Commit graph

146 commits

Author SHA1 Message Date
SamTV12345
ce27525d97 chore: reinstall lockfile 2026-07-07 21:31:25 +02:00
SamTV12345
9c48900092 chore: updated lockfile 2026-07-07 21:27:35 +02:00
Etherpad Release Bot
93e5bcc1e2 bump version 2026-06-21 18:45:43 +00:00
Etherpad Release Bot
59062ce11a bump version 2026-06-10 10:03:40 +00:00
Etherpad Release Bot
bb2ef93a1b bump version 2026-06-09 08:54:32 +00:00
SamTV12345
d09227b1e7 3.2.0 2026-06-08 22:19:50 +02:00
SamTV12345
1510e1e6f6 bump version
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 20:04:29 +02:00
Etherpad Release Bot
0b392e13da bump version 2026-05-22 17:44:57 +00:00
Etherpad Release Bot
8fb20384dc bump version 2026-05-17 14:59:42 +00:00
Etherpad Release Bot
1864cd2fc1 bump version 2026-05-16 19:00:08 +00:00
John McLear
04045fe532
Roll Node.js floor back to >= 24 (Active LTS) — closes #7779 (#7781)
* Roll Node.js floor back to >= 24 (Active LTS)

Closes #7779.

#7779 originally proposed bumping past the Node 25 stop-gap to Node 26.
After re-checking the release schedule, the cleaner LTS target is
actually Node 24:

- Node 24 (Krypton) is currently in Active LTS, supported until ~May 2028.
- Node 25 hit end-of-life on April 10 2026 — the floor merged in
  #7752 / #7749 / #7754 a day ago ships an already-EOL major.
- Node 26 was released May 5 2026 and does not enter Active LTS until
  October 2026.

So this PR reverts the Node 25 ratchet from those three PRs and lands
on Node 24 — Etherpad's runtime floor stays on a supported LTS for the
next ~2 years.

Runtime / infra
- `package.json` + `src/package.json`: `engines.node` `>=25.0.0` -> `>=24.0.0`
- `bin/functions.sh`, `bin/installer.sh`, `bin/installer.ps1`:
  `REQUIRED_NODE_MAJOR` 25 -> 24
- `Dockerfile`: `node:25-alpine` -> `node:24-alpine` (both stages).
  Corepack-via-npm workaround is intentionally kept: it works on
  Node 24 (which still ships corepack) and on Node 25+ (which doesn't),
  so the same recipe survives the next LTS bump without churn. Comments
  reworded accordingly.
- `snap/snapcraft.yaml`: pinned `NODE_VERSION` 25.9.0 -> 24.15.0; design
  notes + corepack comment adjusted
- `packaging/nfpm.yaml`: `nodejs (>= 25)` -> `nodejs (>= 24)` in
  top-level depends + deb/rpm overrides
- `packaging/bin/etherpad`: comment matches the new pin
- `packaging/README.md`: build prereqs + apt install snippet point at
  `node_24.x`; the long-stale "engines.node floor is 20" line is fixed
  while we're here
- `.github/workflows/*.yml`: setup-node `node-version` 25 -> 24 across
  every workflow; backend / frontend-admin / upgrade matrices
  `[25]` -> `[24]`
- `.github/workflows/deb-package.yml`: `NODE_MAJOR=25` + `node_25.x`
  smoke-test installer -> 24
- `bin/plugins/lib/npmpublish.yml`: 25 -> 24 (template propagates to
  the ~80 ether/* plugins via update-plugins workflow)

Docs
- `README.md`: install one-liner + Requirements -> Node.js >= 24
- `doc/npm-trusted-publishing.md`: runner requirement -> Node 24
- `doc/plugins.md` / `doc/plugins.adoc`: plugin metadata example
  `engines.node` -> `">=24.0.0"`

@types/node is left at ^25.8.0 — newer type definitions cover Node 24
runtime fine and avoid an unnecessary lockfile churn.

