3.2 adds first-class reverse-proxy / ingress support — X-Forwarded-Prefix and X-Ingress-Path are now honoured under trustProxy, so Etherpad can live under a subpath (Traefik, Nginx, Kubernetes Ingress) without breaking the PWA manifest, social-meta URLs, or any of the bootstrap asset links. The admin settings page learns to show resolved runtime values next to ${VAR:default} placeholders, the v3.1.0 admin pad-list filter chips now apply server-side (so "show empty pads" no longer returns 0–12 of hundreds), and the v3.1.0 redesigned outdated-version gritter actually fires in production now (the session-based author lookup it shipped with always returned null for pad visitors).

• HTTP — accept X-Forwarded-Prefix and X-Ingress-Path under trustProxy (#7802 / #7806). With trustProxy: true, Etherpad now honours X-Forwarded-Prefix (de-facto Traefik / Spring) and X-Ingress-Path (Kubernetes Ingress) in addition to the prefix it already inferred from the request path. The shared sanitizeProxyPath helper added in 3.1.0 (defence-in-depth: [A-Za-z0-9_./-] only, //+ collapsed, .. traversal rejected) is extended to the new headers and applied consistently across /manifest.json, socialMeta og:url / og:image, and the index.html / pad.html / timeslider.html / export_html.html templates (manifest links, jslicense links, reconnect URLs). A pre-existing .. segment-count miscalculation in pad.html / timeslider.html that broke the manifest link when served from a deep subpath is also fixed in passing. New end-to-end suite covers the prefix-applied / prefix-ignored matrix under trustProxy=true|false for both header names. settings.json.template documents the new headers alongside the existing trustProxy notes.
• Admin settings — resolved runtime values surface on env-pill chips (#7803 / #7807). The /admin/settings socket payload now carries a new resolved field alongside the existing raw-file results blob, carrying the actual in-memory settings module run through a new redactor (AdminSettingsRedact) that replaces known-sensitive paths (users.*.password, dbSettings.password, sso.clients[*].client_secret, sessionKey, …) with [REDACTED]. The admin SPA's EnvPill renders a → active value chip when the path is resolved, or → •••••• with a redacted tooltip when the server returned the sentinel — so port: ${PORT:9001} now shows → 9001 (or whatever the live value is) instead of silently falling back to the template default. Old admin SPAs that don't read resolved continue to work; the save round-trip is unchanged so ${VAR:default} literals are still preserved verbatim on disk. The admin test script glob picks up .test.tsx alongside .test.ts so the new EnvPill and resolveByPath tests run under tsx --test.

• Admin pads — filter chip now applies server-side, before pagination (#7798). The 3.1.0 admin pad-list filter chips (active / recent / empty / stale) ran on the client after the 12-row page slice had already arrived. On a deployment with hundreds of pads, clicking "empty pads" on page 1 only matched the 0–12 empties that happened to land in the current page, with the pagination footer reporting nonsense totals (reported on a 3.1.0 deployment). The filter is now part of the padLoad socket query — pattern filter on names runs first (cheap), metadata hydration for the matching pad universe is gated on a non-all filter or a non-padName sort and runs under a 16-way concurrency cap (was unbounded Promise.all, which fanned out to thousands of in-flight padManager.getPad() reads on busy deployments), then the filter chip, then sort + slice. total reflects the filtered universe so the footer makes sense. Older admin clients that don't send filter keep working — the server defaults to all. The if/else if ladder that duplicated the hydrate-and-sort loop per sortBy is folded into one pipeline with a single comparator switch.
• Pad outdated notice — author now resolved from token cookie, not session (Qodo #7804 / #7805). The 3.1.0 redesigned outdated-version gritter never fired in production. resolveRequestAuthor() looked for an authorID on req.session.user, which Etherpad does not populate for pad visitors (express-session only carries the admin-login user), so computeOutdated() always returned EMPTY. The lookup now mirrors how the socket.io handshake resolves pad-visitor identity — read the HttpOnly token (or <prefix>token) cookie and call authorManager.getAuthorId(token, user) via a dynamic import (same circular-init guard pattern the file already uses for PadManager). The admin OpenAPI document gains a description note clarifying that /api/version-status is a public pad-side endpoint that lives in the admin doc only because it shares the same internal route registration.
• Localisation — silence spurious "could not translate element content" warning (#7797). <select data-l10n-id="…"> with <option> element children — the pattern used by ep_headings2, ep_align, ep_font_size, ep_font_family, … — used to drop into the textContent branch of html10n.translateNode, hunt for a text-node child to overwrite, find none, and emit Unexpected error: could not translate element content for key … on every pad load. The SELECT / INPUT / TEXTAREA aria-label fallback already lived inside the same else-branch after the warning, so the accessible name landed correctly but the noisy console line still fired. Form-control elements now short-circuit into the aria-label path before the text-node hunt — aria-label is the only sensible localization target for these elements (a <select>'s text is its <option> labels, not its own name). Closes the console warning reported on Etherpad 3.1.0.

