Files
TrueCharts Bot ac8abbc8a5 fix(etherpad): update image ghcr.io/ether/etherpad 3.3.1 → 3.3.2 (#49348)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/ether/etherpad](https://redirect.github.com/ether/etherpad) |
patch | `c4bcd4b` → `044e5b5` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/18710) for more information.

Add the preset `:preserveSemverRanges` to your config if you don't want
to pin your dependencies.

---

### Release Notes

<details>
<summary>ether/etherpad (ghcr.io/ether/etherpad)</summary>

###
[`v3.3.2`](https://redirect.github.com/ether/etherpad/blob/HEAD/CHANGELOG.md#332)

[Compare
Source](https://redirect.github.com/ether/etherpad/compare/3.3.1...3.3.2)

3.3.2 is a bug-fix and dependency-hardening follow-up to 3.3.1. It
rounds out the pad-deletion UX rework (suppressing the recovery token
for durable identities, keeping the token-less Delete button reachable,
and closing a read-only deletion hole), restores the saved-revision
markers that went missing from in-pad history mode in 3.3.x, and adds
env-var overrides so air-gapped installs can switch off Etherpad's
outbound calls without editing the image. It also fixes the `migrateDB`
/ `importSqlFile` / `migrateDirtyDBtoRealDB` CLI scripts against the
promise-based ueberdb2 API, rejects unreachable `.`/`..` pad ids, and
clears a batch of dependency security advisories (including
CVE-2026-54285). On the CI side it unblocks the installer smoke test
(which had been hanging the full 6-hour job ceiling since 3.2.0) and
pins ueberdb2 past a startup-exit regression in the packaged boot.

##### Security

- **Force `@opentelemetry/core` ≥ 2.8.0 (GHSA-8988-4f7v-96qf /
CVE-2026-54285,
[#&#8203;7975](https://redirect.github.com/ether/etherpad/issues/7975)).**
The transitive dep (pulled in via `@elastic/elasticsearch` →
`@elastic/transport`) had a `W3CBaggagePropagator.extract()` that did
not enforce W3C size limits on inbound baggage headers, allowing
unbounded memory allocation. Pinned via a `pnpm-workspace.yaml`
override; satisfies the existing `2.x` range with no parent bump.
- **Resolve open Dependabot security alerts
([#&#8203;7967](https://redirect.github.com/ether/etherpad/issues/7967)).**
Refreshes stale override floors and adds new ones via `pnpm-workspace`
overrides: `form-data` ≥ 4.0.6, `ws` ≥ 8.21.0, `esbuild` ≥ 0.28.1,
`basic-ftp` ≥ 5.3.1 (capped `<6.0.0` to avoid a surprise major on the
plugin-install path), `tar` ≥ 7.5.16, `js-yaml` ≥ 4.2.0, `qs` ≥ 6.15.2,
`ip-address` ≥ 10.1.1, and `@babel/core` ≥ 7.29.6.
- **Reject read-only deletion via token-less paths (part of
[#&#8203;7959](https://redirect.github.com/ether/etherpad/issues/7959) /
[#&#8203;7960](https://redirect.github.com/ether/etherpad/issues/7960)).**
Under `allowPadDeletionByAllUsers` a read-only viewer was granted
`canDeletePad=true`, and the server's `flagOk`/`creatorOk` branches
never checked `session.readonly` — so a read-only link holder could
delete a pad without a token. Read-only sessions are now excluded from
both the client var and the server's token-less authorization paths; a
valid recovery token stays sufficient regardless of session mode.

