Update Paperless-ngx #308

Open
renovate-bot wants to merge 1 commits from renovate/paperless-ngx into master
Collaborator

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| docker.io/gotenberg/gotenberg | minor | 8.29.1 → 8.31.0 |
| ghcr.io/paperless-ngx/paperless-ngx | patch | 2.20.13 → 2.20.14 |

⚠️ Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

gotenberg/gotenberg (docker.io/gotenberg/gotenberg)

v8.31.0: 8.31.0

Compare Source

Breaking Changes & Security Fixes ⚠️

  • Stopped publishing thecodingmachine/gotenberg images. Pull from gotenberg/gotenberg instead.
  • SSRF hardening (breaking). Resolves outbound URLs (Chromium asset fetches, webhook delivery, download-from) and rejects non-public addresses: loopback, RFC1918, link-local, unspecified, multicast, IPv6 unique-local, IPv4-mapped IPv6. Pins the dial to the validated IP to prevent DNS rebinding.
  • Defaulted webhook deny list (breaking). --webhook-deny-list now defaults to a regex blocking loopback, RFC1918, link-local, and IPv6 unique-local ranges. Override the flag to call internal hosts.
  • Sanitized ExifTool metadata (breaking for System: tags). Strips control characters and line breaks from /forms/pdfengines/metadata/write payloads. Drops System:-prefixed tags. Blocks argument smuggling and filesystem pseudo-tag abuse.

New Features

  • Embed files metadata. Adds embedsMetadata to every route accepting embeds (Chromium HTML/URL/Markdown, LibreOffice convert, PDF Engines merge/split/embed). Pass a JSON object keyed by filename with per-file fields (mimeType, relationship, etc.) - thanks @Jean-Beru!

Bug Fixes

  • Pinned Chromium to v146 on ppc64le to work around an upstream regression.

Deprecated Flags

| Old | New |
|---|---|
| --webhook-error-allow-list | --webhook-allow-list |
| --webhook-error-deny-list | --webhook-deny-list |

Old flags still work.

Chore

  • Updated Go dependencies.

v8.30.1: 8.30.1

Compare Source

Another release, another bug fixes 🫥

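Bug Fixes

  • chromium only variants now start correctly - thanks @agross!
  • Re-added cURL for orchestrators health check - thanks @budivoogt, @gertjanstulp and @jfisbein!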

v8.30.0: 8.30.0

Compare Source

New Features

Docker Image Variants
  • Chromium-Only Image (gotenberg/gotenberg:8.30.0-chromium): Drops LibreOffice, python3, and hyphenation packages. ~30% smaller than the full image.
  • LibreOffice-Only Image (gotenberg/gotenberg:8.30.0-libreoffice): Drops Chromium and its dependencies. ~38% smaller than the full image.

Pick the variant that matches your workload. The full image (gotenberg/gotenberg:8.30.0) still ships everything.

Leaner Docker Image

The full image is ~13% smaller than 8.29.0. The font stack was simplified from 30+ packages down to 8, covering Latin, Greek, Cyrillic, CJK, and most world scripts through Noto, plus color emoji.

| Package | Coverage |
|---|---|
| fonts-noto-core | Arabic, Bengali, Devanagari, Ethiopic, Georgian, Gujarati, Gurmukhi, Hebrew, Kannada, Khmer, Lao, Malayalam, Myanmar, Sinhala, Tamil, Telugu, Thai, and more |
| fonts-noto-cjk | Chinese, Japanese, Korean |
| fonts-noto-color-emoji | Color emoji |
| fonts-dejavu | Latin, Greek, Cyrillic |
| fonts-crosextra-carlito | Metric-compatible with Calibri |
| fonts-crosextra-caladea | Metric-compatible with Cambria |
| fonts-liberation | Metric-compatible with Arial, Times New Roman, Courier New |
| fonts-liberation2 | Updated Liberation metrics |

Microsoft Core Fonts (ttf-mscorefonts-installer) are not shipped due to licensing constraints. The image includes metric-compatible replacements instead: Carlito for Calibri, Caladea for Cambria, and Liberation for Arial, Times New Roman, and Courier New. These preserve document layout in most cases.

Installing Additional Fonts

Build a custom Dockerfile to add fonts. Common scenarios:

Microsoft Core Fonts (you accept the Microsoft EULA):

```docker
FROM gotenberg/gotenberg:8

USER root

RUN echo "deb http://deb.debian.org/debian trixie contrib non-free" \
      > /etc/apt/sources.list.d/contrib.list \
    && echo "ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula select true" \
      | debconf-set-selections \
    && apt-get update -qq \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq --no-install-recommends \
         ca-certificates \
         wget \
         ttf-mscorefonts-installer \
    && rm -rf /var/lib/apt/lists/*

USER gotenberg
```

Specialized script fonts for richer glyph sets, better hinting, or traditional typefaces beyond the basic Noto coverage:

| Script | Package |
|---|---|
| Arabic (Naskh) | fonts-hosny-amiri |
| Bengali | fonts-beng |
| Devanagari (Hindi) | fonts-sarai |
| Ethiopic | fonts-sil-abyssinica |
| Gujarati | fonts-samyak-gujr |
| Gurmukhi (Punjabi) | fonts-lohit-guru |
| Hebrew | culmus |
| Kannada | fonts-lohit-knda |
| Malayalam | fonts-samyak-mlym |
| Myanmar | fonts-sil-padauk |
| Sinhala | fonts-lklug-sinhala |
| Tamil | fonts-samyak-taml |
| Telugu | fonts-telu |
| Thai | fonts-thai-tlwg |

```docker
FROM gotenberg/gotenberg:8

USER root

RUN apt-get update -qq \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq --no-install-recommends \
        fonts-hosny-amiri \
        fonts-thai-tlwg \
    && rm -rf /var/lib/apt/lists/*

USER gotenberg
```

Webhook
  • Gotenberg-Webhook-Error-Url Now Optional: When Gotenberg-Webhook-Events-Url is set, Gotenberg-Webhook-Error-Url is no longer required. Error handling flows through the events URL instead. Gotenberg-Webhook-Error-Url is deprecated but continues to work.

Bug Fixes

  • ExifTool Tag Filtering: Case-insensitive comparison and expanded blocklist for ExifTool metadata filtering. Excludes additional system tags while preserving safe derived tags.
  • Regex Timeout: Added timeout to regex evaluation to prevent ReDoS on malformed patterns.

Chore

  • Updated Go dependencies.

paperless-ngx/paperless-ngx (ghcr.io/paperless-ngx/paperless-ngx)

v2.20.14: Paperless-ngx v2.20.14

Compare Source

paperless-ngx 2.20.14

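Bug Fixes

  • Fix: do not submit permissions for non-owners @shamoon (#12571)
  • Fix: prevent duplicate parent tag IDs @shamoon (#12522)
  • Fix: dont defer tag change application in workflows @shamoon (#12478)
  • Fix: limit share link viewset actions @shamoon (#12461)
  • Fix: add fallback ordering for documents by id after created @shamoon (#12440)
  • Fixhancement: default mail-created correspondent matching to exact @shamoon (#12414)
  • Fix: validate date CF value in serializer @shamoon (#12410)

All App Changes
7 changes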

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
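
The SSRF hardening item in the 8.31.0 notes (resolve, reject non-public addresses, pin the dial) can be illustrated with the added Go example below; it is not Gotenberg's code and not part of the PR. All names (`isPublic`, `IsPublicIP`, `guardControl`, `NewGuardedClient`) are hypothetical, and it assumes the check is done in `net.Dialer.Control`, which sees the exact IP the socket is about to connect to, so a changed DNS answer between validation and connect cannot redirect the request.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// ErrNonPublic marks a destination rejected by the guard (hypothetical name).
var ErrNonPublic = errors.New("non-public destination")

// isPublic rejects the address classes listed in the release note.
func isPublic(a netip.Addr) bool {
	if !a.IsValid() || a.Is4In6() { // IPv4-mapped IPv6 such as ::ffff:10.0.0.1
		return false
	}
	return !(a.IsLoopback() || a.IsUnspecified() || a.IsMulticast() ||
		a.IsPrivate() || // RFC1918 and IPv6 unique-local fc00::/7
		a.IsLinkLocalUnicast()) // 169.254.0.0/16 and fe80::/10
}

// IsPublicIP parses an IP literal and applies isPublic.
func IsPublicIP(s string) bool {
	a, err := netip.ParseAddr(s)
	return err == nil && isPublic(a)
}

// guardControl runs after name resolution, on the ip:port the socket will
// connect to, so the address that was validated is the address that is dialed.
func guardControl(network, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil || !isPublic(ap.Addr()) {
		return fmt.Errorf("%w: %s", ErrNonPublic, address)
	}
	return nil
}

// NewGuardedClient returns a client whose every connection, including those
// opened while following redirects, passes through guardControl.
func NewGuardedClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: guardControl}
	// Proxy is left nil so targets are dialed directly and the check sees them.
	return &http.Client{Timeout: 15 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	// Constructed sample addresses, not taken from the page.
	for _, ip := range []string{"93.184.216.34", "10.0.0.5", "::ffff:127.0.0.1", "fd00::1"} {
		fmt.Println(ip, IsPublicIP(ip))
	}
}
```

For this homelab stack the practical consequence is the breaking change itself: any Gotenberg webhook or asset URL that points at an internal host will be refused after the upgrade unless the deny list is overridden.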

renovate-bot added 1 commit 2026-04-07 02:03:33 +02:00
renovate-bot force-pushed renovate/paperless-ngx from bc939d2571 to ffacc319bc 2026-04-15 02:03:05 +02:00 Compare
renovate-bot changed title from Update docker.io/gotenberg/gotenberg Docker tag to v8.30.1 to Update Paperless-ngx 2026-04-15 02:03:08 +02:00
renovate-bot force-pushed renovate/paperless-ngx from ffacc319bc to 4c33a777ee 2026-04-18 02:03:00 +02:00 Compare

Reference: peter/homelab-docker-config#308