chore(deps): update apps/paperless-ngx

[renovate]

This PR contains the following updates:

Package	Update	Change
apache/tika	minor	3.2.3.0-full → 3.3.0.0-full
ghcr.io/paperless-ngx/paperless-ngx	patch	2.20.11 → 2.20.15
gotenberg/gotenberg	minor	8.27.0-cloudrun → 8.31.0-cloudrun

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

paperless-ngx/paperless-ngx (ghcr.io/paperless-ngx/paperless-ngx)

v2.20.15: Paperless-ngx v2.20.15

Compare Source

paperless-ngx 2.20.15

[!NOTE]
This release addresses a security issue (GHSA-8c6x-pfjq-9gr7) and is recommended for all users. Our sincere thank you to the community members who reported this.

Bug Fixes

• Fix: use only allauth login/logout endpoints @​shamoon (#​12639)
• Fix: correctly scope mail account enumeration @​shamoon (#​12636)
• Fix: prevent intermediate change event when CustomFieldQueryAtom operator changes type @​ggouzi (#​12597)
• Fix: reject invalid requests to API notes endpoint @​ggouzi (#​12582)

All App Changes

4 changes

• Fix: use only allauth login/logout endpoints @​shamoon (#​12639)
• Fix: correctly scope mail account enumeration @​shamoon (#​12636)
• Fix: prevent intermediate change event when CustomFieldQueryAtom operator changes type (#​12597)
• Fix: reject invalid requests to API notes endpoint (#​12582)

v2.20.14: Paperless-ngx v2.20.14

Compare Source

paperless-ngx 2.20.14

Bug Fixes

• Fix: do not submit permissions for non-owners @​shamoon (#​12571)
• Fix: prevent duplicate parent tag IDs @​shamoon (#​12522)
• Fix: dont defer tag change application in workflows @​shamoon (#​12478)
• Fix: limit share link viewset actions @​shamoon (#​12461)
• Fix: add fallback ordering for documents by id after created @​shamoon (#​12440)
• Fixhancement: default mail-created correspondent matching to exact @​shamoon (#​12414)
• Fix: validate date CF value in serializer @​shamoon (#​12410)

All App Changes

7 changes

• Fix: do not submit permissions for non-owners @​shamoon (#​12571)
• Fix: prevent duplicate parent tag IDs @​shamoon (#​12522)
• Fix: dont defer tag change application in workflows @​shamoon (#​12478)
• Fix: limit share link viewset actions @​shamoon (#​12461)
• Fix: add fallback ordering for documents by id after created @​shamoon (#​12440)
• Fixhancement: default mail-created correspondent matching to exact @​shamoon (#​12414)
• Fix: validate date CF value in serializer @​shamoon (#​12410)

v2.20.13: Paperless-ngx v2.20.13

Compare Source

paperless-ngx 2.20.13

Bug Fixes

• Fix: suggest corrections only if visible results
• Fix: require view permission for more-like search
• Fix: validate document link targets
• Fix: enforce permissions when attaching accounts to mail rules

v2.20.12: Paperless-ngx v2.20.12

Compare Source

paperless-ngx 2.20.12

[!NOTE]
This release addresses a security issue (GHSA-96jx-fj7m-qh6x) and is recommended for all users. Our sincere thank you to the community members who reported this.

Bug Fixes

• Fix: Scope the workflow saves to prevent clobbering filename/archive_filename @​stumpylog (#​12390)
• Fix: don't try to usermod/groupmod when non-root + update docs (#12365) @​stumpylog (#​12391)
• Fix: avoid moving files if already moved @​shamoon (#​12389)
• Fix: remove pagination from document notes api spec @​shamoon (#​12388)
• Fix: fix file button hover color in dark mode @​shamoon (#​12367)
• Fixhancement: only offer basic auth for appropriate requests @​shamoon (#​12362)

All App Changes

5 changes

• Fix: Scope the workflow saves to prevent clobbering filename/archive_filename @​stumpylog (#​12390)
• Fix: avoid moving files if already moved @​shamoon (#​12389)
• Fix: remove pagination from document notes api spec @​shamoon (#​12388)
• Fix: fix file button hover color in dark mode @​shamoon (#​12367)
• Fixhancement: only offer basic auth for appropriate requests @​shamoon (#​12362)

gotenberg/gotenberg (gotenberg/gotenberg)

