2.7.3

Breaking changes

• Minimum required Node.js version is now 22.13. Node.js 20 is reaching end-of-life (see https://nodejs.org/en/about/previous-releases) and pnpm 11 hard-rejects Node releases older than 22.13. The CI matrix targets Node 22, 24, and 25. Upgrading should be straightforward — install a current Node.js release before updating Etherpad.
• The official Docker image no longer ships curl, npm, or npx. These were dropped to remove transitive CVEs (curl/libcurl SMB advisories, npm's bundled picomatch 4.0.3 and brace-expansion 2.0.2). The container's healthcheck now uses wget (busybox built-in, always present), and Etherpad provisions pnpm via corepack for all runtime package operations. If you exec into the container and rely on curl or npm for ad-hoc tasks, install them on demand with apk add curl or use the busybox wget / pnpm already present.

Notable enhancements

• GDPR / privacy controls. A multi-PR series adds the building blocks operators need to satisfy data-subject requests:
  • Pad deletion controls (admin-driven and self-service).
  • IP / privacy audit pass across the codebase.
  • Author-token cookies are now HttpOnly, removing them from JavaScript reach.
  • Configurable privacy banner shown on first visit.
  • Author erasure: an authenticated path for purging an individual author's identity and contributions.
• Self-update subsystem (Tier 1: notify).
  • Periodic check against the GitHub Releases API for the configured repo (default ether/etherpad). Configurable via the new updates.* settings block, default tier "notify". Set updates.tier to "off" to disable entirely.
  • The admin UI shows a banner and a dedicated "Etherpad updates" page with the current version, latest version, install method, and changelog.
  • Pad users see a discreet footer badge only when the running version is severely outdated (one or more major versions behind) or flagged as vulnerable in a recent release manifest. The public endpoint that drives this never leaks the version string itself.
  • New top-level adminEmail setting. When set, the updater emails the admin on first detection of severe / vulnerable status, with escalating cadence (weekly while vulnerable, monthly while severely outdated). PR 1 ships the dedupe + cadence logic; real SMTP wiring lands in a follow-up PR.
  • Tier 1 ships in this release. Tiers 2 (manual click), 3 (auto with grace window) and 4 (autonomous in maintenance window) are designed and will land in subsequent releases.
  • See doc/admin/updates.md for full configuration.
• Pad compaction. New compactPad HTTP API plus bin/compactPad and bin/compactAllPads CLIs to reclaim database space on long-lived pads with heavy edit history (issue #6194). --keep N retains the last N revisions; --dry-run previews per-pad rev counts before writing. Per-pad failures don't stop the bulk run.
• New packaging targets.
  • Etherpad is now published as a Snap package.
  • Debian (.deb) packages are built via nfpm with a systemd unit, and a signed apt repository is published to etherpad.org/apt.
• Editor enhancements.
  • IDE-style line operations: keyboard shortcuts to duplicate or delete the current line.
  • New showMenuRight URL parameter to hide the right-side toolbar — useful for embeds that need slimmer chrome.
  • Click a user in the userlist to open chat with @<name> prefilled, making mentions discoverable.
  • New padOptions.fadeInactiveAuthorColors setting plus a toolbar UI to fade the background colors of authors who have left the pad.
• Color contrast. Author colors now pick the WCAG-higher-contrast text color for readability.
• Social / mobile metadata. Pad, timeslider, and home views now emit Open Graph and Twitter Card tags (closes #7599) and a theme-color meta that matches the toolbar on mobile.
• Plugin admin UX. The /admin plugin browser surfaces each plugin's ep.json disables declarations, so operators can see what a plugin will turn off before installing.

Notable fixes

• Socket.io: don't kick authenticated duplicate-author sessions. A regression where two tabs from the same authenticated author could evict each other has been fixed (#7656 / #7678).
• Anchor scrolling. Anchor-link navigation now waits for layout to settle, so jumping to a deep link no longer overshoots.
• Plugin updater. bin/updatePlugins.sh actually updates installed plugins again (closes #6670).
• Settings: stable per-release version string. randomVersionString is now derived from the release identity rather than regenerated on each boot, so caches behave correctly across restarts of the same version.

Internal / contributor-facing

• The HTTP client in the backend has been migrated from axios to the built-in fetch API, dropping a dependency now that Node 22 ships a stable fetch.
• admin/ and ui/ workspaces moved from rolldown-vite to upstream Vite 8.
• Build and CI moved to pnpm 11 (packageManager: "[email protected]"); the Dockerfile, snap, and all GitHub workflows are aligned. pnpm overrides have been migrated from package.json to pnpm-workspace.yaml to match pnpm 11's expectations.
• All client modules have been converted to ESM.
• The CI matrix tests Node 22, 24, and 25; on PRs the matrix is reduced to a single Node version to keep feedback fast.
• Frontend Playwright tests now run against the /ether plugin set, with feature-tag based skips so plugin-incompatible specs are excluded automatically.
• Build hardening: signed apt repo publishing, frozen lockfile installs across CI, Node setup pinned in every workflow, and a Docker-image CVE sweep that bumps npm, pnpm, and uuid.

Localisation

• Multiple updates from translatewiki.net.

