• canvas: address canvas render review issues (70df3f6)

3.3 is primarily a security-hardening release. A defence-in-depth pass tightens the HTTP API entry points, switches random-id generation to a CSPRNG, escapes exported data-* attributes, and flips the shipped Docker deployment defaults so a fresh install no longer boots with implicit credentials or a trusting proxy. Alongside that, the ep_* pad-options passthrough that shipped opt-in in 3.0.0 is now on by default, the in-pad timeslider learns to honour the editor's view settings (authorship colours, font family, line numbers), and a long tail of pad-editor layout, RTL, and URL-encoding fixes lands. The release also carries the root-cause fix for the long-standing Windows backend-test "silent ELIFECYCLE" flake.

• Plugin pad options on by default — settings.enablePluginPadOptions now defaults to true (#7841). The flag that gates the ep_* passthrough on pad options (shipped opt-in in 3.0.0, #7698) is flipped to default-on, so plugins such as ep_plugin_helpers' padToggle / padSelect ride the existing broadcast/persist rail out of the box. This closes ep_comments_page#422 — stock 3.x deployments console.warned on every pad load because the helper detected enablePluginPadOptions === false. The settings.json.template env-var default is flipped to match, so Docker/supervisor configs without an explicit value get the new behaviour. Existing deployments with an explicit "enablePluginPadOptions": false keep that value — no migration needed — and the protocol shape is unchanged for older clients.
• Timeslider — honour the editor's view settings (#7899). The in-pad timeslider now respects showAuthorshipColors, padFontFamily, and line-numbers, bridged from the pad-settings checkboxes into the embedded timeslider iframe so the two views agree. nice-select.ts dispatches a native change event after the jQuery trigger so the addEventListener-based bridge in pad_mode.ts fires (jQuery 3.7.1's trigger() does not dispatch native DOM events), and the font-family reset is fixed for jQuery 3 (which ignores a null css value). The five ad-hoc listener stores in pad_mode.ts are consolidated into one bindOuter() path and the three view-setting bridges into a single data-driven bridgeView() (refactor only).
• Admin settings — explain env-var substitution and surface auth errors (#7819 / #7826). Three env-var-only UX improvements driven by #7819 (a Docker operator saved an ep_oauth block in the Raw view and reported it "disappeared", not realising settings.json on disk is a template, not the effective config): a banner above the editor explaining the template/substitution model (rendered only when the loaded file contains a ${VAR} placeholder); a read-only Effective tab exposing the redacted runtime settings the backend already emitted as resolved (also gated on ${VAR}); and an admin_auth_error event so a misrouted Traefik+SSO session that isn't admin gets a clear toast instead of a silent "save did nothing". A reconnect-loop guard suppresses the SPA's auto-reconnect once an auth error has been received. No behaviour change for installs without ${VAR} placeholders.

A defence-in-depth pass across the API, token, export, and deployment surfaces:

• HTTP API request handling, random IDs, and plugin loading (#7906). pad_utils.randomString now generates random IDs via crypto.getRandomValues (CSPRNG) instead of Math.random. OAuth2Provider compares passwords with crypto.timingSafeEqual on the raw UTF-8 bytes (resolving the CodeQL "insufficient computational effort" alert) behind a uniform failure delay, and looks users up via own-property access only. API.appendChatMessage throws padID does not exist rather than creating the pad, consistent with the other content API methods. The /api/2 REST router forwards only the authorization header (not the full request header set) and falls back to it whenever the field is falsy, matching the openapi.ts handler so both routers authenticate identically. LinkInstaller validates plugin dependency names before building filesystem paths from them, and the admin file server returns a generic error while logging details server-side.
• Escape exported data-* attributes; warn on default/placeholder credentials (#7905). ExportHtml now escapes the name and value of attributes emitted by the exportHtmlAdditionalTagsWithData hook, consistent with the URL/text escaping already applied to exported HTML. Settings logs a warning (error level under NODE_ENV=production) when an account uses a default/placeholder password from the shipped config, and the check is extended to cover sso.clients[].client_secret so enabling SSO without setting ADMIN_SECRET / USER_SECRET is flagged the same way.
• Docker deployment defaults — require explicit credentials, default TRUST_PROXY off (#7907). The shipped docker-compose now requires ADMIN_PASSWORD and the database password to be provided explicitly (no implicit fallback) and defaults TRUST_PROXY to false. Operators relying on the previous implicit defaults must now set these values explicitly.