##### Notable enhancements

- **Pad deletion — suppress the recovery token for durable identities
and relabel the action
([#&#8203;7926](https://redirect.github.com/ether/etherpad/issues/7926)
/
[#&#8203;7930](https://redirect.github.com/ether/etherpad/issues/7930)).**
Building on the `allowPadDeletionByAllUsers` suppression, a creator's
deletion token is now also withheld when they have a *durable* identity
— authenticated (`req.session.user` with a username) **and** the
deployment pins that identity to a stable `authorID` via a `getAuthorId`
hook — since only then does the creator survive a cookie clear or a
different device, making the token redundant. This tightens the previous
"require authentication ⇒ always suppress" rule: without `getAuthorId`
the authorID still comes from the per-browser cookie, so an
authenticated user on a second device is *not* the creator and keeps
getting a token. A new `canDeleteWithoutToken` client var hides the
whole recovery-token disclosure (label, field, submit) when no token is
needed, and the recovery form now renders for all sessions (hidden by
default) so an authenticated creator without a durable mapping still has
UI to enter their token. `API.createPad` returns a `null`
`deletionToken` under `allowPadDeletionByAllUsers`, matching the
socket/UI path.
- **Offline/air-gapped installs — env-var overrides for the update
check, plugin catalog, and updater
([#&#8203;7917](https://redirect.github.com/ether/etherpad/issues/7917),
addresses
[#&#8203;7911](https://redirect.github.com/ether/etherpad/issues/7911)).**
Firewalled deployments could not disable Etherpad's outbound calls
without editing `settings.json` inside the image. The relevant keys are
now wired through the `${ENV:default}` substitution in
`settings.json.docker` and `settings.json.template`:
`PRIVACY_UPDATE_CHECK`, `PRIVACY_PLUGIN_CATALOG`, `UPDATES_TIER` (`off`
= no calls), `UPDATE_SERVER`, plus the docker-only `UPDATES_SOURCE` /
`UPDATES_CHANNEL` / `UPDATES_CHECK_INTERVAL_HOURS` /
`UPDATES_GITHUB_REPO` / `UPDATES_REQUIRE_ADMIN_FOR_STATUS`. A new
"Updates & privacy" section in `doc/docker.md` documents the set;
backend tests parse the shipped configs and fail if the `${ENV}`
placeholders are dropped. Config, docs, and tests only — no runtime code
change.

##### Notable fixes

- **Pad — keep the token-less Delete button reachable without pad-wide
settings
([#&#8203;7959](https://redirect.github.com/ether/etherpad/issues/7959)
/
[#&#8203;7960](https://redirect.github.com/ether/etherpad/issues/7960)).**
The token-less `#delete-pad` button was nested inside the
`enablePadWideSettings`-gated section, so disabling pad-wide settings
removed the only no-token deletion path — and combined with
[#&#8203;7926](https://redirect.github.com/ether/etherpad/issues/7926)
hiding the token disclosure when no token is needed, a user allowed to
delete could be left with no deletion UI at all. The button is now
always rendered (hidden by default) and driven by a `canDeletePad`
client var (creator or `allowPadDeletionByAllUsers`, excluding read-only
sessions), so the plain button and the recovery-token disclosure are
mutually coherent and neither depends on pad-wide settings.
- **History mode — restore the saved-revision markers
([#&#8203;7946](https://redirect.github.com/ether/etherpad/issues/7946)
/
[#&#8203;7948](https://redirect.github.com/ether/etherpad/issues/7948)).**
When
[#&#8203;7659](https://redirect.github.com/ether/etherpad/issues/7659)
moved the timeslider into the pad as an embedded iframe, the user-facing
control became the outer `#history-slider-input`, but the saved-revision
stars were still drawn into the now-hidden iframe `#ui-slider-bar`, so
"Save Revision" appeared to do nothing in in-pad history mode (a 3.3.x
regression). `pad_mode.ts` now bridges the embedded slider's saved
revisions onto the outer slider as percentage-positioned, aria-hidden
star markers (with click-to-seek for mouse users), and the server's
`SAVE_REVISION` handler broadcasts `NEW_SAVEDREV` to the pad room so a
revision saved by a collaborator appears live on an already-open history
slider. A single revision saved at rev 0 now renders too. Adds
Playwright coverage for both the single-client and two-client live
paths.
- **Import dialog — correct the outdated "no converter" help message
([#&#8203;7988](https://redirect.github.com/ether/etherpad/issues/7988)
/
[#&#8203;7989](https://redirect.github.com/ether/etherpad/issues/7989)).**
The notice claimed only plain text and HTML could be imported and linked
to the legacy AbiWord wiki, prompting LibreOffice installs for formats
that already work natively. Etherpad imports `.txt`, `.html`, `.docx`
(via mammoth) and `.etherpad` without LibreOffice; only
`.pdf`/`.odt`/`.doc`/`.rtf` still need it. The message now says so and
points at the documentation site.
- **PadManager — reject unreachable `.` and `..` pad ids
([#&#8203;7962](https://redirect.github.com/ether/etherpad/issues/7962)).**
`isValidPadId` accepted ids consisting only of URL dot-segments, but per
the WHATWG URL standard a browser normalises `/p/.` to `/p/` and `/p/..`
to `/`, so such a pad could be created in the database yet never opened
or exported. These ids are now rejected, and the admin `deletePad`
handler falls back to a raw key purge when `getPad()` throws so any
legacy `.`/`..` pad can still be removed.