• CI — swap archived ep_readonly_guest for ep_guest in the plugin matrix (#7795 / #7808). ep_readonly_guest is archived (read-only on GitHub) and its authenticate hook unconditionally swapped req.session.user with a read-only guest, even when the request carried an HTTP Authorization header. That silently demoted admin login attempts and stalled the anonymizeAuthorSocket tests for 14 min/run on every with-plugins CI matrix. The pre-fix theory from 3.1.0 (#7796) blamed ep_hash_auth.handleMessage; that was a red herring — handleMessage only fires on the /pad namespace, never on /settings. ep_guest is the maintained successor (same authors, same purpose); 1.0.72 on npm already defers to basic auth / admin paths. Swapping the matrix unblocks the anonymizeAuthorSocket suite on Linux, Windows, and the upgrade-from-latest-release workflow. The runtime probe added in #7796 stays — it still catches any other authenticate-hook plugin that rejects the test's plain-text credentials (e.g. a future hashed-only plugin).
• Tests — admin saveSettings round-trip + cross-restart persistence (#7819 / #7820 / #7821). The admin saveSettings socket had zero direct backend coverage and the existing e2e "restart works" test only checked that the page renders after a restart, neither of which catches a deployment that resets settings.json on restart, nor the user-visible workflow that triggered #7819 (add a top-level plugin block via Raw, save, watch it disappear). Three new backend specs (adminSettingsSave.ts) verify byte-for-byte write, top-level-block augmentation round-tripping through the next load, and /* */ comments surviving the write path. A new e2e spec mirrors the #7819 user workflow — open Raw, prepend an ep_oauth-shaped top-level block, save, restartEtherpad(), re-login, confirm the block is still in Raw and surfaces as its own Form-view section (Ep oauth from humanize()). A separate docker.yml job (adminSettings_7819.ts) authenticates via POST /admin-auth/ (always-requireAdmin, regardless of settings.requireAuthentication), saves a hand-built minimal-but-viable settings document containing a marker block, docker exec test greps for it, docker restarts the container, waits for the health probe, and re-greps. Both checks must pass.
• Bug report template now asks contributors whether the abstraction in their proposed fix matches the rest of the codebase, to head off premature-generalisation fixes earlier in review.

• ueberdb2 6.0.3 → 6.1.2 (two patch releases of cleanup on top of the 6.1.0 findKeysPaged API that the 3.1.0 sessionstorage OOM fix relies on).
• semver 7.8.0 → 7.8.1, lru-cache 11.3.6 → 11.5.0, @elastic/elasticsearch 9.4.0 → 9.4.1, pg 8.20.0 → 8.21.0, openapi-backend 5.16.1 → 5.17.0, tsx 4.22.0 → 4.22.3, @tanstack/react-query 5.100.10 → 5.100.11 + @tanstack/react-query-devtools, js-cookie 3.0.6 → 3.0.7, plus two dev-dependency group bumps.

• Multiple updates from translatewiki.net.

3.1 ships the self-update programme's Tier 4 — autonomous in a maintenance window for real (the v3.0.0 notes documented the design; this is the release the code actually lands in), adds first-class SMTP delivery so update failures email the admin, and bundles a defence-in-depth pass across the HTTP/API entry points. Two new admin-facing escape hatches arrive: a preflight check that aborts an update before it mutates the working tree when the target tag's engines.node doesn't match the running runtime, and email notifications for every auto-rollback / preflight outcome (not just the terminal rollback-failed state).

