Sourcegraph self-hosted 7.5.4453
This is a patch release for Sourcegraph self-hosted 7.5.
Details
Fixes
- Administration Fix Administration access for non-administrators with administrative permissions
This is a patch release for Sourcegraph self-hosted 7.5.
Take control of your codebase. [...]
Deep Search will automatically compact long conversations when a follow-up question is close to the context window limit. [...]
More focused conversations with Deep Search address context window issues and enable even deeper research. [...]
Deep Search conversations now display their creation timestamp in the avatar tooltip.
Deep Search follow-up inputs now expand beyond the previous five-line limit before scrolling internally.
Deep Search now keeps long running conversations moving with automatic context compaction.
Deep Search now uses a fast subagent to find relevant files, reducing its context usage.
Added detailed logging for Deep Search sub-agent timeouts, including context errors, duration, token counts, and tool call information to aid in debugging timeout issues.
search.categorized telemetry event Export topic keywords in search.categorized telemetry event for Deep Search queries
Deep Search conversations triggered from MCP now display a "Triggered from MCP" badge.
Deep Search tool now supports follow-up questions, enabling agents to ask additional questions within an existing Deep Search conversation.
Upgraded SCIP to version 0.9.0. Deprecated SCIP range fields are normalized into typed ranges when indexes are processed or old documents are loaded.
transformChanges.group now supports an optional title field to customize the title of each grouped changeset.
Added configuration validation checks for commit signing and push keys in Batch Changes.
Batch Changes changeset and workspace search now support partial (substring) matches instead of only whole words.
Improved query performance for batch spec workspace listing and execution job creation by optimizing database index order.
The user-specific Batch Changes settings have been updated to make managing Batch Changes credentials and secrets easier.
Now configurable via CHANGESET_SYNC_WORKER_NUM_HANDLERS
Reworked admin UI for configuring code host credentials in Batch Changes, with improved PAT creation links that pre-select necessary scopes.
Agentic changeset hooks fire at most a bounded number of times per changeset spec (configurable via maxAttempts on a hook action, default 5, max 20) instead of re-running on every new commit without limit. Applying a new changeset spec grants a fresh attempt budget. The per-step maxAttempts retry field is deprecated and no longer has any effect.
Batch Change Agent Plan and Resolve pages now support sorting by column using data table column headers.
The batch change agent now provides direct links to published changesets.
The Resolve tab on the batch change agent page now shows the number of merged changesets out of the total published.
Introduced a fullscreen workspace panel view on Agentic Batch Changes with a new hotkey (alt + f).
This allows you to maximize screen real estate so you can focus on reviewing the diff by collapsing the agent conversation and hiding unnecessary elements.
The Batch Change agent's inline ask field now preserves in-progress text across page refreshes and conversation reloads.
Add "Newest first" sort option for changesets in Agentic Batch Changes
Database migrations that create indexes concurrently now automatically terminate blocking transactions during upgrades, preventing long-running queries from indefinitely blocking index creation.
The "textSearchIndex" field on the debug API now includes two new fields: "lastIndexStatus" and "lastIndexFailureMessage". "lastIndexStatus" represents the last status Zoekt reported to Sourcegraph. "lastIndexFailureMessage" contains the error message and is nullable. The error message is truncated to 12KiB and set to null on the next successful index.
Added optional descriptions to executor secrets and display them in secret management UIs to indicate what each secret does.
Executors v1 now use batch-exec by default when executing v1 batch changes steps. To fall back to using src, set EXECUTOR_USE_INTERNAL_EXEC_BINARY to false on the executors.
Added a per-queue events endpoint for executors to publish events to
Support for omitted thinking display mode in the Sourcegraph Model Provider, allowing configuration of how Anthropic's extended thinking is presented
Worker job traces that opt into tracing via their per-job sampler are now retained by OpenTelemetry Collector tail-sampling policies.
Added Database live/dead tuple monitoring for code-intelligence tables, showing active rows, old/deleted rows, and old/deleted row percentage. The dashboard now filters out stale values from workers that are no longer reporting.
Upgrade open telemetry collector v1.57.0/v0.151.0 -> v1.60.0/v0.154.0
RBAC permissions and roles are now sorted alphabetically.
GitHub App admin detail page now displays the app kind. For commit-signing batch changes apps, a warning banner appears when there are no installations, and guidance clarifies that commits will not be signed for organizations or repositories where the app is not installed.
The GitHub App admin detail page now displays who created the app, making it easier for site admins to audit and manage code host connections.
Notifications are now fetched by only a single browser tab at a time, reducing unnecessary API calls when multiple tabs are open.
Fixed Deep Search worker metrics so deleted or canceled questions are no longer counted as processing errors, preventing inflated error rates and unnecessary alerts during low-traffic periods.
Fixed Deep Search alert calculation that was incorrectly showing error rates above 100%.
Error badges in Deep Search tool results are now clickable to copy the full error message.
Fixed Deep Search subagent cards so agent responses appear below their tool calls
Restricted usage of zoekt-search-opts override to users with OBSERVABILITY#READ permission
Fixed unnecessary page refresh when navigating to a repository's code graph page.
Fixed batch changes list total count to correctly reflect active search and creator filters, eliminating inconsistent "N total (showing first 0)" states in the UI.
Batch Changes now classifies gitserver push failures containing does not exist in index as permanent failures. This error occurs when a patch modifies or deletes a file that isn't present in the base revision, so retrying the same patch will always fail. Marking it non-retryable prevents consuming the entire retry budget with repeated force-pushes that will never succeed. A corresponding test case was added in TestIsPermanentPushFailure.
Fixed an issue where GitHub App commit signing could repoint the branch to the wrong commit if the branch ref had moved between commit creation and signing.
Fixed an issue where changesets could incorrectly show a failed check state when GitHub showed checks as passing. Changeset check states now correctly reflect only the latest check run for each check, matching the GitHub UI behavior.
The admin Batch Changes host status card now shows the "Commit signing" badge whenever commit signing is configured for a code host, rather than only when a site credential is connected. This correctly surfaces host-level commit-signing GitHub App configuration, which exists independently of a site credential.
SiteAdminBatchChanges_CodeHost fragment now selects credential.commitSigningPublicKey, and the Playwright spec mocks/snapshots were updated to pin the new fields.Batch changes pages in site admin now show a proper error page when accessed without permissions, and sidebar entries are hidden for users without access.
Push-only changesets now display their changeset name and are presented as a pushed branch instead of an empty changeset-styled entry.
The Agentic Batch Changes UI now consistently uses the code-host-neutral term "changeset" instead of "pull request" across GitHub, GitLab, Bitbucket, and Azure DevOps.
Replaced the Retry button with a continue hint for cancelled or errored Batch Change Agent runs that have already produced work, preventing accidental loss of agent progress when re-submitting the original prompt.
Superseded changeset hook jobs are now skipped instead of being marked as failed with a misleading error message.
Reduced animations in the BCA thread UI to eliminate layout shifts and visual jumps when loading or collapsing/expanding the conversation panel.
Collapsed 'Help and feedback' to an icon on narrow panels to prevent overlap with the Plan/Resolve mode picker.
Hide the +0 −0 diff stat for batch change agents that have no code changes.
Changeset action buttons now show a loading state while an action is running.
Hide error remediation actions like Retry for non-owners viewing shared batch change agents
Fixed issue where branch-only changesets did not correctly show commits in the Resolve tab.
Resize panels now correctly restore their expanded size after collapsing and refreshing the page. Previously, panels would lose their custom size when collapsed and reopened after a page refresh.
Site admins can now use access tokens to revoke IdP client consent, enabling operational automation for consent management.
Fixed an issue where concurrent OAuth token refresh requests could incorrectly revoke valid access tokens due to race conditions in refresh token rotation.
Fixed an issue where fetching all the repositories in a Bitbucket Cloud workspace caused a nil pointer dereference panic.
Fixed h3 letter-spacing in VS Code extension
Kubernetes executor will now surface "ImagePullBackOff" and "CrashLoopBackOff" errors while a Pod is in pending state.
Updated Node.js to v24 LTS in bundled executor
Fixed handling of content block ordering in Anthropic streaming responses to properly respect the index field
When an error occurs in the middle of a repository permissions sync for a user, the user's external account will no longer be marked as invalid. Instead, on the next sync, if the account receives an error again, the account will be marked as expired. This prevents temporary code host errors from wrongly expiring external accounts and removing a user's access to repositories.
Fixed handling of SCIM PATCH requests that update a user's email with only a casing change (example: [email protected] → [email protected]).
Limited the telemetry recordEvents GraphQL mutation to 1,000 events per request to prevent application-level DoS via oversized input arrays.
Added consent-screen warnings for unrecognized OAuth redirect destinations and clarified the MCP scope grants read access to private code, helping users spot phishing during authorization.
Batch change templates now shell-escape filenames in repository.search_result_paths, steps.*_files, previous_step.*_files, and step.*_files to prevent shell injection attacks from maliciously named files in target repositories.
Acknowledged Slack interaction callbacks with a 200 OK immediately, then verified the signature and handled the work in a background goroutine. This mitigated the >3s timeout issues.
Fixed page layout breaking with horizontal scroll when saved search names are too long
Fixed prompt editor paste behavior so formatted clipboard content is inserted as plain text.
