feat(etherpad): update image ghcr.io/ether/etherpad 3.0.0 → 3.1.0 (#48307)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/ether/etherpad](https://redirect.github.com/ether/etherpad) |
minor | `037ce33` → `7bae8bd` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/18710) for more information.

Add the preset `:preserveSemverRanges` to your config if you don't want
to pin your dependencies.

---

### Release Notes

<details>
<summary>ether/etherpad (ghcr.io/ether/etherpad)</summary>

###
[`v3.1.0`](https://redirect.github.com/ether/etherpad/blob/HEAD/CHANGELOG.md#310)

[Compare
Source](https://redirect.github.com/ether/etherpad/compare/3.0.0...3.1.0)

3.1 ships the self-update programme's **Tier 4 — autonomous in a
maintenance window** for real (the v3.0.0 notes documented the design;
this is the release the code actually lands in), adds first-class SMTP
delivery so update failures email the admin, and bundles a
defence-in-depth pass across the HTTP/API entry points. Two new
admin-facing escape hatches arrive: a preflight check that aborts an
update *before* it mutates the working tree when the target tag's
`engines.node` doesn't match the running runtime, and email
notifications for every auto-rollback / preflight outcome (not just the
terminal `rollback-failed` state).

##### Notable enhancements

- **Self-update — Tier 4 (autonomous in a maintenance window).** Set
`updates.tier: "autonomous"` together with `updates.maintenanceWindow:
{"start":"HH:MM","end":"HH:MM","tz":"local"|"utc"}` to constrain
autonomous updates to a nightly window. The scheduler snaps
`scheduledFor` forward to the next window opening when grace would
otherwise land outside the window, and defers the fire when the window
has closed by the timer callback. Cross-midnight windows (`end < start`)
are supported; DST transitions are absorbed by host wall-clock
arithmetic. A missing or malformed window degrades the policy to Tier 3
with an explicit `policy.reason` of `maintenance-window-missing` /
`maintenance-window-invalid`; an admin banner surfaces the
misconfiguration so autonomous behaviour is not silently disabled. The
admin update page shows a "Maintenance window" section with the parsed
window summary, the next opening, and a "deferred until <iso>" subtitle
on the scheduled panel when the timer has been snapped forward. Closes
[#&#8203;7607](https://redirect.github.com/ether/etherpad/issues/7607)
([#&#8203;7753](https://redirect.github.com/ether/etherpad/issues/7753)).
- **Updater — real SMTP via nodemailer (new top-level `mail.*` block).**
Replaces the "(would send email)" stub. New settings: `mail.host`,
`mail.port`, `mail.secure`, `mail.from`, `mail.auth.{user,pass}`.
`mail.host=null` keeps the legacy log-only behaviour. The `nodemailer`
dependency is lazy-imported on first send so installs that don't
configure mail pay no runtime cost; the transport is cached on the full
SMTP options tuple so a `reloadSettings()` change to
host/port/credentials invalidates the cache. `settings.json.docker`
reads `MAIL_HOST` / `MAIL_FROM` / `MAIL_PORT` / `MAIL_SECURE` from env.
Send errors are logged warn and swallowed so a transient SMTP failure
can never poison the updater state machine.
- **Updater — preflight against the target tag's `engines.node`.**
Before mutating the working tree, `runPreflight` now runs `git show
<tag>:package.json` and verifies `process.versions.node` satisfies the
target's `engines.node`. A mismatch fails cleanly at `preflight-failed`
with the detail `target requires Node >=X, running Y` — no drain, no
restart, no rollback. The check runs *after* signature verification so
we only trust signed `package.json`. New `PreflightReason:
'node-engine-mismatch'`.
- **Updater — email admin on rollback / preflight-failed (not just
`rollback-failed`).** Before this release only the terminal
`rollback-failed` state emailed. Auto-recovered failures
(`rolled-back-install-failed`, `rolled-back-build-failed`,
`rolled-back-health-check`, `rolled-back-crash-loop`) and
`preflight-failed` now also fire one email per `<outcome>:<targetTag>`
(dedupe key in `EmailSendLog.lastFailureKey`). A 3am autonomous update
that rolls back because of, say, a Node engine bump now lands in the
admin inbox at 3am instead of staying invisible until the next admin
login. Boot-path catch-up covers cases where the failure preceded a
clean process exit (timer-fired health-check rollback, crash-loop forced
rollback, preflight-failed that didn't get to email before exit).
- **API — `listAuthorsOfPad` filters the synthetic system author.**
`Pad.SYSTEM_AUTHOR_ID` (`a.etherpad-system`) is the placeholder Etherpad
attributes to when the HTTP API receives a call without an `authorId`
(setText, setHTML, appendText, server-side import). It was leaking
through `listAuthorsOfPad`, making pads with only API-driven content
appear to have one "real" author. The synthetic id is now filtered at
that API surface only — `getAllAuthors()` and downstream callers (copy,
anonymize, atext verification) still see it. Fixes
[#&#8203;7785](https://redirect.github.com/ether/etherpad/issues/7785) /
[#&#8203;7790](https://redirect.github.com/ether/etherpad/issues/7790)
([#&#8203;7793](https://redirect.github.com/ether/etherpad/issues/7793)).

