Update bitwarden to v2026.5.0
This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| bitwarden/clients | minor | 2026.4.2 → 2026.5.0 |
| bitwarden/server | minor | 2026.4.2 → 2026.5.0 |
Release Notes
bitwarden/clients (bitwarden/clients)
v2026.5.0: Web v2026.5.0
What's Changed
- PM-34920 updated icons to be contrast friendly by @voommen-livefront in #20154
- SSH Agent v2: add Unix socket listener by @neuronull in #20046
- [PM-33314] Add FlightRecorder at @bitwarden/logging by @dani-garcia in #20171
- [PM-35318] Desktop v3/4 - Showing two "Archived" badge by @gbubemismith in #20239
- SSH Agent v2: add Windows named pipe listener by @neuronull in #20077
- [CL-1130] Fix storybook a11y and console errors for dirt files by @vleague2 in #19919
- [CL-1128] Fix OnPush Lit Ignore Kitchen Sink Stories by @iivins-livefront in #20044
- [PM-29956] Add logging to sponsorship redemption flow by @connerbw in #19947
- [CL-1111] Migrate key management CTAs to new icon API by @BryanCunningham in #19486
- PM-27343 Mitigate build warnings by @dan-livefront in #19618
- [PM-29549] Update PhishingDetectionService to use constructor, add unit tests by @lastbestdev in #20079
- Auth/Innovation/PM-34210 - Desktop - Add devices dialog by @JaredSnider-Bitwarden in #19797
- [PM-35335] Fix bug making discard edits dialog show on navigate after… by @mcamirault in #20267
- [PM-35318] Desktop v3/4 - Showing two "Archived" badge by @gbubemismith in #20273
- [PM-28190] Migrate clients to use SDK for cipher sharing operations. by @nikwithak in #18548
- [deps] AC: Update core-js to v3.49.0 by @renovate[bot] in #19842
- [CL-1112] Migrate autofill CTAs to new icon API by @BryanCunningham in #19487
- [CL-1108] Migrate billing CTAs to new icon API by @BryanCunningham in #19483
- [PM-30483] Remove feature flagged logic for passkey unlock by @eligrubb in #19798
- Fix typechecking issue in CipherService tests by @nikwithak in #20288
- [PM-31635] Update emergency access takeover to use new separate salt by @enmande in #20139
- [PM-35330] Fix state not being updated on change kdf by @quexten in #20259
- [PM-35240] Add sync before forced kdf migration by @quexten in #20193
- [PM-33315] Create @bitwarden/logging by @dani-garcia in #20197
- Scaffold win_webauthn [PM-29785] by @iinuwa in #20278
- Move Jest dependency ownership to Platform by @trmartin4 in #20254
- Migrate client specific skills into correct location by @theMickster in #20233
- [PM-32784] Increase search service search performance by 50x and defer indexing by @quexten in #19251
- [PM-32598] - Remove Unused sso/details Endpoint by @sven-bitwarden in #20012
- [PM-35365] [deps] Platform: Update nx monorepo to v22.6.5 by @renovate[bot] in #20269
- [PM-34577] Refactor Vault Filter Component by @JaredScar in #20098
- [deps] Platform: Update jest-preset-angular to v16.1.4 by @renovate[bot] in #20202
- Add win_webauthn utility functions by @iinuwa in #20279
- [CL-1171] remove berry default limit by @BryanCunningham in #20283
- Add win_webauthn crypto functions by @iinuwa in #20280
- PM-35363 resolved stale child controllers by @bmbitwarden in #20295
- [CL-1130] Fix a11y and storybook errors in UIF-owned code by @vleague2 in #19921
- [deps]: Update nrwl/nx-set-shas action to v5 by @renovate[bot] in #19856
- [PM-35138] Update targeting rules data on vault sync by @jprusik in #20159
- [PM-29199] fix not clear only 20 emails input by @JaredScar in #18950
- Add safe wrappers and helpers for webauthn.h by @iinuwa in #20281
- [PM-35458] fix status check by @BTreston in #20312
- [deps] Autofill: Update tldts to v7.0.28 by @renovate[bot] in #20268
- PM-32375 Add dynamic text to Autofill Confirmation Dialog by @nikwithak in #20071
- Revert "Add safe wrappers and helpers for webauthn.h" / (fix mac / linux desktop launch error) by @quexten in #20319
- Autosync Crowdin Translations for browser by @bw-ghapp[bot] in #20322
- Autosync Crowdin Translations for desktop by @bw-ghapp[bot] in #20321
- Autosync Crowdin Translations for web by @bw-ghapp[bot] in #20323
- [CL-1130] Fix usage of export message key by @djsmith85 in #20324
- Autosync Crowdin Translations for browser by @bw-ghapp[bot] in #20327
- Autosync Crowdin Translations for web by @bw-ghapp[bot] in #20328
- [BRE-1841] Fix truncate logic for container images tags in Build Web workflow by @vgrassia in #20335
