• Breaking: Drop support for Node.js 18, now requires Node.js >= 20.9.0.

• Breaking: Remove install script from package.json file. Compiling from source is now opt-in via the build script.

• Breaking: Lossy AVIF output is now tuned using SSIMULACRA2-based iq quality metrics.

• Breaking: Add limitInputChannels with a default value of 5.

• Breaking: Remove deprecated failOnError constructor property.

• Breaking: Remove deprecated paletteBitDepth from metadata response.

• Breaking: Remove deprecated properties from sharpen operation.

• Breaking: Rename format.jp2k as format.jp2 for API consistency.

• Upgrade to libvips v8.18.3 for upstream bug fixes.

• Remove experimental status from WebAssembly binaries.

• Add prebuilt binaries for FreeBSD (WebAssembly).

• Deprecate Windows 32-bit (win32-ia32) prebuilt binaries.

• Ensure TIFF output bitdepth option is limited to 1, 2 or 4.

• Add AVIF/HEIF tune option for control over quality metrics. #4227

• Add keepGainMap and withGainMap to process HDR JPEG images with embedded gain maps. #4314

• Add toUint8Array for output image as a TypedArray backed by a transferable ArrayBuffer. #4355

• Require prebuilt binaries using static paths to aid code bundling. #4380

• TypeScript: Ensure FormatEnum keys match reality. #4475

• Add margin option to trim operation. #4480 @eddienubes

• Ensure HEIF primary item is used as default page/frame. #4487

• Add image Media Type (MIME Type) to metadata response. #4492

• Add withDensity to set output density in EXIF metadata. #4496

• Improve pkg-config path discovery. #4504

• Add WebP exact option for control over transparent pixel colour values.

• Add support for ECMAScript Modules (ESM). #4509 @florian-lefebvre

• background: Correct background image position in canvas (34009de)
• canvas: align rendering and touch interaction parity (5944cab)

3.3.1 is a small bug-fix and hardening follow-up to 3.3.0. It closes a stored-XSS vector in the numbered-list start attribute, hardens the database layer so a dropped connection to PostgreSQL / Redis / RethinkDB no longer crashes the process (via ueberdb2 6.1.9), and fixes a handful of pad and admin regressions — the iOS dark-mode status bar, the settings language dropdown, the pad-deletion modal under allowPadDeletionByAllUsers, and a single unreadable pad blanking the admin Manage-pads list.

• Pad editor — escape and integer-coerce the numbered-list start attribute (GHSA-f7h5-v9hm-548j, #7937). A crafted <ol start> value flowed unescaped into domline.ts, a distinct client-side sink from the export-path fix in 3.3.0's #7905. The value is now integer-coerced and HTML-escaped before it reaches the DOM. A jsdom regression test covers the sink.

• Skin — paint the root canvas so iOS dark mode has no white status bar (#7606 / #7931). iOS Safari paints the top safe area from the html root background, which theme-color (an Android address-bar hint) does not affect, so dark-mode pads showed a white status-bar strip on iOS. Colibris now sets the root background and color-scheme so the safe area matches the editor.
• Settings — show the detected language in the dropdown (#7925 / #7928). The settings language <select> did not reflect the language Etherpad had actually auto-detected; it now shows the active selection.
• Pad — don't issue a deletion token (or show its modal) when allowPadDeletionByAllUsers is on (#7929). With pad deletion open to all users the client still minted a deletion token and surfaced the confirm modal; both are now suppressed in that configuration.
• Admin — one unreadable pad no longer empties the Manage-pads list (#7935 / #7938). A single pad that failed to read could throw out of the list-hydration path and blank the entire admin Manage-pads view; the read is now guarded per-pad so the rest of the list still renders.

• CI — downstream client compatibility gate (#7923 / #7924 / #7927). A new gate smoke-tests the published etherpad-pad, etherpad-cli, and etherpad-desktop clients against the server build (Phase 1 + Phase 2), with robust per-client error handling in run-clients.sh so one client's failure is reported rather than masking the others.
• CI — verify Etherpad boots offline (#7936). Adds a test step that confirms a built Etherpad starts with no network access.

• ueberdb2 6.1.8 → 6.1.9 — PostgreSQL pool errors are now handled and TCP keep-alive is enabled (fixes #7878), and the Redis and RethinkDB drivers attach connection-error handlers so a dropped database connection no longer crashes the Etherpad process.
• semver 7.8.2 → 7.8.3 (#7933), rate-limiter-flexible 11.1.1 → 11.2.0 (#7934), plus a dev-dependencies group update (#7932).

