The releaseEtherpad workflow renames ep_etherpad-lite -> ep_etherpad and
publishes ./src to npm, but that publish is not load-bearing:
- `ep_etherpad` has 0 dependents on npm; nothing in this repo depends on it.
- Plugins import `ep_etherpad-lite` resolved from the LOCAL core install, and
plugin CI clones `ether/etherpad` rather than `npm install`-ing core.
- Etherpad is run via git clone / Docker / zip / snap, never `npm install`.
It has been failing with E404 (the ep_etherpad package has no OIDC trusted
publisher configured on npmjs.com), which is why npm is stuck at 2.5.0 while
3.0/3.1/3.2/3.3 shipped fine without it.
Rather than chase a trusted-publisher setup for a publish nobody consumes,
park the workflow: gate the job behind an explicit `confirm: true` dispatch
input so a stray run fails fast with a clear message instead of a confusing
404, and document the status in the header + the AGENTS.MD Releasing section.
This is the package owner's (samtv12345) call: either finish the trusted-
publisher config to revive it, or remove the workflow. Parked pending that
decision; nothing about the release depends on it.
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* chore(release): remove deprecated bin/createRelease.sh
This script has carried a "DEPRECATED since Etherpad 1.7.0 (2018-08-17),
left here just for documentation" banner for years and is dead code:
- It authenticates to the GitHub API with the `?access_token=` query
parameter, which GitHub removed in 2021 — every API call (token check,
branch merge, release publish) now fails outright.
- It targets the old `ether/etherpad-lite` repo paths and calls
`bin/buildForWindows.sh` / `make docs`, neither of which is how releases
are built anymore.
- Nothing references it (no workflow, script, or doc).
The current release flow is the "Release etherpad" workflow
(.github/workflows/release.yml) driving bin/release.ts, then the tag-push
triggers handleRelease.yml + releaseEtherpad.yml. createRelease.sh only adds
confusion, so remove it.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* docs(agents): document the release procedure and docs publishing
Add a "Releasing" section to AGENTS.MD so maintainers have a single
reference for cutting a release, instead of reverse-engineering it from
bin/release.ts and the workflow files.
Covers:
- Prerequisites: the CHANGELOG `# X.Y.Z` guard, and the requirement that all
four package.json files agree (release.ts reads the current version from
src/package.json) — the desync that blocked the 3.3.0 release.
- The one-dispatch flow: "Release etherpad" -> bin/release.ts -> tag push,
and what the vX.Y.Z tag auto-triggers (handleRelease GitHub Release,
docker, snap-publish), plus the separate manual npm publish dispatch.
- Documentation: the two distinct kinds of doc work — per-PR doc/ updates in
behaviour-change PRs, and the automated release-time versioned-docs publish
into the ether.github.com sibling repo.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(admin): replace ~50 hardcoded German strings with i18n keys (#7735)
PR #7716 ("chore: fixed admin design rework") rebuilt admin/src/pages
with literal German copy inline — "Update verfügbar", "Aktualisieren",
"Keine Pads gefunden", "Hook-Bindings", "de-DE" date formatters, etc.
Non-DE users see a French/English/German salad: <Trans i18nKey="…"/>
calls resolve correctly via translatewiki, but every literal stays
German regardless of browser locale.
This change:
- Adds 90+ keys to src/locales/en.json under admin.*, admin_login.*,
admin_pads.*, admin_plugins.*, admin_plugins_info.*, admin_settings.*,
admin_shout.*, and the previously-orphaned update.page.{disabled,
unauthorized,error}.
- Replaces every hardcoded literal in admin/src/{App,LoginScreen,
HomePage,HelpPage,PadPage,SettingsPage,ShoutPage,UpdatePage}.tsx with
t() or <Trans>.
- Threads i18n.language into PadPage so relativeTime() and
toLocale*() honour the user's locale instead of forcing de-DE.
Test coverage:
- src/tests/backend-new/specs/admin-i18n-source-lint.test.ts (vitest):
scans admin/src/pages/*.tsx + App.tsx for a denylist of German
literals introduced by #7716, asserts PadPage no longer hardcodes
'de-DE', and pins the set of new en.json keys.