- Reapply "Add safe wrappers and helpers for webauthn.h (#20281)" (#20319) by @iinuwa in #20326
- Auth/PM-35336 - TokenService - prevent stale access token retrieval to fix logout on org user confirm by @JaredSnider-Bitwarden in #20334
- [PM-35668] [deps] Platform: Update jest-mock-extended to v4.0.1 by @renovate[bot] in #20343
- [PM-35491] Replace start-to-tray with autostart detection by @quexten in #20316
- [deps] Platform: Update Minor and patch webpack updates by @renovate[bot] in #20346
- Add methods for allocating COM memory by @iinuwa in #20282
- [deps] Architecture: Update Minor and patch linting updates by @renovate[bot] in #20345
- [CL-1109] Migrate DIRT CTAs to new icon API by @BryanCunningham in #19484
- [PM-23355] - use MP reprompt in bulk assign to collections by @jaasen-livefront in #20249
- [PM-30860] - Provide a method for Exact Match functionality within the autofill confirmation flow by @jaasen-livefront in #19928
- [PM-26417] Remove eager AccessIntelligenceModule import to enable proper lazy loading by @AlexRubik in #20305
- [PM-34822] Consistency in handling 400 and 404 in Org Integrations by @voommen-livefront in #20131
- [PM-28045] - Validate Organization Key Population by @jrmccannon in #19954
- [deps] Platform: Update @types/node to v22.19.17 by @renovate[bot] in #20238
- [PM-33875] Revocation Reason Messages by @sven-bitwarden in #20177
- BRE-1844 - Change Choco API Key secret name by @vgrassia in #20396
- Update Publish CLI Workflow with fixes for installing the latest NPM by @vgrassia in #20354
- [BRE-1844] Remove legacy failure check job by @vgrassia in #20408
- [FIX] Replaced hard coded auth key name with variable from AKV by @gitclonebrian in #20406
- PM-35270 moved eventcollection to phishing detection service by @voommen-livefront in #20300
- [deps]: Update cargo-deny to 0.19.4 by @renovate[bot] in #20389
- [BRE-1844] Fix Slack webhook by @vgrassia in #20416
- [PM-35484] Remove exemption for owners/admins for mp policy by @BTreston in #20398
- [PM-34775] Generate Invite Link Lib and API Service by @BTreston in #20301
- [deps]: Update uuid to v14 [SECURITY] by @renovate[bot] in #20350
- chore(deps): group electron in Renovate config by @addisonbeck in #20405
- Allow change-login-password invocation in non-Angular contexts by @blackwood in #15150
- [BRE-1845] Setting the id in the keyvault for easier rotation by @pixman20 in #20414
- [PM-34195]Apply readonly guards on autofill by @dan-livefront in #20237
- [BRE-1845] Removing unused code for Apple signing by @pixman20 in #20412
- [PM-32686] Add bank account item type by @gbubemismith in #19302
- [PM-32495] adding abe key encoding check to address injection issues by @itsadrago in #20349
- [PM-34788] Fix silent error swallowing in saveRiskInsightsReport$ by @AlexRubik in #20180
- [BRE-1845] Updating SHA256 sig for EV cert by @pixman20 in #20421
- [PM-34409] Create new SCIM UI by @BTreston in #20272
- [PM-34408] Refactor invite member dialog and access selector by @BTreston in #20161
- [CL-1141] Improve tailwind config structure across apps and libs by @vleague2 in #20102
- [PM-14820] CLI: Replace legacy generator service with credential generator service by @harr1424 in #19607
- Update sdk-internal to 0.2.0-main.712 by @bw-ghapp[bot] in #20351
- [PM-34830][POC] Atomic writes for SDK client managed state by @mzieniukbw in #20095
- BRE-1854: Add actions:write permission to build-web-target workflow by @brandonbiete in #20428
- [PM-33121][VULN-394] Use fromChromeEvent + onCommitted for earlier phishing interception by @AlexRubik in #19375
- [PM-34159] - Decouple Auto Confrim and Single Org by @jrmccannon in #20330
- [PM-35698] filters not rendering on page load by @JaredScar in #20357
- Nx telemetry setting (analytics: false). by @blackwood in #20433
- [PM-33797] AIV2: Standardize Models and Services: Wire Up by @Banrion in #20081
- [PM-31441] Improve long attachment file name handling by @shane-melton in #20183
- [PM-35264] Add org ability, hide UI if UseInviteLink is false by @BTreston in #20358
- [PM-28091] - Add copy and quick launch action items by @jaasen-livefront in #20059
- [PM-30447] ssoRequiredCache fix by @rr-bw in #19879
- [PM-851] custom field reordering not keyboard accessible by @jengstrom-bw in #20099
