Update bitwarden to v2026.4.0
This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| bitwarden/clients | minor |
2026.3.1 → 2026.4.0
|
| bitwarden/server | minor |
2026.3.2 → 2026.4.0
|
Release Notes
bitwarden/clients (bitwarden/clients)
v2026.4.0: Web v2026.4.0
Overview
- Flagged code - users belonging to auto-confirmation orgs cannot issue or accept emergency access invitations
- Organized policies into categories
- Consolidated Send policies
- Added support for deeplink redirect with https schema
- Various under-the-hood improvements and minor bug fixes
What's Changed
💙 Community Highlight
- [PM-33210] fix(login): clear validation errors on region change by @OnSuorce in #19407
:shipit: Feature Development
- feat(redirect): [PM-26578] Https Redirection for Cloud Users by @Patrick-Pimentel-Bitwarden in #17873
- [CL-958] Update avatar component to new styles by @vleague2 in #18975
- [CL-1023][CL-1031] Design system refresh: Milestone 1 by @willmartian in #19061
- PM-31767 resend feature by @bmbitwarden in #19136
- [PM-31426] add categories to policy page by @JaredScar in #19151
- Auth/PM-33261 - Multi-client Password Management (new for desktop & extension) by @JaredSnider-Bitwarden in #19289
- [PM-31885] Consolidate all Send policies to a single policy by @harr1424 in #19314
- [PM-33173] Use unlock service for password login strategy by @quexten in #19371
- [PM-33372] hide prompt if org does not use my items by @JaredScar in #19475
- Auth/PM-33353 - Password Login - refine prefetching of password prelogin data by @JaredSnider-Bitwarden in #19510
- PM-31418 implemented password generator inside drawer by @bmbitwarden in #19521
- [PM-24476] At Risk Password setting by @nick-livefront in #19557
- [PM-32783] Cached electron storage by @dani-garcia in #19590
- [PM-30101] subscription discounts in web checkout by @kdenney in #19599
- [PM-32057] Wire up Trend Widget in Access Intelligence Activity by @Banrion in #19664
- [PM-28419] Remove feature flagged logic by @BTreston in #19718
- [PM-34012] - Replace image in welcome dialog with extension prompt by @jaasen-livefront in #19720
- [CL-1012] Removed hyphenation from Simple Dialog Component by @lxiong-livefront in #19732
- [CL-941] Remove router focus flag from client by @vleague2 in #19812
- [PM-19168] Remove Archive Feature Flag by @nick-livefront in #19829
- [PM-31897] Remove m2 flagged logic by @cturnbull-bitwarden in #19867
- [PM-31899] Remove m2 flag definition by @cturnbull-bitwarden in #19869
- [PM-31885] Bump SendControls Policy Enum Value by @harr1424 in #19903
- Update primitive colors by @BryanCunningham in #19910
🐛 Bug fixes
- [PM-33067] Fix false success toast when mark/unmark critical apps API fails by @AlexRubik in #19344
- [PM-22890] Automatically open Extension in FireFox by @nick-livefront in #19456
- [PM-33380] Fix Access Intelligence drawer not opening on row click by @AlexRubik in #19496
- [PM-32761] Lock causes log out on TDE account with PIN by @mzieniukbw in #19594
- [PM-33765] - Fix viewPassword not preserved during legacy cipher encryption by @jaasen-livefront in #19601
- [CL-1105] Ensure hover and focus states match spec by @vleague2 in #19638
- [PM-32747] Empty TOTP secrets are being saved to ciphers in web based clients by @jengstrom-bw in #19645
- [PM-30614] - Fix double event log in browser ext popup by @jrmccannon in #19657
- [PM-33952] Fix cipher key encryption logic when editing ciphers by @nikwithak in #19695
- PM-33577 added email validation by @bmbitwarden in #19707
- [PM-34047] Change column header in at-risk member drawers to "At-risk applications" by @lastbestdev in #19741
- [PM-34054] Fix text overruns by @voommen-livefront in #19781
- [PM-34131] Editing ciphers with change at risk password banner fails on web by @jengstrom-bw in #19785
- Auth/PM-34198 - Device Management - fix device icons not rendering by @JaredSnider-Bitwarden in #19786
- [PM-34192] My Items Collection is not marked as default when creating an item by @jengstrom-bw in #19793