• Self-update — Tier 4 (autonomous in a maintenance window). Set updates.tier: "autonomous" together with updates.maintenanceWindow: {"start":"HH:MM","end":"HH:MM","tz":"local"|"utc"} to constrain autonomous updates to a nightly window. The scheduler snaps scheduledFor forward to the next window opening when grace would otherwise land outside the window, and defers the fire when the window has closed by the timer callback. Cross-midnight windows (end < start) are supported; DST transitions are absorbed by host wall-clock arithmetic. A missing or malformed window degrades the policy to Tier 3 with an explicit policy.reason of maintenance-window-missing / maintenance-window-invalid; an admin banner surfaces the misconfiguration so autonomous behaviour is not silently disabled. The admin update page shows a "Maintenance window" section with the parsed window summary, the next opening, and a "deferred until " subtitle on the scheduled panel when the timer has been snapped forward. Closes #7607 (#7753).
• Updater — real SMTP via nodemailer (new top-level mail.* block). Replaces the "(would send email)" stub. New settings: mail.host, mail.port, mail.secure, mail.from, mail.auth.{user,pass}. mail.host=null keeps the legacy log-only behaviour. The nodemailer dependency is lazy-imported on first send so installs that don't configure mail pay no runtime cost; the transport is cached on the full SMTP options tuple so a reloadSettings() change to host/port/credentials invalidates the cache. settings.json.docker reads MAIL_HOST / MAIL_FROM / MAIL_PORT / MAIL_SECURE from env. Send errors are logged warn and swallowed so a transient SMTP failure can never poison the updater state machine.
• Updater — preflight against the target tag's engines.node. Before mutating the working tree, runPreflight now runs git show <tag>:package.json and verifies process.versions.node satisfies the target's engines.node. A mismatch fails cleanly at preflight-failed with the detail target requires Node >=X, running Y — no drain, no restart, no rollback. The check runs after signature verification so we only trust signed package.json. New PreflightReason: 'node-engine-mismatch'.
• Updater — email admin on rollback / preflight-failed (not just rollback-failed). Before this release only the terminal rollback-failed state emailed. Auto-recovered failures (rolled-back-install-failed, rolled-back-build-failed, rolled-back-health-check, rolled-back-crash-loop) and preflight-failed now also fire one email per <outcome>:<targetTag> (dedupe key in EmailSendLog.lastFailureKey). A 3am autonomous update that rolls back because of, say, a Node engine bump now lands in the admin inbox at 3am instead of staying invisible until the next admin login. Boot-path catch-up covers cases where the failure preceded a clean process exit (timer-fired health-check rollback, crash-loop forced rollback, preflight-failed that didn't get to email before exit).
• API — listAuthorsOfPad filters the synthetic system author. Pad.SYSTEM_AUTHOR_ID (a.etherpad-system) is the placeholder Etherpad attributes to when the HTTP API receives a call without an authorId (setText, setHTML, appendText, server-side import). It was leaking through listAuthorsOfPad, making pads with only API-driven content appear to have one "real" author. The synthetic id is now filtered at that API surface only — getAllAuthors() and downstream callers (copy, anonymize, atext verification) still see it. Fixes #7785 / #7790 (#7793).

• Export HTML — ordered-list counter no longer poisoned by a sibling unordered list. When an ordered-list level was the only consumer of olItemCounts, closing any list at that depth (including a <ul> that happened to share the level) reset the counter to 0. A subsequent unrelated <ol> at the same depth then took the "counter exists but is 0" branch and emitted <ol class="..."> without the start= attribute. The reset is now gated on line.listTypeName === 'number' so closing an unordered list never touches the ol bookkeeping. Fixes #7786 / #7787 (#7791).
• Export — bad :rev returns a meaningful 500 body, not Express's HTML error page. A non-numeric :rev (e.g. /p/foo/test1/export/txt) reached checkValidRev which throws CustomError('rev is not a number', 'apierror'); the message fell through .catch(next) and Express's default renderer returned an HTML 500 page. The route handler now catches the apierror and emits err.message as a deterministic text/plain 500. As a follow-up, checkValidRev runs before res.attachment() so an invalid rev no longer leaves a Content-Disposition header in place (browsers were offering to save the error message as a file), and unrelated export failures (conversion, fs, soffice) are surfaced as text/plain rather than the HTML stack page. Fixes #7788 (#7792).

A bundle of defence-in-depth tightening picked up during an internal audit pass (#7784):

• HTTP API — OAuth JWT path. Verify the signature before reading any claim off the payload; require admin: true strictly (presence is no longer sufficient). The apikey comparison switches to crypto.timingSafeEqual.
• Import/Export temp-file path tokens. Derived from crypto.randomBytes(16) instead of Math.random().
• Token transfer. Records now have a 5-minute TTL and are single-use (removed from the store before responding). The author token is no longer in the redemption response body — the HttpOnly cookie is the only delivery channel.
• x-proxy-path header sanitiser (new src/node/utils/sanitizeProxyPath.ts). Shared by admin.ts and specialpages.ts. Strips characters outside [A-Za-z0-9_./-], collapses leading //+ to a single /, rejects .. traversal. admin.ts also emits Vary: x-proxy-path and Cache-Control: private, no-store so a poisoned response can never be reused for another origin.
• Pad.appendRevision insert-op author invariant. Centralises the "every insert op carries an author attribute" rule the socket handler already enforced, so non-wire callers (setText, setHTML, restoreRevision, plugin paths) get the same check. Pad.init and setPadHTML substitute SYSTEM_AUTHOR_ID when no author is supplied — same pattern setText / spliceText already used.
• setPadRaw legacy-import rewrite. Bulk-import bypasses appendRevision, so a hand-crafted .etherpad file could persist non-conforming records that any subsequent setText / setHTML would refuse to extend. A pre-pass now walks revs in order, sanitises each changeset's + ops against the cumulative pad pool (substituting SYSTEM_AUTHOR_ID where needed), and re-applies each changeset to a running atext so the head atext and key-rev meta.atext / meta.pool snapshots stay in lock-step. Conforming payloads round-trip unchanged.