• History mode — lay the timeslider iframe in the editor's flex slot (#7903). In-pad history mode positioned #history-frame-mount as an inset:0 absolute overlay over #editorcontainerbox, which took the iframe out of flow and hid any in-flow side panel (e.g. ep_webrtc's #rtcbox video column) beneath it — so history mode and live mode disagreed. The iframe now occupies the same in-flow flex slot the live editor uses, and a latent specificity bug (the body.history-mode #editorcontainer { display: none } hide rule was outranked by the two-id layout rule, so the live editor was only ever painted over) is fixed by giving the hide rule matching specificity. Adds a padmode.spec.ts regression test.
• Pad editor — restore URL wrapping (#7894 / #7896). Long URLs in the pad editor overflowed instead of wrapping because the global a { white-space: nowrap } rule overrode the wrapping properties on #innerdocbody. Explicit white-space / word-wrap / overflow-wrap on #innerdocbody a restores wrapping inside the editor while preserving no-wrap for links elsewhere in the UI.
• RTL content option no longer flips the whole page (#7900 / #7901). The per-pad RTL content option (rtlIsTrue) wrote the direction to the top-level document.documentElement, flipping the entire page — toolbar and chrome included. The content direction is now applied to the inner editor document (targetDoc.documentElement); page direction stays owned by the UI language (l10n.ts). Adds a frontend test asserting the inner editor flips while the top-level <html> dir is unchanged.
• Pad-wide view settings apply to the creator's own view (#7900 / #7902). Because a creator is never "enforced upon themselves", a stale personal view-override cookie (e.g. rtlIsTrue=false from an earlier toggle) silently masked the pad-wide value they later set, so the control appeared to do nothing on their own screen. Changing a pad-wide view option now syncs the creator's personal pref to the chosen value; the precedence model is unchanged (the creator can still override afterwards via "My view").
• URL view-option params lost to a padeditor.init race (#7840 / #7843). ?showLineNumbers=false and ?useMonospaceFont=true were silently clobbered shortly after load — the same race #7464 fixed for ?rtl=false, but the neighbouring showLineNumbers / noColors / useMonospaceFontGlobal blocks were left at the synchronous-tail site. The fix is generalised to all three (moved into postAceInit). Mostly observable in cross-context iframe embeds that start with no prefs cookie. Adds url_view_options.spec.ts.
• Default welcome text attributed to the system author (#7885 / #7887). Auto-generated default pad content (settings.defaultPadText / padDefaultContent hook) carried the creating user's author attribute and rendered in their authorship colour, even though they never wrote it. The welcome text's author attribute is now Pad.SYSTEM_AUTHOR_ID, while revision 0's meta.author stays the real creator so ownership (pad-wide settings gate, deletion token) is preserved. Explicitly provided text (e.g. HTTP API createPad with text + author) keeps the real author.
• URL-encode pad names in the admin 'Open' button and recent pads (#7865 / #7895). Pad names are encodeURIComponent-d in the admin PadPage Open href and the colibris recent-pads href, and decodeURIComponent-d when read back from the URL pathname; legacy URL-encoded recent-pads names are normalised before re-encoding to prevent double-encoding (%2F → %252F). The admin Open window.open gains noopener,noreferrer.
• OIDC — fix broken OIDCAdapter flows (#7837). Repairs the adapter flows and widens the storage type to include string for the userCode index; adds regression tests.
• Accessibility — dialog titles/descriptions and a missing l10n key (#7835 / #7836). Adds the index.code key referenced by index.html but never defined (which produced a "Couldn't find translation key" console error on the landing page), and gives every admin @radix-ui/react-dialog Dialog.Content a Dialog.Title and Dialog.Description (visually hidden where there's no visible heading), silencing Radix's a11y warnings. A new backend spec fails CI if any data-l10n-id in src/templates/*.html is missing from en.json.
• Offline/air-gapped Docker boot — stop pnpm self-provisioning a pinned version (issue #7911). The official image installs pnpm directly (corepack was dropped for Node 25+). Because the image's pnpm intentionally lags the packageManager pin in package.json (pnpm 11.1.x enforces a minimum-release-age policy the frozen-lockfile build can't satisfy), pnpm treated every call — including the informational pnpm --version probe Etherpad runs at startup — as a request to download the pinned build. Behind a firewall that download failed (Failed to get pnpm version: … Command exited with code 1), breaking startup. The Dockerfile now sets pnpm_config_pm_on_fail=ignore, and the startup probe plus the updater's pnpm-on-PATH checks run with the same flag, so pnpm uses the installed version instead of reaching for the network (without changing which pnpm runs the build-time install). A backend spec fails CI if that guard is dropped while a version gap exists.
• Firefox authorship colours — tag early keystrokes with the right author (#7910). The inner editor's thisAuthor starts empty and is only populated when collab_client's queued setProperty('userAuthor', userId) reaches the iframe (applied asynchronously via pendingInit). Under Firefox timing the first keystrokes could beat it, so freshly typed text — and early line-attribute changes (lists, headings, alignment) — were tagged author='', which canonicalises to an unattributed insert that the server's pad-corruption guard rejects, dropping the whole change and losing authorship (the intermittent clear_authorship_color flake, where undo couldn't restore the author colour). A getLocalAuthor() helper now falls back to clientVars.userId (the same id, available synchronously) whenever thisAuthor is still empty, applied at the text-insert sites and to seed documentAttributeManager.author; the intentional clear-authorship path and the server-side guard are unchanged.
• Dark mode — fix the white address bar and the light-flash on load (#7909, issue #7606). Dark-mode users still saw a white mobile address bar above the dark toolbar, and the whole page flashed light before going dark. Both came from rendering the light state server-side and switching to dark only after the JS bundle ran: iOS Safari reads theme-color at parse time and doesn't reliably repaint on a later JS mutation, and the page painted light before the bundle applied the dark skin classes. The server now emits a prefers-color-scheme-scoped theme-color pair so the address bar is correct at first paint, plus a small blocking <head> script that applies the dark skin classes before the stylesheet paints. Both are gated on enableDarkMode (default on) and the colibris skin; pad.ts still runs on init to wire up the #options-darkmode toggle (which now updates every theme-color meta) and theme the editor iframes. Applies to the pad and timeslider views.