- [PM-34199] [Extension] Change Password Routing Fix by @rr-bw in #19794
- [PM-32096] Collection name style fix by @BTreston in #19809
- [PM-34223] discounts rounding bug fix by @kdenney in #19811
- [PM-30190] Add validator for revoked emails when inviting users by @BTreston in #19815
- BRE-1746 fix(build-web-target): add packages write by @fntyler in #19816
- [CL-1140] BUG FIX: desktop nav group anchor link color and cipher name styles by @lxiong-livefront in #19820
- Auth/PM-34242 - Device Management Comp - Fix upsert losing isTrusted state and show trust status on pending auth request devices by @JaredSnider-Bitwarden in #19822
- [PM-30311] focus management creation in effect to account for async menu item changes by @BryanCunningham in #19871
- [PM-33928] Fix: Can view MyItems Passwords in Org Vault Health Reports by @Banrion in #19874
- [PM-34225] generate keypair even if there is no current one on password login by @jlf0dev in #19896
- [CL-1130] Fix storybook a11y and console errors for admin console files by @vleague2 in #19917
- [PM-34530] Display cart-level discount on personal subscription page by @amorask-bitwarden in #19925
- [PM-34556, PM-34558, PM-34557] Access Intelligence trend chart design tweaks by @lastbestdev in #19977
- Revert "[PM-33210] fix(login): clear validation errors on region change" by @enmande in #19979
- [PM-34685][Defect] Subscription status for organizations not updating with feature flag enabled by @sbrown-livefront in #20018
- Cherry-Pick #20018 Fix Subscription Status Logic by @sbrown-livefront in #20034
- [PM-34781] exclude "no folder" from key rotation by @mzieniukbw in #20068
- [PM-34781] exclude "no folder" from key rotation - cherry pick by @mzieniukbw in #20143
- Revert "[PM-34781] exclude "no folder" from key rotation - cherry pick" by @mzieniukbw in #20152
⚙️ Maintenance
- [deps]: Update chromaui/action action to v13.3.5 by @renovate in #17886
- [PM-25686] - migrate cipher export and sub-models by @jaasen-livefront in #19050
- [deps]: Update docker/build-push-action action to v7 by @renovate in #19582
- [BRE-1004] Publish web images to GHCR on release by @vgrassia in #19679
- [PM-33797] AIV2: Standardize Models and Services: Web Services by @Banrion in #19717
- [PM-33797] AIV2: Standardize Models and Services: Shared Components by @Banrion in #19730
- chore: update sm code ownership for sm owned files in bw license by @vincentsalucci in #19765
- refactor(scheduling): extract @bitwarden/scheduling Nx leaf library by @addisonbeck in #19771
- [CL-1137] Remove unecessary toggle-width componet by @Hinton in #19782
- [BRE-1004] Remove web-sh image tag by @vgrassia in #19788
- [deps]: Update docker/login-action action to v4 by @renovate in #19853
- [deps]: Update dorny/paths-filter action to v4 by @renovate in #19854
- [PM-33167] Replace img with TwoFactorIcon component by @djsmith85 in #19865
- [PM-33797] AIV2: Standardize Models and Services: Page Components by @Banrion in #19930
- remove base directive import by @BryanCunningham in #19978
- Update config.yml by @acostarj in #4555
- Update config.yml by @acostarj in #4775
📦 Dependency Updates
- [deps] Architecture: Update Minor and patch linting updates by @renovate in #17491
- [deps] UI Foundation: Update vite-tsconfig-paths to v6 by @renovate in #18085
- [deps] UI Foundation: Update @compodoc/compodoc to v1.2.1 by @renovate in #18713
- [deps] Platform: Update copy-webpack-plugin to v14 by @renovate in #19581
- [deps] UI Foundation: Update svgo to v4.0.1 [SECURITY] by @renovate in #19757
🎨 Other
- [CL-1026] Cherry pick icon tile refresh to main by @willmartian in #19063
- disable claude attribution by @audreyality in #19253
- Update all import statements and remove re-exporting files by @eliykat in #19545
- [CL-1049] Make fallback autofocus approach for dialogs by @vleague2 in #19561
- Autosync Crowdin Translations for web by @bw-ghapp in #19801
- Dirt/pm 33474/setup data testids by @voommen-livefront in #19807
- [PM-34459] AI skill for converting figma designs to Angular component by @Hinton in #19866