Fixed layout issues in agentic UI threads messages display
Fixed file path resolution in worktree folders when symlinks are present.
Removed the unused batchChangesExecution experimental setting; Batch Changes server-side execution is now always enabled if executors are configured
Deprecated the batchChanges.restrictToAdmins site setting; it no longer has any effect. Batch Changes access for non-admins should be managed through RBAC instead.
Deprecated the unused Own site settings own.bestEffortTeamMatching, own.background.repoIndexConcurrencyLimit, own.background.repoIndexRateLimit, and own.background.repoIndexRateBurstLimit. Removed the unused experimental site settings experimentalFeatures.enableStorm, experimentalFeatures.goPackages, experimentalFeatures.jvmPackages, experimentalFeatures.npmPackages, experimentalFeatures.pythonPackages, experimentalFeatures.rubyPackages, and experimentalFeatures.rustPackages.
Gitserver now has automated recloning logic that recovers from repository corruption, so this critical alert is no longer needed.
Free-text user feedback from the in-product happiness survey is now exported via telemetry.
This is a patch release for Sourcegraph self-hosted 7.4.
Fixed an issue where scrolling up during Deep Search response generation would force the view back to the bottom.
Changesets targeting unreachable repositories (deleted, renamed, or outside GitHub App installation scope) now fail immediately instead of retrying repeatedly.
A dedicated history tab for Deep Search conversations shared with you. [...]
Esc to cancel searches Deep Search cancellation now requires double-tapping Esc, preventing accidental cancellations.
Ownership avatars are now shown on all Deep Search conversations.
Allow typing in the prompt editor while Deep Search is processing a query.
Zoekt can now report index failures to Sourcegraph.
Search result headers now wrap more intelligently, allowing result details to flow below action buttons when space is constrained, improving readability and space utilization.
Site admins can now set and clear default search contexts for organizations. Regular users can see their effective default search context and override it for themselves.
After installing a GitHub App, Batch Changes actively polls for credentials for up to 30 seconds and automatically refreshes them if needed, ensuring immediate access without manual intervention.
Batch Changes GitHub App installation now works on instances without external webhook reachability.
Capture response body sizes of chunked responses in the outbound request log
Improved notification visibility for RBAC management actions by displaying messages using toast notifications instead of at the top of the page.
Sourcegraph API now supports manipulating explicit repository permissions, allowing users to be given access to repositories via the API, as opposed to regular permissions syncing from code hosts.
Added telemetry to clarify the executors mode running in a Sourcegraph instance.
Added a reconnect option for user-level GitHub App credentials in Batch Changes settings, allowing users to recover orphaned credentials
Added support for Claude Opus 4.8 to Cody.
Added a limit parameter to the find_references MCP tool to adjust the number of results returned.
Repository administration GraphQL endpoints now use the REPO_MANAGEMENT RBAC permission instead of requiring full site-admin access.
Add per-repo git CLI CPU pprof endpoint to track repository activity
Prevent framing of authentication pages by default to protect against clickjacking attacks. Administrators can opt in to allow framing by setting auth.allowEmbeddedAuth: "true" in site configuration.
Repositories no longer remain stuck in a backoff period (up to 8 hours) after updating code host credentials. The failure counter is now reset when an admin updates the code host configuration with valid credentials.
Added a new user:create outgoing webhook event that triggers when users are created, enabling customers to automate workflows such as assigning explicit permissions.
Optimized Deep Search conversation retrieval to use direct by-id queries instead of full list operations, reducing database load and improving response times.
Fixed resize panel behavior in Deep Search where the source panel would grow uncontrollably and cover other UI elements when using CSS media queries for collapse/expand.
Fixed layout and alignment issues in the citations panel, including file preview headers and source cards. Repository information now wraps responsively when space is limited.
Fixed conversation rendering when viewing a DS conversation referencing repositories you don't have access to.
Polished markdown table styling in answer cards with horizontal scrolling for wide tables, rounded borders, and header backgrounds.
Fixed chips not being cleared from the prompt after message submission and Enter key not submitting messages when only a chip is present.
Prevented cancelled Deep Search queries from reappearing after page refresh.
Fixed stale hover highlight in the Deep Search conversation history panel
When sharing is disabled, the markdown export endpoint and the deepsearch_read tool no longer resolve shared conversations via share tokens. This brings them in line with the web UI, which already honored the setting.
Improved Deep Search prompt to reduce excessive commit searches and provide better context to the finder tool.
Added a retry button for cancelled Deep Search prompts that preserves all content blocks and filters superseded retry attempts from view.
Fixed blame toggle label from wrapping when the symbols sidebar is open in the blob view.
Fixed a panic that could occur when processing certain regular expression patterns during search result hydration.
SCIP upload audit log entries now populate the reason column with the context provided by the backend (e.g. "soft-deleting expired uploads", "upload overlapping with a newer upload") instead of always being empty.
Batch Changes reconciler no longer holds database connections open during code host API calls, reducing connection pool contention.
Fixed an issue where changesets were not rebased when the base revision changed during batch spec re-application.
Fixed an issue where the /admin/permission-syncs page could fail to load if a repository was hard deleted from the database.
Fixed an error when navigating away from the admin roles page
Granting an RBAC role the repo permissions read permission now allows users belonging to that role to access the /admin/permissions-syncs page.
Fixed an issue where the current user count on the /admin/license page included deleted users.
External API user identifier validation now returns CodeInvalidArgument instead of treating invalid formats as internal errors.
The Prompt Library UX will no longer be available when Cody is disabled.
GraphQL max settings (graphQLMaxDuplicateFieldCount and graphQLMaxUniqueFieldCount) are now properly respected when configured in site-config.
Fixed executors running in Kubernetes using Docker-in-Docker (dind).
Fixed permissions sync jobs failing when users are deleted while sync is pending
Fixed an issue where permissions configuration changes were not applied until restart
Improved consistency of the role management page header with other admin pages
Send full response to thread could sometimes time outSend full response to thread/r/github.com/foo/bar would not correctly link to SourcegraphIncreased timeouts for diff and commit search in Deep Search and MCP from 60s to 115s.
Removed batch spec admin page and its backing Query.batchSpecs API.
Added beta warnings for Kubernetes native executor deployment options.
This is a patch release for Sourcegraph self-hosted 7.3.
Updated the OS packages in all Sourcegraph container base images to their latest versions, picking up upstream security and bug fixes. No configuration changes are required.
Deep Search can now count, rank, and aggregate across search results, not just find them. [...]
Smart hover summaries leverage precise code intelligence data to show key architectural details of your code on hover. [...]
Use search contexts in Deep Search to ask questions within a set of repositories. [...]
Administrator privileges can now be delegated through granular RBAC permissions, you can grant users only the admin capabilities they need without making them full administrators. [...]
Making it easier to understand large changes. [...]
Pinpoint where a commit or fix lives across branches, tags, and releases. [...]
Support search contexts in the List Repos tool. The tool now uses a search-based implementation, following the same design as other Deep Search tools such as Keyword Search and NLS Search.
Search context lookup now matches by visible name, namespace, and full spec format, making it easier to find contexts using partial queries.
Added keyboard shortcut (Cmd/Ctrl+Shift+,) to open the scope picker directly from the Deep Search composer.
Added a code execution 'evaluator' tool to Deep Search that allows sandboxed Lua scripts to call keyword, regex, commit or diff searches and process results programmatically.
Deep Search now uses Sonnet 4.6 as the main agent model.
Deep Search can now more efficiently answer questions about which versions and releases contain a specific commit or fix.
Upgraded zoekt dependency to include a 21% performance improvement in git indexing time
Tree-sitter syntax highlighting support for Gherkin/Cucumber .feature files.
SRC_CODE_INTEL_COMMIT_GRAPH_MAX_ANCESTORS can now be set to alter the default of 100.
Added commit signing toggle to OAuth credential configuration flow for batch changes. Users can now enable SSH commit signing when configuring credentials via OAuth (GitHub, GitLab), matching the functionality previously available only in the PAT flow.
As an alternative to SITE_CONFIG_FILE and EXTSVC_CONFIG_FILE, the entire contents of advanced configuration and external service configuration can now be provided using SITE_CONFIG and EXTSVC_CONFIG respectively.
Automatically retry OAuth2 refresh tokens after transient errors, improving authentication reliability and reducing the need for manual reconnection.
Notify users when their account credentials have expired, prompting them to reconnect.
Admins can now customize the sign-in page message when built-in sign-up and access requests are disabled using the new auth.accessRequest.disabledMessage site config field (supports Markdown).
Reorganized file tree panel to show reviewed status inline and moved file stats to bottom of page. Updated file tree styling to match VS Code: removed folder icons and aligned file icons with folder toggle buttons.
Long lines in unified diff mode now wrap instead of extending horizontally
Added visual badges to indicate added, removed, and renamed files in the compare view. Deleted files are now automatically collapsed by default.
Added visual level lines to the file tree view to improve readability of deeply nested directory structures. The tree view is now more condensed with slightly smaller item sizes.
Kubernetes jobs launched by the executor service can now be configured with a runtime class via the EXECUTOR_KUBERNETES_RUNTIME_CLASS environment variable.