- src/tests/frontend-new/admin-spec/admini18n.spec.ts (Playwright):
extended to assert rendered English text on every page (Home, Pads,
Help, Login) and verify no German leakage on the English path.
Non-EN locales pick up translations from translatewiki on its normal
cadence; until then i18next falls back to en.json.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(admin): reuse existing ep_admin_pads:* keys instead of duplicating
Pre-rework admin already had:
ep_admin_pads:ep_adminpads2_action ("Action")
ep_admin_pads:ep_adminpads2_last-edited ("Last edited")
ep_admin_pads:ep_adminpads2_no-results ("No results")
Initial pass added admin_pads.{col.action, col.last_edited,
sort.last_edited, empty_state} duplicating those — drop the duplicates
from en.json and point PadPage.tsx at the existing translatewiki-fed
keys. Stats/column heads that genuinely didn't exist before
(admin_pads.col.{pad,users,revisions}, the filter chips, relative-time,
pagination, etc.) stay as new keys.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(admin): address Qodo finding + restore #7716 regressions
Qodo flagged a reliability bug in PadPage on PR #7736: i18n.language
flows from user-controlled ?lng= straight into Intl.* formatters, which
throw RangeError on malformed tags (e.g. 'en_US', '💥'). Crashing the
pads page on a crafted URL.
Wrap the locale in a sanitizeLocale() helper that normalises '_' → '-'
and validates via Intl.DateTimeFormat.supportedLocalesOf(), falling back
to 'en' so dates render in a sane locale rather than the user's browser
default fighting page copy.
Same audit surfaced four additional regressions from #7716 still on
develop, fixed here on-theme:
- HomePage dropped <a href="https://npmjs.com/..."> wrappers on both
installed and available plugin rows. Restored with .pm-plugin-link.
- "Downloads" column / "Most popular" default sort / "Popular" tag
were dead UI — src/static/js/pluginfw/installer.ts::search() never
populates `downloads`. Removed the column, default sort, and tag;
dropped `downloads` from PluginDef + SearchParams.sortBy.
- PadPage sort dropdown hardcoded `ascending: e.target.value ===
'padName'`, leaving no way to invert direction. Replaced with a
paired ↑/↓ button (.pm-sort-dir) for both HomePage and PadPage.
- "1 Core" stat hint hardcoded count=1. Derived from
installedPlugins.filter(p => p.name === 'ep_etherpad-lite').length.
- Deleted orphan modules SearchField.tsx and sorting.ts (no longer
imported anywhere after #7716).
Tests:
- admin-i18n-source-lint.test.ts: +3 assertions (sanitizeLocale
pattern, dead-downloads check, orphan-module deletion, sort-dir
toggle) → 14 passing.
- admini18n.spec.ts: +2 assertions (npmjs link on ep_etherpad-lite
row, sort-direction toggle visible).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(agents): add mandatory i18n + a11y guardrails
PR #7716 ("admin design rework") shipped ~50 hardcoded German literals,
dropped npmjs.com link affordances, removed the sort-direction control
on PadPage, and forced `de-DE` into Intl formatters — none of which the
AGENTS.MD guide explicitly forbade. Document the rules so the next UI
refresh cannot regress these in the same way:
- i18n section spells out which slots must be localised (JSX text,
placeholders, titles, aria-labels, alts, toasts, options, alerts),
which API to use per surface (<Trans>/t() in React, data-l10n-id in
the legacy pad UI, never window._ rebound), where keys live
(src/locales/en.json — never hand-edit non-EN locales), to reuse
existing keys before duplicating, pluralisation via _one/_other,
defaultValue is safety not a substitute, and points at the
source-lint test that enforces the denylist.
- a11y section spells out the lessons surfaced by the audit: icon-only
buttons need aria-label AND title (both localised), sort controls
must be focusable + reversible, semantic HTML over div soup, external
navigation is <a>, "don't drop affordances when restyling" is a
hard rule, Playwright specs must assert rendered strings + at least
one structural affordance for UI changes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore(docker): clear most CVEs in published image — npm/pnpm/uuid + drop curl
Cuts published-image vulnerabilities from 18 (4H/13M/1L) across 8 packages
to 12 (2H/9M/1L) across 3 packages. The remaining three (curl/libcurl,
git, busybox) are all upstream Alpine 3.23 packages with "not fixed"
status — libcurl is pulled in transitively by git and cannot be
removed independently.