Companion homepage one-liner change to follow on ether/ether.github.com.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(plugins): example engines.node = ">=22.0.0", not core's floor

Plugin code is overwhelmingly ace-hook glue and rarely uses Node-version-
specific APIs, so plugin engines.node should reflect the plugin's own
requirements, not track core. Showing core's 24-floor in the example
encouraged plugin authors to blindly copy a tighter pin than necessary
and locked plugins out of being installable on older Etherpad/Node
deployments. Use the most-recent Node LTS that has actually reached EOL
(20 -> EOL April 2026) as the example floor, i.e. >=22.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 13:07:59 +01:00
John McLear
7d537f3deb
Require Node.js >= 25 (engines, installers, Dockerfile, snap, CI, docs) (#7749)
* docs: bump documented Node.js minimum to 25

Etherpad is moving its supported Node.js floor to >= 25 (CI matrix is
already pinned to 25 across all workflows on the node25-corepack-pnpm11
work). Sync the user-facing documentation so the install instructions,
requirements section, and plugin metadata example all reflect the new
minimum instead of Node 22 / 12.17.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: require Node.js >= 25 (engines, installers, Dockerfile, snap, CI)

#7747 added Node 25 *support* but left the floor at Node 22. This
commit completes the cutover so the runtime requirement matches the
documentation bumped in the previous commit.

- package.json: engines.node ">=22.13.0" → ">=25.0.0"
- bin/functions.sh, bin/installer.sh, bin/installer.ps1: REQUIRED_NODE
  bumped to 25 (controls the error message users see when they invoke
  the installer or pnpm scripts on an older Node)
- Dockerfile: base image node:22-alpine → node:25-alpine (×2). Corepack
  comment updated: Node 25 no longer ships corepack at all, so we
  install it from npm rather than refreshing a stale signing-key list
- snap/snapcraft.yaml: pinned NODE_VERSION 22.22.2 → 25.9.0 and the
  surrounding design notes rewritten to reflect Node 25 instead of 22
- .github/workflows/*.yml: matrix dropped from [22, 24, 25] to just
  [25] (anything older now fails engines anyway). Stale comments in
  build-and-deploy-docs.yml referencing vite 8's 22.12 floor cleaned up
- bin/plugins/lib/npmpublish.yml: setup-node 22 → 25 so the plugin
  template propagated to every ether/* plugin matches the new minimum

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(docker): install pnpm directly on Node 25 (no corepack)

node:25-alpine doesn't ship corepack but does pre-install yarn at
/usr/local/bin/yarn, so `npm install -g corepack@latest` fails with
EEXIST trying to register its yarn shim. Per #7747, end-users install
pnpm via plain `npm install -g pnpm` on Node 25 — use the same flow in
the Dockerfile (and remove the unused yarn binary so it doesn't sit on
PATH inside the image). Drops COREPACK_HOME and the related
issue-7687 cache-sharing tweak since there's no corepack shim to share.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 10:04:24 +01:00
John McLear
99f8258811
Support Node 25 (#7747)
Bumps the workflow Node version (PR matrix → [25], full push matrix
stays at [22, 24, 25]) and the pinned pnpm to 11.1.2 with a matching
`engines.pnpm` minimum. End-users install pnpm the same way they
always have (`npm install -g pnpm` works on Node 25 — only Corepack
was dropped from the official Node 25 distribution).

Also includes two workflow fixes that were entangled with the
Node-version edits in the same files:

- `upgrade-from-latest-release.yml` now actually checks out the
  latest release tag instead of `ref: develop #FIXME`, so the job
  finally exercises what its name implies.
- `installer-test.yml` resolves `ETHERPAD_REPO` / `ETHERPAD_BRANCH`
  from the PR head when running on a fork, so the smoke test exercises
  the PR branch rather than the base.