##### Notable fixes

- **Export HTML — ordered-list counter no longer poisoned by a sibling
unordered list.** When an ordered-list level was the only consumer of
`olItemCounts`, closing *any* list at that depth (including a `<ul>`
that happened to share the level) reset the counter to 0. A subsequent
unrelated `<ol>` at the same depth then took the "counter exists but is
0" branch and emitted `<ol class="...">` without the `start=` attribute.
The reset is now gated on `line.listTypeName === 'number'` so closing an
unordered list never touches the ol bookkeeping. Fixes
[#&#8203;7786](https://redirect.github.com/ether/etherpad/issues/7786) /
[#&#8203;7787](https://redirect.github.com/ether/etherpad/issues/7787)
([#&#8203;7791](https://redirect.github.com/ether/etherpad/issues/7791)).
- **Export — bad `:rev` returns a meaningful 500 body, not Express's
HTML error page.** A non-numeric `:rev` (e.g. `/p/foo/test1/export/txt`)
reached `checkValidRev` which throws `CustomError('rev is not a number',
'apierror')`; the message fell through `.catch(next)` and Express's
default renderer returned an HTML 500 page. The route handler now
catches the apierror and emits `err.message` as a deterministic
`text/plain` 500. As a follow-up, `checkValidRev` runs *before*
`res.attachment()` so an invalid rev no longer leaves a
`Content-Disposition` header in place (browsers were offering to save
the error message as a file), and unrelated export failures (conversion,
fs, soffice) are surfaced as text/plain rather than the HTML stack page.
Fixes
[#&#8203;7788](https://redirect.github.com/ether/etherpad/issues/7788)
([#&#8203;7792](https://redirect.github.com/ether/etherpad/issues/7792)).

##### Security hardening

A bundle of defence-in-depth tightening picked up during an internal
audit pass
([#&#8203;7784](https://redirect.github.com/ether/etherpad/issues/7784)):

- **HTTP API — OAuth JWT path.** Verify the signature *before* reading
any claim off the payload; require `admin: true` strictly (presence is
no longer sufficient). The apikey comparison switches to
`crypto.timingSafeEqual`.
- **Import/Export temp-file path tokens.** Derived from
`crypto.randomBytes(16)` instead of `Math.random()`.
- **Token transfer.** Records now have a 5-minute TTL and are single-use
(removed from the store before responding). The author token is no
longer in the redemption response body — the `HttpOnly` cookie is the
only delivery channel.
- **`x-proxy-path` header sanitiser (new
`src/node/utils/sanitizeProxyPath.ts`).** Shared by `admin.ts` and
`specialpages.ts`. Strips characters outside `[A-Za-z0-9_./-]`,
collapses leading `//+` to a single `/`, rejects `..` traversal.
`admin.ts` also emits `Vary: x-proxy-path` and `Cache-Control: private,
no-store` so a poisoned response can never be reused for another origin.
- **`Pad.appendRevision` insert-op author invariant.** Centralises the
"every insert op carries an `author` attribute" rule the socket handler
already enforced, so non-wire callers (`setText`, `setHTML`,
`restoreRevision`, plugin paths) get the same check. `Pad.init` and
`setPadHTML` substitute `SYSTEM_AUTHOR_ID` when no author is supplied —
same pattern `setText` / `spliceText` already used.
- **`setPadRaw` legacy-import rewrite.** Bulk-import bypasses
`appendRevision`, so a hand-crafted `.etherpad` file could persist
non-conforming records that any subsequent `setText` / `setHTML` would
refuse to extend. A pre-pass now walks revs in order, sanitises each
changeset's `+` ops against the cumulative pad pool (substituting
`SYSTEM_AUTHOR_ID` where needed), and re-applies each changeset to a
running atext so the head atext and key-rev `meta.atext` / `meta.pool`
snapshots stay in lock-step. Conforming payloads round-trip unchanged.