• Root-caused and fixed the Windows backend-test "silent ELIFECYCLE" flake (#7866). The ~22% Windows flake — rotating across random spec files, no mocha summary, no JS trace — was diagnosed from a full-memory dump as two distinct causes. (1) A timing-fragile test abandoned by mocha keeps running and later throws an orphan unhandled rejection; server.ts's process-global uncaughtException/unhandledRejection handlers (correct for a real Etherpad process) escalated that into a clean process.exit. They are now gated behind require.main === module, and the backend-test bootstraps (common.ts, diagnostics.ts) log orphan rejections instead of rethrowing. (2) A stack-buffer overrun in Node 24.x's bundled libuv Windows TCP-connect path (uv__tcp_connect) corrupts memory under the suite's localhost-connection churn; CI pins the Windows backend job to Node 24.16.0 (libuv 1.52.1, the bisected fix), referencing upstream nodejs/node#63620. Linux stays on Node 24 LTS.
• Removed the now-unneeded ELIFECYCLE diagnostic scaffolding (#7846 / #7838 / #7842 / #7868). The OS-level sidecar watcher, the diagnostics heartbeat/running-test pointer, and the mid-test snapshot — added to chase the flake above — are removed now that the cause is known.
• Docs — document the Docker settings.json writable-layer and env-var-vs-file semantics (#7819 / #7827). Two operator-facing gaps surfaced by #7819: that the on-disk settings.json is a template (env substitution happens in memory at load time), and that the default compose puts settings.json in the container's writable layer with no host mount, so admin edits are lost on down/pull/watchtower but survive a plain restart. Adds prose + a recreate-vs-restart table to doc/docker.md and a commented-out opt-in bind mount to the compose files.
• Docs refresh for 3.2.0 (#7888), dropped three redundant top-level files (#7839), dropped a fragile viewport assertion in the enter test (#7845), and a backend-test fix-up.