Verified end-to-end against `node:25-bookworm-slim` (no corepack):
`npm install -g pnpm` → `pnpm i` → `pnpm run build:etherpad` →
`pnpm run prod` boots and listens on 9001.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 09:40:46 +01:00
Etherpad Release Bot
db602bcb70 bump version 2026-05-06 21:41:46 +00:00
John McLear
958590d1c8
chore(docker): clear most CVEs in published image (npm/pnpm/uuid + drop curl) (#7674)
* chore(docker): clear most CVEs in published image — npm/pnpm/uuid + drop curl

Cuts published-image vulnerabilities from 18 (4H/13M/1L) across 8 packages
to 12 (2H/9M/1L) across 3 packages. The remaining three (curl/libcurl,
git, busybox) are all upstream Alpine 3.23 packages with "not fixed"
status — libcurl is pulled in transitively by git and cannot be
removed independently.

Changes:

- Provision pnpm via corepack instead of `npm install -g pnpm`, then
  remove the bundled npm. The base image's npm@10.9.7 ships old
  transitives (picomatch 4.0.3 → CVE-2026-33671/33672, brace-expansion
  2.0.2 → CVE-2026-33750) that we don't otherwise need at runtime;
  corepack handles pnpm directly without npm. Fixes 1H + 1M.

- Bump PnpmVersion 10.28.2 → 10.33.2 to align with the rest of the
  workflow and pull in pnpm's patched bundled brace-expansion (5.0.5
  vs 5.0.4). Fixes 1M.

- Add `uuid@<14.0.0` → `>=14.0.0` to pnpm.overrides
  (GHSA-w5hq-g745-h8pq). Fixes 1M.

- Drop `curl` from the runtime apk add list and switch HEALTHCHECK to
  wget (busybox built-in). curl was only invoked by the healthcheck and
  by dev/CI scripts that don't run in the container. Removes the curl
  CLI binary; libcurl remains as a git transitive dep, so the
  `apk/alpine/curl` advisories scout reports against libcurl persist
  but aren't reachable from any code we ship. As a side-effect this
  also clears nghttp2 (CVE-2026-27135) which was a curl-CLI dep.

- Switch HEALTHCHECK URL from `localhost` to `127.0.0.1` — alpine/musl
  resolves localhost to ::1 first and Etherpad only binds IPv4.

Verified locally: docker build → docker run → healthy → docker scout
cves shows 12 CVEs / 3 packages.

* fix(docker): refresh corepack before preparing pnpm (Qodo)

Node 22's bundled corepack ships a stale signing-key list and can reject
newer pnpm releases (nodejs/corepack#612), which would fail the image
build at `corepack prepare`. Mirror the snap/snapcraft.yaml workaround:
`npm install -g corepack@latest` before activating pnpm, in both
adminbuild and build stages. npm is still removed afterwards.

* docs(changelog): note docker image dropping curl/npm/npx (Qodo)

Address Qodo's "backwards-incompatible change without mitigation" rule
violations by documenting the removal in the 2.7.3 breaking-changes
section. Operators who exec into the container can apk add curl on
demand or use the busybox wget / pnpm already present.

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

---------

Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
2026-05-06 22:00:13 +02:00
John McLear
b8d1c8a192
ci(docs): build on PRs and pin Node 22 (Qodo follow-up to #7640) (#7645)
* ci(docs): build on PRs and pin Node 22 (Qodo follow-up to #7640)

Qodo flagged two reliability gaps on the oxc-minify fix that landed in
#7640:

  1. The Deploy Docs to GitHub Pages workflow only ran on push to
     develop, so a PR that broke `pnpm run docs:build` was not caught
     until after merge — exactly how the dead-link regression in #7546
     escaped. Add a pull_request trigger that runs the same build but
     skips the deploy/upload steps via `if: github.event_name ==
     'push'`. Also include the workflow file itself in the path filter
     so changes to it are exercised on PR.
  2. oxc-minify@0.128.0 requires Node ^20.19.0 || >=22.12.0, but the
     workflow did not pin Node and the repo declared engines.node
     >=22.0.0 with engineStrict: true — a runner image (or local dev)
     on Node 22.0–22.11 would refuse to install. Pin Node 22 in the
     docs workflow with actions/setup-node@v6 (matching the rest of
     CI), and bump engines.node to >=22.12.0 so the project's
     engineStrict gate matches the actual minimum.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(docs): split build and deploy so PR runs do not hit pages env protection