When creating a GitHub App from Sourcegraph, the corresponding webhook handler is now linked to the App, and deleting the App in Sourcegraph deletes the webhook handler as well.
Added support for Opus 4.7 model in Cody with adaptive thinking.
Exposed the evaluator tool on MCP endpoints.
Added new OBSERVABILITY#{READ,WRITE} RBAC permissions that gate access to observability and debugging admin endpoints (outbound requests, slow requests, gitserver info, background jobs, search stats, observability test alerts).
Add a dedicated EXTERNAL_SERVICES RBAC namespace gating code host configuration (replacing prior site-admin and REPO_MANAGEMENT checks), grant admin UI access to its holders, and surface a high-trust warning for EXTERNAL_SERVICES#WRITE.
Added EXECUTOR_SECRETS#READ and EXECUTOR_SECRETS#WRITE RBAC permissions to allow delegated executor secret administration without requiring full site-admin privileges.
Added new OOB_MIGRATIONS#{READ,WRITE} RBAC permissions that gate access to the out-of-band migrations admin endpoints.
Added new NOTIFICATIONS#READ and NOTIFICATIONS#WRITE RBAC permissions for controlling access to admin notifications and test email sending
Access request management now uses the USER_MANAGEMENT#{READ,WRITE} RBAC permissions instead of the static site-admin check.
Access token management and auth provider validation endpoints now use ACCESS_TOKENS#READ and ACCESS_TOKENS#WRITE RBAC permissions instead of requiring site-admin status, allowing delegated access token administration without full site-admin privileges.
Non-site-admin users can now manage users, organizations, roles, and permissions when explicitly granted USER_MANAGEMENT#{READ,WRITE} RBAC permissions.
Added INTEGRATION_MANAGEMENT#{READ,WRITE} RBAC permission to allow non-site-admin users to manage Slack, incoming webhook, and outbound webhook integrations
Non-site-admin users can now manage entitlements when explicitly granted ENTITLEMENT#{READ,WRITE} RBAC permissions.
Implemented the BATCH_CHANGES#READ permission. This enables administrators to create a role where users can view, but not edit or create Batch Changes.
Added a Compare action to repository branch listings to open the compare view for a branch.
Smart hover summaries now support entitlements.
Upgrade Monaco editor to 0.55.
In Sourcegraph Cloud, some site config fields are no longer configurable by customers, such as auth.allowedIpAddress, as they are managed by our infrastructure.
Admin notifications now alert when credit balance is low, with thresholds at 50%, 25%, 10%, 5%, and 0% remaining.
SCIM-managed users can now add additional non-primary emails
Admins can now set entitlement limits to zero to fully block user access to a feature.
Add entitlements for smart hover summary, enabling site admins to configure usage limits for the feature.
Added monthly (30-day) window option for entitlements
Users are notified when repository permissions are being synced for the first time and when the sync completes.
Fixed visual bug where the read_file tool in Deep Search showed "undefined" if the line range wasn't explicitly set. Now falls back to "1" for a missing start line and "end" for a missing end line, matching how the backend handles missing bounds.
Fixed pluralization of "more ranges" label in file citations to correctly show singular form when only one range is present
Deep Search now displays an error message when reasoning consumes the entire output budget, preventing users from seeing a blank response.
Deep Search keyword and NLS search results now include repository revisions in file and repo results.
Fixed Deep Search title generation failing with "context length exceeded" on deeply forked conversations.
Scoped listRepos to the active search context when a repo-defined search context is selected.
Fixes a bug where some deep search conversations were not indexed for conversation search. This change triggers a full rebuild of the search index for conversation search, which happens in the background.
Conversation search now correctly finds conversations after their titles have been changed.
Fixed a bug where "/"-delimited regex patterns were incorrectly detected in the Fuzzy Finder, which especially for path queries could lead to zero search results.
Slash-delimited inline regex queries now preserve regex escapes and behave like patterntype:regexp.
Canceled searches are now classified separately from application errors, preventing false-positive SLO burn alerts from normal product behavior.
Fixed an issue where multiple suggestion rows could appear selected simultaneously during Query assist refreshes
Fixed incorrect commit date filter suggestions for "Last week" and "Last month" options, which were using before: instead of after:.
Batch Changes now rejects pushed-only changesets for unsupported code hosts (Bitbucket Cloud) instead of accepting them and failing during reconciliation.
Fixed a batch changes UI error when Bitbucket Cloud pull request metadata is missing its HTML link.
Fixed foreign key constraint violation when re-running batch specs with previously-applied changesets
The Select all button now appears consistently and is more responsive while selecting all changesets on the preview page.
Select All on the batch changes changeset details page will now lazy select all changesets.
Fixed the code host connections page displaying confusing text like "Next sync 4 minutes ago" when a sync was overdue or running. It now shows "Next sync pending." instead.
Fixed incorrect paths used for GitHub OAuth token refreshes
Built-in auth now accepts passwords longer than 72 UTF-8 bytes. Existing hashes continue to work and are migrated on next successful login.
Preserve user permissions when a 401 error occurs immediately after a successful OAuth token refresh, treating it as a transient error rather than a credential revocation. This prevents unnecessary permission wipes caused by GitLab's token rotation eventual consistency and concurrent refresh race conditions.
MCP clients using random ports in redirect URIs no longer require reauthentication when the port changes.
Restored the GraphQL field Repository.createdAt to return the persisted repository timestamp instead of synthetic time.Now() data.
Fixed license key changes taking up to an hour to take effect.
Improved RBAC permission error message formatting for better readability (e.g. "missing READ permission for REPO_MANAGEMENT" instead of "user is missing permission REPO_MANAGEMENT#READ").
Fixed z-index stacking order issues in repository area pages that caused UI elements to overlap with the header search input suggestions panel.
Upgraded github.com/go-jose/go-jose to address CVE-2026-34986, a potential denial of service vulnerability in JSON Web Encryption decryption.
The "Set your preferred editor" popover now shows the current repository name in the path example instead of a hardcoded placeholder.
Fixed collapsible panel resizing that was broken with Svelte 5.55.0.
Fixed syntax validation for Bitbucket Server code host connection configuration
Repository sync failure notifications are automatically cleared after a successful sync
Fixed OTLP receiver in bundled jaeger.yaml to accept cluster traffic by binding to 0.0.0.0:4317 (gRPC) and 0.0.0.0:4318 (HTTP). Previously, after otelcol v0.104.0, the receiver defaulted to 127.0.0.1 and silently dropped traces from other pods.
In non-indexed regex search, when both path and content matching are enabled, searcher now evaluates content even when paths match, ensuring content matches contribute to result counts and aligning counting semantics with indexed search.
Hover tooltips, highlights, and basic code navigation in search-based mode are now powered by Syntactic code navigation.
This is a patch release for Sourcegraph self-hosted 7.2.
Making Code Search easier to use with natural language input. [...]
Try a different approach or continue past the context window limit. [...]
Deep Search conversations can now be renamed by clicking the title or using the rename option in the menu. [...]
Batch Changes now supports bulk syncing all changesets at once, making it easy to refresh state across large batch changes without loading each changeset individually. [...]
Batch Changes now supports OAuth authentication for GitHub code hosts. [...]
The Slack integration now supports multiple workspaces and Enterprise Grid. [...]
Share insights, documentation and architecture diagrams with your team. [...]
The default Sourcegraph MCP endpoint now prioritizes the most commonly used context-gathering tools, while /.api/mcp/all exposes the full tool suite. [...]
Batch Changes now supports OAuth authentication for Bitbucket Server and Bitbucket Cloud code hosts. [...]
Clarified Deep Search sharing notice to explicitly indicate that code will be visible to anyone with the link.
Improved visual feedback when forking conversations
Conversation titles can now be renamed by clicking the title or using the rename button in the options menu.
Use TypeWriter effect for smoother Deep Search conversation streaming
Load mermaid diagram renderer lazily to reduce initial JavaScript bundle size when opening Deep Search.
Tool calls and redis broker operations now have a 2-minute timeout to prevent runaway operations and improve system stability.
Added PDF export option to Deep Search conversations.
Deep Search now uses a faster and more reliable model (GPT-5.4 Nano) to generate conversation titles.
Deep Search users can now fork from any question in an existing conversation. Forking creates a new conversation that includes all questions and answers up to and including the selected question, making it easy to branch into a new line of inquiry while preserving valuable context
When you delete a Deep Search conversation from history, you’ll now see the same small confirmation pop-up used in "Recent conversations".
Deep Search homepage now displays global notices configured with location "home", matching the behavior of the code search homepage.
Improve styling of inline errors in deep search conversations.
Deep Search now receives the user and date info at the start of every conversation.
Code Navigation tooltips can now be used in the Deep Search citations panel without needing to expand a citation.
Commit searches with date filters (after: / before:) are now significantly faster on large repositories.
Indexed search is now faster during both searching and indexing.
Added onboarding prompts to help new users discover Query Assist.
Query assist is now enabled by default for customers with code search licenses who have signed AI terms.
Adds a focus=search URL parameter for the search results page. When present, the search input is focused instead of the first search result, and suggestions are suppressed until the user interacts with the input. This enables external tools (e.g. golinks) to deep-link into Sourcegraph search with the cursor ready for query refinement.