##### Internal / contributor-facing

- **CLI — fix the database migration/import scripts against the ueberdb2
promise API
([#&#8203;7982](https://redirect.github.com/ether/etherpad/issues/7982)
/
[#&#8203;7983](https://redirect.github.com/ether/etherpad/issues/7983)).**
`migrateDB.ts` opened source and target databases, copied all keys, then
resolved without closing either — so under ueberdb2 6.1.x the keep-alive
timer kept the process hanging after "Done syncing dbs", and buffered
target writes were only guaranteed flushed on `close()`. It now closes
both databases (flushing writes, clearing the timer) on success and
error paths and exits with an explicit status. `importSqlFile.ts` and
`migrateDirtyDBtoRealDB.ts` were ported off the pre-v6 callback API to
`await db.init()` / `db.set(k, v)` / `db.close()`, removing two
`@ts-ignore`s that hid broken calls and fixing an undefined `length` in
a progress log; `tsc --noEmit` on the bin package is now clean.
- **CI — stop the installer smoke test hanging the 6-hour job ceiling
([#&#8203;7981](https://redirect.github.com/ether/etherpad/issues/7981)).**
The "Installer test" had hung on every ubuntu/macOS run since 3.2.0:
`pnpm run prod` is a nested launcher, so `kill "$PID"; wait "$PID"` only
signalled the outer pnpm and blocked forever if the node server didn't
exit on SIGTERM. Teardown now runs the launcher in its own process
group, kills the whole group (SIGTERM then SIGKILL), drops the blocking
`wait`, and adds an 8-minute `timeout-minutes` backstop to both smoke
steps.
- **CI — run the Debian-package smoke test on PRs
([#&#8203;7969](https://redirect.github.com/ether/etherpad/issues/7969)).**
The packaged-boot smoke test previously ran only on push to `develop` —
i.e. after merge — which is why the ueberdb2 startup-exit regression
turned `develop` red instead of being blocked at PR time. A
`pull_request` trigger (scoped to production-footprint paths) now runs
the build+smoke job on PRs; the release/apt-publish jobs stay
tag-guarded.
- **Release — park the non-functional `ep_etherpad` npm publish
([#&#8203;7922](https://redirect.github.com/ether/etherpad/issues/7922)).**
The `releaseEtherpad` workflow republished `./src` as `ep_etherpad`, a
package with zero dependents that nothing in the repo or any deployment
path consumes, and it had been failing with E404 (no OIDC trusted
publisher configured). The job is now gated behind an explicit `confirm:
true` dispatch input so a stray run fails fast with a clear message,
with the status documented in the workflow header and `AGENTS.MD`.
- **Tests — port the orphaned legacy timeslider specs to Playwright
([#&#8203;7949](https://redirect.github.com/ether/etherpad/issues/7949)).**
The `src/tests/frontend/specs/` mocha suite is run by no CI workflow, so
its timeslider coverage was dead — which is how the
[#&#8203;7946](https://redirect.github.com/ether/etherpad/issues/7946)
history-mode regression reached a release. The still-meaningful cases
(revision labels, export links, deep-link entry) were ported to
`frontend-new` Playwright specs re-targeted at the real in-pad UI, and
the three now-ported legacy specs were deleted.