Notable enhancements and fixes

• Accessibility pass: corrected dialog semantics, improved focus management, added missing icon labels, and set the html lang attribute correctly.
• Chat: clicking the chat icon works again, disabled toggles render properly, and the username layout no longer overflows.
• /export/etherpad now honors the :rev URL segment, so revision-specific exports return the requested revision instead of the latest.
• Undo / redo now scrolls the viewport to follow the caret, so reverted edits stay in view.
• Page Down / Page Up now scrolls by viewport height instead of a fixed line count, matching standard editor behavior on tall and short windows alike.
• Editbar: caret is restored to the pad after changing a toolbar select, so typing continues in the document instead of falling through to the toolbar.
• Admin: i18n is restored on /admin so the admin UI is translated again.

INFO Using node as runtime
INFO node version to use: v25.2.1
INFO node version v25.2.1 already exists in cache
INFO Package Manager detected: pnpm
INFO pnpm version * is already installed in /home/runner/.local/share/gnpm/_gnpm/pnpm-10.22.0
INFO Get all paths to link to: /home/runner/.local/share/gnpm/_gnpm/pnpm
INFO Package manager pnpm installed at [/home/runner/.local/share/gnpm/_gnpm/pnpm]
INFO Running command with package manager: pnpm

[email protected] generateChangelog /home/runner/work/etherpad/etherpad/bin
node --import tsx generateReleaseNotes.ts refs/tags/v2.7.1

2.7.1

Notable enhancements and fixes

• fixed stop harcoding lang=en, letting the client auto detect locale
• Stop mutating the shared plugin registry during sanitization
• Preserve non-breaking space

INFO Using node as runtime
INFO node version to use: v25.2.1
INFO node version v25.2.1 already exists in cache
INFO Package Manager detected: pnpm
INFO pnpm version * is already installed in /home/runner/.local/share/gnpm/_gnpm/pnpm-10.22.0
INFO Get all paths to link to: /home/runner/.local/share/gnpm/_gnpm/pnpm
INFO Package manager pnpm installed at [/home/runner/.local/share/gnpm/_gnpm/pnpm]
INFO Running command with package manager: pnpm

[email protected] generateChangelog /home/runner/work/etherpad/etherpad/bin
node --import tsx generateReleaseNotes.ts refs/tags/v2.7.0

2.7.0

Breaking changes

• Abiword has been replaced with LibreOffice for document import/export. If you were using Abiword for DOCX/ODT/PDF conversion, update your settings.json to point soffice at your LibreOffice binary. DOCX export is now supported out of the box.

Notable enhancements

• Added line numbers to the timeslider so you can follow along with specific lines while replaying a pad's history.
• Added a playback speed setting to the timeslider — you can now scrub through history faster (or slower) than real time.
• Creator-owned pad settings defaults: the user who creates a pad now seeds its default settings, giving pad creators more control over initial configuration.
• Cookie names are now configurable via a prefix setting. Useful when running multiple Etherpads on the same domain and you need to keep their session cookies from colliding.
• Added a new aceRegisterLineAttributes hook so plugins can preserve custom line attributes across Enter / line-split operations. Documentation for the hook is included.
• Added a one-line installer script for getting Etherpad running quickly on a fresh machine.
• Docker images are now published to GitHub Container Registry (GHCR) in addition to Docker Hub.
• npm publishing of core and plugins has been migrated to OIDC trusted publishing for stronger supply-chain security.

Notable fixes

• Database drivers are now bundled with Etherpad again, so fresh installs no longer fail to connect to Postgres, MySQL, and friends out of the box. A regression test has been added to prevent this from breaking again.
• Pending changesets are now flushed immediately after a reconnect instead of being silently dropped, and users are warned when a pending edit is not accepted by the server.
• Head revision and atext are now captured atomically, preventing the occasional "mismatched apply" errors on busy pads.
• Clearing authorship colors can now be undone without forcing a client disconnect.
• Added periodic cleanup of expired/stale sessions from the database, and fixed a race condition in the session cleanup timeout.
• Error messages returned to clients are now sanitized by default with deduplication, so internal details no longer leak through error responses.
• Raised the maximum socket.io message size to 10 MB so large pastes no longer get rejected.
• Dev mode entrypoint paths now respect the x-proxy-path header, fixing reverse-proxy setups in development.
• Numerous list-related fixes: numbered list wrapped lines now indent correctly, ordered list numbering is preserved across bullet interruptions during export, consecutive numbering survives indented sub-bullets, switching from unordered to ordered resets numbering, and line attributes are preserved across drag-and-drop.
• Bold (and other) formatting is now retained after copy-paste.
• Dead-key / compose-key input no longer eats the preceding space.
• POST API requests with a JSON body no longer time out.
• appendText now correctly attributes the new text to the specified author.
• createDiffHTML no longer fails with Not a changeset: undefined.
• Added padId to the padUpdate / padCreate hook context.
• Fixed numConnectedUsers to include the joining user in its count.
• Accessibility improvements: keyboard trap fix, better screen reader support, and aria-live announcements.
• RTL URL parameter rtl=false now correctly disables RTL mode.
• Language dropdown is now sorted alphabetically by native name.
• PageDown now advances the caret by a full page of lines.
• ESM/CJS interop issues in the Settings module that had been breaking plugin compatibility have been resolved, with setters added to the CJS compatibility layer and regression tests in place.
• Several Docker build fixes: git submodule handling, hardlink package-import-method for ZFS, and production-only workspace config.

Other

• Many occurrences of "etherpad-lite" have been renamed to "etherpad" across the codebase and documentation.
• Pinned 33 transitive dependencies to patched versions to clear out Dependabot security alerts.
• Restricted GITHUB_TOKEN permissions in the update-plugins workflow.