Web v2026.4.2

Overview

• Added event logs for phishing blocker
• Refactor unlock service to use Bitwarden SDK
• Updated account recovery to include managing member two-step login methods
• Updates to prevent losing unsaved changes when creating a Send
• Updated default clipboard clearing time to 5 minutes
• Various under-the-hood improvements and minor bug fixes

What's Changed

Feature Development

• [PM-8458] Change ClearClipboardDelay to strings and change default by @bensbits91 in #17756
• [CL-966] Updated Progress Component by @lxiong-livefront in #19072
• [PM-28167] Desktop - migrate vault drawers UI to shared lib by @iivins-livefront in #19341
• [PM-30584] Add unlock for key connector with SDK by @quexten in #19367
• [PM-31778] Multi-step policy edit dialog by @JaredScar in #19406
• [PM-31438] Send unsaved edits dialog by @mcamirault in #19425
• [CL-1110] Migrate tools CTAs to new icon API by @BryanCunningham in #19485
• [PM-26713] Refactor Attachment Uploads to use XMLHTTPRequest by @nick-livefront in #19634
• [PM-29927] update reseller notifications by @kdenney in #19690
• Auth/Innovation/PM-4659 - Device Management - Add Last Activity Date by @JaredSnider-Bitwarden in #19784
• [PM-31901] Remove m3 flagged logic by @connerbw in #19868
• [PM-31906] Remove m3 flag definition by @connerbw in #19870
• [PM-15489] 2fa account recovery by @kspearrin in #19894
• [PM-31942] Handle load/save Access Intelligence reports as files (pt. 1) by @lastbestdev in #19922
• [Shared Unlock] [PM-34073] Implement vault timeout supression by @quexten in #19934
• [PM-34119] Web New Item Dialog by @nick-livefront in #19953
• Add PM-34500-strict-cipher-decryption feature flag by @nikwithak in #19973
• [PM-31119] Run side-effects in sdk unlock service by @quexten in #20004
• [PM-34230] Blumira Integration using HEC by @voommen-livefront in #20008
• [PM-26383] Remove feature flag to enable autoconfirm by @JaredScar in #20015
• [PM-34690] - add quick actions feature flag by @jaasen-livefront in #20019
• [PM-31875] Client changes for async sdk client get/set by @Hinton in #20032
• [PM-34177] Add feature flag for Organization Invite Links by @r-tome in #20033
• [PM-34177] Fix feature flag key value for Organization Invite Links by @r-tome in #20039
• [PM-24927] Add payment optional support to trial initiation flow and Remove payment-optional feature flag by @cyprain-okeke in #20053
• [PM-34037] New event log for 2fa recovery by @kspearrin in #20055
• [PM-31270] New default argon2id in change kdf component by @mzieniukbw in #20058
• [PM-34396] Create dialog structure for new invite link that supports tab views by @BTreston in #20063
• [PM-22228] Phishing events by @voommen-livefront in #20065
• [PM-25627] convert policy dialogs to drawers by @JaredScar in #20078
• [PM-35072] Allow account recovery for revoked members by @kspearrin in #20100
• [PM-32853] Add FromMarketing Property for TrialInitiation Path by @sbrown-livefront in #20144
• PM-33122: Rename feature flag pm-34500-strict-cipher-decryption by @nikwithak in #20151
• [PM-26383] Remove AutoConfirm feature flag from the FeatureFlag enum by @JaredScar in #20179
• [PM-27887] Keeper json importer by @itsadrago in #20200