- [PM-35761] Default sort in PM Vault incorrect by @gbubemismith in #20364
- [PM-28660] Folder filter properly for folders with no items by @JaredScar in #20402
- [PM-35354] Fix empty error toast when DisableHideEmail policy is not respected on browser by @harr1424 in #20332
- [PM-35826][PM-35797] SSH Key fixes for new item grid by @nick-livefront in #20378
- [PM-31061] Implement biometrics migration by @quexten in #20127
- PM-35200 - Create contributing guide for Claude tooling by @theMickster in #20430
- [PM-35253] Add organization ability UseInviteLinks by @r-tome in #20227
- [PM-36072] Change DN + Skunkworks Shared Ownership To Be More Precise by @coltonhurst in #20440
- Desktop: Fix ssh import key button by @neuronull in #20314
- [PM-33951] automatically confirm pending users on admin login by @JaredScar in #20331
- [PM-31364] discard edits dialog to policies page by @JaredScar in #20096
- [PM-35038] Fix Link SSO button not rendering in org options menu by @jaasen-livefront in #20410
- [PM-34394] Organization invite service by @BTreston in #20367
- Revert "[PM-31061] Implement biometrics migration" by @quexten in #20455
- [BRE-1851] - Update Crowdin API token by @vgrassia in #20456
- [PM-34918] use sdk for collection decryption by @JaredScar in #20136
- PM-30396 resolved zoho importer by @bmbitwarden in #20265
- [deps]: Update Rust crate rusqlite to v0.39.0 by @renovate[bot] in #19847
- fix BIT workflow call by @aj-bw in #20458
- [PM-34890] Update icon usage to bit icon by @voommen-livefront in #20181
- Auth/PM-36080 by @JaredSnider-Bitwarden in #20452
- Auth/DeviceManagement - Fix flaky test by @JaredSnider-Bitwarden in #20429
- [PM-33887] Add Revocation Reasons to Member Page UI by @sven-bitwarden in #20442
- [PM-34887] - Improve responsiveness of AC collection table by @jaasen-livefront in #20104
- [BRE-1851] Update to use official Crowdin action latest version by @vgrassia in #20464
- [deps] Tools: Update Rust crate clap to v4.6.1 by @renovate[bot] in #19844
- [PM-33597] fix: add try/catch for malformed JSON input in parseEmail by @maksimtech in #19573
- [PM-36233] Revert "[PM-14820] CLI: Replace legacy generator service with credential generator service" by @harr1424 in #20465
- [PM-36106] add test ids and re-add role multiselect by @BTreston in #20450
- [PM-36187] Refactor sm section by @BTreston in #20457
- [PM-36090] Fix placeholder by @BTreston in #20451
- [deps]: Update yargs to v18 by @renovate[bot] in #18718
- [bre-1874] switch BIT to workflow dispatch by @aj-bw in #20469
- [PM-36015] Fix dialog size for 1-column add-item grid layout by @nick-livefront in #20446
- [PM-36186] use mousedown for ng-select outside-click detection by @BryanCunningham in #20474
- [PM-28727] Update web docker file to match .NET 10 upgrade done in server by @justindbaur in #20476
- PM-29657: Shift PUT Policy/VNext -> PUT Policy, Finalize MigrateItemsVault FF by @sven-bitwarden in #20404
- [BRE-1845] Triggering web deploy by @pixman20 in #20466
- [PM-796] Fix boolean parsing when using serve command by @djsmith85 in #20302
- Minimal implementation of DL and Passport by @nick-livefront in #20438
- [PM-35153] Revert collection encrypt implementation by @eliykat in #20477
- [PM-34380] Remove SASS from apps/web by @Hinton in #19859
- [PM-36090] add dynamic seat validation, fix copy by @BTreston in #20470
- Update sdk-internal to 0.2.0-main.721 by @bw-ghapp[bot] in #20488
- [PM-34155] Enhance policy service with accepted policies retrieval and update sync response structure for new sync response by @JaredScar in #20336
- Remove unused NgIf import from SetupExtensionComponent by @nick-livefront in #20490
- [PM-34388] Add API method to update organization invite link allowed domains by @r-tome in #20431
- [BRE-1851] Remove GPG signing by @vgrassia in #20497
- [PM-36047] Add tech-leads group as owners of the CODEOWNERS file by @coltonhurst in #20435
- [deps] Tools: Update @types/jsdom to v28 [PM-32324] by @renovate[bot] in #19002
- Update sdk-internal to 0.2.0-main.723 by @bw-ghapp[bot] in #20507
- [deps]: Update ruby to v4 by @renovate[bot] in #18203
- [PM-33174] Remove master key from auth request login by @quexten in #19372
- Desktop Native: Run integration tests in CI by @neuronull in #20424
