Files
truecharts/charts/stable/etherpad
TrueCharts Bot 8d20d91147 feat(etherpad): update image ghcr.io/ether/etherpad 3.1.0 → 3.2.0 (#48459)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/ether/etherpad](https://redirect.github.com/ether/etherpad) |
minor | `7bae8bd` → `ba06bc0` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/18710) for more information.

Add the preset `:preserveSemverRanges` to your config if you don't want
to pin your dependencies.

---

### Release Notes

<details>
<summary>ether/etherpad (ghcr.io/ether/etherpad)</summary>

###
[`v3.2.0`](https://redirect.github.com/ether/etherpad/blob/HEAD/CHANGELOG.md#320)

[Compare
Source](https://redirect.github.com/ether/etherpad/compare/3.1.0...3.2.0)

3.2 adds first-class reverse-proxy / ingress support —
`X-Forwarded-Prefix` and `X-Ingress-Path` are now honoured under
`trustProxy`, so Etherpad can live under a subpath (Traefik, Nginx,
Kubernetes Ingress) without breaking the PWA manifest, social-meta URLs,
or any of the bootstrap asset links. The admin settings page learns to
show *resolved* runtime values next to `${VAR:default}` placeholders,
the v3.1.0 admin pad-list filter chips now apply server-side (so "show
empty pads" no longer returns 0–12 of hundreds), and the v3.1.0
redesigned outdated-version gritter actually fires in production now
(the session-based author lookup it shipped with always returned null
for pad visitors).

##### Notable enhancements

- **HTTP — accept `X-Forwarded-Prefix` and `X-Ingress-Path` under
`trustProxy`
([#&#8203;7802](https://redirect.github.com/ether/etherpad/issues/7802)
/
[#&#8203;7806](https://redirect.github.com/ether/etherpad/issues/7806)).**
With `trustProxy: true`, Etherpad now honours `X-Forwarded-Prefix`
(de-facto Traefik / Spring) and `X-Ingress-Path` (Kubernetes Ingress) in
addition to the prefix it already inferred from the request path. The
shared `sanitizeProxyPath` helper added in 3.1.0 (defence-in-depth:
`[A-Za-z0-9_./-]` only, `//+` collapsed, `..` traversal rejected) is
extended to the new headers and applied consistently across
`/manifest.json`, `socialMeta` `og:url` / `og:image`, and the
`index.html` / `pad.html` / `timeslider.html` / `export_html.html`
templates (manifest links, jslicense links, reconnect URLs). A
pre-existing `..` segment-count miscalculation in `pad.html` /
`timeslider.html` that broke the manifest link when served from a deep
subpath is also fixed in passing. New end-to-end suite covers the
prefix-applied / prefix-ignored matrix under `trustProxy=true|false` for
both header names. `settings.json.template` documents the new headers
alongside the existing `trustProxy` notes.
- **Admin settings — resolved runtime values surface on env-pill chips
([#&#8203;7803](https://redirect.github.com/ether/etherpad/issues/7803)
/
[#&#8203;7807](https://redirect.github.com/ether/etherpad/issues/7807)).**
The `/admin/settings` socket payload now carries a new `resolved` field
alongside the existing raw-file `results` blob, carrying the actual
in-memory settings module run through a new redactor
(`AdminSettingsRedact`) that replaces known-sensitive paths
(`users.*.password`, `dbSettings.password`,
`sso.clients[*].client_secret`, `sessionKey`, …) with `[REDACTED]`. The
admin SPA's `EnvPill` renders a `→ active value` chip when the path is
resolved, or `→ ••••••` with a redacted tooltip when the server returned
the sentinel — so `port: ${PORT:9001}` now shows `→ 9001` (or whatever
the live value is) instead of silently falling back to the template
default. Old admin SPAs that don't read `resolved` continue to work; the
save round-trip is unchanged so `${VAR:default}` literals are still
preserved verbatim on disk. The admin test script glob picks up
`.test.tsx` alongside `.test.ts` so the new `EnvPill` and
`resolveByPath` tests run under `tsx --test`.