🐛 Bug fixes

• [PM-33480] Fix false success toasts in integration save/delete by @AlexRubik in #19544
• [PM-33877] - handle blank custom field values in cipher form by @jaasen-livefront in #19676
• [PM-32456] - set canEdit and canDelete in onCipherSaved by @jaasen-livefront in #19694
• PM-33194 show appropriate error message for 409 by @voommen-livefront in #19713
• [PM-34064] - remove unnecessary wrapper div around web extension prompt dialog by @jaasen-livefront in #19739
• [PM-33301] Prevent Unverified Bank Account from Upgrade to Premium by @sbrown-livefront in #19745
• [PM-33524] Not able to set new Master Password in a previously TDE org by @enmande in #19810
• PM-33905 resolved plaholder text issue by @bmbitwarden in #19862
• [CL-1124] updated badge max width by @BryanCunningham in #19864
• [CL-1130] Fix storybook a11y and console errors for billing files by @vleague2 in #19916
• [CL-1130] Fix storybook a11y and console errors for platform files by @vleague2 in #19918
• [CL-1130] Fix storybook a11y and console errors for vault files by @vleague2 in #19920
• Downloading an attachment, appends a file extension. Even if original file didn't have one by @jengstrom-bw in #19931
• [PM-33554] Don't log out when trust denied for sdk key rotation by @quexten in #19961
• Revert "Revert "[PM-33210] fix(login): clear validation errors on region change"" by @enmande in #20007
• Auth/pm-34506 - Login Strategy Session Cache Expiration Adjustment by @JaredSnider-Bitwarden in #20009
• [PM-34685][Defect] Subscription status for organizations not updating with feature flag enabled by @sbrown-livefront in #20018
• [PM-34142] BUGFIX: Allow moving a newly created cipher to org by @nikwithak in #20025
• [PM-34579] Update Access Intelligence chart to fit the entire selected timespan on x-axis by @lastbestdev in #20026
• [PM-32463] Do not filter disabled orgs for Admin Console by @shane-melton in #20027
• [PM-34255] - SCIM Key Fix by @jrmccannon in #20036
• [PM-34575] Stop allCiphers$ firing twice by @JaredScar in #20067
• [PM-34781] exclude "no folder" from key rotation by @mzieniukbw in #20068
• [PM-14883] Strip non-numeric characters in credit card number display… by @shane-melton in #20070
• [PM-33554] Fix emergency access fingerprint by @quexten in #20072
• [PM-34792] - Fix Mp/Key prompt for SCIM API KEY by @jrmccannon in #20074
• PM-34863 Org name has a contrast issue by @voommen-livefront in #20083
• [PM-35055] fix account recovery policy config checkbox states by @kspearrin in #20141
• [PM-35258] Add archive confirmation to Desktop and fix right click menu by @shane-melton in #20208
• [PM-35246] Fix IdentityTokenResponse kdfConfig error by @rr-bw in #20209
• [CL-1167] BUG FIX: Fixed nav switcher text colors by @lxiong-livefront in #20214
• Fix eslint on main by @quexten in #20225
• [PM-35187] Store new default avatar colors as hexes by @vleague2 in #20236
• [PM-35318] Desktop v3/4 - Showing two "Archived" badge by @gbubemismith in #20239
• [PM-35330] Fix state not being updated on change kdf by @quexten in #20259
• [PM-35335] Fix bug making discard edits dialog show on navigate after… by @mcamirault in #20267
• [PM-35335] Fix bug making discard edits dialog show on navigate after… by @mcamirault in #20274
• Remove the desktop-specific Archived badge from ItemDetailsV2Compone… by @gbubemismith in #20277
• PM-35363 resolved stale child controllers by @bmbitwarden in #20295
• PM-35363 resolved stale child controllers (#20295) by @bmbitwarden in #20307
• [PM-35458] fix status check by @BTreston in #20312
• fix status check (#20312) by @BTreston in #20313
• Auth/PM-35336 - TokenService - prevent stale access token retrieval to fix logout on org user confirm by @JaredSnider-Bitwarden in #20334
• [PM-35240] RC cherry-pick: Add sync before forced kdf migration by @Thomas-Avery in #20340
• [PM-35330] RC cherry-pick: Fix state not being updated on change kdf by @Thomas-Avery in #20341
• CherryPick/Auth/PM-35336 - TokenService - prevent stale access token retrieval to fix logout on org user confirm by @JaredSnider-Bitwarden in #20342
• [PM-35484] Remove exemption for owners/admins for mp policy by @BTreston in #20398
• [PM-35484] Remove exemption for owners/admins for mp policy by @BTreston in #20418
• Auth/PM-36080 by @JaredSnider-Bitwarden in #20452
• CherryPick/Auth/PM-36080 (#20452) by @JaredSnider-Bitwarden in #20463