- [PM-31826] Update *ngIf to @if and *ngFor to @for in vault lib components by @jengstrom-bw in #18817
- [CL-962] update banner component styles by @iivins-livefront in #20045
- [PM-34036] Skip corrupted attachments during zip vault export by @gbubemismith in #19976
- [PM-34158] - Confirmed User Migrate Items by @jrmccannon in #20337
- PM-19944 - remove feature flag pm-19941-migrate-cipher-domain-to-sdk by @nikwithak in #20147
- PM-24328 Remove feature flag pm-22136-sdk-cipher-encryption by @nikwithak in #20150
- [PM-36609] Add regex manager for updating electronVersion on electron updates by @trmartin4 in #20520
- Add Windows WebAuthn Plugin FFI safe type wrappers [PM-29785] by @iinuwa in #20284
- [PM-35052] Address Access Intelligence refactor feedback by @AlexRubik in #20271
- PM-35060 specify import return path by @voommen-livefront in #20422
- [PM-34891] Use star end icons in buttons by @voommen-livefront in #20232
- [PM-21777]Defect Safari - Save login notification bar icon is stretched and Save login is scrollable by @dan-livefront in #20449
- [PM-36045] Fix application of bitLink selector in desktop usages by @vleague2 in #20494
- [CL-1106] Migrate vault CTAs to new icon API by @BryanCunningham in #19481
- Small fix for ssh namespace mismatch by @coltonhurst in #20502
- [PM-35196] use compile-time flag to enable performance instrumentation by @audreyality in #20525
- [deps] KM: Update node-forge to v1.4.0 [SECURITY] by @renovate[bot] in #19795
- [BRE-1851] Move all release publish deploy workflows by @vgrassia in #20518
- Autotriage merge candidate by @blackwood in #20149
- [PM-28346] Use SDK for attachment delete operations by @gbubemismith in #20361
- [PM-35216] Align at-risk members CSV header with drawer label by @AlexRubik in #20315
- Autosync Crowdin Translations for browser by @bw-ghapp[bot] in #20500
- [PM-31112] Decouple local tools crypto from user key by @mzieniukbw in #19433
- [PM-32391] bw edit should exit with non-0 when user do not have R/W permission to the item. by @gbubemismith in #20370
- [PM-35201] Enhance password reset logic in MemberActionsService by @JaredScar in #20504
- [PM-34832] Update event logging messages for account recovery by @JaredScar in #20512
- SSH Agent v2: list keys by @neuronull in #20371
- [CL-1193] document banner dismiss button binding behavior by @willmartian in #20532
- [PM-31364] Discard edit bug fixes by @JaredScar in #20511
- PM-36834 Fixes OrganizationId Missing From Access Intelligence API Calls When Switching Tabs. by @prograhamming in #20531
- [CL-989] updating popover component by @iivins-livefront in #20021
- PM-29781 removed feature flag and corresponding code by @bmbitwarden in #20487
- [deps] Tools: Update jsdom to v29 [PM-34333] by @renovate[bot] in #19850
- [PM-36571] Custom field hidden field right buttons are in the wrong place by @jengstrom-bw in #20509
- PM-26250 Explore options to enable direct importer for mac app store build by @harr1424 in #17479
- Autosync Crowdin Translations for desktop by @bw-ghapp[bot] in #20499
- Autosync Crowdin Translations for web by @bw-ghapp[bot] in #20501
- [PM-33473] Remove pm-29594-update-individual-subscription-page feature flag by @amorask-bitwarden in #20311
- [PM-34389] Wire refreshInviteLink to dedicated server refresh endpoint by @r-tome in #20522
- [PM-32586] Add readonly view to Send edit flow by @mcamirault in #19688
- [PM-27896]Remove disabled orgs from notification org dropdown by @dan-livefront in #20368
- [PM-36629] Cipher Filter Refactor + Feature Flags by @nick-livefront in #20491
- [CL-1192] Improve spotlight behavior and test coverage by @vleague2 in #20527
- [PM-34397] Allowed domains field by @BTreston in #20513
- [PM-31942] Add FileReportPersistenceService implementation to store Access Intelligence reports as files (pt. 2) by @lastbestdev in #20289
- [CL-1191] - spotlight and popover fixes by @jaasen-livefront in #20519
- [PM-26202] Refactor vault page to subcomponents to make it more wieldy by @JaredScar in #20373
- Revert "[deps] Tools: Update jsdom to v29 [PM-34333] [PM-36962]" by @itsadrago in #20565
- Use globalEnvironment$ on environment selector by @trmartin4 in #20495
- Update sdk-internal to 0.2.0-main.733 by @bw-ghapp[bot] in #20587
- Update sdk-internal to 0.2.0-main.737 by @bw-ghapp[bot] in #20590