- [PM-34230] Skill for HEC integration by @voommen-livefront in #19914
- Autosync Crowdin Translations for web by @bw-ghapp in #19960
bitwarden/server (bitwarden/server)
v2026.4.0: Version 2026.4.0
Overview
- Removed feature flag for vault items archive
- Removed feature flag for default saving location when organization data ownership policy is enabled
- Removed feature flag for hiding alternate login methods when SSO is required
- Removed feature flag for several UX improvements
- Removed feature flag for provider initialization refactor
- Added support for deeplink redirect with https schema
- Various under-the-hood improvements and minor bug fixes
What's Changed
:shipit: Feature Development
- [PM-31736] User-friendly cookie vendor error message by @dereknance in #7270
- [PM-33972] Remove pm-26140-marketing-initiated-premium-flow feature flag by @trmartin4 in #7275
- [PM-32783] Add electron-storage-cache flag by @dani-garcia in #7286
- [PM-33890] Set up Stripe Subscription Schedule API operations by @amorask-bitwarden in #7289
- feat(redirect): [PM-30810] Https Redirection for Cloud Users by @Patrick-Pimentel-Bitwarden in #6852
- [PM-22110] Remove pm-22110-disable-alternate-login-methods feature flag by @trmartin4 in #7274
- [PM-22435] chore: remove create default collections ff ref by @vincentsalucci in #7298
- [PM-33086/7] Remove the feature flag RefactorOrgAcceptInit by @r-tome in #7287
- [PM-28420] Remove feature flag by @BTreston in #7282
- [PM-33087] Remove RefactorOrgAcceptInit feature flag by @r-tome in #7325
- [PM-15489] 2fa account recovery by @kspearrin in #7139
- Auth/PM-34400 - Add desktop devices feature flag by @JaredSnider-Bitwarden in #7361
- [PM-32009] Add New Item Type Feature Flag by @nick-livefront in #7358
- [PM-34410] Attachment Upload Feature Flag by @nick-livefront in #7357
- Add feature flag for access intelligence trend chart by @Banrion in #7363
- [PM-33212] Finalize Org Data Ownership Policy Requirement by @sven-bitwarden in #7210
- [PM-332124] Finalize PolicyRequirement + 2FA Feature Flag by @sven-bitwarden in #7209
- [PM-19168] Remove Archive Feature Flag guards by @nick-livefront in #7371
- [PM-31885] Consolidate all Send policies to a single policy by @harr1424 in #7113
- [PM-31905] Remove m2 flag definition by @cturnbull-bitwarden in #7353
- [PM-28190] Add feature flag: pm-28190-cipher-sharing-ops-to-sdk Feature Flag by @nikwithak in #6887
🐛 Bug fixes
- [PM-33980] Only verify
UseMyItemswhen claim exists by @amorask-bitwarden in #7278 - [PM-32450] Allow SMTP TLS CRL status retrieval failures by @dereknance in #7271
- [PM-19143] Fix custom permissions not persisting via InviteOrganizationUsersCommand by @r-tome in #7285
- [PM-34049] Fix PoliciesController authorize attribute by @eliykat in #7303
- [PM-34048 ] Add limit item deletion to manage collection permission to Org view/edit by @vincentsalucci in #7296
- [PM-31822] Fix file Send size validation by @mcamirault in #7311
- [PM-34440] Fix cache duplicate-key error by @JimmyVo16 in #7360
- [PM-30185] Fix email fallback logic to ignore empty primary email by @BTreston in #7359
- [PM-32829] Cipher Key for unassigned ciphers by @nick-livefront in #7164
- [PM-32260] Fix missing device approval event logs for accepted users by @r-tome in #7247
- [PM-26581] Add missing model.type param by @BTreston in #7369
- [PM-29981] Add repo call to check if existing collection already has access setup by @BTreston in #7365
- [PM-34570] Expired or Cancelled Claimed User Throws Billing Exception on Subscription Cancel by @sbrown-livefront in #7382
- fix(change-email): [PM-34742] Change Email Sets Salt (#7422) by @Patrick-Pimentel-Bitwarden in #7423
⚙️ Maintenance
- [BRE-1004] Add GHCR Support to Build/Publish workflows by @vgrassia in #7263
- [PM-32066] - Add Org Ability View by @jrmccannon in #7194
- [PM-33895] Filter
[BindNever]parameters from OpenAPI schema by @dani-garcia in #7257 - [deps]: Update docker/build-push-action action to v7 by @renovate[bot] in #7221