• Two major bumps: redis 5.12.1 → 6.0.0 (#7869) and ejs 5.0.2 → 6.0.1 (#7860).
• ueberdb2 6.1.2 → 6.1.8, mssql 12.5.3 → 12.5.5, nodemailer 8.0.7 → 8.0.10, mysql2 3.22.3 → 3.22.5 (#7915), undici 8.3.0 → 8.4.1 (#7914), pdfkit 0.18.0 → 0.19.0 (#7916), oidc-provider 9.8.3 → 9.8.4, @elastic/elasticsearch 9.4.1 → 9.4.2, lru-cache 11.5.0 → 11.5.1, rate-limiter-flexible 11.1.0 → 11.1.1, semver 7.8.1 → 7.8.2, js-cookie 3.0.7 → 3.0.8, tsx 4.22.3 → 4.22.4, @radix-ui/react-switch 1.2.6 → 1.3.0 (#7913), @tanstack/react-query 5.100.11 → 5.101.0 (+ devtools), plus i18next, react-router-dom, and several dev-dependency group bumps (#7912).

• Multiple updates from translatewiki.net.

3.3 is primarily a security-hardening release. A defence-in-depth pass tightens the HTTP API entry points, switches random-id generation to a CSPRNG, escapes exported data-* attributes, and flips the shipped Docker deployment defaults so a fresh install no longer boots with implicit credentials or a trusting proxy. Alongside that, the ep_* pad-options passthrough that shipped opt-in in 3.0.0 is now on by default, the in-pad timeslider learns to honour the editor's view settings (authorship colours, font family, line numbers), and a long tail of pad-editor layout, RTL, and URL-encoding fixes lands. The release also carries the root-cause fix for the long-standing Windows backend-test "silent ELIFECYCLE" flake.

• Plugin pad options on by default — settings.enablePluginPadOptions now defaults to true (#7841). The flag that gates the ep_* passthrough on pad options (shipped opt-in in 3.0.0, #7698) is flipped to default-on, so plugins such as ep_plugin_helpers' padToggle / padSelect ride the existing broadcast/persist rail out of the box. This closes ep_comments_page#422 — stock 3.x deployments console.warned on every pad load because the helper detected enablePluginPadOptions === false. The settings.json.template env-var default is flipped to match, so Docker/supervisor configs without an explicit value get the new behaviour. Existing deployments with an explicit "enablePluginPadOptions": false keep that value — no migration needed — and the protocol shape is unchanged for older clients.
• Timeslider — honour the editor's view settings (#7899). The in-pad timeslider now respects showAuthorshipColors, padFontFamily, and line-numbers, bridged from the pad-settings checkboxes into the embedded timeslider iframe so the two views agree. nice-select.ts dispatches a native change event after the jQuery trigger so the addEventListener-based bridge in pad_mode.ts fires (jQuery 3.7.1's trigger() does not dispatch native DOM events), and the font-family reset is fixed for jQuery 3 (which ignores a null css value). The five ad-hoc listener stores in pad_mode.ts are consolidated into one bindOuter() path and the three view-setting bridges into a single data-driven bridgeView() (refactor only).
• Admin settings — explain env-var substitution and surface auth errors (#7819 / #7826). Three env-var-only UX improvements driven by #7819 (a Docker operator saved an ep_oauth block in the Raw view and reported it "disappeared", not realising settings.json on disk is a template, not the effective config): a banner above the editor explaining the template/substitution model (rendered only when the loaded file contains a ${VAR} placeholder); a read-only Effective tab exposing the redacted runtime settings the backend already emitted as resolved (also gated on ${VAR}); and an admin_auth_error event so a misrouted Traefik+SSO session that isn't admin gets a clear toast instead of a silent "save did nothing". A reconnect-loop guard suppresses the SPA's auto-reconnect once an auth error has been received. No behaviour change for installs without ${VAR} placeholders.

