Release Notes - Back to Release Notes
We are excited to announce the release of DocumentDB for VS Code Extension v0.9.
This release expands the extension’s multicloud reach with first-class Kubernetes service discovery, letting you connect to DocumentDB clusters running on AKS, EKS, GKE, on-premises, or local Kubernetes without writing connection strings or running kubectl port-forward manually. It also delivers a dramatically improved Query Insights experience with progressive streaming of AI-generated recommendations, so you can follow along as analysis unfolds rather than staring at a spinner for 15+ seconds.
We are introducing Kubernetes service discovery, bringing true multicloud and hybrid-cloud support to the extension. If you run DocumentDB-compatible clusters in any Kubernetes environment (AKS, EKS, GKE, OpenShift, or local clusters like kind, minikube, k3s, or Docker Desktop), the extension can now find them automatically and connect you without manual configuration.

The new Kubernetes Clusters root in the Discovery view lets you register one or more kubeconfig sources side by side, each expanding independently into its own contexts → namespaces → targets subtree:
KUBECONFIG or the Kubernetes default path (~/.kube/config).
The extension discovers DocumentDB Kubernetes Operator (DKO) managed clusters first, surfacing them as named first-class cluster nodes. Generic services that opt in via an annotation or expose known DocumentDB-compatible ports are discovered as a fallback. No changes to your cluster manifests are required for DKO-managed clusters.
ClusterIP services are reached through a local port-forward tunnel. The extension establishes and restores the tunnel automatically. When you open a saved connection, the tunnel restarts behind the scenes with no extra clicks. The reachability model is honest and visible:
| Connectivity label | What it means |
|---|---|
| (none) | LoadBalancer with a public address; the connection string is portable. |
node-routed |
NodePort or node-addressed LoadBalancer; only reachable if the node is accessible. |
port-forward |
ClusterIP; requires a local port-forward tunnel. The connection string only works on this machine while the tunnel is active. |
pending |
LoadBalancer awaiting an external IP. |
Hover any discovered target for a rich tooltip that explains reachability, lists the service type, port, namespace, and cloud provider.
For ClusterIP targets, the Copy Connection String command opens a grouped picker. The Connection string group offers connection string variants with and without the password. The Kubernetes group adds a ready-to-run kubectl port-forward command you can paste to re-establish the same tunnel or share with a teammate. See Copy Connection String for details.
Context names auto-generated by cloud CLIs (clusterUser_*, arn:aws:eks:*, gke_*) are often opaque. You can now right-click any context and choose Rename Context… to assign a friendly display name without touching the underlying kubeconfig file.
A toggle on each context node lets you switch between:
For the full feature reference, see the Kubernetes Service Discovery user manual. For a step-by-step walkthrough that creates a local or AKS cluster and validates the full flow, see the Kubernetes Service Discovery Getting Started guide.
Query Insights now streams AI-generated recommendations progressively, eliminating the ~15-second blank wait that existed before. After clicking Get AI Performance Insights, results appear as they are generated: you can read the summary while individual index recommendations are still being produced.

Previously, the extension buffered the entire AG-generated response (which took 10–20 s to generate) before parsing and rendering it all at once. Users had no signal that anything was happening past the first second. The new experience connects the model’s natural streaming output directly to the UI:
For information on which AI model is used and how billing works, see AI Performance Insights: Model and Billing.
Security: ws DoS Vulnerability Fixed: Upgraded ws from 8.20.0 to 8.21.0, which fixes a remote memory exhaustion denial-of-service vulnerability where a peer could crash a server or client using a high volume of tiny WebSocket fragments with modest network traffic. #744
Security: form-data Encoding Fix: Upgraded form-data from 4.0.5 to 4.0.6, which fixes improper escaping of CR, LF, and " characters in multipart field names and filenames. #745
Dependency Update: launch-editor: Upgraded launch-editor from 2.13.2 to 2.14.1, including a fix for UNC path rejection. #747
See the full changelog entry for this release: ➡️ CHANGELOG.md#090
This patch introduces a first-class “No Authentication” connection mode for credential-free clusters, fixes a critical bug where the Query Playground’s Run button vanishes after saving a file, extends Entra ID authentication to Azure sovereign clouds, resolves long-standing issues with non-ObjectId _id types and shell completions, and delivers several performance and reliability improvements.
A heartfelt thank you to everyone who contributed to this release!
