releases.shpreview

Critical codespace Jupyter RCE fixed; public release downloads

v2.96.0

July 2, 2026GitHub CLIView original ↗
3 features5 fixesThis release3 featuresNew capabilities5 fixesBug fixesAI-tallied from the release notes

Security

A security vulnerability has been identified, and fixed, that could allow command execution on a user's computer when connecting to a malicious Codespace via gh codespace jupyter.

Users of gh codespace jupyter are advised to update gh to version v2.96.0 as soon as possible.

For more information see: https://github.com/cli/cli/security/advisories/GHSA-8cg3-r6g9-fpg2

Download release assets without authentication

gh release download now works against public repositories without authentication, matching gh extension install. A token is still used when one is present:

# Download assets from a public repository, no login required
gh release download v2.96.0 --repo cli/cli

What's Changed

✨ Features

  • Allow gh release download without authentication on public repositories by @BagToad in #13723
  • Detect additional third-party coding agents by @BagToad in #13722
  • Support antigravity-cli and antigravity2.0 in gh skill by @BagToad in #13784

🐛 Fixes

📚 Docs & Chores

:dependabot: Dependencies

  • chore(deps): bump github.com/microsoft/dev-tunnels from 0.1.19 to 0.1.27 by @dependabot in #13708
  • chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 by @dependabot in #13703
  • chore(deps): bump github.com/google/go-containerregistry from 0.21.6 to 0.21.7 by @dependabot in #13702
  • chore(deps): bump actions/setup-go from 6.4.0 to 6.5.0 by @dependabot in #13740
  • chore(deps): bump actions/attest from 4.1.0 to 4.1.1 by @dependabot in #13754
  • chore(deps): bump goreleaser/goreleaser-action from 7.2.2 to 7.2.3 by @dependabot in #13759
  • chore(deps): bump golangci/golangci-lint-action from 9.2.1 to 9.3.0 by @dependabot in #13779

New Contributors

Full Changelog: https://github.com/cli/cli/compare/v2.95.0...v2.96.0

Fetched July 2, 2026