A defence-in-depth pass across the API, token, export, and deployment surfaces:

• HTTP API request handling, random IDs, and plugin loading (#7906). pad_utils.randomString now generates random IDs via crypto.getRandomValues (CSPRNG) instead of Math.random. OAuth2Provider compares passwords with crypto.timingSafeEqual on the raw UTF-8 bytes (resolving the CodeQL "insufficient computational effort" alert) behind a uniform failure delay, and looks users up via own-property access only. API.appendChatMessage throws padID does not exist rather than creating the pad, consistent with the other content API methods. The /api/2 REST router forwards only the authorization header (not the full request header set) and falls back to it whenever the field is falsy, matching the openapi.ts handler so both routers authenticate identically. LinkInstaller validates plugin dependency names before building filesystem paths from them, and the admin file server returns a generic error while logging details server-side.
• Escape exported data-* attributes; warn on default/placeholder credentials (#7905). ExportHtml now escapes the name and value of attributes emitted by the exportHtmlAdditionalTagsWithData hook, consistent with the URL/text escaping already applied to exported HTML. Settings logs a warning (error level under NODE_ENV=production) when an account uses a default/placeholder password from the shipped config, and the check is extended to cover sso.clients[].client_secret so enabling SSO without setting ADMIN_SECRET / USER_SECRET is flagged the same way.
• Docker deployment defaults — require explicit credentials, default TRUST_PROXY off (#7907). The shipped docker-compose now requires ADMIN_PASSWORD and the database password to be provided explicitly (no implicit fallback) and defaults TRUST_PROXY to false. Operators relying on the previous implicit defaults must now set these values explicitly.