##### Notable fixes

- **Admin pads — filter chip now applies server-side, before pagination
([#&#8203;7798](https://redirect.github.com/ether/etherpad/issues/7798)).**
The 3.1.0 admin pad-list filter chips (`active` / `recent` / `empty` /
`stale`) ran on the client *after* the 12-row page slice had already
arrived. On a deployment with hundreds of pads, clicking "empty pads" on
page 1 only matched the 0–12 empties that happened to land in the
current page, with the pagination footer reporting nonsense totals
(reported on a 3.1.0 deployment). The filter is now part of the
`padLoad` socket query — pattern filter on names runs first (cheap),
metadata hydration for the matching pad universe is gated on a non-`all`
filter or a non-`padName` sort and runs under a 16-way concurrency cap
(was unbounded `Promise.all`, which fanned out to thousands of in-flight
`padManager.getPad()` reads on busy deployments), then the filter chip,
then sort + slice. `total` reflects the filtered universe so the footer
makes sense. Older admin clients that don't send `filter` keep working —
the server defaults to `all`. The `if/else if` ladder that duplicated
the hydrate-and-sort loop per `sortBy` is folded into one pipeline with
a single comparator switch.
- **Pad outdated notice — author now resolved from token cookie, not
session (Qodo
[#&#8203;7804](https://redirect.github.com/ether/etherpad/issues/7804) /
[#&#8203;7805](https://redirect.github.com/ether/etherpad/issues/7805)).**
The 3.1.0 redesigned outdated-version gritter never fired in production.
`resolveRequestAuthor()` looked for an `authorID` on `req.session.user`,
which Etherpad does not populate for pad visitors (express-session only
carries the admin-login user), so `computeOutdated()` always returned
EMPTY. The lookup now mirrors how the socket.io handshake resolves
pad-visitor identity — read the HttpOnly `token` (or `<prefix>token`)
cookie and call `authorManager.getAuthorId(token, user)` via a dynamic
import (same circular-init guard pattern the file already uses for
`PadManager`). The admin OpenAPI document gains a `description` note
clarifying that `/api/version-status` is a public pad-side endpoint that
lives in the admin doc only because it shares the same internal route
registration.
- **Localisation — silence spurious "could not translate element
content" warning
([#&#8203;7797](https://redirect.github.com/ether/etherpad/issues/7797)).**
`<select data-l10n-id="…">` with `<option>` element children — the
pattern used by `ep_headings2`, `ep_align`, `ep_font_size`,
`ep_font_family`, … — used to drop into the textContent branch of
`html10n.translateNode`, hunt for a text-node child to overwrite, find
none, and emit `Unexpected error: could not translate element content
for key …` on every pad load. The `SELECT` / `INPUT` / `TEXTAREA`
aria-label fallback already lived inside the same else-branch *after*
the warning, so the accessible name landed correctly but the noisy
console line still fired. Form-control elements now short-circuit into
the aria-label path *before* the text-node hunt — aria-label is the only
sensible localization target for these elements (a `<select>`'s text is
its `<option>` labels, not its own name). Closes the console warning
reported on Etherpad 3.1.0.

