diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index 6cd9d981d..849beebad 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -35,6 +35,8 @@ jobs:
 
           ---
 
+          cc: @github/cli
+
           > $BODY
           EOF
 
@@ -63,5 +65,7 @@ jobs:
 
           ---
 
+          cc: @github/cli
+
           > $BODY
           EOF
diff --git a/internal/codespaces/rpc/invoker.go b/internal/codespaces/rpc/invoker.go
index b9d321802..6ba8843ac 100644
--- a/internal/codespaces/rpc/invoker.go
+++ b/internal/codespaces/rpc/invoker.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -241,6 +242,9 @@ func (i *invoker) StartSSHServerWithOptions(ctx context.Context, options StartSS
 		return 0, "", fmt.Errorf("failed to parse SSH server port: %w", err)
 	}
 
+	if !isUsernameValid(response.User) {
+		return 0, "", fmt.Errorf("invalid username: %s", response.User)
+	}
 	return port, response.User, nil
 }
 
@@ -300,3 +304,10 @@ func (i *invoker) notifyCodespaceOfClientActivity(ctx context.Context, activity
 
 	return nil
 }
+
+func isUsernameValid(username string) bool {
+	// assuming valid usernames are alphanumeric, with these special characters allowed: . _ -
+	var validUsernamePattern = `^[a-zA-Z0-9_][-.a-zA-Z0-9_]*$`
+	re := regexp.MustCompile(validUsernamePattern)
+	return re.MatchString(username)
+}
diff --git a/pkg/cmd/root/extension.go b/pkg/cmd/root/extension.go
index fcf0549c2..52250a432 100644
--- a/pkg/cmd/root/extension.go
+++ b/pkg/cmd/root/extension.go
@@ -72,7 +72,7 @@ func NewCmdExtension(io *iostreams.IOStreams, em extensions.ExtensionManager, ex
 					fmt.Fprintf(stderr, "%s\n\n",
 						cs.Yellow(releaseInfo.URL))
 				}
-			case <-time.After(3 * time.Second):
+			case <-time.After(1 * time.Second):
 				// Bail on checking for new extension update as its taking too long
 			}
 		},