Added Alt+B keyboard shortcut to toggle git blame view in file viewer
Code intelligence hovers are now faster thanks to a simplified architecture that initiates requests earlier during file load and falls back to search-based results more quickly when precise data is unavailable.
Batch change admins can now select changesets and trigger a high-priority status sync from the code host using the "Sync changesets" bulk action on the batch change detail page.
GitHub OAuth tokens can now be used as Batch Changes credentials, providing an alternative to personal access tokens and GitHub Apps.
Added agentic workflows client prototype with three main pages: home page listing predefined workflows and running instances, template page with canvas UI for workflow configuration, and running instance page with logs and outputs panels for monitoring workflow progress.
Usage export now includes user metadata, eliminating the need for additional lookups based on user_id.
Include whether a user is a service account in opt-in user metadata exports.
Add filter support to ListConversationSummaries. Two filter types are supported: content_query for substring search (min 3 characters) and starred for filtering by starred status. Duplicate filters of the same type are rejected with InvalidArgument.
Add a basic repositories service to the Sourcegraph API that can fetch repositories by their ID.
A default ReferenceExample authentication provider is now available in /api-reference. Users can click "Authorize" in the "Authentication" modal to use their own credentials when making test requests in the reference.
The GetUser RPC now supports looking up users by their verified email address using the name parameter, for example: GetUser({ name: 'users/[email protected]' }
The users.v1.Service API now returns verified emails associated with the user.
Add repos field to Azure DevOps external service for explicit repository selection
Updated the required src CLI version to 7.0.2, with OAuth support and more.
Retry git operations on executors to improve reliability during gitserver pod shutdowns.
Admins now receive notifications to clean up GitHub Apps on Sourcegraph if they have been deleted on GitHub.
Normalized LLM provider stop reasons into a consistent enum, enabling provider-agnostic error handling for refusal and content filter cases in deep search and subagents.
Added support for specifying reasoning effort overrides per request, allowing different applications to use different thinking levels with the same model.
Add support for GPT-5.4 models (base, mini and nano).
Added a thinking variant of Claude Sonnet 4.6 to the model selector for comparison and testing purposes.
Add support for Gemini 3.1 Flash Lite
The Code Intelligence Platform and Cody Enterprise plans no longer require a separate license key to use AI features beyond Cody. Deep Search, AI query assist, and future AI features are now automatically enabled on these plans.
MCP tools now validate arguments earlier and provide clearer error messages that mention the specific argument incorrectly used.
read_file: Large files (>128KB) now return the first 200 lines (further capped by bytes to avoid huge responses from files with very long lines) as accurately line-numbered content. The truncation notice is returned in ToolExecutionResponse.Note instead of being appended to the file content, preserving the guarantee that each numbered line corresponds to an actual file line. Binary files are detected and return a clear message with MIME type instead of a misleading line count.nls_search: Tool description rewritten to accurately describe OR-logic keyword matching with stemming. No longer claims to be "semantic search". Includes explicit examples of correct vs incorrect query formatting.list_repos: Now accepts an empty query to list all available repositories. A default pagination limit is always applied at the database layer to prevent unbounded table scans.Added a new RBAC permission MCP#ACCESS for accessing MCP endpoints under /.api/mcp.
Added a new "/all" MCP endpoint that users can opt into before it becomes the default in the next release.
Added site configuration mcp.enabled to allow admins to disable MCP API endpoints instance-wide
Added MCP tool behavior annotations so Sourcegraph tool definitions now expose safety hints like read-only, destructive, idempotent, and open-world to clients
For self-hosted customers:
Added granular SITE_CONFIG#{READ,WRITE} RBAC permissions for site administration endpoints, allowing non-admin users with the appropriate role to view or modify site configuration options.
Administrators can now grant non-site-admin users the ability to manage repositories and code host connections through the new REPO_MANAGEMENT permission. Users with this permission can access the Repositories section of the admin interface without requiring full site administrator privileges.
Gitserver can now be scaled up or down without downtime using secondary fallbacks and a graceful drain mechanism via the SRC_GITSERVER_DRAIN_SHARDS environment variable.
Added sort by last committed (asc/desc) to /admin/repositories, making it easier for admins to identify stale repositories.
Repository pages now show repository icons sync'd from code hosts.
Inline markdown (such as backtick-wrapped code) in changelog post titles and taglines now renders correctly in the in-product changelog modal.
External services with expired credentials are now automatically suspended and will not retry syncing until credentials are updated. The UI displays the suspended state and prompts admins to take action.
Support GitHub's theme-specific image syntax in markdown rendering, allowing images to adapt based on light/dark theme context.
Self-hosted Sourcegraph no longer requires separate buckets for LSIF uploads and search jobs: a single SOURCEGRAPH_UPLOADS_ bucket can now be used for all features. Existing configurations for AWS S3 and GCS object storage will be respected for LSIF uploads and search jobs. To learn more, refer to https://sourcegraph.com/docs/self-hosted/external-services/object-storage
Added warning to administrators when the new sourcegraph bucket requirement is not fulfilled. Self-hosted customers using GCS or AWS S3 will soon need to manually prepare this bucket - see https://sourcegraph.com/docs/self-hosted/external-services/object-storage for more details.
Deep search now displays tool call errors instead of silently showing no results.
Fixed an issue where clicking "Cancel" while a Deep Search conversation or follow-up question was being created would be silently ignored. The cancel now executes once the server responds with the conversation/question ID.
Fixed token limit error incorrectly suggesting to fork on the first question when there's no prior context.
Fixed summarization failures in Deep Search when token limits are exceeded.
The prompt editor now automatically receives focus when the /deepsearch page loads.
Fixed explore panel not populating when using "find references" from citation hover cards by including the end position of the symbol range.
Cancelled Deep Search questions now remain visible in conversation history when asking follow-up questions.
Aligned error boxes with question cards in deep search interface
Fixed visual jitter of question-answer pairs in forked conversations during streaming.
MCP and Deep Search tools now surface search alerts when a query matches no repositories, times out, or hits another issue.
Reduced visual jitter in conversations by only animating the most recent answer card instead of all cards during conversation reloads.
Fixed an issue where deleted Deep Search conversations could reappear in the history sidebar or recent conversations menu. Deleted conversations are now consistently removed across both views.
Fixed source reference pills in the deep search prompt editor and question cards from triggering unnecessary page reloads when clicked. Pills in the prompt editor are now non-clickable, while question card pills only navigate when showing different content than currently displayed.
Fixed symbol search and conversation search not returning results in the command palette.
count and timeout fields now apply consistently across OR expressions in search queries.
All citations and sources are now always visible for Deep Search conversations, with consistent counts between the conversation header and the right sidebar.
Disabled a recent optimization in search indexers which sometimes led to git processes with large memory usage while indexing a repository.
Query assist promo now remains visible in search suggestions after onboarding, positioned above the "Narrow your search" section instead of being removed entirely.
Hid the Query Assist promo suggestion after a user starts typing a query.
Unindexed search now uses the same maximum file limits as indexed search (1 MB instead of 2 MB).
Fixed non-deterministic count of "skipped files" in index options. For large repos, the count could fluctuate with every page refresh.
When switching from Precise to Search in the Explore panel, fetch search-based results from the API instead of showing an empty tab. Previously, the Search tab reused the same precise query and showed no results.
Fixed explore panel not showing local references in certain situations when clicking "Find references" on a local symbol.
Removed deprecated PRECISE_CODE_INTEL_UPLOAD_TTL environment variable. Configure CODEINTEL_UPLOADSTORE_EXPIRER_MAX_AGE on the worker container instead.
Fixed an issue where enqueuing already existing Precise auto-indexing jobs resulted in a warning.
Fixed bulk delete to only affect uploads from the active tab (auto-indexing or user uploads), preventing unintended deletion of uploads from the other source.
Fixed database constraint for pushed-only changesets to align with application code
Fixed setup error display for GitHub Apps and OAuth apps in code host connections
OAuth authentication options are now hidden when adding site credentials for batch changes, as OAuth is not supported for site-level credentials. Only Personal Access Token authentication is shown for GitLab and Bitbucket site credentials.
Deleting a batch changes user credential now also removes its associated BATCH_CHANGES external account, preventing orphaned accounts while preserving AUTH accounts to maintain user access.
Fixed error when updating changeset events with GitLab pipeline metadata
Fixed incorrect GitHub review statuses showing as pending after a PR is merged
All GitHub Apps, including ones used for Batch Changes, can now be deleted from the /admin/github-apps page.
Fixed OAuth client scope selection for admin-created clients
Fixed an issue where GitHub App code host connection pages without an installationID would crash.
Admin notifications for deleted code hosts are now automatically cleared.
MCP clients using random ports in redirect URIs no longer require reauthentication when the port changes.
Enabled OAuth tokens to make API requests on sourcegraph.com
Reduced the number of stale executors tracked in the executors list.
statusFilter and add enableSourcegraphInternalModels Deprecated statusFilters in modelConfiguration to simplify model availability. Sourcegraph now automatically determines which models should be available, eliminating cases where important models may be accidentally excluded through configuration. Individual and provider-specific models may still be excluded through modelFilters.
Fixed auto-edit failures on instances using modelConfiguration.systemPreInstruction.
Fixed tool call events for Gemini models to prevent client-side errors when mapping responses to tool calls.