- [deps] Architecture: Update Minor and patch linting updates to v8.59.1 by @renovate[bot] in #20576
- Linting is removing this line by @coltonhurst in #20558
- [PM-30942] Allow user to download logs from a user-initiated button click by @harr1424 in #20420
- Update rkyv vuln due to RUSTSEC-2026-0122 by @coltonhurst in #20593
- [PM-34669] Fix premium modal dismissal not persisting across browser restarts by @amorask-bitwarden in #20182
- Add autocomplete current-password to master password input by @differsthecat in #20552
- Add autofill check for autocomplete="current-password" by @differsthecat in #20556
- [PM-37069] Move rust dep to autofill-desktop-dev ownership by @jprusik in #20597
- [PM-36840] Return sample data for bank account CLI template by @nick-livefront in #20563
- [PM-36858] Fix routing number copy toast showing generic message by @nick-livefront in #20562
- [deps] Autofill: Update prettier-plugin-tailwindcss to v0.8.0 by @renovate[bot] in #20577
- [PM-32833] Remove Input Password Feature Flag by @rr-bw in #20306
- [PM-32019] add diamond action chip to archive menu option in desktop by @jengstrom-bw in #20186
- [CL-1115] accordion component by @BryanCunningham in #20508
- [PM-36617] Enhance PoliciesComponent: Add focus restoration for active element by @JaredScar in #20550
- [PM-35655] - escape html in new item nudge component by @jaasen-livefront in #20409
- [PM-36048] - redirect back to vault after coachmark tour ends by @jaasen-livefront in #20445
- PM-36583 - Add override for 'tmp' library to 0.2.4 by @nikwithak in #20528
- [Shared Unlock] [PM-34510] Remove desktop-side browser ipc fingerprint by @quexten in #19905
- Autosync Crowdin Translations for browser by @bw-ghapp[bot] in #20553
- Autosync Crowdin Translations for web by @bw-ghapp[bot] in #20555
- [deps] Platform: Update jest-junit to v17 by @renovate[bot] in #20584
- Autosync Crowdin Translations for desktop by @bw-ghapp[bot] in #20554
- [PM-31059] Implement state bridge support by @quexten in #20394
- Disable state bridge by @quexten in #20615
- [PM-31760] Implement sign() for PrivateKey by @coltonhurst in #20523
- Non-login form/field disqualifier for signup/subscription forms by @blackwood in #20411
- [PM-36565] creating new item from new dialog is not working by @JaredScar in #20560
- [PM-21374] Wrong notification is displayed when copying a passphrase from the generator history by @harr1424 in #20546
- [PM-28191] Replace SaveCollectionsWithServerAdmin API calls to use SDK by @nikwithak in #20359
- PM-34680 include enriched tags in the HEC template by @voommen-livefront in #20539
- [PM-35268] tech req for push based event delivery splunk by @voommen-livefront in #20369
- Remove BW-GHAPP tokens and GPG from repository-management workflow by @AmyLGalles in #20624
- Bump client version(s) by @github-actions[bot] in #20626
- [PM-34405 | PM-34406] Invite url field by @BTreston in #20557
- [PM-32698] feat(vault): add copy button for cardholder name in card detail view by @Sebastianhayashi in #19216
- [PM-32693] Driver's License for the Web by @nick-livefront in #20461
- [deps]: Update actions/github-script action to v9 by @renovate[bot] in #20391
- [PM-36973] lazy-loading jsdom by @itsadrago in #20568
- [PM-37065] Failed-to-decrypt vault items are not displayed at the top of the vault list by @gbubemismith in #20616
- [PM-35399] golddragon007 performance fix by @audreyality in #20622
- [PM-36877] Remove nudge from bank account cipher type by @nick-livefront in #20561
- [PM-34111] Add Driver's License item type to the CLI by @nick-livefront in #20620
- [PM-34108] Add Driver's License to browser by @nick-livefront in #20638
- [PM-36616] Fix fido2 script injection not respecting blocked domains by @jprusik in #20551
- [PM-34791] fix duplicate call to i18n removing pricing term for non-english languages by @kdenney in #20542
- [PM-31054] Add state service for V2UpgradeToken by @Thomas-Avery in #20636
- [PM 34174]Do not show renewal reminder banners to exempt organizations by @cyprain-okeke in #20201
- [PM-37234] - fix launch button by @jaasen-livefront in #20629
- [PM-29073] Remove Premium Badge Opens New Premium Upgrade Feature Flag by @sbrown-livefront in #20287
- [PM-31061] Implement biometrics migration by @quexten in #20506