- [PM-32067] - Add Provider Ability View by @jrmccannon in #7200
- [PM-33041] Organization Ability: Refactor CipherResponseModel by @JimmyVo16 in #7202
- [PM-33043] Refactor PolicyService, CipherService, and TwoFactorAuthenticationValidator by @JimmyVo16 in #7214
- [PM-33042] Refactor EventService to remove deprecated GetOrganizationAbilitiesAsync by @JimmyVo16 in #7240
- [deps]: Update dorny/test-reporter action to v3 by @renovate[bot] in #7347
- [PM-34462] Improve role handling in provider controllers by @eliykat in #7372
- [PM-3836] Tools - Make Controllers, Services and API Models nullable by @harr1424 in #7212
- Add release yml to rc by @djsmith85 in #7466
📦 Dependency Updates
- [deps] Auth: Update Duende.IdentityServer to 7.4.6 by @renovate[bot] in #6323
- [PM-33499] Permissive base64 decoder by @dereknance in #7207
- [deps]: Update sass to v1.98.0 by @renovate[bot] in #7343
- [deps]: Update prettier to v3.8.1 by @renovate[bot] in #6702
🎨 Other
- PM-33964 - Fix silent switch defaults in Seeder with fail-fast throws by @theMickster in #7277
- [PM-33819] Enforce use of authorize attributes by @eliykat in #7242
- Arch/cipher scene by @MGibson1 in #7241
- [PM-33894] Schedule price increases by @amorask-bitwarden in #7293
- [PM-34082] Seed passkeys by @MGibson1 in #7265
- Added RSA keypair pool + Caching to Seeder's RustSdk by @theMickster in #7288
- [PM-33896] Update Families organization on schedule transition by @cturnbull-bitwarden in #7300
- [PM- 30370] [PM-28827] Add Salt to Auth and KM DTOs by @ike-kottlowski in #7239
- [PM-32008] Add scope comment for SecurityTaskAuthorizationHandler by @nick-livefront in #7291
- [PM-21926] Add salt to Admin Console DTOs by @ike-kottlowski in #7231
- [PM-33043] Fix the failing test. by @JimmyVo16 in #7316
- [PM-33899] Release schedule on terminal subscription operations by @amorask-bitwarden in #7305
- PM-34033 - Add individual user seeding to preset pipeline by @theMickster in #7304
- PM-34033 - Add user & org API key seeding and improve CLI output by @theMickster in #7324
- [PM-34039] [Defect] Discount Eligibility Endpoint Shows "New Users Only" Discounts by @sbrown-livefront in #7301
- Update to
IHostBuilderstyle by @justindbaur in #6843 - [PM-32216] Create Stripe Checkout Session Endpoint by @sbrown-livefront in #7246
- [PM-33901] Remove unused UpdateTaxInformation by @cturnbull-bitwarden in #7320
- [PM-33901] Implement schedule-aware tax handling by @cturnbull-bitwarden in #7319
- PM-33964 - Unify CipherSeeder factories behind CipherSeed domain model. by @theMickster in #7330
- Clarify potential misleading comment by @theMickster in #7339
- Rename CLI endpoint to Preset instead of Seed by @theMickster in #7340
- Move IEventService to Dirt by @eliykat in #7272
- [PM-33898] Schedule-aware storage adjustments by @amorask-bitwarden in #7350
- [PM-33891] Migrate Cancel and Reinstate Paths by @sbrown-livefront in #7331
- [PM-33405] Add
OrganizationUserNotificationPolicyby @nick-livefront in #7250 - [PM-31902] Remove m2 flagged logic by @cturnbull-bitwarden in #7351
- [PM-34530] Display schedule discount on premium subscription page by @amorask-bitwarden in #7375
- [PM-33897] Schedule Aware Cancellation and Reinstatement by @sbrown-livefront in #7374
- [PM-34530] Fix schedule discount scope on premium subscription page by @amorask-bitwarden in #7378
- [PM-29956] Add logging to sponsorship redemption flow by @cturnbull-bitwarden in #7381
- [pm-34486] require basic auth on seeder api endpoints by @MGibson1 in #7368
- [PM-34582] Include schedule discount in premium tax estimate by @cturnbull-bitwarden in #7385
- [PM-33788] EF Emergency Access Query Updates by @enmande in #7297
- [PM-34623] Fix stale discount display after Stripe deletion by @amorask-bitwarden in #7391
Full Changelog: https://github.com/bitwarden/server/compare/v2026.3.2...v2026.4.0
Configuration
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
- If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.
Edited by Renovate