From 8d20d9114709448686c51c9f10ee47246739a20d Mon Sep 17 00:00:00 2001 From: TrueCharts Bot Date: Wed, 27 May 2026 07:19:58 +0200 Subject: [PATCH] =?UTF-8?q?feat(etherpad):=20update=20image=20ghcr.io/ethe?= =?UTF-8?q?r/etherpad=203.1.0=20=E2=86=92=203.2.0=20(#48459)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/ether/etherpad](https://redirect.github.com/ether/etherpad) | minor | `7bae8bd` → `ba06bc0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/18710) for more information. Add the preset `:preserveSemverRanges` to your config if you don't want to pin your dependencies. --- ### Release Notes
ether/etherpad (ghcr.io/ether/etherpad) ### [`v3.2.0`](https://redirect.github.com/ether/etherpad/blob/HEAD/CHANGELOG.md#320) [Compare Source](https://redirect.github.com/ether/etherpad/compare/3.1.0...3.2.0) 3.2 adds first-class reverse-proxy / ingress support — `X-Forwarded-Prefix` and `X-Ingress-Path` are now honoured under `trustProxy`, so Etherpad can live under a subpath (Traefik, Nginx, Kubernetes Ingress) without breaking the PWA manifest, social-meta URLs, or any of the bootstrap asset links. The admin settings page learns to show *resolved* runtime values next to `${VAR:default}` placeholders, the v3.1.0 admin pad-list filter chips now apply server-side (so "show empty pads" no longer returns 0–12 of hundreds), and the v3.1.0 redesigned outdated-version gritter actually fires in production now (the session-based author lookup it shipped with always returned null for pad visitors). ##### Notable enhancements - **HTTP — accept `X-Forwarded-Prefix` and `X-Ingress-Path` under `trustProxy` ([#​7802](https://redirect.github.com/ether/etherpad/issues/7802) / [#​7806](https://redirect.github.com/ether/etherpad/issues/7806)).** With `trustProxy: true`, Etherpad now honours `X-Forwarded-Prefix` (de-facto Traefik / Spring) and `X-Ingress-Path` (Kubernetes Ingress) in addition to the prefix it already inferred from the request path. The shared `sanitizeProxyPath` helper added in 3.1.0 (defence-in-depth: `[A-Za-z0-9_./-]` only, `//+` collapsed, `..` traversal rejected) is extended to the new headers and applied consistently across `/manifest.json`, `socialMeta` `og:url` / `og:image`, and the `index.html` / `pad.html` / `timeslider.html` / `export_html.html` templates (manifest links, jslicense links, reconnect URLs). A pre-existing `..` segment-count miscalculation in `pad.html` / `timeslider.html` that broke the manifest link when served from a deep subpath is also fixed in passing. New end-to-end suite covers the prefix-applied / prefix-ignored matrix under `trustProxy=true|false` for both header names. `settings.json.template` documents the new headers alongside the existing `trustProxy` notes. - **Admin settings — resolved runtime values surface on env-pill chips ([#​7803](https://redirect.github.com/ether/etherpad/issues/7803) / [#​7807](https://redirect.github.com/ether/etherpad/issues/7807)).** The `/admin/settings` socket payload now carries a new `resolved` field alongside the existing raw-file `results` blob, carrying the actual in-memory settings module run through a new redactor (`AdminSettingsRedact`) that replaces known-sensitive paths (`users.*.password`, `dbSettings.password`, `sso.clients[*].client_secret`, `sessionKey`, …) with `[REDACTED]`. The admin SPA's `EnvPill` renders a `→ active value` chip when the path is resolved, or `→ ••••••` with a redacted tooltip when the server returned the sentinel — so `port: ${PORT:9001}` now shows `→ 9001` (or whatever the live value is) instead of silently falling back to the template default. Old admin SPAs that don't read `resolved` continue to work; the save round-trip is unchanged so `${VAR:default}` literals are still preserved verbatim on disk. The admin test script glob picks up `.test.tsx` alongside `.test.ts` so the new `EnvPill` and `resolveByPath` tests run under `tsx --test`. ##### Notable fixes - **Admin pads — filter chip now applies server-side, before pagination ([#​7798](https://redirect.github.com/ether/etherpad/issues/7798)).