• Backend tests — tests/backend/specs/{api,admin}/* un-skipped. The pnpm test script's glob (tests/backend/specs/**.ts) only matched depth-1 files. Every spec under api/ (14 files) and admin/ (2 files) has been silently skipped by CI. Switched to --extension ts --recursive so mocha walks the tree as documented. A new vitest regression check reads the pnpm script, hands mocha the same arguments under --dry-run --list-files, and asserts representative specs from both subdirectories appear in the discovered list (#7789).
• CI — Windows npx ENOENT in the glob-discovery regression check. execFileSync('npx', ...) doesn't pick up npx.cmd on Windows runners. Resolved by running mocha's JS entry directly via require.resolve under the current node process. Path normalisation now goes through path.relative + replace([\\/]) so mixed-separator / drive-letter casing on Windows mocha output still matches the POSIX-relative assertions (#7794).
• CI — anonymizeAuthorSocket suite gated on admin-socket health when ep_hash_auth is installed. Un-hiding the suite in #7789 surfaced a 14-minute stall on every with-plugins matrix run because ep_hash_auth's handleMessage hook fires for every socket message regardless of namespace and reads from the deprecated client context (undefined for non-pad namespaces). Until the root cause lands (tracked in #7795), the suite skips itself when an application-level probe shows the admin /settings namespace isn't responding — keeps the no-plugin matrix covered and stops burning ~14 minutes per with-plugins run (#7796).

• Multiple updates from translatewiki.net.

3.0 is a feature-heavy release that closes out the self-update programme (Tiers 2 and 3 land alongside Tier 1 from 2.7.3), removes the last identified upstream telemetry vector, and ships a parsed JSONC settings editor, native DOCX export, in-place pad history scrubbing, and an admin UI for GDPR author erasure. It also marks the start of the broader Etherpad app ecosystem (see Companion apps below).

• Minimum required Node.js version is now 24. Node.js 22 is no longer supported. Node 25 was briefly the floor mid-cycle but was rolled back to 24 LTS (Krypton, supported through ~May 2028) because Node 25 reached end-of-life on 2026-04-10 (see #7779 / #7781). The CI matrix targets Node 24 and 26. Node 24 still ships Corepack, so existing bin/installer.sh / bin/installer.ps1 flows continue to work unchanged; the global pnpm install fallback added for the Node 25 detour is kept for forward-compatibility.
• pnpm floor raised to pnpm@11.1.2. packageManager is now pinned to pnpm@11.1.2 and engines.pnpm requires >=11.1.2. The Dockerfile, snap, .deb and all GitHub workflows are aligned.
• swagger-ui-express removed. /api-docs now serves a vendored, telemetry-free copy of Scalar (see the privacy item below). The route, the OpenAPI document, and the rendered output are unchanged for downstream consumers, but anything that introspected swagger-ui-express internals will need updating.
• Debian package depends on nodejs (>= 24). The signed apt repository at etherpad.org/apt is rebuilt against this floor; older Node packages are no longer acceptable as a dependency (#7754).

This release coincides with the launch of two ecosystem projects, both maintained under the ether org and able to talk to any 3.x Etherpad server over its existing HTTP / WebSocket API:

• ether/etherpad-desktop — a native desktop wrapper around Etherpad for macOS, Windows and Linux. Single-window editor experience, system-tray indicator, and an optional embedded server for fully offline pads.
• ether/pad — a portable cross-target client: an Android and iOS app for editing pads on the go, and a nano-style terminal client for headless / SSH workflows. Shares the same realtime client transport as the browser editor so changes propagate live across desktop, mobile, terminal and the web UI.

Both clients hit the stable 3.x API surface, so server operators don't need to enable anything extra to support them — the OpenAPI clean-up landed in this release (see Notable enhancements) is what makes the shared client code generators viable.

