder, confirm the message is displayed
    Rerun the command, confirm the error message still displays
    Lagoja authored Mar 25, 2026
    bbe7a31
  3. Fix false duplicate detection for multiple declared built-in plugins (#2799)

    
    ## Summary
    
    Fixes #2790, which prevents users from declaring multiple built-in
    plugins:
    
    When devbox computed a unique ID (hash) for a plugin like plugin:nodejs
    or plugin:python, it tried to use the fully resolved package name. But
    for built-in plugins added via include, the package isn’t resolved yet —
    so that name is an empty string.
    
    Two different plugins both hashing the empty string = same hash = devbox
    thinks they’re duplicates and throws a “circular or duplicate include”
    error.
    
    The fix: if the resolved name is empty, use the raw string ("nodejs",
    "python") instead. Different raw strings, different hashes, no false
    collision. This change should not affect normal package resolution,
    since Devbox already enforces that each entry of the packages array is
    unique.
    
    ## How was it tested?
    
    Added an additional test
    (`TestLoadRecursiveMultipleBuiltinPluginIncludes`) which checks that we
    can load 2 explicitly declared built-in plugins without issue.
    Lagoja authored Mar 25, 2026
    540b82c
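The collision described in #2799 is easy to reproduce in isolation. The following Go program is an added illustration, not devbox's own code: `includeRef`, `includeID`, `buggyIncludeID` and `findDuplicate` are hypothetical names, and SHA-256 over the name is assumed as the "unique ID" scheme. `buggyIncludeID` hashes the resolved name unconditionally, so two built-in plugin includes with empty resolved names hash identically; `includeID` falls back to the raw string when the resolved name is empty, which is the fix the commit message describes.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// includeRef is a hypothetical stand-in for one include entry.
type includeRef struct {
	Raw      string // what the user wrote, e.g. "plugin:nodejs"
	Resolved string // fully resolved package name; empty for built-in plugins
}

// buggyIncludeID mirrors the pre-fix behaviour: the ID is derived only from
// the resolved name, which is "" for every built-in plugin include.
func buggyIncludeID(ref includeRef) string {
	sum := sha256.Sum256([]byte(ref.Resolved))
	return hex.EncodeToString(sum[:])
}

// includeID mirrors the fix: when the resolved name is empty, hash the raw
// string instead so that distinct includes get distinct IDs.
func includeID(ref includeRef) string {
	name := ref.Resolved
	if name == "" {
		name = ref.Raw
	}
	sum := sha256.Sum256([]byte(name))
	return hex.EncodeToString(sum[:])
}

// findDuplicate runs the duplicate check over the includes in order and
// reports the first entry whose ID matches an earlier one.
func findDuplicate(refs []includeRef, id func(includeRef) string) (string, bool) {
	seen := map[string]string{} // id -> raw string that produced it
	for _, r := range refs {
		h := id(r)
		if prev, ok := seen[h]; ok {
			return fmt.Sprintf("%q collides with %q", r.Raw, prev), true
		}
		seen[h] = r.Raw
	}
	return "", false
}

func main() {
	// Constructed input: two different built-in plugins, neither resolved yet.
	refs := []includeRef{
		{Raw: "plugin:nodejs"},
		{Raw: "plugin:python"},
	}
	if msg, dup := findDuplicate(refs, buggyIncludeID); dup {
		fmt.Println("before fix:", msg)
	}
	if _, dup := findDuplicate(refs, includeID); !dup {
		fmt.Println("after fix: no false collision")
	}
}
```

Two entries that resolve to the same package still collide under `includeID`, so genuine duplicates are still caught; only the empty-name case changes.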
  4. Fix remaining Dependabot security alerts (#2803)

    ## Summary
    - **Rails example**: Upgrade Rails 7.1.5 → 7.2.3, bringing rack 2.2.14 →
    3.2.5 and nokogiri 1.18.9 → 1.19.2. Fixes Active Storage path traversal,
    Rack directory traversal/XSS, Active Support ReDoS/DoS/XSS, Action View
    XSS, and Active Storage glob injection/DoS/content type bypass.
    - **Django example**: Update sqlparse 0.5.0 → 0.5.3 (DoS fix for
    formatting list of tuples)
    - **VS Code extension**: Add flatted yarn resolution → 3.4.2 (prototype
    pollution via parse() fix)
    
    ## Test plan
    - [x] Verify `go build ./...` still passes (no Go changes, but
    confirmed)
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    ---------
    
    Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    Co-authored-by: John Lago <750845+Lagoja@users.noreply.github.com>
    3 people authored Mar 25, 2026
    27a1502
  5. Fix remaining Dependabot security alerts (#2804)

    ## Summary
    - **Rails example**: Upgrade Rails 7.1.6 → 7.2.3.1 to fix 8 alerts:
    activestorage path traversal/glob injection/DoS/content type bypass,
    activesupport ReDoS/DoS/XSS, and actionview XSS
    - **Django example**: Update sqlparse 0.5.3 → 0.5.4 (DoS via formatting
    list of tuples)
    - **Drupal example**: Update psysh v0.12.15 → v0.12.19 (local privilege
    escalation via CWD .psysh.php auto-load)
    
    ## Test plan
    - [x] Verify `go build ./...` still passes (no Go changes)
    - [ ] Confirm Dependabot alerts are resolved after merge
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    ---------
    
    Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    mikeland73 and claude authored Mar 25, 2026
    d6bd8d5
  6. Fixes #2793 - replace use of [[ conditionals (#2794)

    ## Summary
    
    Fixes #2793 - use of zsh/bash conditionals in a file with a pure sh
    shebang.
    
    ## How was it tested?
    
    ## Community Contribution License
    
    All community contributions in this pull request are licensed to the project maintainers under the terms of the [Apache 2 License](https://www.apache.org/licenses/LICENSE-2.0).
    
    By creating this pull request, I represent that I have the right to license the contributions to the project maintainers under the Apache 2 License as stated in the [Community Contribution License](https://github.com/jetify-com/opensource/blob/main/CONTRIBUTING.md#community-contribution-license).
    
    ---------
    
    Signed-off-by: Tim Gates <tim.gates@iress.com>
    timgates42 authored Mar 25, 2026
    8e36761

Commits on Mar 30, 2026

  1. boxcli: fix VS Code binary path resolution on macOS (#2806)

    ## Summary
    
    The WSL fix in #2729 (4ba6fce) broke "Reopen in Devbox shell
    environment" on macOS.
    
    That commit constructs the VS Code binary path as
    `$VSCODE_CWD/bin/code`. On WSL, `VSCODE_CWD` points to the VS Code
    installation directory (e.g., `/mnt/c/.../Microsoft VS Code`), so this
    works correctly. On macOS however, `VSCODE_CWD` is set to the workspace
    directory, producing a path like `/Users/user/my-project/bin/code` —
    which doesn't exist:
    
    e.g. the debug logs on my machine give:
    
    ```
    fork/exec /Users/josh/src/my-project/bin/code: no such file or directory
    ```
    
    This PR adds an os.Stat check so the constructed path is only used when
    the binary actually exists there, falling back to the bare command name
    (resolved via `PATH`) otherwise. The resolution logic is extracted into
    a `resolveEditorBinary` function with unit tests covering:
    
    - `VSCODE_CWD` unset → uses bare name
    - `VSCODE_CWD` points to a VS Code installation (WSL) → uses full path
    - `VSCODE_CWD` points to a workspace directory (macOS) → falls back to
    bare name
    
    ## How was it tested?
    
    - Unit tests for `resolveEditorBinary` covering all three scenarios
    - `go test -race -cover ./internal/boxcli/` passes
    - `golangci-lint run ./internal/boxcli/` passes
    
    ## Community Contribution License
    
    All community contributions in this pull request are licensed to the project maintainers under the terms of the [Apache 2 License](https://www.apache.org/licenses/LICENSE-2.0).
    
    By creating this pull request, I represent that I have the right to license the contributions to the project maintainers under the Apache 2 License as stated in the [Community Contribution License](https://github.com/jetify-com/opensource/blob/main/CONTRIBUTING.md#community-contribution-license).
    
    Co-authored-by: Josh Godsiff <josh.godsiff@corro.co>
    Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    3 people authored Mar 30, 2026
    1dae9ff
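The three scenarios listed in #2806 can be exercised with a small stand-alone resolver. The Go code below is an added example, not the `resolveEditorBinary` that the commit adds to `internal/boxcli`; the function name is reused for readability but its signature (binary name and the `VSCODE_CWD` value passed in explicitly) is an assumption. It goes one step beyond a bare `os.Stat`: because `VSCODE_CWD` can be a workspace directory on macOS, the candidate is only accepted when it is a regular file with an execute bit, so a `bin/code` directory or a plain file at that path does not short-circuit the `PATH` lookup.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// resolveEditorBinary returns the command to execute for the editor CLI.
// If vscodeCWD (the value of $VSCODE_CWD) contains bin/<bin> as an
// executable regular file, that full path is returned (the WSL layout
// described in #2729/#2806). Otherwise the bare name is returned so the
// shell resolves it through PATH (the macOS case, where VSCODE_CWD is the
// workspace directory). Illustrative code, not devbox's implementation.
func resolveEditorBinary(bin, vscodeCWD string) string {
	if vscodeCWD == "" {
		return bin
	}
	candidate := filepath.Join(vscodeCWD, "bin", bin)
	info, err := os.Stat(candidate)
	if err != nil {
		return bin // path does not exist: fall back to PATH lookup
	}
	// Stricter than a bare existence check: require a regular file with at
	// least one execute bit so a directory or data file named "code" is
	// never handed to exec.
	if !info.Mode().IsRegular() || info.Mode().Perm()&0o111 == 0 {
		return bin
	}
	return candidate
}

func main() {
	fmt.Println(resolveEditorBinary("code", os.Getenv("VSCODE_CWD")))
}
```

With `VSCODE_CWD=/mnt/c/.../Microsoft VS Code` the function returns the full path; with `VSCODE_CWD=/Users/user/my-project` (no `bin/code` inside it) or with the variable unset it returns `code`, which matches the three cases in the commit message.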

Commits on Mar 31, 2026

  1. Bump lastTag version to 0.17.1 (#2807)

    ## Summary
    
    Bump Flake Version
    
    ## How was it tested?
    
    `nix build`
    
    ## Community Contribution License
    
    All community contributions in this pull request are licensed to the project maintainers under the terms of the [Apache 2 License](https://www.apache.org/licenses/LICENSE-2.0).
    
    By creating this pull request, I represent that I have the right to license the contributions to the project maintainers under the Apache 2 License as stated in the [Community Contribution License](https://github.com/jetify-com/opensource/blob/main/CONTRIBUTING.md#community-contribution-license).
    
    Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
    Lagoja and claude authored Mar 31, 2026
    ea03d2d