• History mode — lay the timeslider iframe in the editor's flex slot (#7903). In-pad history mode positioned #history-frame-mount as an inset:0 absolute overlay over #editorcontainerbox, which took the iframe out of flow and hid any in-flow side panel (e.g. ep_webrtc's #rtcbox video column) beneath it — so history mode and live mode disagreed. The iframe now occupies the same in-flow flex slot the live editor uses, and a latent specificity bug (the body.history-mode #editorcontainer { display: none } hide rule was outranked by the two-id layout rule, so the live editor was only ever painted over) is fixed by giving the hide rule matching specificity. Adds a padmode.spec.ts regression test.
• Pad editor — restore URL wrapping (#7894 / #7896). Long URLs in the pad editor overflowed instead of wrapping because the global a { white-space: nowrap } rule overrode the wrapping properties on #innerdocbody. Explicit white-space / word-wrap / overflow-wrap on #innerdocbody a restores wrapping inside the editor while preserving no-wrap for links elsewhere in the UI.
• RTL content option no longer flips the whole page (#7900 / #7901). The per-pad RTL content option (rtlIsTrue) wrote the direction to the top-level document.documentElement, flipping the entire page — toolbar and chrome included. The content direction is now applied to the inner editor document (targetDoc.documentElement); page direction stays owned by the UI language (l10n.ts). Adds a frontend test asserting the inner editor flips while the top-level <html> dir is unchanged.
• Pad-wide view settings apply to the creator's own view (#7900 / #7902). Because a creator is never "enforced upon themselves", a stale personal view-override cookie (e.g. rtlIsTrue=false from an earlier toggle) silently masked the pad-wide value they later set, so the control appeared to do nothing on their own screen. Changing a pad-wide view option now syncs the creator's personal pref to the chosen value; the precedence model is unchanged (the creator can still override afterwards via "My view").
• URL view-option params lost to a padeditor.init race (#7840 / #7843). ?showLineNumbers=false and ?useMonospaceFont=true were silently clobbered shortly after load — the same race #7464 fixed for ?rtl=false, but the neighbouring showLineNumbers / noColors / useMonospaceFontGlobal blocks were left at the synchronous-tail site. The fix is generalised to all three (moved into postAceInit). Mostly observable in cross-context iframe embeds that start with no prefs cookie. Adds url_view_options.spec.ts.
• Default welcome text attributed to the system author (#7885 / #7887). Auto-generated default pad content (settings.defaultPadText / padDefaultContent hook) carried the creating user's author attribute and rendered in their authorship colour, even though they never wrote it. The welcome text's author attribute is now Pad.SYSTEM_AUTHOR_ID, while revision 0's meta.author stays the real creator so ownership (pad-wide settings gate, deletion token) is preserved. Explicitly provided text (e.g. HTTP API createPad with text + author) keeps the real author.
• URL-encode pad names in the admin 'Open' button and recent pads (#7865 / #7895). Pad names are encodeURIComponent-d in the admin PadPage Open href and the colibris recent-pads href, and decodeURIComponent-d when read back from the URL pathname; legacy URL-encoded recent-pads names are normalised before re-encoding to prevent double-encoding (%2F → %252F). The admin Open window.open gains noopener,noreferrer.
• OIDC — fix broken OIDCAdapter flows (#7837). Repairs the adapter flows and widens the storage type to include string for the userCode index; adds regression tests.
• Accessibility — dialog titles/descriptions and a missing l10n key (#7835 / #7836). Adds the index.code key referenced by index.html but never defined (which produced a "Couldn't find translation key" console error on the landing page), and gives every admin @radix-ui/react-dialog Dialog.Content a Dialog.Title and Dialog.Description (visually hidden where there's no visible heading), silencing Radix's a11y warnings. A new backend spec fails CI if any data-l10n-id in src/templates/*.html is missing from en.json.
• Offline/air-gapped Docker boot — stop pnpm self-provisioning a pinned version (issue #7911). The official image installs pnpm directly (corepack was dropped for Node 25+). Because the image's pnpm intentionally lags the packageManager pin in package.json (pnpm 11.1.x enforces a minimum-release-age policy the frozen-lockfile build can't satisfy), pnpm treated every call — including the informational pnpm --version probe Etherpad runs at startup — as a request to download the pinned build. Behind a firewall that download failed (Failed to get pnpm version: … Command exited with code 1), breaking startup. The Dockerfile now sets pnpm_config_pm_on_fail=ignore, and the startup probe plus the updater's pnpm-on-PATH checks run with the same flag, so pnpm uses the installed version instead of reaching for the network (without changing which pnpm runs the build-time install). A backend spec fails CI if that guard is dropped while a version gap exists.
• Firefox authorship colours — tag early keystrokes with the right author (#7910). The inner editor's thisAuthor starts empty and is only populated when collab_client's queued setProperty('userAuthor', userId) reaches the iframe (applied asynchronously via pendingInit). Under Firefox timing the first keystrokes could beat it, so freshly typed text — and early line-attribute changes (lists, headings, alignment) — were tagged author='', which canonicalises to an unattributed insert that the server's pad-corruption guard rejects, dropping the whole change and losing authorship (the intermittent clear_authorship_color flake, where undo couldn't restore the author colour). A getLocalAuthor() helper now falls back to clientVars.userId (the same id, available synchronously) whenever thisAuthor is still empty, applied at the text-insert sites and to seed documentAttributeManager.author; the intentional clear-authorship path and the server-side guard are unchanged.
• Dark mode — fix the white address bar and the light-flash on load (#7909, issue #7606). Dark-mode users still saw a white mobile address bar above the dark toolbar, and the whole page flashed light before going dark. Both came from rendering the light state server-side and switching to dark only after the JS bundle ran: iOS Safari reads theme-color at parse time and doesn't reliably repaint on a later JS mutation, and the page painted light before the bundle applied the dark skin classes. The server now emits a prefers-color-scheme-scoped theme-color pair so the address bar is correct at first paint, plus a small blocking <head> script that applies the dark skin classes before the stylesheet paints. Both are gated on enableDarkMode (default on) and the colibris skin; pad.ts still runs on init to wire up the #options-darkmode toggle (which now updates every theme-color meta) and theme the editor iframes. Applies to the pad and timeslider views.

