This release includes 1 security fix for security teams reviewing exposed deployments.
Summary
AI summary: Updates desktop, host-service, and revert across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Fix dangerouslySetInnerHTML XSS findings in codex. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low | — |
| Feature | Medium | Offer window reload when workspace creation stalls in desktop. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high | — |
| Feature | Medium | Add workspace navigation to command palette in codex. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high | — |
| Feature | Medium | Optimistic workspace creation and Electric write-sync correctness added. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high | — |
| Feature | Medium | Un-gate automations in codex. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high | — |
| Dependency | Medium | Bump version to 1.9.7 in desktop chore. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low | — |
| Performance | Medium | Index-back auth.apikeys shape via derived organization_id column in electric-proxy. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high | — |
| Deprecation | Medium | Revert drop host-offline workspace gate from #4672. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low | — |
| Bugfix | Medium | Tolerate locked+missing worktrees in destroy host-service. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high | — |
| Bugfix | Medium | Restore vertical scroll in new-workspace project picker. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low | — |
| Bugfix | Medium | Bundle DuckDB native binding into x64 macOS build for desktop. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low | — |
| Refactor | Medium | Rename sidebar 'Tasks' to 'Issues & PRs'. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low | — |
| Other | Medium | Weekly changelog updated for 2026-05-18. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low | — |
| Other | Medium | Update trusted-by logo in marketing chore. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low | — |
Full changelog
What's Changed
- chore(desktop): bump version to 1.9.7 by @Kitenite in https://github.com/superset-sh/superset/pull/4692
- rename sidebar 'Tasks' to 'Issues & PRs' by @AviPeltz in https://github.com/superset-sh/superset/pull/4698
- fix(desktop): bundle DuckDB native binding into x64 macOS build by @saddlepaddle in https://github.com/superset-sh/superset/pull/4694
- docs: weekly changelog — 2026-05-18 by @Kitenite in https://github.com/superset-sh/superset/pull/4695
- fix(host-service): tolerate locked+missing worktrees in destroy by @Kitenite in https://github.com/superset-sh/superset/pull/4693
- feat(desktop): offer window reload when workspace creation stalls by @Kitenite in https://github.com/superset-sh/superset/pull/4699
- [codex] fix sidebar notifications after host restart by @Kitenite in https://github.com/superset-sh/superset/pull/4703
- revert: drop host-offline workspace gate from #4672 by @Kitenite in https://github.com/superset-sh/superset/pull/4727
- chore(marketing): update trusted-by logo by @Kitenite in https://github.com/superset-sh/superset/pull/4728
- [codex] Add workspace navigation to command palette by @saddlepaddle in https://github.com/superset-sh/superset/pull/4730
- feat: optimistic workspace creation + Electric write-sync correctness by @saddlepaddle in https://github.com/superset-sh/superset/pull/4707
- fix(desktop): backport v2 glyph/font-settle fixes to v1 terminal by @Kitenite in https://github.com/superset-sh/superset/pull/4733
- [codex] Fix git status refresh storm by @Kitenite in https://github.com/superset-sh/superset/pull/4731
- fix: solve #4680 — restore vertical scroll in new-workspace project picker by @github-actions[bot] in https://github.com/superset-sh/superset/pull/4681
- [codex] ungate automations by @saddlepaddle in https://github.com/superset-sh/superset/pull/4734
- perf(electric-proxy): index-back auth.apikeys shape via derived organization_id column by @alco in https://github.com/superset-sh/superset/pull/4713
- [codex] fix changes tree context menu by @saddlepaddle in https://github.com/superset-sh/superset/pull/4736
- [codex] fix dangerouslySetInnerHTML XSS findings by @Kitenite in https://github.com/superset-sh/superset/pull/4741
- [codex] Fix Codex workspace MCP loading by @Kitenite in https://github.com/superset-sh/superset/pull/4742
- [codex] Revert optimistic workspace Electric transaction work by @saddlepaddle in https://github.com/superset-sh/superset/pull/4744
New Contributors
- @alco made their first contribution in https://github.com/superset-sh/superset/pull/4713
Full Changelog: https://github.com/superset-sh/superset/compare/desktop-v1.9.7...desktop-v1.9.9
Breaking Changes
- Reverted host‑offline workspace gate removal introduced in #4672
Security Fixes
- [codex] Fixed dangerouslySetInnerHTML XSS findings
About Superset
Code Editor for the AI Agents Era - Run an army of Claude Code, Codex, etc. on your machine