⚙️ Maintenance

• [PM-25688] Migrate Folder API request model to TS strict by @shane-melton in #17269
• Added devcontainer setup (devcontainer.json, docker-compose.yml, postCreateCommand.sh) by @connerbw in #18541
• [deps]: Update actions/checkout action to v6.0.2 by @renovate in #18569
• [PM-31838] Update *ngIf/*ngFor to @if/@for in vault web components by @jengstrom-bw in #18820
• [PM-32864] Remove local masterkey hash by @quexten in #19277
• [PM-32919] Migrate DeleteAccountDialog to shared code by @djsmith85 in #19308
• Sanitize branch ref with toJSON by @mandreko-bitwarden in #19394
• [PM-18133] Remove generatePasswordCallback, rely on new service by @blackwood in #19400
• [CL-1113] Migrate auth CTAs to new icon API by @BryanCunningham in #19489
• [deps]: Update docker/setup-buildx-action action to v4 by @renovate in #19583
• [deps]: Update docker/setup-qemu-action action to v4 by @renovate in #19585
• DN Team Codeowners Rename by @coltonhurst in #19595
• [BRE 1670] update token for build workflows by @AmyLGalles in #19660
• [deps]: Update dtolnay/rust-toolchain digest to 29eef33 by @renovate in #19841
• [deps]: Update dorny/test-reporter action to v3 by @renovate in #19855
• Bitwarden IPC improvements/refactor by @coroiu in #19935
• Added ownership of sdk-update workflow. by @trmartin4 in #19980
• Enable the custom.regex package manager to enable rust toolchain updates by @neuronull in #20035
• eslint: error on importing bitwarden licensed code into /libs**/* by @djsmith85 in #20054
• [PM-34574] Remove personal vault decrypt from AC by @JaredScar in #20066
• [PM-33101] Remove master key from uv service by @quexten in #20076
• Remove unused signature type enum by @quexten in #20091
• Auth/PM-34506 - LoginStrategyService - Refactor cache and timeout out into own services by @JaredSnider-Bitwarden in #20108
• [AppSec] AI Fix for Template Injection in GitHub Workflows Action by @aikido-autofix in #20113
• [AppSec] AI Fix for Template Injection in GitHub Workflows Action by @aikido-autofix in #20114
• [deps]: Update codecov/codecov-action action to v6 by @renovate in #20126
• [BRE-1004] Fix GHCR logic in Build Web and Publish Web by @vgrassia in #20163
• Add Skunkworks as co-owners of native passkeys by @iinuwa in #20184
• enable jest/no-alias-methods by @cd-bitwarden in #20187
• Add dev tag to GHCR by @vgrassia in #20234

📦 Dependency Updates

• [deps] SM: Update jest-diff to v30.3.0 by @renovate in #19843
• [deps] Platform: Update webpack-cli to v7 by @renovate in #19849
• Update sdk-internal to 0.2.0-main.646 by @bw-ghapp in #20057
• Update sdk-internal to 0.2.0-main.668 by @bw-ghapp in #20132
• Update sdk-internal to 0.2.0-main.672 by @bw-ghapp in #20140
• Update sdk-internal to 0.2.0-main.673 by @bw-ghapp in #20157
• Update sdk-internal to 0.2.0-main.681 by @bw-ghapp in #20194
• [SM-1762] Bump Jest to 30.3.0 by @djsmith85 in #20211
• Update sdk-internal to 0.2.0-main.687 by @bw-ghapp in #20220
• Update sdk-internal to 0.2.0-main.689 by @bw-ghapp in #20224
• Update sdk-internal to 0.2.0-main.692 by @bw-ghapp in #20251

🎨 Other

• [PM-32687] Create Claude skill to add more item types easily by @gbubemismith in #19301
• Add fix-angular-fixmes skill to resolve Angular FIXME migration comments by @JaredScar in #19426
• update gray-050 primitive by @BryanCunningham in #20016
• [PM-32091] Update postmessage by @enmande in #20064
• Autosync Crowdin Translations for web by @bw-ghapp in #20088
• Replace deprecated typescript.tsdk with js/ts.tsdk.path by @willmartian in #20146
• Autosync Crowdin Translations for web by @bw-ghapp in #20218
• [PM-25627] Fix type checks failing by @JaredScar in #20245
• Autosync Crowdin Translations for web by @bw-ghapp in #20264