• Root-caused and fixed the Windows backend-test "silent ELIFECYCLE" flake (#7866). The ~22% Windows flake — rotating across random spec files, no mocha summary, no JS trace — was diagnosed from a full-memory dump as two distinct causes. (1) A timing-fragile test abandoned by mocha keeps running and later throws an orphan unhandled rejection; server.ts's process-global uncaughtException/unhandledRejection handlers (correct for a real Etherpad process) escalated that into a clean process.exit. They are now gated behind require.main === module, and the backend-test bootstraps (common.ts, diagnostics.ts) log orphan rejections instead of rethrowing. (2) A stack-buffer overrun in Node 24.x's bundled libuv Windows TCP-connect path (uv__tcp_connect) corrupts memory under the suite's localhost-connection churn; CI pins the Windows backend job to Node 24.16.0 (libuv 1.52.1, the bisected fix), referencing upstream nodejs/node#63620. Linux stays on Node 24 LTS.
• Removed the now-unneeded ELIFECYCLE diagnostic scaffolding (#7846 / #7838 / #7842 / #7868). The OS-level sidecar watcher, the diagnostics heartbeat/running-test pointer, and the mid-test snapshot — added to chase the flake above — are removed now that the cause is known.
• Docs — document the Docker settings.json writable-layer and env-var-vs-file semantics (#7819 / #7827). Two operator-facing gaps surfaced by #7819: that the on-disk settings.json is a template (env substitution happens in memory at load time), and that the default compose puts settings.json in the container's writable layer with no host mount, so admin edits are lost on down/pull/watchtower but survive a plain restart. Adds prose + a recreate-vs-restart table to doc/docker.md and a commented-out opt-in bind mount to the compose files.
• Docs refresh for 3.2.0 (#7888), dropped three redundant top-level files (#7839), dropped a fragile viewport assertion in the enter test (#7845), and a backend-test fix-up.

• Two major bumps: redis 5.12.1 → 6.0.0 (#7869) and ejs 5.0.2 → 6.0.1 (#7860).
• ueberdb2 6.1.2 → 6.1.8, mssql 12.5.3 → 12.5.5, nodemailer 8.0.7 → 8.0.10, mysql2 3.22.3 → 3.22.5 (#7915), undici 8.3.0 → 8.4.1 (#7914), pdfkit 0.18.0 → 0.19.0 (#7916), oidc-provider 9.8.3 → 9.8.4, @elastic/elasticsearch 9.4.1 → 9.4.2, lru-cache 11.5.0 → 11.5.1, rate-limiter-flexible 11.1.0 → 11.1.1, semver 7.8.1 → 7.8.2, js-cookie 3.0.7 → 3.0.8, tsx 4.22.3 → 4.22.4, @radix-ui/react-switch 1.2.6 → 1.3.0 (#7913), @tanstack/react-query 5.100.11 → 5.101.0 (+ devtools), plus i18next, react-router-dom, and several dev-dependency group bumps (#7912).

• Multiple updates from translatewiki.net.

• 图标自动解析导入新增 Divider1 、Keyboard1 和 VoiceWave 三个图标
• mobile-vue 自动解析导入 Segmented 和 Typography 组件

• Fixed a browser process crash when calling webContents.reload() or navigating synchronously from the render-process-gone event; the event is now emitted after the renderer's teardown notification has completed. #51916 ^{(Also in 43)}
• Fixed an issue on Linux and Windows where frameless windows would shrink when calling win.center(). Additionally, fixed an issue where frameless windows would appear slightly off-center on Windows. #51921 ^{(Also in 41, 43)}
• Fixed an issue where the "Toggle Developer Tools" menu item failed to function correctly with BaseWindow. #51903 ^{(Also in 41, 43)}
• Fixed sandboxed preload scripts running a stale cached version after the script was modified without its file size changing. #51933 ^{(Also in 43)}
• Fixed the context menu in a detached DevTools window focusing the inspected page's window instead of the DevTools window. #51864 ^{(Also in 43)}