- [Shared Unlock] [BEEEP|IS|PM-22254] Support IPC transport to desktop and browser flatpak, snap by @quexten in #14836
- Update sdk-internal to 0.2.0-main.757 by @bw-ghapp[bot] in #20663
- Autosync Crowdin Translations for browser by @bw-ghapp[bot] in #20660
- Autosync Crowdin Translations for desktop by @bw-ghapp[bot] in #20659
- Autosync Crowdin Translations for web by @bw-ghapp[bot] in #20661
- PM-36610 derive users from cache after import by @voommen-livefront in #20526
- [PM-36972] [PM-37468] Update revocation reason tooltips by @vincentsalucci in #20649
- [PM-36560] Create Send event logs by @harr1424 in #20567
- [PM-37521] Refactor password strength component for improved performance and to properly work by @JaredScar in #20650
- [PM-31652]Inline autofill for totp code on vimeo.com login does not appear by @dan-livefront in #20436
- [PM-32738] Passport Web by @nick-livefront in #20514
- [PM-37560] Respect lock or logout signal during Send edits by @harr1424 in #20669
- [PM-31317] Remove flagged logic from clients feature flag pm-29438-welcome-dialog-with-extension-prompt by @jengstrom-bw in #20619
- [PM-16191] - fix popup width when opening in popped out mode by @jaasen-livefront in #20188
- Remove accidentally re-added i18n values by @quexten in #20667
- [PM-34109] Driver's License to Desktop by @nick-livefront in #20530
- [PM-31945] Fix missing group access to collections in Access Intelligence V2 by @lastbestdev in #20545
- [PM-35378]Remove stale iconServerUrl by @dan-livefront in #20549
- [PM-37485] Bugfix: Autofill settings do not save in browser extension by @nikwithak in #20658
- [PM-32743] Convert collections to folders when importing into My Items by @mcamirault in #20453
- [PM-29654] Hide copy button when custom field has no value by @gbubemismith in #20459
- PM-37554 resolved double cancel issue (#20683) by @bmbitwarden in #20707
🍒 🤏 [PM-29067] Remove Feature Flag Code for PM-24032 (#20415) by @sbrown-livefront in #20737- [PM-37816] Remove Getting Started tab on extension install (pick) by @trmartin4 in #20757
- [PM-37759] Unable to use passkey that is stored in my vault to log in cherry pick by @jengstrom-bw in #20784
- [PM-37720] Fixes vault changing of orgs by @JaredScar in #20786
- [PM-37816] Revert removal of Getting Started tab on extension by @trmartin4 in #20792
New Contributors
- @maksimtech made their first contribution in #19573
- @Sebastianhayashi made their first contribution in #19216
Full Changelog: https://github.com/bitwarden/clients/compare/web-v2026.4.2...web-v2026.5.0
bitwarden/server (bitwarden/server)
v2026.5.0: Version 2026.5.0
What's Changed
🐛 Bug fixes
- [PM-36613] Void open invoices for unpaid subscriptions by @amorask-bitwarden in #7589
📦 Dependency Updates
- Update
Bitwarden.Server.Sdkto1.5.2by @justindbaur in #7559 - Bumped version to 2026.4.2 by @connerbw in #7619
🎨 Other
- [PM-33501] Prevent orphaned Sends during user and org deletion by @harr1424 in #7386
- Arch/qa env seeding tweaks by @MGibson1 in #7430
- [deps] Tools: Update MailKit to 4.16.0 [SECURITY] by @renovate[bot] in #7502
- [PM-25056] - Deadlock testing fix by @jrmccannon in #7478
- [AppSec] AI Fix for Template Injection in GitHub Workflows Action by @aikido-autofix[bot] in #7448
- [PM-34427] Fix Users can edit and save sends with the hide email address option enabled by @harr1424 in #7509
- [PM-30483] Remove feature flagged logic around passkey unlock by @eligrubb in #7318
- Add README for PolicyRequirements feature by @eliykat in #7503
- [PM-27278] add AccountKeysRequestModel to RegisterFinishRequestModel for account encryption v2 support by @eligrubb in #6798
- Add seed script for local development by @Hinton in #7490
- billing/pm-24665/license-file-generation-should-fail-for-unpaid-subscription by @cyprain-okeke in #7444
- Migrate server specific skills into correct location by @theMickster in #7488
- [PM-32598] - Remove Unused sso/details Endpoint + Sprocs by @sven-bitwarden in #7400
- Move missed integration files to DIRT by @eliykat in #7487
- [PM-35306] Fix password change not working when using the unlock and authentication data models by @quexten in #7505
- Update SSO package path in Renovate config by @ike-kottlowski in #7518
- [sm-1878] Adding feature flag for secret versioning by @cd-bitwarden in #7170
- Feature flag for autotriage (autofill) by @blackwood in #7528
