1Password Browser Extension Code Syntax Rendering Issue

Update

Incident Postmortem - 1Password Browser Extension Code Syntax Rendering Issue

Customer impact began (stable rollout start): 2025-12-09

Investigation Started: 2025-12-17

Incident Declared (UTC): 2025-12-30 13:13

Fixed Release First Available: 2026-01-01

Fixed Release Fully Available and Verified: 2026-01-05

Incident Marked Resolved (UTC): 2026-01-05 02:15

Service(s) Affected: 1Password browser extension

Summary

The 1Password browser extension, which works by injecting code into web pages, inadvertently included code from PrismJS, a third party dependency, breaking syntax highlighting on some websites that display code blocks. The issue was reported in beta in early December, escalated after additional customer reports and a report from an external partner, and required releasing a stable update to remove the problematic dependency chain. This issue affected page rendering only and did not expose vault data or credentials.

Impact on Customers

Customers experienced broken code-block syntax highlighting on websites with <code> HTML elements while using the 1Password browser extension version 8.11.22 across all major browsers.

• Code snippet rendering issue: Syntax highlighting for code blocks was broken on sites that display code snippet; impacted sites included developer documentation pages, technical forums, and blogs with code snippets.
• Browser scope: Reported in Chromium-based browsers initially, and confirmed to affect all major browsers.
• Customer reports: Started in beta with a single report on December 3, 2025, with additional reports in stable December 15–16, 2025. From December 9, 2025 through January 3, 2026 we received 55 unique customer reports. The issue was later observed in stable and amplified via social media.

What Happened?

The injected content script in the 1Password browser extension was able to include UI-related dependencies from other parts of the 1Password codebase in a context where they should not exist. This happened due to a small change that accidentally pulled in additional libraries caused by insufficient restrictions/guardrails on what dependencies could be imported into injected scripts.

• Detection and Escalation:

  On December 3, 2025, we received a beta report that syntax highlighting was broken when the 1Password extension was enabled. That report was incorrectly tagged and did not reach the owning team for timely triage, so we did not recognize it as a potential release blocker before version 8.11.22 rolled out to stable on December 9, 2025.

  On December 17, 2025, an external partner reported the issue affecting stable. That report was routed correctly, we connected it to the earlier beta issue, and we began investigation and remediation.

• Timeline of Events (UTC):

  • 2025-12-03: Internal ticket created after beta report of broken syntax highlighting.
  • 2025-12-09: Bug released to stable version 8.11.22.
  • 2025-12-15 to 2025-12-16: Three additional customers reported the issue (not yet routed to the owning team).
  • 2025-12-17: An external partner reported the issue affecting stable via a shared Slack channel; the Filling & Saving team began investigation.
  • 2025-12-22: Fix merged (script pruning applied broadly to remove PrismJS from injected scripts).
  • 2025-12-30: Reports surfaced that social media users observed the issue; stable update coordination began.
  • 2025-12-31: Releases published across all browser platforms.
  • 2026-01-01: Release approved by web stores.

• Root Cause Analysis: We did not have an enforced dependency boundary for injected content scripts, which allowed unexpected UI and runtime dependencies to be bundled into the page-injected context.

• Trigger: A new import introduced an indirect dependency chain from an injected script to a UI module and ultimately to PrismJS.

• Contributing Factors (if any):

  • Mis-triage of beta report
  • Missing side-effect regression tests

How Was It Resolved?

We removed PrismJS from the scripts the extension injects into web pages by eliminating the import chain that pulled it into the injected bundle. We then shipped an updated extension across all supported browsers.

• Mitigation Steps:

  • Coordinated releasing a stable update once stable impact and broader visibility were confirmed.

• Resolution Steps:

  • Fix merged on 2025-12-22.
  • Fix was applied to the previous stable release.
  • New beta/stable builds created and published across platforms.
  • Fix approved by web stores as of 2026-01-01.
  • Releases published across nightly, beta, and stable.
  • Because extension updates roll out via browser web stores and auto-update schedules, we consider the fix fully available once all stores had approved the release and we verified the issue could no longer be reproduced on known affected sites.

• Verification of Resolution:

  • We tested the new builds on known affected websites, validating that code block formatting is working as expected.
  • We confirmed that the browser extension build no longer contained the PrismJS library.

What We Are Doing to Prevent Future Incidents

• Added lint rules to block disallowed imports into injected scripts.
• Added internal documentation describing how to avoid dangerous imports and the potential impacts.
• Ensure new lint rules to prevent dangerous imports are blocking in CI pipelines.
• Add an automated test to internal testing sites to ensure injected content scripts don’t introduce side effects.
• Implement automated rules + a triage SLA so new beta issues are reviewed by the owning team before stable release decisions.
• Ensure bundle size changes are blocking changes, enforced by our automated build systems as part of the code review process.

Next Steps and Communication

• Most browsers will auto-update extensions via their web stores. If the issue persists, customers should manually check for updates and verify they are on the fixed extension versions (8.11.27 and newer). Customers can verify their version in their browser’s extension/add-ons settings (1Password extension version 8.11.27 or newer).
• We will continue monitoring for regressions and follow up on guardrails (blocking lint rules, bundle-size checks, and automated website-side-effect tests).

We are committed to providing a reliable and stable service, and we are taking the necessary steps to learn from this event and prevent it from happening again. Thank you for your understanding.

Sincerely,

The 1Password Team

Resolved

The 1Password browser extension, which works by injecting code into web pages, inadvertently included code from PrismJS, a third party dependency, breaking syntax highlighting on some websites that display code blocks.