##### Internal / contributor-facing

- **Backend tests — `tests/backend/specs/{api,admin}/*` un-skipped.**
The pnpm test script's glob (`tests/backend/specs/**.ts`) only matched
depth-1 files. Every spec under `api/` (14 files) and `admin/` (2 files)
has been silently skipped by CI. Switched to `--extension ts
--recursive` so mocha walks the tree as documented. A new vitest
regression check reads the pnpm script, hands mocha the same arguments
under `--dry-run --list-files`, and asserts representative specs from
both subdirectories appear in the discovered list
([#&#8203;7789](https://redirect.github.com/ether/etherpad/issues/7789)).
- **CI — Windows `npx ENOENT` in the glob-discovery regression check.**
`execFileSync('npx', ...)` doesn't pick up `npx.cmd` on Windows runners.
Resolved by running `mocha`'s JS entry directly via `require.resolve`
under the current node process. Path normalisation now goes through
`path.relative` + `replace([\\/])` so mixed-separator / drive-letter
casing on Windows mocha output still matches the POSIX-relative
assertions
([#&#8203;7794](https://redirect.github.com/ether/etherpad/issues/7794)).
- **CI — `anonymizeAuthorSocket` suite gated on admin-socket health when
`ep_hash_auth` is installed.** Un-hiding the suite in
[#&#8203;7789](https://redirect.github.com/ether/etherpad/issues/7789)
surfaced a 14-minute stall on every with-plugins matrix run because
`ep_hash_auth`'s `handleMessage` hook fires for every socket message
regardless of namespace and reads from the deprecated `client` context
(undefined for non-pad namespaces). Until the root cause lands (tracked
in
[#&#8203;7795](https://redirect.github.com/ether/etherpad/issues/7795)),
the suite skips itself when an application-level probe shows the admin
`/settings` namespace isn't responding — keeps the no-plugin matrix
covered and stops burning \~14 minutes per with-plugins run
([#&#8203;7796](https://redirect.github.com/ether/etherpad/issues/7796)).

##### Localisation

- Multiple updates from translatewiki.net.

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzAuMSIsInVwZGF0ZWRJblZlciI6IjQzLjEzMC4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbImFwcC9ldGhlcnBhZCIsImF1dG9tZXJnZSIsInJlbm92YXRlL2NvbnRhaW5lciIsInR5cGUvbWlub3IiXX0=-->
This commit is contained in:
TrueCharts Bot
2026-05-17 18:59:19 +02:00
committed by GitHub
parent c1f740038d
commit 52ec91d7d8
2 changed files with 3 additions and 3 deletions
+2 -2
View File
@@ -9,7 +9,7 @@ annotations:
trueforge.org/min_helm_version: "3.14"
trueforge.org/train: stable
apiVersion: v2
appVersion: 3.0.0
appVersion: 3.1.0
dependencies:
- name: common
version: 29.3.4
@@ -39,5 +39,5 @@ sources:
- https://github.com/ether/etherpad-lite
- https://github.com/trueforge-org/truecharts/tree/master/charts/stable/etherpad
type: application
version: 22.0.0
version: 22.1.0
+1 -1
View File
@@ -2,7 +2,7 @@
image:
repository: ghcr.io/ether/etherpad
pullPolicy: IfNotPresent
tag: 3.0.0@sha256:037ce33b51aa4997af6b953847631cb89bfc1d0d1c29598249a099dc2b990d1e
tag: 3.1.0@sha256:7bae8bdb87559debbbb17a45eb72f8ae776af4088b1dba5620face5085f14b99
securityContext:
container:
readOnlyRootFilesystem: false