The previous attempt put `if: github.event_name == 'push'` on individual
deploy steps but kept the single job's `environment: github-pages`
binding. Environment protection rules reject any non-develop ref
(including `refs/pull/N/merge`), so the runner failed the entire job
at creation time before any step could execute:

    Branch "refs/pull/7645/merge" is not allowed to deploy to
    github-pages due to environment protection rules.

Split into two jobs: `build` runs on every trigger (PR + push) and
uploads the artifact only on push, `deploy` depends on `build`,
runs only on push, and is the only job bound to the github-pages
environment. Standard GHA pages-deploy pattern; PR builds never
attempt to enter the protected environment.

* docs: align Node minimum references with bumped engines.node (Qodo round 2 on #7645)

Qodo flagged that engines.node moved from >=22.0.0 to >=22.12.0 in
this PR but documentation still claimed the old requirement. Sync the
three places that pinned a specific minimum:

  - README.md installation requirements (>= 22 → >= 22.12)
  - doc/npm-trusted-publishing.md publish prerequisites
    (>=22.0.0 → >=22.12.0, with oxc-minify cited as the driver)
  - CHANGELOG.md 2.7.3 breaking-changes entry (22 → 22.12, with the
    same oxc-minify justification)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 17:12:23 +01:00
SamTV12345
c55007361c
chore: updated node to supported 22,24,25 (#7628)
* chore: updated node to supported 22,24,25

* chore: updated node to supported 22,24,25

* chore: updated node to supported 22,24,25

* chore: updated node to supported 22,24,25

* chore: upgrade deb

* chore: upgrade dockerfile

* chore: use explicit node

* chore: use node 22

* chore: use node 22
2026-04-28 22:45:28 +02:00
Etherpad Release Bot
dad6cc8eef bump version 2026-04-26 09:35:14 +00:00
Etherpad Release Bot
249241d9a4 bump version 2026-04-23 21:08:25 +00:00
Etherpad Release Bot
3005f2aeaf bump version 2026-04-22 07:07:10 +00:00
John McLear
f3f6829f8f
chore(deps): pin transitive deps to patched versions for 33 Dependabot alerts (#7556)
Adds a pnpm.overrides block to force-upgrade vulnerable transitive
dependencies to their patched versions. All 33 open Dependabot alerts on
ether/etherpad are against pnpm-lock.yaml; none of these packages are
direct dependencies of the workspace.

Bumps (vulnerable range → pinned):