v8.31.0: 8.31.0

Compare Source

Breaking Changes & Security Fixes ⚠️

• Stopped publishing thecodingmachine/gotenberg images. Pull from gotenberg/gotenberg instead.
• SSRF hardening (breaking). Resolves outbound URLs (Chromium asset fetches, webhook delivery, download-from) and rejects non-public addresses: loopback, RFC1918, link-local, unspecified, multicast, IPv6 unique-local, IPv4-mapped IPv6. Pins the dial to the validated IP to prevent DNS rebinding.
• Defaulted webhook deny list (breaking). --webhook-deny-list now defaults to a regex blocking loopback, RFC1918, link-local, and IPv6 unique-local ranges. Override the flag to call internal hosts.
• Sanitized ExifTool metadata (breaking for System: tags). Strips control characters and line breaks from /forms/pdfengines/metadata/write payloads. Drops System:-prefixed tags. Blocks argument smuggling and filesystem pseudo-tag abuse.

New Features

• Embed files metadata. Adds embedsMetadata to every route accepting embeds (Chromium HTML/URL/Markdown, LibreOffice convert, PDF Engines merge/split/embed). Pass a JSON object keyed by filename with per-file fields (mimeType, relationship, etc.) - thanks @​Jean-Beru!

Bug Fixes

• Pinned Chromium to v146 on ppc64le to work around an upstream regression.

Deprecated Flags

Old	New
--webhook-error-allow-list	--webhook-allow-list
--webhook-error-deny-list	--webhook-deny-list

Old flags still work.

Chore

• Updated Go dependencies.

v8.30.1: 8.30.1

Compare Source

Another release, another bug fixes 🫥

Bug Fixes

• chromium only variants now start correctly - thanks @​agross!
• Re-added cURL for orchestrators health check - thanks @​budivoogt, @​gertjanstulp and @​jfisbein!

v8.30.0: 8.30.0

Compare Source

New Features

Docker Image Variants

• Chromium-Only Image (gotenberg/gotenberg:8.30.0-chromium): Drops LibreOffice, python3, and hyphenation packages. ~30% smaller than the full image.
• LibreOffice-Only Image (gotenberg/gotenberg:8.30.0-libreoffice): Drops Chromium and its dependencies. ~38% smaller than the full image.

Pick the variant that matches your workload. The full image (gotenberg/gotenberg:8.30.0) still ships everything.

Leaner Docker Image

The full image is ~13% smaller than 8.29.0. The font stack was simplified from 30+ packages down to 8, covering Latin, Greek, Cyrillic, CJK, and most world scripts through Noto, plus color emoji.

Package	Coverage
fonts-noto-core	Arabic, Bengali, Devanagari, Ethiopic, Georgian, Gujarati, Gurmukhi, Hebrew, Kannada, Khmer, Lao, Malayalam, Myanmar, Sinhala, Tamil, Telugu, Thai, and more
fonts-noto-cjk	Chinese, Japanese, Korean
fonts-noto-color-emoji	Color emoji
fonts-dejavu	Latin, Greek, Cyrillic
fonts-crosextra-carlito	Metric-compatible with Calibri
fonts-crosextra-caladea	Metric-compatible with Cambria
fonts-liberation	Metric-compatible with Arial, Times New Roman, Courier New
fonts-liberation2	Updated Liberation metrics

Microsoft Core Fonts (ttf-mscorefonts-installer) are not shipped due to licensing constraints. The image includes metric-compatible replacements instead: Carlito for Calibri, Caladea for Cambria, and Liberation for Arial, Times New Roman, and Courier New. These preserve document layout in most cases.

Installing Additional Fonts

Build a custom Dockerfile to add fonts. Common scenarios:

Microsoft Core Fonts (you accept the Microsoft EULA):

FROM gotenberg/gotenberg:8

USER root

RUN echo "ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula select true" | debconf-set-selections \
    && apt-get update -qq \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq --no-install-recommends ttf-mscorefonts-installer \
    && rm -rf /var/lib/apt/lists/*

USER gotenberg

Specialized script fonts for richer glyph sets, better hinting, or traditional typefaces beyond the basic Noto coverage:

Script	Package
Arabic (Naskh)	fonts-hosny-amiri
Bengali	fonts-beng
Devanagari (Hindi)	fonts-sarai
Ethiopic	fonts-sil-abyssinica
Gujarati	fonts-samyak-gujr
Gurmukhi (Punjabi)	fonts-lohit-guru
Hebrew	culmus
Kannada	fonts-lohit-knda
Malayalam	fonts-samyak-mlym
Myanmar	fonts-sil-padauk
Sinhala	fonts-lklug-sinhala
Tamil	fonts-samyak-taml
Telugu	fonts-telu
Thai	fonts-thai-tlwg

FROM gotenberg/gotenberg:8

USER root

RUN apt-get update -qq \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq --no-install-recommends \
        fonts-hosny-amiri \
        fonts-thai-tlwg \
    && rm -rf /var/lib/apt/lists/*

USER gotenberg

Webhook

• Gotenberg-Webhook-Error-Url Now Optional: When Gotenberg-Webhook-Events-Url is set, Gotenberg-Webhook-Error-Url is no longer required. Error handling flows through the events URL instead. Gotenberg-Webhook-Error-Url is deprecated but continues to work.