Preserve raw JSON bytes in Anthropic tool-call handling to prevent cache invalidation caused by JSON reformatting.
MCP endpoints now accept Personal Access Tokens using the standard Authorization: Bearer <token> format for compliance with the MCP authorization specification (RFC 6750).
Fixed certain notifications not appearing in the sidebar admin alerts
Grandfathered in the MCP#ACCESS RBAC role to all existing service account roles to avoid restricting access if your system role previously used MCP.
Acronyms in RBAC namespaces are now correctly displayed in uppercase (e.g., "IdP" instead of "Idp").
Fixed edge-case in gitserver where zero repos on the primary shard caused database errors when syncing repo status
Fixed cross-site scripting vulnerability where repository file paths containing HTML metacharacters could execute arbitrary scripts when viewing file diffs.
Fixed Slack bot not responding in Enterprise Grid environments with shared channels or org-level installs
Fixed GitHub icon display in dark mode on the code host connections configuration page
Improved performance when retrieving git notes for commits
Fixed cache disk filling up due to temporary files never being cleaned up after process restarts.
Removed Mixtral 8x22B Instruct model from available model configurations
Gemini 3 Pro and 2.0-flash-exp are not accessible anymore.
This is a patch release for Sourcegraph self-hosted 7.1.
Support unlimited results when the query specifies a count: parameter, removing hardcoded limits.
Fixed the Product license page in the admin section crashing when the Sourcegraph license is invalid or revoked.
batcheshelper and KUBERNETES_JOB_STEP_IMAGE batcheshelper image unless explicitly overriddenKUBERNETES_JOB_STEP_IMAGE should override pre / post imagesFixed the prompt detail page (/prompts/:id) returning "must specify owner or viewerIsAffiliated args: must be site admin" for non-admin users by adding the missing viewerIsAffiliated: true argument to the PromptsDetailPage query.
Jump to anything at lightning speed. [...]
Deep Search can now load prior Deep Search investigations from a URL or read token so you can continue and extend earlier research. [...]
Deep Search and MCP tools are now more token-efficient. [...]
srcOAuth login is now supported in src, and src auth token allows you to easily use your active token in scripts. [...]
Set up Sourcegraph MCP in VS Code and Cursor with one click from the integrations page. [...]
Reference git notes attached to commits. [...]
Starting today, the latest features, improvements, and fixes will be applied on weekly basis. [...]
See how Deep Search usage trends month over month with new pacing charts. [...]
Deep Search now displays deepsearch_read tool calls with a dedicated UX.
Deep Search can now read other Deep Search threads when you include a URL in your conversation.
When Deep Search sidebar is opened from a repository's root page, the conversation now includes the repository name as context.
Improved ranking of file suggestions in @-mention of the Deep Search sidebar in the blob view. Results from the repository the user is currently browsing are prioritized.
Failed questions are now automatically hidden after a successful retry or follow-up question
Deep Search now uses Claude Sonnet 4.6 as the main agent model.
Persist unsubmitted Deep Search queries in sessionStorage, preventing loss of unsaved queries during accidental navigation.
Added a search bar to the history panel of Deep Search
Commit search results now display a count of git notes attached to each commit.
Deep Search and MCP tools now return outputs in a more compact format, reducing token usage.
Search now automatically redirects to the file view when only one result is returned, with an info toast notification. Back navigation returns to search results without re-triggering the redirect.
Added syntax highlighting support for JSONC files.
Code intelligence dashboards now allow filtering indexing errors by time range (last 7 days, 30 days, 90 days, last year, or all time).
Added admin-only network diagnostic endpoints (/netdiag) for testing proxy and load balancer compatibility, including upload, download, timeout, SSE streaming, and latency tests to verify ingress reverse proxy configuration.
Invalid keys that are not in the advanced configuration schema are now highlighted in the configuration editor.
The "Report a bug" page is now available to all authenticated users in user settings, instead of only to site admins in the site admin area.
Site admins on self-hosted instances now see a warning notification on the admin dashboard when telemetry export has failed persistently, including the target address and last error. The notification auto-clears once export recovers.
When the site configuration auth.idpDynamicClientRegistrationEnabled is set to false, existing DCR registered clients and tokens are disabled.
Optimised assigning pending permissions to newly created users
Integrations page now includes "Add to Cursor" and "Add to VS Code" buttons for Sourcegraph MCP.
Added a new RBAC permission SEARCH_CONTEXTS#WRITE_GLOBAL for managing global search contexts. Users with this permission can manage global search contexts independently of site-admin status.
Added background worker jobs that compile repository activity data.
Filesystem operations in gitserver and archive extraction use Go 1.24's os.OpenRoot API, replacing manual path-traversal checks.
Multiple Slack workspaces can now be connected to the same Sourcegraph instance. Visit the Administration > Slack integration page for setup.
Site admins can now set up the Slack integration for link unfurling independently of Deep Search, and control whether Deep Search is allowed in Slack via a new "Allow Deep Search" toggle on the Slack integration admin page.
Truncated deep search responses now show a rich preview card automatically via link unfurl, with a single "Send full response to thread" button replacing the previous prompt with two buttons.
Added a user setting to disable the Deep Search Slack integration CTA. This can be set globally for all users under Administration > Global Settings by adding "deepSearch.slackCta.disable": true,
Enable Slack agent mode, allowing users to interact with Sourcegraph via the split-view pane in Slack's top bar
Show a warning when entering a GitHub App base URL that contains a path
Error messages now appear on the repository settings page when reclone or fetch scheduling operations fail, improving visibility into repository synchronization issues.
Show error state when requesting a manual reclone or sync fails for a repository
Expanded fuzzy finder into a command palette. Click, click, click. "Wait? Where's that option gone...? Damn, they changed the UI again!" Say no more, we've got you. We've upgraded our fuzzy finder into a full-blown command palette.
Jump to parts of Sourcegraph you need quickly and easily. Search files, repositories and symbols in flash.
Just CMD/Ctrl + K.
This is just a starting point to making all parts of Sourcegraph more accessible, and if we're lucky, maybe even reduce some RSI.
Access tokens now display their last 5 characters in the UI, making it easier to identify which token corresponds to credentials stored in configuration files or environment variables.
Expired access tokens are now visible in the UI and marked as expired, allowing users to identify and delete them for easier token management.
Git notes are now displayed on commit pages and in commit elements throughout the UI. On commit pages, full notes are shown, while other views display a count of notes.
Users can now view their own entitlement usage under the new "Entitlements" tab on the user settings page (/settings).
Deleting a feature flag now automatically removes its per-user and per-org overrides.
Add src CLI usage guidance to the integrations page
Entitlement warnings and errors now display correctly when entitlement limits are reached.
Quota warnings and errors now display correctly in the Deep Search UI when quota limits are reached.
Improve reliability of conversation title generation by reducing reasoning overhead for simple tasks.
Harden Deep Search image upload validation to verify content type matches declared MIME type.
Fixed citation UI header styling in Deep Search to match search result page appearance in dark mode.
Fixed a bug in @-anchor detection that could cause the selected suggestion to be inserted at an incorrect position in the prompt, particularly when line breaks were involved.
Prevented memory exhaustion from crafted images by limiting decompressed image size to 25MP.
Fix pasted text formatting in the Deep Search input
Remove user info from Deep Search prompt to improve handling of codebase-wide questions.
Fix deep link detection in deep search conversation URLs.
Optimized context handling in Deep Search sidebar conversations to avoid resending identical source reference context from previous questions.
Fixed incorrect panel state when navigating between search results and file views
Search results toolbar is now more responsive, keeping result stats and action buttons stable and readable across screen sizes.
Improved selection visibility in CodeMirror for pre-selected and cursor-selected lines
On the commit page, the copy button next to the abbreviated commit SHA now copies the full SHA instead of the abbreviated SHA to the clipboard
Fixed a data race in the search method that could cause panics when concurrent goroutines modified the thread status map. The search method now safely retrieves a snapshot of thread statuses while holding the appropriate lock.
Moved the enqueue auto-indexing form to appear only when viewing the auto-indexing jobs tab.
Optimized upload discovery query by reversing join order and preventing full upload table scans, eliminating timeouts on large instances
Fixed pagination bug that caused missing results and infinite loops when one data source (uploads or indexes) was exhausted before the other
Fixed broken documentation link in Batch Changes settings page that previously returned a 404 error
Fixed an issue where creating a GitHub App through the Batch Changes settings interface would fail.
Fixed a bug where password reset links generated immediately after updating the external URL in site config could use the previous (or default unconfigured.sourcegraph.com) URL due to a stale cache. The external URL cache is now invalidated whenever site config is saved.
Fixed panic when telemetry allowlist entries are configured via environment variable
Fixed M2M credential names and descriptions containing apostrophes or other special characters being displayed with raw HTML entities (e.g., ' instead of ').
Fixed account security page to correctly show SAML connection status when the SAML provider does not provide standard attribute statements.
Changed the OAuth consent screen messaging for third-party MCP clients from "has not been verified by Sourcegraph administrators" with an "Unverified" badge to "Third-party" badge with simpler trust guidance.
Service accounts are now excluded from the registered users count on the administration users page and license page, and shown separately with their own count.
Remove the option to configure completion quotas when Cody is disabled. Unless Cody is enabled, this configuration no longer has any effect.