• Self-update subsystem — Tier 2 (manual click).
  • Admins on a git install can click "Apply update" at /admin/update. Etherpad runs a 60s session drain (with T-60 / T-30 / T-10 broadcasts to every pad), git fetch / checkout / pnpm install --frozen-lockfile / pnpm run build:ui, and exits with code 75 so a process supervisor restarts it on the new version. The next boot runs a 60s health check; if /health doesn't come up the previous SHA + lockfile are restored automatically.
  • Crash-loop guard: if the new version reboots more than twice without the health check completing, RollbackHandler forces a rollback regardless of the timer.
  • Terminal rollback-failed state surfaces a strong banner; the admin clicks Acknowledge once they've manually recovered to clear the lock and re-allow Tier 2 attempts.
  • New settings under updates.*: preApplyGraceMinutes, drainSeconds, rollbackHealthCheckSeconds, diskSpaceMinMB, requireSignature, trustedKeysPath. Tag signature verification is opt-in (default false) — see doc/admin/updates.md for the keyring setup.
  • A process supervisor (systemd / pm2 / docker --restart=unless-stopped) is required to apply updates. Without one, exit 75 leaves the instance down.
• Self-update subsystem — Tier 3 (auto with grace window).
  • On a git install, set updates.tier: "auto" to have new releases applied automatically after preApplyGraceMinutes. During the grace window, /admin/update shows a live countdown plus Cancel and Apply now buttons. Schedules are persisted to var/update-state.json, so an Etherpad restart during the grace window rehydrates the timer instead of losing the schedule. A new release tag detected mid-grace re-arms the timer; if adminEmail is set, a one-shot grace-start notification fires per scheduled tag (issue #7607).
  • The terminal rollback-failed state continues to disable auto/autonomous attempts globally until acknowledged; manual click stays available because an admin click is the intervention the terminal state requires.
  • Tier 4 (autonomous in a maintenance window) remains designed but unimplemented and will land in a subsequent release.
• Privacy — drop swagger-ui telemetry, document phone-homes, add opt-outs.
  • Dropped swagger-ui-express because upstream injects a Scarf analytics pixel that cannot be disabled at install or runtime (see swagger-api/swagger-ui#10573). /api-docs now serves a vendored copy of Scalar (MIT) configured with withDefaultFonts: false and telemetry: false so no outbound calls are made.
  • New privacy.updateCheck (default true) — set to false to disable the hourly UpdateCheck.ts request to ${updateServer}/info.json.
  • New privacy.pluginCatalog (default true) — set to false to disable the admin plugins page fetch of ${updateServer}/plugins.json. CLI install-by-name still works.
  • New PRIVACY.md at repo root documenting both outbound calls, what they send, and how to turn each off.
  • bin/plugins/stalePlugins.ts now reads settings.updateServer (was hardcoded to static.etherpad.org) and honours the new flag.
  • Closes #7524.
• Parsed JSONC settings editor in /admin. The settings page now parses settings.json as JSONC (with comments and trailing commas preserved), validates edits in-browser, and writes the file back without clobbering comment blocks (#7709, closes #7603, takes over #7666).
• GDPR — admin UI for author erasure. Builds on the 2.7.3 author-erasure API: admins can now find an author by id or name in /admin and run a confirmed erasure flow from the UI (#7667, follow-up to #7550).
• Pad-wide settings on by default. padOptions-style settings can now be edited from the in-pad cog without flipping a flag, and the modal title no longer misleads about scope (#7679). Plugin-namespaced ep_* keys also flow through applyPadSettings so plugins can register their own pad-wide options (#7698).
• Scrub history in-place on the pad URL. A long-edited pad can now have its history rewritten in place (e.g. for compliance or to drop accidentally-pasted secrets), without changing the pad URL or breaking deep-links (#7710, closes #7659).
• bin/compactStalePads — staleness-gated bulk compaction. Companion to the 2.7.3 compactAllPads CLI: targets only pads not edited in the last --older-than N days, so hot pads in active timeslider use are left alone. Same --keep / --dry-run shape as compactAllPads (#7708, issue #7642).
• Native DOCX export (opt-in). A html-to-docx-based exporter lands as an alternative to the LibreOffice path, so installs that don't want soffice on the host can still produce .docx. soffice is now documented as optional for .docx and .pdf (#7568 / #7707, issue #7538).
• Editor / UI.
  • Settings popup is now scrollable on short viewports so the lower controls stay reachable on small laptops (#7703, issue #7696).
  • Admin design pass cleans up the rework introduced in 2.7.3 (#7716).
  • theme-color meta now follows the client-side dark-mode switch instead of locking to the boot-time value (#7690, issue #7606).
  • menu_right stays visible on readonly pads by default; operators that prefer the slimmer chrome can still opt in via showMenuRight (#7783).
  • Social meta: new settings.socialMeta.description override (#7691) plus a fix for numeric / boolean override values that were silently being dropped during coercion (#7692).
• Admin / API surface.
  • The published OpenAPI spec is cleaned up for downstream codegens — duplicate operationIds removed, response schemas filled in, nullable ⟶ oneOf null migrated for OpenAPI 3.1 (#7714). The companion apps above consume this directly.
  • Admin endpoints (/admin/* JSON APIs) are now documented in the OpenAPI spec (#7693 / #7705) and called from a typesafe TanStack Query client in the admin SPA (#7638 / #7695).
  • "Requires newer Etherpad" message in the plugin browser when an ep.json declares an engines.etherpad higher than the running version, instead of failing with a generic install error (#7763 / #7771).
• Security hardening.
  • Reject USER_CHANGES inserts that arrive without an author attribute, closing a server-side trust gap where unattributed changes could be applied to a pad (#7773).
  • Integrator-issued sessionID cookies can now be marked HttpOnly via the new option, matching the 2.7.3 author-token hardening (#7045 / #7755).
• Observability — Prometheus counters. Three new counters surface scaling-relevant events (pad_load_total, socket_connect_total, changeset_apply_total) so operators can drive horizontal-scaling decisions off the existing /metrics endpoint without a custom exporter (#7756 / #7762).
• Accessibility (continuation of the 2.7.2 / 2.7.3 pass).
  • Skip-to-content link plus hiding line-number gutters from screen readers (#7255 / #7758).
  • Named role="toolbar" regions and linemetricsdiv hidden from assistive tech (#7255 / #7777).
  • Localized aria-label on form controls (<select>, <input>, <textarea>) and on export-as links (#7697 / #7713).
  • Removed role="textbox" / aria-multiline from innerdocbody where they no longer matched the editor's real semantics (#7778 / #7782).