Bug Fixes

• ExifTool Tag Filtering: Case-insensitive comparison and expanded blocklist for ExifTool metadata filtering. Excludes additional system tags while preserving safe derived tags.
• Regex Timeout: Added timeout to regex evaluation to prevent ReDoS on malformed patterns.

Chore

• Updated Go dependencies.

v8.29.1: 8.29.1

Compare Source

Bug Fix (Chromium)

Assets were no longer being correctly loaded in HTML files. This is now fixed. Thanks @​ARawles-GFSC for the heads up!

v8.29.0: 8.29.0

Compare Source

Security Fixes ⚠️

• ExifTool Arbitrary File Write: The /forms/pdfengines/metadata/write endpoint allowed users to pass FileName and Directory pseudo-tags in the metadata JSON, enabling file rename/move to arbitrary paths. User-supplied metadata is now filtered through a blocklist before being passed to ExifTool.
• Chromium file:// Sub-Resource Restriction: When converting HTML/Markdown via file://, sub-resources are now restricted to the request's working directory, preventing cross-request file access in /tmp.

New Features

OpenTelemetry

• Full OpenTelemetry Support: Distributed tracing, metrics export, and structured logging: all configurable via standard OTEL environment variables (OTEL_TRACES_EXPORTER, OTEL_METRICS_EXPORTER, OTEL_LOGS_EXPORTER, OTEL_EXPORTER_OTLP_ENDPOINT, etc.). Every HTTP request gets a span. External tool calls (Chromium, LibreOffice, QPDF, pdfcpu, pdftk, ExifTool, webhook delivery, download-from) create child spans. Trace context is propagated to outbound HTTP calls via W3C headers.
• Structured Logging Migration: Migrated from custom logging module to slog-based structured logging with OTEL log bridge. Supports auto/JSON/text formats with optional GCP-compatible field names.
• Binary Path as Peer Service: server.address span attribute uses the actual binary path (e.g., /usr/bin/qpdf) instead of the software name.
• Telemetry Control for System Routes: New flags to disable telemetry for noisy system routes, all defaulting to disabled: --api-disable-root-route-telemetry, --api-disable-debug-route-telemetry, --api-disable-version-route-telemetry, --prometheus-disable-route-telemetry. The existing --api-disable-health-check-route-telemetry default changed from false to true.

Chromium

• Idle Shutdown: New --chromium-idle-shutdown-timeout flag (default: 0s, disabled) to automatically stop Chromium after a configurable idle period, reclaiming memory on low-traffic servers. The process re-launches lazily on the next request.
• Network Almost Idle Event: New skipNetworkAlmostIdleEvent form field (default: true). When set to false, Gotenberg waits for a "network almost idle" event (at most 2 open connections for 500ms) before conversion. This provides a middle ground between the existing skipNetworkIdleEvent (strict, 0 connections) and no wait at all — useful for pages with long-polling or analytics connections that never fully close.

LibreOffice

• PDF Viewer Preferences (#​1316): 15 new form fields for controlling PDF viewer behavior: initialView, initialPage, magnification, zoom, pageLayout, firstPageOnLeft, resizeWindowToInitialPage, centerWindow, openInFullScreenMode, displayPDFDocumentTitle, hideViewerMenubar, hideViewerToolbar, hideViewerWindowControls, useTransitionEffects, openBookmarkLevels.
• Idle Shutdown: New --libreoffice-idle-shutdown-timeout flag (default: 0s, disabled), same behavior as Chromium.

Webhook

• Event Callbacks (#​1473): New optional Gotenberg-Webhook-Events-Url header. When set, structured JSON events (webhook.success, webhook.error) are POSTed after each webhook operation, with correlationId and timestamp. Additive: existing Gotenberg-Webhook-Url and Gotenberg-Webhook-Error-Url continue to work unchanged.

Security & Networking

• Multiple URL Patterns: All allow/deny list flags (--chromium-allow-list, --chromium-deny-list, --webhook-allow-list, --webhook-deny-list, --webhook-error-allow-list, --webhook-error-deny-list, --api-download-from-allow-list, --api-download-from-deny-list) now accept multiple regex patterns via string slices. Existing single-value configurations continue to work.