Fixed a bug where the permissionsSyncJobs GraphQL resolver would only return a maximum of 100 results, despite it being documented as 500.
Set the HOME environment variable in executor job pods to ensure processes running in the pod containers use the mounted volume instead of falling back to /.
Propagated KUBERNETES_FS_GROUP environment variable to the executor job pod's security context.
Improved handling of extremely large outputs when a worker executes commands
Loading GitHub App code host connections from a declarative config file no longer prevents frontend pods from starting when failures occur.
Fixed GitLab OAuth login failures caused by API rate limiting when allowGroups is configured and the user belongs to a large number of groups. Group membership is now verified with a single targeted API call per allowed group instead of paginating through all user groups.
This increases the timeout on SMP from 2 to 10 minutes and also removes the capability to override the timeout by setting the header "X-Timeout-Ms".
Preserve Gemini thinking signature when thinking text is empty to prevent inference failures on tool calls
sampling.retain trace attribute is now only set when tracing is explicitly requested via ?trace=1 query parameter or X-Sourcegraph-Request-Trace header, rather than being set for all requests when observability.tracing: { sampling: all } is configured. Behaviour in other sampling modes (selective, none) is unchanged.
Removed redundant permission sync jobs to prevent queue growth
Fixed incorrect status reporting for long-running repository clones
Fixed queue position calculation for repository optimization to exclude soft-deleted repositories
Improved Slack integration error messages when an associated Sourcegraph account email could not be found, informing the user how to resolve the issue themselves.
Slack app manifest now always displayed on the Administration > Slack integration page for reference, irrespective of integration status.
Removed stale preload for sourcegraph-mark.svg that was causing browser warnings on SvelteKit pages where the asset is not used.
Improved contrast for raised and muted backgrounds in dark mode. Fixed code insight centered legend button styling.
Fixed curl request examples to include required content-type header for GraphQL queries.
Blame gutter now uses a muted background color for reduced visual contrast.
Added /integrations to the frontend Go router static page entries so requests are served by the Svelte-backed UI page instead of returning 404.
Schema migrations now terminate blocking transactions by default to prevent upgrades from stalling on long-running queries.
Remove expandable step previews in Deep Search.
The update.channel site-config setting no longer has any effect. Pings and update checks are now controlled by license features.
Removed Gemini 2.0 Flash and Flash Lite models, redirecting usage to Gemini 2.5 Flash
The deprecated native Jaeger export option has been removed. To set up a tracing backend, refer to our documentation.
The advanced settings experimentalFeatures.deepSearch.enabled and experimentalFeatures.deepSearch.sharing.enabled are now deprecated. Please use the new top-level fields deepSearch.enabled and deepSearch.sharing.enabled instead. To give customers time to migrate, we will support both the old and new fields for several releases. The precedence is: top-level > experimentalFeatures > default.
The site config batchChanges.nativeServerSideExecution replaces the feature flag native-ssbc-execution. Support for native-ssbc-execution will be removed in a future release.
Renamed sidebar entries from "Permissions" and "Roles" to "Repository permissions" and "Role-based access control" for clarity.
Enabled collection of user IDs in telemetry when admins delete users to improve user deduplication.
Renamed the "Account security" settings menu item and page heading to "Security".
Resolved security vulnerabilities CVE-2026-25121, CVE-2026-25122, and CVE-2026-26958 by updating apko and edwards25519 dependencies.
This is a patch release for Sourcegraph self-hosted 7.0.
Added KUBERNETES_EXECUTOR_POD_SECURITY_CONTEXT and KUBERNETES_EXECUTOR_CONTAINER_SECURITY_CONTEXT to configure Kubernetes Executors pod and container security contexts.
Fixed an issue where Gemini 3 Flash was incorrectly marked as experimental, preventing query categorization, title suggestions, open-source research sub-agent, and the finder tool from working on customer instances with model status filters.
The Finder subagent has been reverted while we investigate some issues.
This is a patch release for Sourcegraph self-hosted 7.0.
Improved prompt caching for system prompts and tool descriptions, resulting in lower latency and reduced token costs for deep search queries.
Added a debug GraphQL query to view telemetry events queued for export.
url to Deep Search API responses (#10511) The API now supports users/- as an alias for the authenticated user, in addition to the existing users/~self alias.
The Enterprise Portal access error page now explains that site admin access on a Sourcegraph instance does not automatically grant access to the Enterprise Portal, and directs users to contact their support engineer. The instance admin dashboard analytics card also clarifies that a separate account linked to the customer's subscription is needed.
When no Deep Search quota is available, the error now renders correctly instead of showing NaN
Deep Search subagents now consistently produce summaries for the main agent to consume.
Fixed newly created batch changes incorrectly showing "Updated by a deleted user" in the header byline.
/api/users.v1.Service/ListUsers now returns a better error for invalid active period filters. The API reference also no longer shows an example with ACTIVE_PERIOD_UNSPECIFIED.
parent optional on ListConversationSummaries Made parent field optional on ListConversationSummaries RPC, defaulting to the authenticated user when omitted.
Fixed authentication for codex and older versions of Cursor and VSCode to correctly include the "mcp" scope when authenticating via OAuth for MCP endpoints.
Azure DevOps repositories marked as disabled are no longer cloned or surfaced as synced repositories in Sourcegraph.
Fixed migrator drift check failing for codeintel/codeinsights schemas in IAM-authenticated environments by ensuring the frontend schema connection is always included when version checking is enabled.
Fixed executor src-cli download failing when the latest version API call errors.
Kubernetes-native executors can now run as a non-root user by setting KUBERNETES_RUN_AS_USER, KUBERNETES_RUN_AS_GROUP, and optionally KUBERNETES_FS_GROUP environment variables on the executor service. When using Helm, add these to your override.yaml:
executor:
...
kubernetesJob:
fsGroup: 100
runAsGroup: 101
runAsUser: 101
Note that "100" and "101" are the values Sourcegraph images use for the sourcegraph user. Adjust these values for your environment.
Fixed repository permissions being dropped when permission syncs failed due to configured internal rate limits.
Fixed URL parsing to handle legacy format URLs correctly, preventing unintentional truncation of repository names.
Improved Slack integration behavior when a Deep Search takes longer than a few minutes to complete, showing a helpful link preview instead of Deep Search timed out.
See what's new in Sourcegraph without leaving the app. [...]
A comprehensive design refresh with a new theme system and UI refinements. [...]
Administration is becoming simpler to navigate and easier to configure, with clear forms and guided setup flows. [...]
Longer, more focused conversations with Deep Search address context window issues and enable even deeper research. [...]
Code navigation, right inside Deep Search. [...]
Real-time results in Deep Search. [...]
Drag and drop images into Deep Search. [...]
Quickly find and navigate to Deep Search conversations from anywhere with the fuzzy finder. [...]
Track Sourcegraph MCP tool usage with new dashboards in Sourcegraph Analytics. [...]
The Sourcegraph MCP server is now generally available with frictionless OAuth setup enabled by default. [...]
Sourcegraph search and file links now unfurl with rich previews in Slack. [...]
Improved repository availability with enhanced corruption detection, safer optimization coordination, and atomic recovery. [...]
Bring Deep Search to your custom integrations with the new Sourcegraph API. [...]
Software development is changing, and so are its tools. [...]
Deep Search now displays a warning banner when answers are truncated due to output token limits.
Citations in Deep Search conversations are numbered continuously across all questions. When the same source is referenced in multiple questions, it reuses the original citation number, making it easier to track sources throughout a conversation. The citations panel auto-scrolls to show relevant sources as you navigate between answers.
Deep Search now provides better answers to "what have I worked on recently" questions by automatically including current user and date context.
Added Deep Search conversation search to the fuzzy finder, allowing users to search past conversations by title or content using Cmd+J (or Ctrl+J on Linux/Windows).
When Deep Search is enabled, it replaces Cody Web in the UI. The /cody/chat route and Cody sidebar are no longer shown.
Reintroduced the get_contributor_repos tool to enable queries about contributor activity.
Added Cmd+. (Mac) / Ctrl+. (Windows/Linux) keyboard shortcut to start a new Deep Search conversation from anywhere within the interface.
@mention suggestions now remember recently used repositories and show them instantly
Deep Search now streams answers with a typing effect, improving perceived latency.
Added context window indicator to inform users of how much of the context window has been used.
Include images in Deep Search questions by pasting or dragging up to 2 images per question (5MB max each) to share screenshots, diagrams, or error messages.
File preview in Deep Search now supports code intelligence features including hover tooltips, go to definition, and find references.
Deep Search conversations now display a Slack icon in the thread header when initiated from Slack, providing a direct link back to the original Slack thread.
Deep Search now uses a dedicated subagent for finding relevant files, reducing token usage and allowing more thorough searches before reaching context window limits.
When the search input is empty, a "Recent searches" suggestion group now appears showing up to 5 of your most recent queries with syntax highlighting and clock icons. Selecting an entry populates the search input with that query.
Site admin authentication settings now offer password policy presets (Standard, Strong, Fortress) instead of requiring manual configuration of each complexity rule. Session idle timeout uses an explicit checkbox instead of empty-field conventions. Access request toggle is disabled with an explanation when built-in signup is already enabled.