3.3.1 is a small bug-fix and hardening follow-up to 3.3.0. It closes a stored-XSS vector in the numbered-list start attribute, hardens the database layer so a dropped connection to PostgreSQL / Redis / RethinkDB no longer crashes the process (via ueberdb2 6.1.9), and fixes a handful of pad and admin regressions — the iOS dark-mode status bar, the settings language dropdown, the pad-deletion modal under allowPadDeletionByAllUsers, and a single unreadable pad blanking the admin Manage-pads list.

• Pad editor — escape and integer-coerce the numbered-list start attribute (GHSA-f7h5-v9hm-548j, #7937). A crafted <ol start> value flowed unescaped into domline.ts, a distinct client-side sink from the export-path fix in 3.3.0's #7905. The value is now integer-coerced and HTML-escaped before it reaches the DOM. A jsdom regression test covers the sink.

• Skin — paint the root canvas so iOS dark mode has no white status bar (#7606 / #7931). iOS Safari paints the top safe area from the html root background, which theme-color (an Android address-bar hint) does not affect, so dark-mode pads showed a white status-bar strip on iOS. Colibris now sets the root background and color-scheme so the safe area matches the editor.
• Settings — show the detected language in the dropdown (#7925 / #7928). The settings language <select> did not reflect the language Etherpad had actually auto-detected; it now shows the active selection.
• Pad — don't issue a deletion token (or show its modal) when allowPadDeletionByAllUsers is on (#7929). With pad deletion open to all users the client still minted a deletion token and surfaced the confirm modal; both are now suppressed in that configuration.
• Admin — one unreadable pad no longer empties the Manage-pads list (#7935 / #7938). A single pad that failed to read could throw out of the list-hydration path and blank the entire admin Manage-pads view; the read is now guarded per-pad so the rest of the list still renders.

• CI — downstream client compatibility gate (#7923 / #7924 / #7927). A new gate smoke-tests the published etherpad-pad, etherpad-cli, and etherpad-desktop clients against the server build (Phase 1 + Phase 2), with robust per-client error handling in run-clients.sh so one client's failure is reported rather than masking the others.
• CI — verify Etherpad boots offline (#7936). Adds a test step that confirms a built Etherpad starts with no network access.

• ueberdb2 6.1.8 → 6.1.9 — PostgreSQL pool errors are now handled and TCP keep-alive is enabled (fixes #7878), and the Redis and RethinkDB drivers attach connection-error handlers so a dropped database connection no longer crashes the Etherpad process.
• semver 7.8.2 → 7.8.3 (#7933), rate-limiter-flexible 11.1.1 → 11.2.0 (#7934), plus a dev-dependencies group update (#7932).

• fix(core): floor adaptive precision at float resolution to let springs settle on sub-precision drift by @joshuaellis in https://github.com/pmndrs/react-spring/pull/2520
• chore(deps): update build-tooling by @renovate[bot] in https://github.com/pmndrs/react-spring/pull/2524
• chore(deps): update commitlint to v21.0.2 by @renovate[bot] in https://github.com/pmndrs/react-spring/pull/2525
• fix(parallax): pin container to top-left to prevent double scrollbar by @joshuaellis in https://github.com/pmndrs/react-spring/pull/2527
• docs(core): clarify null/undefined goals are skipped, not animated by @joshuaellis in https://github.com/pmndrs/react-spring/pull/2528
• fix(shared): guard string interpolator against number-less output values by @joshuaellis in https://github.com/pmndrs/react-spring/pull/2529
• test(parallax): pin #2052 sticky-layer-in-component regression by @joshuaellis in https://github.com/pmndrs/react-spring/pull/2530
• test(core): cover declarative useSpring auto-start under StrictMode (#2361) by @joshuaellis in https://github.com/pmndrs/react-spring/pull/2531
• fix(core): auto-start useTransition when props is a function (#2287) by @joshuaellis in https://github.com/pmndrs/react-spring/pull/2532
• fix(three): drive demand-mode frameloop so looping animations don't freeze by @joshuaellis in https://github.com/pmndrs/react-spring/pull/2536
• chore: version packages by @github-actions[bot] in https://github.com/pmndrs/react-spring/pull/2521

Full Changelog: https://github.com/pmndrs/react-spring/compare/v10.1.0...v10.1.1

• #5002 by @kiranmagic7 – Clear stale DnD drop indicators when dragging from a block into editor whitespace.