• Docker — pnpm at runtime. Bypass pnpm at container start so the entrypoint no longer triggers a spurious deps-status reinstall on every restart (#7718 / #7727). The Corepack cache is now shared so the unprivileged etherpad user can resolve pnpm (#7689).
• Debian — plugin_packages stays in-tree. The .deb now keeps plugin_packages/ under the install root so plugins installed at runtime can still resolve ep_etherpad-lite (#7750).
• Admin — restore search and sort. SearchField and the column-sort helpers used by the authors page were lost during the admin rework; they're restored (#7746).
• Admin — German strings hardcoded in error paths. A handful of leftover German strings from the rework are replaced with i18n keys (#7735 / #7736).
• Settings — username: false / malformed color: false regression. Legacy settings.json files that used false to disable a feature no longer surface as 'false' username or 'malformed color: false' errors (#7688, issue #7686).

• Database driver — ueberdb2 5 → 6. Major-version bump to ueberdb2@^6.0.3 (#7734). Drivers are pinned through the lockfile; the schema-level changes are documented in the ueberdb2 6.0 release notes.
• CI / tests.
  • Windows + Node 24 backend-test flake fixed; native crashes are now captured for diagnosis (#7748).
  • updater-integration rmdir-retry to clear the long-standing Windows EBUSY flake (#7728).
  • lowerCasePadIds spec closes its socket.io clients on teardown (#7722).
  • Admin tests realigned to the typesafe API client + plugin row count fixes (#7712).
  • Rate-limit test waits for Etherpad readiness before running, instead of racing the boot sequence (#7726).
• README link fixes and tidy-up (#7723 / #7724 / #7725).
• Several dependency-group bumps across the dev and runtime trees: undici 7.25 → 8.3, semver 7.7.4 → 7.8, tsx 4.21 → 4.22, mssql 12.5.2 → 12.5.3, js-cookie 3.0.5 → 3.0.6, @tanstack/react-query 5.100.9 → 5.100.10, actions/dependency-review-action 4 → 5, plus the usual Dependabot dev-group rollups.

• Multiple updates from translatewiki.net.

• Minimum required Node.js version is now 22.13. Node.js 20 is reaching end-of-life (see https://nodejs.org/en/about/previous-releases) and pnpm 11 hard-rejects Node releases older than 22.13. The CI matrix targets Node 22, 24, and 25. Upgrading should be straightforward — install a current Node.js release before updating Etherpad.
• The official Docker image no longer ships curl, npm, or npx. These were dropped to remove transitive CVEs (curl/libcurl SMB advisories, npm's bundled picomatch 4.0.3 and brace-expansion 2.0.2). The container's healthcheck now uses wget (busybox built-in, always present), and Etherpad provisions pnpm via corepack for all runtime package operations. If you exec into the container and rely on curl or npm for ad-hoc tasks, install them on demand with apk add curl or use the busybox wget / pnpm already present.