Added a form-based UI for managing authentication settings including session management, signup controls, password policies, and access restrictions, replacing the need to edit raw JSON configuration.
Added a dedicated UI in the site administration area for configuring TLS/mTLS settings.
Added a dedicated page in the site administration area for configuring email SMTP settings.
Admins can now update the license key directly from the License page
Consolidated Background jobs and Code Insights jobs pages as tabs within the Diagnostics page.
Added query parameters to the Diagnostics page to make tab selection shareable and bookmarkable. Old diagnostic routes now redirect to the new page with the appropriate tab selected.
Consolidated Pings, Migrations, Outbound requests, and Slow requests pages under a single "Diagnostics" page in the site admin sidebar.
Administrators can now mark an email as verified when creating a user.
Reorganized site admin sidebar navigation: Repositories section now lists repos before code hosts, Users & auth section moved higher, new Integrations section groups Slack/webhooks, and redundant API Console and Documentation links removed.
A warning is now displayed on the repositories administration page when authz.enforceForSiteAdmins is enabled.
Users now see a modal informing them their session has expired, with an option to redirect to the sign-in page.
GitHub privacy emails (format: <ID>+<username>@users.noreply.github.com) are now resolved to Sourcegraph users when the GitHub account is linked, improving user attribution on commit pages and other views.
auth.idpDynamicClientRegistrationEnabled is now enabled by default for easy MCP access.
OAuth Clients registered via Dynamic Client Registration are now limited to the "mcp" scope only, improving security by preventing overly permissive applications.
Added a new mcp scope for issuing access tokens or OAuth tokens with access limited to MCP tools only. This provides a more restricted alternative to the previously required user:all scope.
Added a search bar to the Code Insights "All Insights" tab, enabling users to quickly filter insights by title instead of scrolling through paginated results.
Group Results (Compute) Code Insights feature is now generally available and no longer requires an experimental feature flag.
Added a worker that runs ANALYZE on database tables on weekends to optimize query performance.
Diff pages now load faster by initially rendering plaintext hunks and lazily loading syntax highlighting as hunks are scrolled into view.
Added KUBERNETES_JOB_HOST_NETWORK environment variable for the Executor service to enable host networking for Kubernetes job pods. This is useful when pods need to access routes accessible by the host but not from the pod, such as when running a kind cluster on podman.
On sourcegraph.com, MCP tool descriptions now explicitly indicate they search open source code, making it easier for AI agents to distinguish between public and private Sourcegraph instances.
Repository recloning operations now display real-time progress updates on the repository mirroring page. The reclone and fetch buttons are hidden while a reclone is in progress.
Gitserver now coordinates optimization tasks per repository, ensuring only one optimization runs at a time with priority-based preemption.
Repository optimization now writes incremental progress reports, making it easier to monitor long-running optimization operations.
This enables us to render the Slack identity of a user instead of just the Sourcegraph username.
Added instructions for uploading a profile picture to the Slack app.
Users can now send direct messages to the Slack app for Deep Search. To use this feature, uninstall the app, update the manifest, and reinstall the app.
Slack integration now supports rich link previews for code file links.
Slack integration now supports asking Deep Search questions with images in the thread, with a maximum of 2 images per message.
Slack integration now uses the ContentBlocks API to pass thread context as structured data instead of prepending it to the question text.
Slack configuration errors are now displayed in the Administration -> Notifications area.
Sourcegraph now supports rich link preview for search links in Slack.
Verbose responses in Slack now include an AI-generated summary, providing immediate insight before expanding the full response.
Removed the 30-minute expiration for deferred Slack messages, so unfurled responses are now always available.
Added an interactive button to handle lengthy Slackbot responses (over 3,000 characters). Users can choose to view the full response inline or in the Deep Search thread. Full responses are temporarily stored for 30 minutes, after which users must view them in the Sourcegraph instance.
Removed the feature flag UI from the site admin interface for all non-Cody self-hosted Sourcegraph instances. Site admins that still need to manage feature flags can do so using the src CLI tool with GraphQL API commands.
Removed the feature flag UI from the site admin interface for all non-Cody self-hosted Sourcegraph instances. Site admins that still need to manage feature flags can do so using the src CLI tool with GraphQL API commands. See this docs page for instructions on how to do so.
Repository URLs now use the /r/ prefix (e.g., /r/github.com/owner/repo). Old top-level repository routes automatically redirect to the new format for backward compatibility. This prevents conflicts between product routes and repository names.
Access requests are now displayed as a status notification.
Added a 'What's new' popover in the navigation that displays recent changelog posts, allowing users to discover new features directly within the product.
Hides several admin UI elements on Cloud that are not relevant and actionable to customers on Cloud, including gitserver disk details, email delivery configuration, Updates/Gitserver/Observability pages, OOB migrations, license key form, and gitserver storage warnings.
Entitlements now support an hourly option.
Administrators can now reset user entitlement usage via the "Entitlement usage" page.
To support moving off of notebooks, we're providing an exports API. The GraphQL query field notebookExports provides markdown exports of all notebooks with filtering options.
Added toast notification system with helper functions and custom Sourcegraph styling for light and dark themes.
Improved error handling when token limits are exceeded by estimating prompt size before LLM calls and ensuring errors are displayed in the UI.
Fixed tool renderers to display "0 results" instead of raw JSON when no results are found.
Deep Search now resumes automatically after server restarts instead of getting stuck in a pending state.
Added support for Proto/Protobuf, SCSS, Groovy, PowerShell, CMake, and Makefile highlighting in Deep Search markdown code blocks.
Fixed URLs in deep search results being incorrectly double-prepended with the domain when they already contained the external URL.
Fix errors when deleting Deep Search conversations while they are still processing.
Fixed horizontal scrolling in the Deep Search sidebar when a long filename context chip was displayed.
Fixed a visual bug where a draggable divider line appeared on the right edge of Deep Search on narrow screens.
Fixed overflow issue in search input history mode
Search-based symbols in the symbol tree now preserve the current file view (e.g., blame view) instead of resetting to code/raw view.
Fixed alignment of code intelligence preview popover when blame panel is visible
Fixed inconsistent alignment of the batch change state pill (OPEN/CLOSED badge) in the batch changes list.
GitLab OAuth tokens are now properly validated using the /oauth/token/info endpoint to check scopes, while personal access tokens continue to use the /user endpoint. This ensures correct token validation behavior for both authentication methods.
When connecting a code host identity to Batch Changes, errors are now correctly surfaced in the UI.
Fixed incorrect pattern syntax in the "GitHub Actions: Pin Versions" batch spec template to use proper regex instead of glob syntax
Fixed database constraint violations when recreating batch changes in the same repositories by properly cleaning up associated changesets during deletion
Fixed a bug where users (including service accounts) could not be created by a site admin when signup is disabled.
Site configuration history now loads significantly faster in many cases.
Fixed site config occasionally reverting to old config after saving
Fixed an issue where site config would occasionally revert to old config after saving
Sourcegraph will now avoid dropping a user's repository permissions if it encounters a 429, 500, 502, 503, or 504 when refreshing the OAuth access token (as encountered during the Feb 9 GitHub incident: https://www.githubstatus.com/incidents/lcw3tg2f6zsd). The permission syncer will simply re-use the users' old permissions until the next sync.
invalid_grant errors when concurrent refresh attempts occurredRemoved distracting fly-in animation when loading Code Insights dashboards
Skip invalid repositories (deleted or not cloned) to prevent infinite processing loops
Code monitor webhooks now accept all HTTP 2xx status codes (200-299) as successful responses, preventing duplicate notifications when webhook endpoints return HTTP 202 Accepted or other 2xx codes.
Reduce concurrent load on gitserver by spreading out code monitor queries with jitter
Long gone because of webworker issues in Safari, Cody Web is now available again.
Fixed missing sync reasons in the SOURCEGRAPH group for the permissionsSyncJobs API.
Report which container failed if an executor pod fails when executing on Kubernetes.
Fixed executors on Kubernetes joining commands incorrectly
Improve page that lists executor instances to better handle instances with extremely long names
When connecting a GitHub external account to Sourcegraph, the user's GitHub profile link is now properly displayed on the Account Security page. If the link is not visible, remove and re-add the GitHub connection.
Fixed an issue where Anthropic models could produce malformed tool call arguments, causing Deep Search conversations to become stuck in an errored state.
Fixed stale license validation states being used after updating license keys, ensuring validation results always correspond to the currently configured key.
Added --scopes mcp argument to the MCP login command to ensure proper OAuth scope grants for MCP functionality.
Upgraded go-tuf dependency to v2.4.1 to fix three medium-severity security vulnerabilities (CVE-2026-23991, CVE-2026-23992, CVE-2026-24686).
Show the right error message in Slack search link preview when there is a query syntax error
Fixed confusing UI state in Administration -> Slack configuration where the UI showed a warning that Slack couldn't contact the Sourcegraph instance even when the integration was working correctly. The UI now displays a cache-busting ?retry URL parameter to force Slack to re-verify the connection.
Fixed video playback in Safari for Markdown-rendered content
Fixed z-index stacking issue where app shell floating elements incorrectly appeared above survey toasts and feedback modals
Fixed UI flash when loading temporary settings from cache
MultiCombobox popovers The "Account security" page now displays the login for each connected external account (e.g., GitHub, GitLab).