- [PM-33436] Refactor setup shell commands by @dereknance in #7494
- Add -o --output parameters to DB seeder util for preset command by @mimartin12 in #7495
- [PM-34213] Create attachment event log by @shane-melton in #7425
- [PM-35489] Move collections to AC ownership by @eliykat in #7523
- [PM-34813] fix system coupons regression by @kdenney in #7515
- [PM-35250] Prevent Custom Users Removing Admins by @sven-bitwarden in #7526
- [PM-35305] Add desktop-ui-settings-dialog flag by @Hinton in #7491
- [PM-34822] Consistent error response 400 and 404 in Org Integrations controller by @voommen-livefront in #7458
- [PM-28045] - Org Key Validation by @jrmccannon in #7384
- [PM-33875] Add Revocation Reasons by @sven-bitwarden in #7473
- [PM-35489] Move collections to AC ownership - update namespaces by @eliykat in #7532
- fix(ci): fix startup_failure in move_edd_db_scripts job by @addisonbeck in #7554
- [BRE-1848] Remove legacy failure check job and Slack webhook by @vgrassia in #7557
- [PM-34116][PM-34117] Drivers License and Passport by @nick-livefront in #7512
- PM-35200 - Create contributing guide for Claude tooling by @theMickster in #7508
- [PM-34883] - Add InjectOrganizationUserAttribute by @jrmccannon in #7536
- [PM-29090] Remove FF:
pm-26793-fetch-premium-price-from-pricing-service- Flag by @amorask-bitwarden in #7549 - [PM-35805] Add BulkAutoConfirmOnLogin feature flag by @JaredScar in #7553
- [PM-34565] Save Cancellation Details for Scheduled Subscriptions by @sbrown-livefront in #7535
- Auth/pm 35392/master password service foundation by @enmande in #7530
- [PM-34601] Bump Group.RevisionDate on edits and access changes by @r-tome in #7467
- Implement master password policy requirement by @BTreston in #7537
- [deps] Billing: Update coverlet.collector to v10 by @renovate[bot] in #7542
- [PM-35252] by @ike-kottlowski in #7501
- [PM-35253] Add organization ability UseInviteLinks by @r-tome in #7489
- [PM-33417] WebAuthn cache by @ike-kottlowski in #7500
- [PM-35351] Fix self-hosted public API member invites by skipping plan retrieval by @r-tome in #7507
- [PM-33885]: Attach RevocationReason to Needed Client Response Model by @sven-bitwarden in #7563
- [PM-34148] Implement feature flag for fetching new policies and organization details by @JaredScar in #7529
- PM-35503 fixed flaky tests due to timing issue. by @prograhamming in #7551
- [PM-36209] Support Unprotect only certificates by @justindbaur in #7569
- [PM-34387] Add organization invite link creation endpoint by @r-tome in #7477
- [BRE-1871] Adding trigger for dev deploy after build on main by @pixman20 in #7572
- [PM-28727] Upgrade to .NET 10 by @dereknance in #7171
- [BRE-1871] Using new trigger action by @pixman20 in #7573
- Removed feature flag by @Patrick-Pimentel-Bitwarden in #7574
- [PM-36250] Add option to load certificate from file path by @quexten in #7571
- [PM-34774] Add GET endpoint for organization invite links by @r-tome in #7534
- [deps] BRE: Update mcr.microsoft.com/devcontainers/dotnet Docker tag to v10 by @renovate[bot] in #6498
- Separate Feature Flags for Desktop Native Team by @differsthecat in #7577
- [PM-32100] Implement Multi-Provider Ability Lookup by @JimmyVo16 in #7552
- [PM-34388] Add organization invite link update endpoint by @r-tome in #7560
- [PM-35263] Admin Portal: Add checkbox for the InviteLinks ability by @r-tome in #7578
- [PM-28346] Use SDK for attachment delete operations by @gbubemismith in #7538
- [PM-36047] Add tech-leads group as owners of the CODEOWNERS file by @coltonhurst in #7562
- [PM-30852] Add support for TDE user key rotation by @Thomas-Avery in #7565
- [PM-34848] Add authorization to PreviewInvoiceController org endpoints by @connerbw in #7583
- [PM-35257] Validate plan frequency tier by @connerbw in #7570
- chore(launch/tasks): Upgrade for .net10 by @enmande in #7584
- [PM-31631] update password pre-login salt response by @ike-kottlowski in #7469
- [PM-36568] Disable Pushed Authorization Request endpoint in Identity and SSO by @ike-kottlowski in #7585
- [BRE-1851] - Migrate Publish and Release workflows by @vgrassia in #7582
- [PM-35909] Preserve existing discounts during price migration by @amorask-bitwarden in #7561
- [PM-34392] Add delete invite link endpoint by @r-tome in #7591