** The 3.1.0 admin pad-list filter chips (`active` / `recent` / `empty` / `stale`) ran on the client *after* the 12-row page slice had already arrived. On a deployment with hundreds of pads, clicking "empty pads" on page 1 only matched the 0–12 empties that happened to land in the current page, with the pagination footer reporting nonsense totals (reported on a 3.1.0 deployment). The filter is now part of the `padLoad` socket query — pattern filter on names runs first (cheap), metadata hydration for the matching pad universe is gated on a non-`all` filter or a non-`padName` sort and runs under a 16-way concurrency cap (was unbounded `Promise.all`, which fanned out to thousands of in-flight `padManager.getPad()` reads on busy deployments), then the filter chip, then sort + slice. `total` reflects the filtered universe so the footer makes sense. Older admin clients that don't send `filter` keep working — the server defaults to `all`. The `if/else if` ladder that duplicated the hydrate-and-sort loop per `sortBy` is folded into one pipeline with a single comparator switch. - **Pad outdated notice — author now resolved from token cookie, not session (Qodo [#​7804](https://redirect.github.com/ether/etherpad/issues/7804) / [#​7805](https://redirect.github.com/ether/etherpad/issues/7805)).** The 3.1.0 redesigned outdated-version gritter never fired in production. `resolveRequestAuthor()` looked for an `authorID` on `req.session.user`, which Etherpad does not populate for pad visitors (express-session only carries the admin-login user), so `computeOutdated()` always returned EMPTY. The lookup now mirrors how the socket.io handshake resolves pad-visitor identity — read the HttpOnly `token` (or `token`) cookie and call `authorManager.getAuthorId(token, user)` via a dynamic import (same circular-init guard pattern the file already uses for `PadManager`). The admin OpenAPI document gains a `description` note clarifying that `/api/version-status` is a public pad-side endpoint that lives in the admin doc only because it shares the same internal route registration. - **Localisation — silence spurious "could not translate element content" warning ([#​7797](https://redirect.github.com/ether/etherpad/issues/7797)).** ``'s text is its `
--- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). --- charts/stable/etherpad/Chart.yaml | 4 ++-- charts/stable/etherpad/values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/stable/etherpad/Chart.yaml b/charts/stable/etherpad/Chart.yaml index ea984da6742..f1ef7f3b488 100644 --- a/charts/stable/etherpad/Chart.yaml +++ b/charts/stable/etherpad/Chart.yaml @@ -9,7 +9,7 @@ annotations: trueforge.org/min_helm_version: "3.14" trueforge.org/train: stable apiVersion: v2 -appVersion: 3.1.0 +appVersion: 3.2.0 dependencies: - name: common version: 29.3.4 @@ -39,5 +39,5 @@ sources: - https://github.com/ether/etherpad-lite - https://github.com/trueforge-org/truecharts/tree/master/charts/stable/etherpad type: application -version: 22.1.0 +version: 22.2.0 diff --git a/charts/stable/etherpad/values.yaml b/charts/stable/etherpad/values.yaml index 81688ab16d6..c4c418f69fc 100644 --- a/charts/stable/etherpad/values.yaml +++ b/charts/stable/etherpad/values.yaml @@ -2,7 +2,7 @@ image: repository: ghcr.io/ether/etherpad pullPolicy: IfNotPresent - tag: 3.1.0@sha256:7bae8bdb87559debbbb17a45eb72f8ae776af4088b1dba5620face5085f14b99 + tag: 3.2.0@sha256:ba06bc08f0ac918956b6347f722deaf8a5cf35881531edd6626fa7fa1930de14 securityContext: container: readOnlyRootFilesystem: false