Bug Fixes

• Chromium singlePage Margin Accounting (#​1046): The singlePage option now correctly accounts for top/bottom margins when calculating page height, fixing content overflow on tall pages.
• Long Filename Support (#​1500): Files with long names (166+ chars, especially with multi-byte UTF-8) no longer cause "File name too long" errors. Files are now stored on disk with UUID-based names while preserving original filenames for HTTP responses, archive entries, and JSON keys.

Deprecated Flags

Old	New
--log-format	--log-std-format
--log-enable-gcp-fields	--log-std-enable-gcp-fields
--api-trace-header	--api-correlation-id-header
--api-disable-health-check-logging	--api-disable-health-check-route-telemetry
--prometheus-disable-route-logging	--prometheus-disable-route-telemetry

All deprecated flags continue to work.

Chore

• Replaced go.uber.org/multierr with stdlib errors.Join.
• Added integration tests for Chromium screenshot routes (HTML, URL, Markdown).
• Added long filename integration tests across all PDF engine and conversion routes.
• Integration test retry mechanism: failed scenarios are automatically retried up to 3 times.
• Bumped actions/checkout to v6 in all GitHub Actions.

Thanks

Thanks to @​dkrizic (#​814) and @​jbdelhommeau (#​1489) for requesting OpenTelemetry/tracing support, @​eht16 (#​1316), @​nh2 (#​1023), @​Frozen666 (#​1046), @​vofflan (#​1500), @​danxmoran (#​1394), and @​janaka (#​1473) for their issue reports and feature requests!

---

This release represents a significant amount of work: OpenTelemetry integration, security fixes, new features, and hundreds of integration tests. If Gotenberg is useful to you or your team, please consider sponsoring the project. Your support helps keep development going.

v8.28.0: 8.28.0

Compare Source

New Features

PDF Engines

• Watermark: Added POST /forms/pdfengines/watermark route. Applies a watermark (behind page content) to one or more PDF files. Supports text, image, or pdf sources. Also available as optional form fields on Chromium, LibreOffice, merge, and split routes. Configurable via --pdfengines-watermark-engines (default: pdfcpu,pdftk).
• Stamp: Added POST /forms/pdfengines/stamp route. Applies a stamp (on top of page content) to one or more PDF files. Same source types and integration points as watermark. Configurable via --pdfengines-stamp-engines (default: pdfcpu,pdftk).
• Rotate: Added POST /forms/pdfengines/rotate route. Rotates pages by 90°, 180°, or 270° with optional page selection. Also available as optional form fields (rotateAngle, rotatePages) on all composite routes. Configurable via --pdfengines-rotate-engines (default: pdfcpu, pdftk).
• Bookmarks (Read): Added POST /forms/pdfengines/bookmarks/read route. Returns the hierarchical bookmark outline from one or more PDF files as JSON. Configurable via --pdfengines-read-bookmarks-engines (default: pdfcpu).
• Bookmarks (Write): Added POST /forms/pdfengines/bookmarks/write route. Accepts either a flat list (applied to all files) or a filename-keyed map. Configurable via --pdfengines-write-bookmarks-engines (default: pdfcpu, pdftk).
• Merge Bookmark Management: The merge route now supports a bookmarks form field for custom bookmarks with automatic page-offset shifting, and an autoIndexBookmarks option to extract and reindex existing bookmarks from input files.
• PDF/A & PDF/UA Compliance: Reordered the processing pipeline so that PDF/A and PDF/UA conversion runs after watermark, stamp, and flatten operations. Also reject incompatible combinations (e.g., PDF/A + encryption, PDF/A-1/2 + embeds) with a 400 Bad Request.

LibreOffice

• Native Watermarks: Added support for LibreOffice's built-in watermark rendering during PDF export via new form fields: nativeWatermarkText, nativeWatermarkColor, nativeWatermarkFontHeight, nativeWatermarkRotateAngle, nativeWatermarkFontName, and nativeTiledWatermarkText.

API

• Download From: Extended the downloadFrom JSON schema with a field property ("watermark", "stamp", "embedded", or "") to route downloaded files to the appropriate form field bucket. The existing embedded boolean is preserved for backward compatibility.

Chore

• Updated Chromium to 146.0.7680.153-1.
• Updated Go dependencies.

---

Configuration

📅 Schedule: (in timezone Europe/Paris)

• Branch creation
  • Every minute (* */1 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.