• Backported fixes from upstream Chromium and V8. #51934
• Security: backported fixes for CVE-2026-9115, CVE-2026-9116. #51904
• Updated Chromium to 148.0.7778.254. #51878
• Updated Node.js to v24.16.0. #51747

• types: Add file extensions to types (02c7bf6), closes #4097
• types: Export shape option types from main entry point (#4109) (f4a236a), closes #4104
• util: camelCase SVG tag/attribute matching in sanitizer (631ddc5), closes #4078 #4106
• util: update sanitization function (#4105) (d492644)
• zoom: fix drag zoom boundary release and circle transition desync (00f6859), closes #4131

• canvas: add canvas rendering mode (200c99e), #4134
• esm: tree-shakable grid, regions, category modules (678e761), #4132

• esm: chart.export() and chart.flow() are no longer included automatically in the ESM build. Explicit import required:

import bb, { bar, exportApi, flow } from "billboard.js";

bb.generate({
 ...bar(),
 ...exportApi(),
 ...flow(),
 data: { ... } 
});

UMD bundle users are not affected.

This release includes fixes for the following security issues:

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

• docs: clarify next-env.d.ts regeneration: #94232
• docs: add updateTag example to cacheTag page: #94508
• Remove experimental.useNodeStreams flag as it's enabled: #93938
• Remove dead cacheComponents web streams path: #93944
• [ci] Disable on-call notification if manual deploy e2e tests failed: #94554
• Reduce new test concurrency to five: #94552
• fix(dev-overlay): Tidy up issues/insight menu and tab overlay: #94549
• [turbopack] Remove WebAssembly helpers from the default runtime: #94373
• docs: clarify use cache persistence across deploys: #93554
• enable eviction by default: #94452
• docs: fix onRequestError error type example: #94518
• docs: move insight error pages from vercel/front to canary: #94564

Huge thanks to @SJvaca30, @aurorascharff, @timneutkens, @eps1lon, @sampoder, @icyJoseph, @lukesandberg, and @danyalahmed1995 for helping!

Note: This is a beta release. Please file new issues for any bugs you find in it.

This release is published to npm under the beta tag and can be installed via npm install electron@beta, or npm install electron@43.0.0-beta.2.

• Fixed an issue where the "Toggle Developer Tools" menu item failed to function correctly with BaseWindow. #51901 ^{(Also in 41, 42)}

• Updated Node.js to v24.16.0. #51865

• [@mantine/notifications] Fix stale DOM nodes references not being cleaned up when notifications is closed (#8955)
• [@mantine/dates] DateInput: Add presets support (#8954)
• [@mantine/core] Collapse: Fix keepMounted prop not being set correctly (#8949)
• [@mantine/core] Menu: Add controlled state support for Menu.Sub opened state
• [@mantine/schedule] Fix incorrect current time indicator position when time does not divide evenly with interval minutes in DayView and WeekView (#8945)
• [@mantine/core] Popover: Fix context menu not working on iOS touch devices (#8942)
• [@mantine/core] SegemntedControl: Fix incorrect indicator border-radius calculation (#8904)
• [@mantine/core] PinInput: Fix incorrect placeholder text centering (#8943)
• [@mantine/core] Tree: Fix arrow key navigation focusing hidden nodes when keepMounted is set (#8939)
• [@mantine/core] MaskInput: Fix compatibility issues with uncontrolled use-form (#8947)
• [@mantine/hooks] use-id: Fix id changing to new value with Activity (#8925)

• @spokodev made their first contribution in https://github.com/mantinedev/mantine/pull/8925
• @cyphercodes made their first contribution in https://github.com/mantinedev/mantine/pull/8947
• @KasperiP made their first contribution in https://github.com/mantinedev/mantine/pull/8939

Full Changelog: https://github.com/mantinedev/mantine/compare/9.3.0...9.3.1