Changes:
- Provision pnpm via corepack instead of `npm install -g pnpm`, then
remove the bundled npm. The base image's npm@10.9.7 ships old
transitives (picomatch 4.0.3 → CVE-2026-33671/33672, brace-expansion
2.0.2 → CVE-2026-33750) that we don't otherwise need at runtime;
corepack handles pnpm directly without npm. Fixes 1H + 1M.
- Bump PnpmVersion 10.28.2 → 10.33.2 to align with the rest of the
workflow and pull in pnpm's patched bundled brace-expansion (5.0.5
vs 5.0.4). Fixes 1M.
- Add `uuid@<14.0.0` → `>=14.0.0` to pnpm.overrides
(GHSA-w5hq-g745-h8pq). Fixes 1M.
- Drop `curl` from the runtime apk add list and switch HEALTHCHECK to
wget (busybox built-in). curl was only invoked by the healthcheck and
by dev/CI scripts that don't run in the container. Removes the curl
CLI binary; libcurl remains as a git transitive dep, so the
`apk/alpine/curl` advisories scout reports against libcurl persist
but aren't reachable from any code we ship. As a side-effect this
also clears nghttp2 (CVE-2026-27135) which was a curl-CLI dep.
- Switch HEALTHCHECK URL from `localhost` to `127.0.0.1` — alpine/musl
resolves localhost to ::1 first and Etherpad only binds IPv4.
Verified locally: docker build → docker run → healthy → docker scout
cves shows 12 CVEs / 3 packages.
* fix(docker): refresh corepack before preparing pnpm (Qodo)
Node 22's bundled corepack ships a stale signing-key list and can reject
newer pnpm releases (nodejs/corepack#612), which would fail the image
build at `corepack prepare`. Mirror the snap/snapcraft.yaml workaround:
`npm install -g corepack@latest` before activating pnpm, in both
adminbuild and build stages. npm is still removed afterwards.
* docs(changelog): note docker image dropping curl/npm/npx (Qodo)
Address Qodo's "backwards-incompatible change without mitigation" rule
violations by documenting the removal in the 2.7.3 breaking-changes
section. Operators who exec into the container can apk add curl on
demand or use the busybox wget / pnpm already present.
* chore: pnpm
* chore: pnpm
* chore: pnpm
* chore: pnpm
* chore: pnpm
* chore: pnpm
* chore: pnpm
* chore: pnpm
* chore: pnpm
---------
Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
* chore: Rename some occurences of etherpad-lite to etherpad
* chore: Adjust etherpad git urls
* chore: Rename more occurences from etherpad-lite to etherpad
* chore: Adjust default text
* docs: add detailed local test running guide to AGENTS.md
Expand the Testing & Validation section with step-by-step instructions
for running backend (Mocha), frontend E2E (Playwright), and admin panel
tests locally, including prerequisites and single-file examples.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: add Playwright browser prerequisite check to AGENTS.md
Agents and developers should verify Playwright browsers and system
dependencies are installed before running frontend/admin tests to
avoid silent failures and timeouts (especially webkit).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: fix plugin test path and browser list per review
- Plugin tests are at repo-root node_modules/, not src/node_modules/
- Playwright runs chromium and firefox only (webkit is disabled)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: fix install-deps working directory to run from src/
Playwright is a devDependency of the src workspace, so install-deps
must also run from src/ to match the correct Playwright version.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: add AGENTS.MD for AI and developer guidance
* docs: update project name from Etherpad Lite to Etherpad
* docs: fix incorrect test directory path in AGENTS.MD
* docs: correct test stack description in AGENTS.MD (Mocha is primary)
* docs: fix incorrect easysync documentation path in AGENTS.MD
* chore: add .pr_agent.toml to enable automatic PR review/description on push
* docs: remove nodejs version from README and AGENTS.MD (prefer package.json)
* docs: standardize all indentation to 2 spaces
* chore: update src/package.json node engine to match root (>=20.0.0)