##### Internal / contributor-facing

- **CI — swap archived `ep_readonly_guest` for `ep_guest` in the plugin
matrix
([#&#8203;7795](https://redirect.github.com/ether/etherpad/issues/7795)
/
[#&#8203;7808](https://redirect.github.com/ether/etherpad/issues/7808)).**
`ep_readonly_guest` is archived (read-only on GitHub) and its
`authenticate` hook unconditionally swapped `req.session.user` with a
read-only guest, *even when the request carried an HTTP Authorization
header*. That silently demoted admin login attempts and stalled the
`anonymizeAuthorSocket` tests for 14 min/run on every with-plugins CI
matrix. The pre-fix theory from 3.1.0
([#&#8203;7796](https://redirect.github.com/ether/etherpad/issues/7796))
blamed `ep_hash_auth.handleMessage`; that was a red herring —
`handleMessage` only fires on the `/pad` namespace, never on
`/settings`. `ep_guest` is the maintained successor (same authors, same
purpose); 1.0.72 on npm already defers to basic auth / admin paths.
Swapping the matrix unblocks the `anonymizeAuthorSocket` suite on Linux,
Windows, and the upgrade-from-latest-release workflow. The runtime probe
added in
[#&#8203;7796](https://redirect.github.com/ether/etherpad/issues/7796)
stays — it still catches any other authenticate-hook plugin that rejects
the test's plain-text credentials (e.g. a future hashed-only plugin).
- **Tests — admin `saveSettings` round-trip + cross-restart persistence
([#&#8203;7819](https://redirect.github.com/ether/etherpad/issues/7819)
/ [#&#8203;7820](https://redirect.github.com/ether/etherpad/issues/7820)
/
[#&#8203;7821](https://redirect.github.com/ether/etherpad/issues/7821)).**
The admin `saveSettings` socket had zero direct backend coverage and the
existing e2e "restart works" test only checked that the page renders
after a restart, neither of which catches a deployment that resets
`settings.json` on restart, nor the user-visible workflow that triggered
[#&#8203;7819](https://redirect.github.com/ether/etherpad/issues/7819)
(add a top-level plugin block via Raw, save, watch it disappear). Three
new backend specs (`adminSettingsSave.ts`) verify byte-for-byte write,
top-level-block augmentation round-tripping through the next `load`, and
`/* */` comments surviving the write path. A new e2e spec mirrors the
[#&#8203;7819](https://redirect.github.com/ether/etherpad/issues/7819)
user workflow — open Raw, prepend an `ep_oauth`-shaped top-level block,
save, `restartEtherpad()`, re-login, confirm the block is still in Raw
and surfaces as its own Form-view section (`Ep oauth` from
`humanize()`). A separate `docker.yml` job (`adminSettings_7819.ts`)
authenticates via `POST /admin-auth/` (always-requireAdmin, regardless
of `settings.requireAuthentication`), saves a hand-built
minimal-but-viable settings document containing a marker block, `docker
exec test grep`s for it, `docker restart`s the container, waits for the
health probe, and re-greps. Both checks must pass.
- **Bug report template** now asks contributors whether the abstraction
in their proposed fix matches the rest of the codebase, to head off
premature-generalisation fixes earlier in review.

##### Dependencies

- `ueberdb2` 6.0.3 → 6.1.2 (two patch releases of cleanup on top of the
6.1.0 `findKeysPaged` API that the 3.1.0 sessionstorage OOM fix relies
on).
- `semver` 7.8.0 → 7.8.1, `lru-cache` 11.3.6 → 11.5.0,
`@elastic/elasticsearch` 9.4.0 → 9.4.1, `pg` 8.20.0 → 8.21.0,
`openapi-backend` 5.16.1 → 5.17.0, `tsx` 4.22.0 → 4.22.3,
`@tanstack/react-query` 5.100.10 → 5.100.11 +
`@tanstack/react-query-devtools`, `js-cookie` 3.0.6 → 3.0.7, plus two
dev-dependency group bumps.

##### Localisation

- Multiple updates from translatewiki.net.

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzAuMSIsInVwZGF0ZWRJblZlciI6IjQzLjEzMC4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbImFwcC9ldGhlcnBhZCIsImF1dG9tZXJnZSIsInJlbm92YXRlL2NvbnRhaW5lciIsInR5cGUvbWlub3IiXX0=-->
2026-05-27 07:19:58 +02:00
..

title
title
README

General Info

For more information about this Chart, please check the docs on the TrueCharts website

This chart is not maintained by the upstream project and any issues with the chart should be raised here

Installation

Helm-Chart installation

To install TrueCharts Helm charts using Helm, you can use our OCI Repository.

helm install mychart oci://oci.trueforge.org/truecharts/etherpad

For more information on how to install TrueCharts Helm charts, checkout the instructions on the website

Chart Specific Guides and information

All our charts have dedicated documentation pages. The documentation for this chart can be found here: https://truecharts.org/charts/stable/etherpad

Configuration Options

To view the chart specific options, please view Values.yaml included in the chart. The most recent version of which, is available here: https://github.com/trueforge-org/truecharts/blob/master/charts/stable/etherpad/values.yaml

All our Charts use a shared "common" library chart that contains most of the templating and options. For the complete overview of all available options, please checkout the documentation for them on the common docs on our website

For information about the common chart and all defaults included with it, please review its values.yaml file available here: https://github.com/trueforge-org/truecharts/blob/master/charts/library/common/values.yaml

Support


Sponsor TrueCharts

TrueCharts can only exist due to the incredible effort of our staff. Please consider making a donation or contributing back to the project any way you can!

All Rights Reserved - The TrueCharts Project