Fixed line number alignment when switching to blame view
Fixed sticky file header positioning on commit page
Fixed image alignment in the image viewer and now always display the dimensions of binary images.
Fixed cursor-based pagination to correctly apply filters when using multi-column cursors. Previously, filters (such as search queries or clone status) were silently ignored for a subset of results due to SQL operator precedence, causing paginated endpoints to return more results than expected and include items that didn't match the filter criteria.
User settings page headers now have a consistent appearance across all sections.
Deep Search no longer generates diagrams by default, making responses faster and more responsive. You can still request diagrams anytime by including "draw a diagram" or similar in your query.
Hid implementations and supers buttons in the explore panel when using search-based code navigation, as these features are only supported by precise code intelligence.
Removed automatic PostgreSQL 12 to PostgreSQL 16 upgrade support from builtin Sourcegraph database containers (pgsql, codeintel-db, and codeinsights-db).
Removed support for generation 1 Gemini models (no longer accessible) and Mistral models (no longer deployed on Fireworks serverless).
Deprecated observability.tracing.type: "jaeger"; use "opentelemetry" with an OTLP-compatible collector instead
Remove autoupgrade supporting functions and methods
Removed feature flag UI access for non-Sourcegraph operators in Cloud environments.
Removed the single-container (sourcegraph/server) deployment mode. The sourcegraph/server Docker image is no longer published. Customers must migrate to Docker Compose or Kubernetes before upgrading to 7.0.0.
Search Notebooks pick up on the idea that most searches are not just one search. In a common workflow, you run multiple searches, gather several pieces of information, and then you compile your final answer from all these sources. Back in 2022, Notebooks solved a real need to be able to document and share that research trail.
Sound familiar? Notebooks are reflecting the steps a Deep Search takes to compile it's answer. It collects citations and the answer in a central place. We believe that the future lies much more in this agent-driven code exploration and future iterations of it than the manual Notebooks idea that predates the AI era.
Removed explicit code ownership assignment and teams management from the web app. Codeowners files are still processed and this information is still available via search and the ownership panel.
Migrated the search-content-based-lang-detection feature flag to the searchContentBasedLanguageDetection site configuration setting. Customers who previously had the flag enabled and would like to continue using this feature should enable it in their site configuration settings.
/api/openapi/ pages, home to the Cody API, have been moved to /legacy/openapi/. Existing links are redirected./external-api./api/console/ to /debug/console/ to reflect its role as an internal API. Existing links are redirected./external-api.Upgrade opentelemetry-collector to v0.144.0.
This is a patch release for Sourcegraph self-hosted 6.12.
Fixed negated terms in hybrid search to correctly exclude files when the term appears in either the file path or contents.
Fixed search history not saving new searches after the Svelte 5 signals migration.
Improved user deletion latency by optimizing database calls and removing redundant work
Fixed user-initiated actions (OAuth sign-in, auth token validation) that would hang when the internal Bitbucket rate limit was hit. These operations now bypass the internal rate limiter.
Migrator now gracefully handles cases where the pg_stat_statements extension cannot be installed due to database permission restrictions
Fixed an issue where access tokens created by hard-deleted users could not be listed.
Commits with changes to large files are now displayed with plaintext diff output when syntax highlighting is unavailable.
This is a patch release for Sourcegraph self-hosted 6.12.
This is a patch release for Sourcegraph self-hosted 6.12.
All users can now filter batch changes by user, not just site administrators. The current user appears at the top of the user filter list for easy access to their own batch changes.
Fixed "View on code host" button to properly escape % characters in file paths when generating external links.
Code Insight preview results now exclude archived and forked repositories by default, matching the backend behavior present since 3.40.
Disable deepsearch and sg_deepsearch tools at .api/mcp and .api/mcp/v1 respectively. To use Deep Search, directly use /.api/mcp/deepsearch.
Repository permissions are no longer dropped when encountering HTTP/2 stream cancellation or "internal error" from the upstream GitLab code host. Instead, existing permissions are preserved and the permissions sync is retried later.
This is a patch release for Sourcegraph self-hosted 6.12.
Fixed an issue where URLs containing the external URL would be incorrectly mangled, resulting in duplicate domain paths
Fixed invalid links in deepsearch markdown content that contained the host twice
Fixed TLS configuration not being applied to HTTP client, causing OAuth authentication failures.
This is a patch release for Sourcegraph self-hosted 6.12.
Fixed TLS certificate validation via regular expressions in site config
This is a patch release for Sourcegraph self-hosted 6.12.
Fixed an edge case where Deep Search questions did not respect cancellation state from the database, preventing them from continuing indefinitely after being cancelled.
Fixed infinite loop in DeepSearch when LLM tool argument parsing fails during streaming by properly propagating errors to internal callers
MCP deepsearch queries on the old .api/mcp/v1 and new .api/mcp endpoints will now time out after 50 seconds to avoid Cloudflare connection timeouts. Queries exceeding this timeout return a link so agents can track completion and inform users where to follow progress.
Say hello to the brand new Sourcegraph changelog. [...]
Interact with Deep Search while browsing code. [...]
Ask questions about your codebase directly in Slack with the Sourcegraph Slack integration. [...]
The Sourcegraph MCP server, and our new Deep Search tools, can now be connected via OAuth to your AI agents with minimal configuration required. [...]
The Sourcegraph administration pages are getting a makeover. [...]
Per-user Deep Search usage limits can now be applied using entitlements. [...]
A more secure credentials mechanism for Batch Changes in GitLab. [...]
The Sourcegraph UI has been completely rewritten in SvelteKit for improved performance and development velocity. [...]
Deep Search now streams results as they become available.
The Deep Search input now dynamically grows as users type or paste content.
Site admins can now set per-user Deep Search usage limits through entitlements: classes of usage limits that can be assigned as a global default, or to specific users.
Deep Search backend sources are now rendered after citations in collapsible sections within a unified sources container.
Added Slack bot integration for Deep Search. To get set up, go to Site Admin → Slack integration.
The site admin page is now simply titled "Administration".
Site admin organizations page now uses the standard page container design.
GitHub Apps can now be configured via the declarative config file with secure handling and storage of private keys
Introduces a new notification widget that replaces the site-wide banners on Sourcegraph, as well as a new site-admin dashboard that shows notifications, as well as some suggestions on what admins can do to manage their instance.
Fixed context retrieval bug when using remote file mentions and chat UI flickering
Added option to skip TLS verification for executors talking to Sourcegraph via EXECUTOR_FRONTEND_TLS_SKIP_VERIFY
Alert when repository cleanups fail consistently
The repository permissions page now displays the total count of users who have access to the repository.
Fix history panel displaying the last question's title instead of the conversation title by generating conversation title only on the first question.
Links now point to answers instead of questions. This resolves confusion where the link pointed to the question but the copy button was part of the answer card. Old links continue to work because the question anchor is preserved in the code.
The tab title is now correctly updated when switching between DeepSearch conversations and then navigating away and back to DeepSearch.
Permalinks now use full commit hashes instead of abbreviated ones.
The star button is no longer rendered for non-owners, eliminating the confusing behavior where changes appeared to work but were reverted on refresh.
Conversation creation failures now display error messages instead of hanging indefinitely in a loading state
Increased the deep search input size from one line to multiple lines for improved usability.
Fixed loading skeleton and sources to reflect the currently viewed question's state instead of a global "is anything searching" state
Fixed file search result content not updating when filtering results in certain situations where truncated content caused stale data to be displayed
repo: filter is present Repository name matches are excluded from search results when a repo: filter is present without an explicit type: filter. Users can still search repository names by adding type:repo.
Switch from plain ctags to tree-sitter for analyzing symbols in CSS and SCSS files. The result is more predictable parsing, no comment blocks leaking into the symbols sidebar, and css variables showing up as symbols.
Reduced the complexity of GitHub GraphQL queries for syncing changesets to reduce token consumption
READONLY changesets are now counted as CLOSED in batch change statistics, fixing a discrepancy between the burndown chart and summary stats.
Improve error message clarity when user creation fails in site admin
Error messages are now clearer when attempting to connect an external account that is already in use by another Sourcegraph account
Addresses an issue where the OAuth consent pages did not allow to scroll down to the action buttons.
Code insights job UI now displays correctly on mobile devices.
In 6.11 our experimental AWS RDS IAM Auth would panic if we failed to refresh the token. We now correctly treat this as an error to log and retry.
Fix broken links to alerts reference in alert notifications for customers on the latest release.
Fixed an edge case where the permission sync scheduler would excessively enqueue jobs when old completed jobs existed in the database
Temporary files are now cleaned up from repository directories, reducing disk space usage.
Fixed an issue where a service account's access tokens would be deleted when the site admin that created the access tokens for the service account got deleted.
Custom indexing policies are now disabled by default. The codeIntelAutoIndexing.policyManagementEnabled configuration can be used to re-enable support.
Removed the repository setup wizard as it is no longer up to date with code hosts. Site admins are encouraged to add repositories via the "Code Host Connections" section of the site admin page.
Anthropic deprecated Sonnet 3.5 and Haiku 3.5. These models are no longer available in Cody. Make sure to upgrade to a recent Cody client release to ensure all features are still functional.