• #4997 by @WilliamPeralta – Forward two dropped options in exportToDocx:

  • pageSize — the html-to-docx engine accepts a page size, but exportToDocx only forwarded margins and orientation, so the document was always the default (US Letter). You can now pass e.g. pageSize: { width: 11906, height: 16838 } to export A4.
  • fontFamily — it was only applied to the serialized HTML (and only when an EditorStaticComponent was provided), so the document default font was never set and Word fell back to Times New Roman. It now also sets the document default font (documentOptions.font).

Thanks to everyone who contributed to this release:

@kiranmagic7, @WilliamPeralta

Full changelog: v53.0.9...v53.1.0

• Breaking: Drop support for Node.js 18, now requires Node.js >= 20.9.0.

• Breaking: Remove install script from package.json file. Compiling from source is now opt-in via the build script.

• Breaking: Lossy AVIF output is now tuned using SSIMULACRA2-based iq quality metrics.

• Breaking: Add limitInputChannels with a default value of 5.

• Breaking: Remove deprecated failOnError constructor property.

• Breaking: Remove deprecated paletteBitDepth from metadata response.

• Breaking: Remove deprecated properties from sharpen operation.

• Breaking: Rename format.jp2k as format.jp2 for API consistency.

• Upgrade to libvips v8.18.3 for upstream bug fixes.

• Remove experimental status from WebAssembly binaries.

• Add prebuilt binaries for FreeBSD (WebAssembly).

• Deprecate Windows 32-bit (win32-ia32) prebuilt binaries.

• Ensure TIFF output bitdepth option is limited to 1, 2 or 4.

• Add AVIF/HEIF tune option for control over quality metrics. #4227

• Add keepGainMap and withGainMap to process HDR JPEG images with embedded gain maps. #4314

• Add toUint8Array for output image as a TypedArray backed by a transferable ArrayBuffer. #4355

• Require prebuilt binaries using static paths to aid code bundling. #4380

• TypeScript: Ensure FormatEnum keys match reality. #4475

• Add margin option to trim operation. #4480 @eddienubes

• Ensure HEIF primary item is used as default page/frame. #4487

• Add image Media Type (MIME Type) to metadata response. #4492

• Add withDensity to set output density in EXIF metadata. #4496

• Improve pkg-config path discovery. #4504

• Add WebP exact option for control over transparent pixel colour values.

• Add support for ECMAScript Modules (ESM). #4509 @florian-lefebvre

• Rename prefetch option force-runtime to allow-runtime: #94568
• Remove unstable_instant agent hints; insights validate by default: #94577
• [turbopack] Use an arena for JSValues: #94297
• Stabilize export const prefetch: #94571
• Fix node:stream leak in webpack edge bundles: #94585
• docs: fix 'time zone' spelling in FOUC guide: #93244
• docs: add pnpm installation step to module-not-found error page: #93773
• Stream Cache Components dev render instead of restarting on cache miss: #94457
• instant: polish client-hook overlay wording, cards, and docs links: #94496
• Fix Navigation Inspector Continue Rendering with loading.tsx: #94355
• disallow reads from .next-profiles: #94570
• [turbopack] add an extension to trace files: #94587
• [ci] Remove dead playwright docker image creation logic: #94576
• [cd] Ensure release can be triggered on old branches: #94596
• Make router-act ignore App Shell prefetch requests: #94580
• Enable experimental.appShells by default with cacheComponents: #94516
• [turbopack] Lazily allocate the BlockCaches: #94562
• Stabilize catchError and retry by removing unstable_ prefix: #94610
• Revert "Stabilize catchError and retry by removing unstable_ prefix": #94617
• docs: root-params highligth fixes: #94620
• Stabilize unstable_instant: #94578
• docs: remove unstable_disableValidation recommendations: #94608
• doc: instant navs runtime story: #93204
• Reapply "Stabilize catchError and retry by removing unstable_ prefix": #94623

Huge thanks to @gnoff, @gaojude, @sampoder, @karlhorky, @MikhailStn, @unstubbable, @aurorascharff, @samselikoff, @lukesandberg, @bgw, @eps1lon, @acdlite, @devjiwonchoi, and @icyJoseph for helping!

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

• [cd] Ensure wasm binaries get tagged properly: #94621

Huge thanks to @eps1lon for helping!