
Metalama 2026.1.19


@gfraiteur released this 27 Jun 07:46
b4adab0

Metalama 2026.1.19 is based on 2026.1.18 and 2026.0.23, plus the following changes.

This release is a comprehensive security and privacy overhaul, hardening telemetry, diagnostics reporting, the local setup server, and the design-time RPC channel, and giving users fine-grained, transparent control over what data Metalama collects.

This release updates Metalama.Compiler to 2026.1.11, which merges upstream Roslyn 5.6 (Visual Studio 2026 version 18.6.3).

Security & Privacy

  • #1707 Privacy options page now uses three-state controls for exception and performance reports.
  • #1701 Telemetry can now be disabled per repository with a metalama.json file.
  • #1672 Show a first-run telemetry notice in-product (toast + opt-out dialog).
  • #1674 Exception/performance reporting: local capture + toast, worker-page review with a Report button and per-category auto-report.
  • #1708 Redrew the privacy options web page to support three-state exception & performance report settings.
  • #1669 Removed the newsletter/email subscription from the product.
  • #1668 Use a separate device-identifier salt for first-party diagnostics vs. third-party (Matomo) analytics.
  • #1679 Bound the on-disk retention of locally stored telemetry data (payloads, exception reports, audit log) with a configurable retention period, defaulting to 30 days.
  • #1680 Hardened the exception-report scrubber (denylist secrets, allow-list Exception.Data).
  • #1670 Telemetry opt-out now also stops the RSS feed fetch.
  • #1711 Fixed an issue where license-usage audit data could be reported with an improperly randomized anonymization salt on first use, before activation completed.
  • #1655 Added Host-header filtering and removed the vestigial CORS / accept-any-cert callback from the local setup server.
  • #1654 Use a CSPRNG for the telemetry AES key and anonymization salt.
  • #1651 Fixed typeless MessagePack deserialization over the unauthenticated design-time RPC pipe.
  • #1650 Fixed predictable world-writable temp artifacts that could enable DLL planting (Linux/macOS).
  • #1649 Validate the reCAPTCHA site key format before reflecting it into the setup page.
  • #1648 Fixed an RSS feed title that could inject arbitrary arguments into the desktop process on Windows.
  • #1647 Prevented a hijacked RSS feed from triggering Windows protocol activation via an unrestricted URI scheme.

Enhancements

  • #1713 Improvements to the metalama telemetry status command.
  • #1685 metalama kill now also kills Metalama.Backstage.Worker and Metalama.Backstage.Desktop.Windows.
  • #1684 Added a telemetry reset-dedup command to clear the reported-issues dedup store.

Fixes

  • #1696 Fixed telemetry configuration update contention when building large solutions.
  • #1692 Throttle the VSX-install toast so it does not collide with the first-run telemetry notice.
  • #1690 Fixed RSS news never displaying (LastFetchTime was internal and not serialized).
  • #1689 Fixed license toasts never being displayed by the Premium build task (VerifyMetalamaLicense).
  • #1664 Fixed an InvalidCastException in MetadataReader when a referenced assembly has an assembly-level generic attribute.