• GDPR / privacy controls. A multi-PR series adds the building blocks operators need to satisfy data-subject requests:
  • Pad deletion controls (admin-driven and self-service).
  • IP / privacy audit pass across the codebase.
  • Author-token cookies are now HttpOnly, removing them from JavaScript reach.
  • Configurable privacy banner shown on first visit.
  • Author erasure: an authenticated path for purging an individual author's identity and contributions.
• Self-update subsystem (Tier 1: notify).
  • Periodic check against the GitHub Releases API for the configured repo (default ether/etherpad). Configurable via the new updates.* settings block, default tier "notify". Set updates.tier to "off" to disable entirely.
  • The admin UI shows a banner and a dedicated "Etherpad updates" page with the current version, latest version, install method, and changelog.
  • Pad users see a discreet footer badge only when the running version is severely outdated (one or more major versions behind) or flagged as vulnerable in a recent release manifest. The public endpoint that drives this never leaks the version string itself.
  • New top-level adminEmail setting. When set, the updater emails the admin on first detection of severe / vulnerable status, with escalating cadence (weekly while vulnerable, monthly while severely outdated). PR 1 ships the dedupe + cadence logic; real SMTP wiring lands in a follow-up PR.
  • Tier 1 ships in this release. Tiers 2 (manual click), 3 (auto with grace window) and 4 (autonomous in maintenance window) are designed and will land in subsequent releases.
  • See doc/admin/updates.md for full configuration.
• Pad compaction. New compactPad HTTP API plus bin/compactPad and bin/compactAllPads CLIs to reclaim database space on long-lived pads with heavy edit history (issue #6194). --keep N retains the last N revisions; --dry-run previews per-pad rev counts before writing. Per-pad failures don't stop the bulk run.
• New packaging targets.
  • Etherpad is now published as a Snap package.
  • Debian (.deb) packages are built via nfpm with a systemd unit, and a signed apt repository is published to etherpad.org/apt.
• Editor enhancements.
  • IDE-style line operations: keyboard shortcuts to duplicate or delete the current line.
  • New showMenuRight URL parameter to hide the right-side toolbar — useful for embeds that need slimmer chrome.
  • Click a user in the userlist to open chat with @<name> prefilled, making mentions discoverable.
  • New padOptions.fadeInactiveAuthorColors setting plus a toolbar UI to fade the background colors of authors who have left the pad.
• Color contrast. Author colors now pick the WCAG-higher-contrast text color for readability.
• Social / mobile metadata. Pad, timeslider, and home views now emit Open Graph and Twitter Card tags (closes #7599) and a theme-color meta that matches the toolbar on mobile.
• Plugin admin UX. The /admin plugin browser surfaces each plugin's ep.json disables declarations, so operators can see what a plugin will turn off before installing.

• Socket.io: don't kick authenticated duplicate-author sessions. A regression where two tabs from the same authenticated author could evict each other has been fixed (#7656 / #7678).
• Anchor scrolling. Anchor-link navigation now waits for layout to settle, so jumping to a deep link no longer overshoots.
• Plugin updater. bin/updatePlugins.sh actually updates installed plugins again (closes #6670).
• Settings: stable per-release version string. randomVersionString is now derived from the release identity rather than regenerated on each boot, so caches behave correctly across restarts of the same version.

• The HTTP client in the backend has been migrated from axios to the built-in fetch API, dropping a dependency now that Node 22 ships a stable fetch.
• admin/ and ui/ workspaces moved from rolldown-vite to upstream Vite 8.
• Build and CI moved to pnpm 11 (packageManager: "pnpm@11.0.6"); the Dockerfile, snap, and all GitHub workflows are aligned. pnpm overrides have been migrated from package.json to pnpm-workspace.yaml to match pnpm 11's expectations.
• All client modules have been converted to ESM.
• The CI matrix tests Node 22, 24, and 25; on PRs the matrix is reduced to a single Node version to keep feedback fast.
• Frontend Playwright tests now run against the /ether plugin set, with feature-tag based skips so plugin-incompatible specs are excluded automatically.
• Build hardening: signed apt repo publishing, frozen lockfile installs across CI, Node setup pinned in every workflow, and a Docker-image CVE sweep that bumps npm, pnpm, and uuid.

• Multiple updates from translatewiki.net.

• Accessibility pass: corrected dialog semantics, improved focus management, added missing icon labels, and set the html lang attribute correctly.
• Chat: clicking the chat icon works again, disabled toggles render properly, and the username layout no longer overflows.
• /export/etherpad now honors the :rev URL segment, so revision-specific exports return the requested revision instead of the latest.
• Undo / redo now scrolls the viewport to follow the caret, so reverted edits stay in view.
• Page Down / Page Up now scrolls by viewport height instead of a fixed line count, matching standard editor behavior on tall and short windows alike.
• Editbar: caret is restored to the pad after changing a toolbar select, so typing continues in the document instead of falling through to the toolbar.
• Admin: i18n is restored on /admin so the admin UI is translated again.

[34mINFO[0m Using node as runtime [34mINFO[0m node version to use: v25.2.1 [34mINFO[0m node version v25.2.1 already exists in cache [34mINFO[0m Package Manager detected: pnpm [34mINFO[0m pnpm version * is already installed in /home/runner/.local/share/gnpm/_gnpm/pnpm-10.22.0 [34mINFO[0m Get all paths to link to: /home/runner/.local/share/gnpm/_gnpm/pnpm [34mINFO[0m Package manager pnpm installed at [/home/runner/.local/share/gnpm/_gnpm/pnpm] [34mINFO[0m Running command with package manager: pnpm

bin@2.7.1 generateChangelog /home/runner/work/etherpad/etherpad/bin node --import tsx generateReleaseNotes.ts refs/tags/v2.7.1

• fixed stop harcoding lang=en, letting the client auto detect locale
• Stop mutating the shared plugin registry during sanitization
• Preserve non-breaking space

• Abiword has been replaced with LibreOffice for document import/export. If you were using Abiword for DOCX/ODT/PDF conversion, update your settings.json to point soffice at your LibreOffice binary. DOCX export is now supported out of the box.