_id support (#719), multi-select context menu cleanup (#693), Azure tenant throttling (#694), SchemaStore memory ceiling (#724), URI handler diagnostics (#723), shell completion fixes (#712), and more.You can now connect to DocumentDB clusters that require no credentials at all — no username, no password, no Entra ID. This is useful for exploratory work against clusters intentionally running without authentication, such as local development instances or clusters behind a network perimeter that handles access control externally.
“No Authentication” appears as a first-class option in the connection wizard alongside Native and Microsoft Entra ID auth. The selection is honored throughout: the tree expands without prompting for credentials, the integrated shell shows No Authentication in the connection summary, and the query playground routes through the credential-free connection string. TLS/SSL overrides in the connection string (e.g., tls=false) are fully honored.
If you switch an existing connection from Native or Entra ID to “No Authentication”, any previously stored credentials are automatically cleared so they cannot leak back in on the next load.
Playground files now have a first-class way to connect, reconnect, and switch databases — and the connection is no longer lost when you save.
Connect on demand: Unconnected playground files now show a $(plug) Connect CodeLens at the top. Clicking it opens a tree-based database picker that drills the Connections view (folders → clusters → databases). Running a playground that has no connection opens the same picker automatically and continues the run as soon as a database is selected; pressing Escape cancels without error.
Switch databases: Clicking the connection lens while a playground is already connected opens a picker to point it at a different cluster or database. The existing connection is only replaced after a new database is picked, so cancelling preserves the current one.
Connections survive saves (fixes #740): The Run, Collection View, and Shell CodeLens buttons previously disappeared after saving a .documentdb.js file because saving changed the document URI and the connection binding was keyed on the old URI. Connections now survive saving an untitled scratch file to disk, Save As to a different path, and reopening a playground in the same VS Code session (provided the target cluster’s credentials are still cached).
_id Types in Document Operations (#217, #719)Documents with string, numeric, UUID, or embedded-document _id values now work correctly across all operations. Previously, attempting to delete, read, or upsert such a document threw an “Invalid document ID” error because the extension assumed every _id was an ObjectId. The fix extracts _id parsing into a shared utility that uses EJSON round-tripping as the ground truth, handling every BSON type the driver supports.
The OIDC ALLOWED_HOSTS list for Entra ID authentication is no longer hardcoded to *.azure.com. It is now derived from the connection string’s hostname, widening coverage to non-public-cloud Azure endpoints while preserving the security control (non-Azure hosts remain untrusted). This removes a restriction that could block token delivery when the connection string host does not end in .azure.com.
Field-name completions now appear correctly when a query contains parentheses inside string literals, regex literals, or line and block comments. Previously, a literal ) inside ")", /foo(bar)/, or // comment ) confused the method-argument context detector into thinking the cursor was outside the filter object, suppressing completions entirely.
When the TypeScript plugin fails to bootstrap (a common scenario in container-based remote environments or corporate installs with read-only extension directories), the extension now shows a status bar warning with a click-to-retry action instead of failing silently. If TypeScript-powered completions in the playground are unavailable, the warning tells you why and lets you retry without reloading VS Code.
Single-item context menu commands in the Connections view are now hidden when multiple items are selected. Previously, right-clicking a multi-selection showed the full single-item menu, and most commands would silently act on only the first selected item. Now only the two commands that genuinely support multi-select (Remove Connection and Move Items) remain visible in that context.
Azure tenant sign-in checks are now throttled to a maximum of 5 concurrent requests. For users in organizations with many Azure tenants, the previous unbounded Promise.all fan-out against Microsoft Entra could cause timeouts and noticeably slow the credential and subscription filtering dialogs. The new shared concurrency limiter caps in-flight isSignedIn checks across both wizard steps.
The schema cache now enforces an LRU-based entry limit. In long-running sessions with many collections, the _analyzers map in SchemaStore could grow without bound, gradually increasing memory usage. Once the limit is reached, the least-recently-used entries are evicted to keep the footprint bounded.
Fields with special characters in their names (e.g., order-items, my field) now produce correct aggregation reference text in completions. Previously, they emitted $order-items or $my field, which is invalid MQL. Flat fields with unsafe names now use { $getField: "order-items" } form; nested paths with an unsafe segment omit the reference to avoid emitting broken MQL.
Failures in the VS Code URI handler (used when clicking links that open the extension from external applications) now surface a user-visible warning notification and emit structured diagnostic telemetry. Previously, errors at this entry point were swallowed silently.
undici Update (#754)Updated undici from 7.25.0 to 7.28.0 to address security vulnerabilities.
See the full changelog entry for this release: ➡️ CHANGELOG.md#091