##### Dependencies

- `ueberdb2` pinned to `6.1.13`. 6.1.10 rewrote the cache/buffer layer
to lazily arm an `.unref()`'d flush timer only when there are dirty
keys, so on a fresh empty dirty DB nothing anchored Node's event loop
and the packaged (.deb/systemd) boot could exit cleanly (code 0) before
`server.listen()` bound the port — failing the Debian-package health
check. The dep was pinned back to the last green release (6.1.9,
[#&#8203;7969](https://redirect.github.com/ether/etherpad/issues/7969))
and then rolled forward to the now-fixed `6.1.13`
([#&#8203;7979](https://redirect.github.com/ether/etherpad/issues/7979)),
pinned exactly rather than with a caret.
- `nodemailer` 8.x → 9.0.1
([#&#8203;7965](https://redirect.github.com/ether/etherpad/issues/7965)
/ [#&#8203;7950](https://redirect.github.com/ether/etherpad/issues/7950)
/
[#&#8203;7976](https://redirect.github.com/ether/etherpad/issues/7976)),
`mongodb` 7.1.1 → 7.3.0
([#&#8203;7941](https://redirect.github.com/ether/etherpad/issues/7941)),
`pg` 8.21.0 → 8.22.0
([#&#8203;7985](https://redirect.github.com/ether/etherpad/issues/7985)),
`undici` → 8.5.0
([#&#8203;7980](https://redirect.github.com/ether/etherpad/issues/7980)
etc.), `oidc-provider` 9.8.4 → 9.8.5
([#&#8203;7973](https://redirect.github.com/ether/etherpad/issues/7973)),
`pdfkit` 0.19.0 → 0.19.1
([#&#8203;7945](https://redirect.github.com/ether/etherpad/issues/7945)),
`semver` 7.8.3 → 7.8.4
([#&#8203;7943](https://redirect.github.com/ether/etherpad/issues/7943)),
and `@radix-ui/react-switch` 1.3.0 → 1.3.1
([#&#8203;7974](https://redirect.github.com/ether/etherpad/issues/7974)).
- Dev/build dependency group updates
([#&#8203;7964](https://redirect.github.com/ether/etherpad/issues/7964),
[#&#8203;7970](https://redirect.github.com/ether/etherpad/issues/7970),
[#&#8203;7978](https://redirect.github.com/ether/etherpad/issues/7978),
[#&#8203;7987](https://redirect.github.com/ether/etherpad/issues/7987),
[#&#8203;7944](https://redirect.github.com/ether/etherpad/issues/7944),
[#&#8203;7951](https://redirect.github.com/ether/etherpad/issues/7951),
[#&#8203;7952](https://redirect.github.com/ether/etherpad/issues/7952),
and others), including `@types/node` 25 → 26, `esbuild` 0.28.0 → 0.28.1,
`eslint` 10.4.1 → 10.5.0, `@playwright/test` 1.60 → 1.61, `vitest` 4.1.8
→ 4.1.9, and `actions/checkout` 6 → 7
([#&#8203;7977](https://redirect.github.com/ether/etherpad/issues/7977)).

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzAuMSIsInVwZGF0ZWRJblZlciI6IjQzLjEzMC4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbImFwcC9ldGhlcnBhZCIsImF1dG9tZXJnZSIsInJlbm92YXRlL2NvbnRhaW5lciIsInR5cGUvcGF0Y2giXX0=-->
2026-06-22 00:44:56 +00:00

52 lines
1.4 KiB
YAML

# yaml-language-server: $schema=./values.schema.json
image:
repository: ghcr.io/ether/etherpad
pullPolicy: IfNotPresent
tag: 3.3.2@sha256:044e5b58686f22e2c8b792ed0a7c35a83986458e1ee91f12119276c1e2572bce
securityContext:
container:
readOnlyRootFilesystem: false
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
service:
main:
ports:
main:
port: 10060
targetPort: 9001
workload:
main:
podSpec:
containers:
main:
env:
DB_TYPE: "postgres"
DB_NAME: "{{ .Values.cnpg.main.database }}"
DB_USER: "{{ .Values.cnpg.main.user }}"
DB_PORT: "5432"
DB_PASS:
secretKeyRef:
name: cnpg-main-user
key: password
DB_HOST:
secretKeyRef:
name: cnpg-main-urls
key: host
# User Defined
TITLE: "Etherpad"
FAVICON: "favicon.ico"
DEFAULT_PAD_TEXT: "Welcome to Etherpad! This pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents! Get involved with Etherpad at https://etherpad.org"
ADMIN_PASSWORD: "adminpass"
USER_PASSWORD: "firstuserpass"
persistence:
data:
enabled: true
mountPath: "/opt/etherpad-lite/var"
cnpg:
main:
enabled: true
user: etherpad
database: etherpad