• Added line numbers to the timeslider so you can follow along with specific lines while replaying a pad's history.
• Added a playback speed setting to the timeslider — you can now scrub through history faster (or slower) than real time.
• Creator-owned pad settings defaults: the user who creates a pad now seeds its default settings, giving pad creators more control over initial configuration.
• Cookie names are now configurable via a prefix setting. Useful when running multiple Etherpads on the same domain and you need to keep their session cookies from colliding.
• Added a new aceRegisterLineAttributes hook so plugins can preserve custom line attributes across Enter / line-split operations. Documentation for the hook is included.
• Added a one-line installer script for getting Etherpad running quickly on a fresh machine.
• Docker images are now published to GitHub Container Registry (GHCR) in addition to Docker Hub.
• npm publishing of core and plugins has been migrated to OIDC trusted publishing for stronger supply-chain security.

• Database drivers are now bundled with Etherpad again, so fresh installs no longer fail to connect to Postgres, MySQL, and friends out of the box. A regression test has been added to prevent this from breaking again.
• Pending changesets are now flushed immediately after a reconnect instead of being silently dropped, and users are warned when a pending edit is not accepted by the server.
• Head revision and atext are now captured atomically, preventing the occasional "mismatched apply" errors on busy pads.
• Clearing authorship colors can now be undone without forcing a client disconnect.
• Added periodic cleanup of expired/stale sessions from the database, and fixed a race condition in the session cleanup timeout.
• Error messages returned to clients are now sanitized by default with deduplication, so internal details no longer leak through error responses.
• Raised the maximum socket.io message size to 10 MB so large pastes no longer get rejected.
• Dev mode entrypoint paths now respect the x-proxy-path header, fixing reverse-proxy setups in development.
• Numerous list-related fixes: numbered list wrapped lines now indent correctly, ordered list numbering is preserved across bullet interruptions during export, consecutive numbering survives indented sub-bullets, switching from unordered to ordered resets numbering, and line attributes are preserved across drag-and-drop.
• Bold (and other) formatting is now retained after copy-paste.
• Dead-key / compose-key input no longer eats the preceding space.
• POST API requests with a JSON body no longer time out.
• appendText now correctly attributes the new text to the specified author.
• createDiffHTML no longer fails with Not a changeset: undefined.
• Added padId to the padUpdate / padCreate hook context.
• Fixed numConnectedUsers to include the joining user in its count.
• Accessibility improvements: keyboard trap fix, better screen reader support, and aria-live announcements.
• RTL URL parameter rtl=false now correctly disables RTL mode.
• Language dropdown is now sorted alphabetically by native name.
• PageDown now advances the caret by a full page of lines.
• ESM/CJS interop issues in the Settings module that had been breaking plugin compatibility have been resolved, with setters added to the CJS compatibility layer and regression tests in place.
• Several Docker build fixes: git submodule handling, hardlink package-import-method for ZFS, and production-only workspace config.

• Many occurrences of "etherpad-lite" have been renamed to "etherpad" across the codebase and documentation.
• Pinned 33 transitive dependencies to patched versions to clear out Dependabot security alerts.
• Restricted GITHUB_TOKEN permissions in the update-plugins workflow.

For those wondering where the new updates are and why it was very quite throughout the last 1 1/2 years – I've been working on a new implementation of Etherpad from scratch in Go. It's called Etherpad-Go and you can find it here: https://github.com/ether/etherpad-go and a short FAQ about it here: https://github.com/ether/etherpad-go/wiki/FAQ . I'd love to hear your feedback about it either on Discord or issue tracker. There is a README.md that explains how to get started and try it out and also the FAQ can be quite fruitful. Latest release can be found here: https://github.com/ether/etherpad-go/releases/tag/v0.0.4

• Minor fixes and improvements to the session transfer feature introduced in 2.6.0
• Dependencies upgrades

• Added native option to transfer your Etherpad session between browsers. If you use multiple browsers or different PC for Etherpad they are different sessions. Meaning typing on one PC and then switching to another one in the same pad will result in different authorship colors. With this new feature you can now transfer your session to another browser or PC. To do so, open the home page and click on the wheel icon in the top right corner. After that click through the first dialog prompting you to copy a code to your clipboard. On your second browser open the same dialog and switch to "Receive Session" tab. There you can paste the code you copied before and click on "Receive Session". After that your session is transferred, and you can continue editing with the same authorship color as before. Just be aware that you can't have two active sessions at once in a pad.
• Updated to oidc provider v2.6.0 after resolving compatibility issues.

🎉 For all the people celebrating: Have a happy and awesome new year! 🎉 There is something big on the horizon for Etherpad in 2026. Stay tuned!

• Fixed an issue with the release script that caused the release to not be created correctly.