- [PM-36421] Add xmldoc to Admin Console entities by @eliykat in #7580
- [PM-36419] [BEEEP] Add collection management settings to seeder by @eliykat in #7576
- [PM-33289] Stop 500-retry loop on incomplete_expired subs by @amorask-bitwarden in #7525
- [deps] Tools: Pin dependencies by @renovate[bot] in #6204
- [PM-35624] Fix EF GetCountByOnlyOwnerAsync by @JimmyVo16 in #7586
- [PM-35201] Enhance AdminRecoverAccountValidator to include Accepted status by @JaredScar in #7579
- SHOT-152: Remove workflow logic for EE labels by @mimartin12 in #7595
- [PM-33473] Remove
pm-29594-update-individual-subscription-pagefeature flag by @amorask-bitwarden in #7519 - [PM-34389] Add refresh endpoint for organization invite links by @r-tome in #7588
- [PM-19790] [PM-19791] Remove policy requirements feature flag references and definition by @vincentsalucci in #7596
- [PM-35300] emails do not match figma by @JaredScar in #7592
- [PM-36859] Add new feature flag for refactoring Org Collections Vault by @JaredScar in #7599
- [PM-34150] - RequireSSO Applies to Accepted by @jrmccannon in #7603
- [PM-25690] Create UpdateUserResetPasswordEnrollment command by @r-tome in #7594
- PM 35229 [Browser/Desktop] Stripe Checkout from upgrade dialog by @cyprain-okeke in #7606
- PM-31923 adding the whole report endpoints v2 by @prograhamming in #7228
- [PM-23900] Optimize organization exports by @harr1424 in #7590
- PM-36416 - Implement master password reprompt seeding by @theMickster in #7598
- [deps]: Update vstest monorepo by @renovate[bot] in #6869
- [deps]: Update Microsoft.NET.Test.Sdk to v18 by @renovate[bot] in #6870
- Add data protection cert override to recommended dev settings by @MGibson1 in #7614
- [deps]: Update actions/github-script action to v9 by @renovate[bot] in #7545
- PM-34680 serialize values to prevent injection by @voommen-livefront in #7593
- [PM-31781] skip unpaid automations for exempt orgs by @kdenney in #7480
- [PM-37077] Remediate Data Protection errors in DeleteSendsJob by @harr1424 in #7608
- Remove plan file by @eliykat in #7625
- Remove BW-GHAPP tokens from repository-management workflow by @AmyLGalles in #7624
- Fix/repository management remove tokens by @AmyLGalles in #7626
- [PM-36185] Change where Setup container looks for openssl config by @dereknance in #7623
- [PM-37482] Disable migration tester by @eliykat in #7633
- Seeder progress indicators by @withinfocus in #7510
- [PM-37230] remove FF logic from new send endpoints by @itsadrago in #7621
- [PM-35300] fix emails do not match figma by @JaredScar in #7609
- [PM-30215] Allow key rotation for key connector users by @mzieniukbw in #7618
- [PM 34174]Do not show renewal reminder banners to exempt organizations by @cyprain-okeke in #7483
- Auth/PM-37165 - Add Last API Key Rotated Date to User by @JaredSnider-Bitwarden in #7634
- [PM-37292] - add feature flag by @jaasen-livefront in #7630
- [PM-26657] removes feature flag
pm-25083-autofill-confirm-from-searchby @jengstrom-bw in #7610 - Auth/PM-37166 - Devices - add client version by @JaredSnider-Bitwarden in #7632
- [PM-36560] Create Send event logs by @harr1424 in #7602
- PM-37478 temporarily disabling useRiskInsights access controll by @prograhamming in #7631
- [PM-29607] Remove PM24032 Feature Flag by @sbrown-livefront in #7558
- Aspire Integration by @sbrown-livefront in #6775
- Migrate to SLNX Style Solution by @justindbaur in #7645
- [PM-26696] Removes
pm-23904-risk-insights-for-premiumfeature flag by @jengstrom-bw in #7613 - Aspire: Add README for Aspire AppHost setup and usage by @sbrown-livefront in #7646
- chore: ignore C# Dev Kit lscache and dump files by @enmande in #7648
- Auth/PM-37621 - Fix Device.LastActivityDate surfacing legacy NULL rows as DateTime.UtcNow by @JaredSnider-Bitwarden in #7649
- [PM-32743] Add ability to create folders during import to orgs by @mcamirault in #7568
- [PM-19551] Add externalId support to groups PATCH endpoint by @JimmyVo16 in #7620
New Contributors
- @aikido-autofix[bot] made their first contribution in #7448
- @blackwood made their first contribution in #7528
Full Changelog: https://github.com/bitwarden/server/compare/v2026.4.2...v2026.5.0
Configuration
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
- If you want to rebase/retry this MR, check this box
This MR has been generated by Mend Renovate.