- basic-ftp                ≤5.2.2  → ≥5.3.0   (GHSA-5rq4-664w-9x2c,
                                                GHSA-6v7q-wjvx-w8wg,
                                                GHSA-rp42-5vxx-qpwr)
- brace-expansion          <2.0.3  → ≥2.0.3   (GHSA-f886-m6hf-6m8v)
- diff                     <8.0.3  → ≥8.0.3   (GHSA-73rr-hh4g-fpgx)
- flatted                  <3.4.2  → ≥3.4.2   (GHSA-25h7-pfq9-p65f,
                                                GHSA-rf6f-7fwh-wjgh)
- follow-redirects         ≤1.15.11 → ≥1.16.0 (GHSA-r4q5-vmmm-2653)
- glob (10.x CLI)          <10.5.0 → ≥10.5.0  (GHSA-5j98-mcp5-4vw2)
- js-yaml                  <4.1.1  → ≥4.1.1   (GHSA-mh29-5h37-fv8m)
- lodash                   ≤4.17.23 → ≥4.18.0 (GHSA-f23m-r3pf-42rh,
                                                GHSA-r5fr-rjxr-66jc)
- minimatch (9.x)          <9.0.7  → ≥9.0.7   (GHSA-23c5-xmqv-rm74,
                                                GHSA-3ppc-4f35-3m26,
                                                GHSA-7r86-cg39-jmmj)
- path-to-regexp (8.x)     <8.4.0  → ≥8.4.0   (GHSA-27v5-c462-wpq7,
                                                GHSA-j3q9-mxjg-w52f)
- picomatch (4.x)          <4.0.4  → ≥4.0.4   (GHSA-3v7f-55p6-f55p,
                                                GHSA-c2c7-rcm5-vvqj)
- qs                       <6.14.2 → ≥6.14.2  (GHSA-6rw7-vpxm-498p,
                                                GHSA-w7fw-mjwx-w883)
- serialize-javascript     ≤7.0.2  → ≥7.0.5   (GHSA-5c6j-r48x-rmvq,
                                                GHSA-qj8w-gfj5-8c6v)
- socket.io-parser         <4.2.6  → ≥4.2.6   (GHSA-677m-j7p3-52f9)
- tar                      <7.5.11 → ≥7.5.11  (GHSA-8qq5-rm4j-mr97,
                                                GHSA-34x7-hfp2-rc4v,
                                                GHSA-r6q2-hw4h-h46w,
                                                GHSA-83g3-92jg-28cx,
                                                GHSA-qffp-2rhf-9h96,
                                                GHSA-9ppj-qmqm-q256)
- vite (non-aliased)       <7.3.2  → ≥7.3.2   (GHSA-p9ff-h696-f583,
                                                GHSA-v2wj-q39q-566r,
                                                GHSA-4w7w-66w2-5vf9)

Scoped overrides are used where the vulnerable range is a specific major
line — e.g. `minimatch@>=9.0.0 <9.0.7` — so that 3.x/10.x lines resolving
via unrelated dependency chains are not disturbed. Otherwise the override
targets the bare package name.

Note: admin/ui/doc packages alias `vite` to `rolldown-vite@7.2.10`; those
are a separate package on npm and the vite CVEs do not apply to them.

- `pnpm install` succeeds
- `pnpm run ts-check` clean
- No source code changes; `tar` and `glob` are not directly imported by
  etherpad-lite sources, so the major-version bumps (tar 6→7, glob 10→13)
  affect only transitive consumers that already declare compatibility.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 17:06:23 +01:00
Stefan Müller
e8c9efb5c5
chore: Rename some occurences of etherpad-lite to etherpad (#7552)
* chore: Rename some occurences of etherpad-lite to etherpad

* chore: Adjust etherpad git urls

* chore: Rename more occurences from etherpad-lite to etherpad

* chore: Adjust default text
2026-04-19 16:53:57 +02:00
John McLear
58c8e26eb1
fix: also declare pnpm build-script policy in package.json (#7525)
Some pnpm versions don't read onlyBuiltDependencies / ignoredBuiltDependencies
from pnpm-workspace.yaml — leaving CI on plugin repos to fail with
ERR_PNPM_IGNORED_BUILDS even after #7523 added the workspace.yaml entries.

Mirror the same configuration into package.json's "pnpm" field, which is
the older (and more widely supported) location. The two files are kept in
sync; whichever pnpm version reads the values picks them up from one or
the other.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 14:42:05 +01:00
Etherpad Release Bot
00d10f4a40 bump version 2026-01-26 21:26:21 +00:00
Etherpad Release Bot
d37ea75bcd bump version 2025-12-28 17:23:45 +00:00
Etherpad Release Bot
c8b68fa719 bump version 2025-11-05 21:22:47 +00:00
Etherpad Release Bot
af0c956a39 bump version 2025-10-29 19:44:04 +00:00
SamTV12345
be687d4d3b
chore: remove package manager declaration (#7203) 2025-10-29 18:59:26 +01:00
SamTV12345
8a8f292740
chore: pin version of oidc provider (#7201) 2025-10-29 18:54:47 +01:00
Etherpad Release Bot
6120caba85 bump version 2025-10-10 10:36:43 +00:00
SamTV12345
d5a23d5347
chore: use gnpm (#7156)
* chore: use gnpm

* chore: fixed pnpm

* chore: fixed gnpm

* chore: fixed jq

* chore: use 0.0.7

* chore: use flag for building

* chore: fixed all backend tests

* chore: continue with porting things

* chore: fixed path

* chore: fixed backend tests

* chore: upgraded all to gnpm

* chore: updated to gnpm 0.0.9

* chore: echo current env with debug logs

* chore: install with frozen lockfile

* chore: use 0.0.10

* chore: use 0.0.11

* chore: use 0.0.12 globally

* chore: reworked handleRelease workflow to be up to date and depend on other workflows
2025-10-05 22:56:14 +02:00
Etherpad Release Bot
1cb243f128 bump version 2025-08-24 20:36:27 +00:00
Etherpad Release Bot
340d9c28cd bump version 2025-08-03 14:02:31 +00:00
Etherpad Release Bot
edcd096ea7 bump version 2025-08-02 11:50:47 +00:00
Etherpad Release Bot
a1aad158df bump version 2025-08-02 11:46:15 +00:00
SamTV12345
eb1ebb1c43 bump version 2025-06-25 22:49:41 +02:00
SamTV12345
13834d7801 bump version 2025-06-25 13:14:12 +02:00
SamTV12345
49d2860b1e bump version 2025-04-07 20:59:08 +02:00
SamTV12345
ff24e1e80e bump version 2024-12-22 17:08:30 +01:00
SamTV12345
5b8be1cac4 bump version 2024-10-28 22:05:58 +01:00
SamTV12345
4034ee1e6e bump version 2024-09-21 13:07:21 +02:00
SamTV12345
15a9dfc992 bump version 2024-09-07 15:02:04 +02:00
SamTV12345
79da35c6a6 bump version 2024-09-05 18:55:46 +02:00
SamTV12345
84cfbe51e5 Added makedocs to root. 2024-09-05 18:55:25 +02:00
SamTV12345
bad5ac89c3 bump version 2024-08-09 11:40:31 +02:00
SamTV12345
133c94046e bump version 2024-08-08 22:52:13 +02:00
SamTV12345
59531d47e7 bump version 2024-08-08 21:31:37 +02:00
SamTV12345
550a29f3e6 Added new command to setup etherpad. Fixed Dockerfile 2024-07-23 17:43:32 +02:00
SamTV12345
d6d636955c
Feat/bundle js (#6511)
* Added minify

* Added POC for browser

* Moved first js files to ts

* Fixed caret positioning

* Added support for plugins

* Fixed get undefined.

* Removed require of socketio, l10n, html10n and error reporter

* Added minify

* Added POC for browser

* Moved first js files to ts

* Fixed caret positioning

* Added support for plugins

* Fixed get undefined.

* Removed require of socketio, l10n, html10n and error reporter

* Fixed popup not showing

* Fixed timeslider

* Reworked paths

* Fixed loading

* Don't generate sources map in production mode

* Non working hmr

* Added live reloading.

* Fixed timeslider when hot reloading

* Removed eval

* Fixed.

* Fixed env

* Fixed frontend tests.

* Added minifying via lightningcss

* Added minify via esbuild

* Fixed diagnostic url

* Removed lightningcss

* Fixed types

* Fixed alias

* Fixed loadtest

* Fixed

* Fixed loading ep_font_color3

* Restructure windows build

* Fixed windows build

* Fixed pnpm lock

---------

Co-authored-by: SamTv12345 <samtv12345@samtv12345.com>
2024-07-18 08:51:30 +02:00
SamTV12345
8a9bda71ab bump version 2024-07-07 20:53:01 +02:00