Co-op Cloud Recipe CI · Weekly Edition

The Recipe Report

Week of June 2, 2026 · report.ci.commoninternet.net · 2026-06-02 23:19 UTC

The recipe fleet is in good health this week. Of 18 recipes considered, eleven upgrades are !testme GREEN and ready for your merge, two are blocked on genuine failures, and just one waits on a stale-test refresh. Ghost was already cleared by the operator since the run, and discourse flipped green overnight at build 179 — so the open-failure count is lower than the morning summary suggested.

Security leads the page, and it is nginx-heavy. The 1.29 → 1.31 jump closes a batch of memory-safety and request-smuggling CVEs (heap overflow in the rewrite module, proxy_set_body data injection, an ssl_ocsp use-after-free, HTTP/3 address spoofing) and rides into two recipes — custom-html and cryptpad — both already green. Merge those two first. Right behind them: mailu rolls up a Roundcube webmail CVE, uptime-kuma patches an authenticated RCE, and the redis 8.8 bump (lasuite-meet, lasuite-docs) carries several redis CVEs. All green, all low-risk.

The two failures share a single theme worth your attention: Postgres/ClickHouse backup-and-restore plumbing. mattermost-lts can't go green because of a pre-existing restore bug (its 10.11.19 ESR ships medium-severity security fixes that are now hostage to it), and plausible's pg13→16 + ClickHouse 24 migration trips on a deploy-time issue. Both have companion ci/* fix PRs that predate this run — reconcile each upgrade with its sibling rather than chasing the version bump alone.

The trend to watch is Postgres majors. pgautoupgrade 17→18 and the various pg13→16 jumps are this week's recurring friction: n8n needs a mandatory volume-path move (it's green, but do not merge-and-forget), matrix-synapse's data-preservation test went stale against pg18's new data-dir layout, and the same family of restore tests is what blocks mattermost. A pass over the CI's pg18 data-preservation tests would pay for itself.

Security Bulletin

🔒 Critical CVE upgrades — merge first

nginx 1.31 — memory-safety + request-smuggling CVE batch (high) · custom-html, cryptpad
Bumping the nginx sidecar from 1.29 to 1.31.1 closes a cluster of CVEs fixed in 1.31.0/1.31.1: heap buffer overflows in the rewrite module, data injection via proxy_set_body, an HTTP/3 address-spoofing flaw, and a use-after-free in the DNS/ssl_ocsp path. Two recipes ship the sidecar — custom-html (also alpine/git → v2.52.0) and cryptpad — and both are !testme GREEN. These are the highest-value merges of the week; do them first.
mailu — Roundcube webmail CVE-2026-49217 (high) · internet-facing
mailu 2024.06.37 → 2024.06.52 rolls up the Roundcube security fix CVE-2026-49217 along with certdumper v2.11.2 and a redis 8.8 bump. Webmail is exposed on a mail host, so this one is worth prioritising. No config changes; !testme GREEN.
uptime-kuma — authenticated RCE fix (high) · plus MariaDB 12.3 major bump
uptime-kuma 2.2.1 → 2.4.0 patches a remote-code-execution flaw in an upstream dependency (exploitable by authenticated users). It is bundled with a MariaDB 11.8 → 12.3 major-version bump, so take a database backup before deploying if you run the mariadb overlay. !testme GREEN.
redis 8.8 — CVE-2026-23479, CVE-2026-25243 (moderate) · lasuite-meet, lasuite-docs
The redis 8.6.3 → 8.8.0 bump carries several redis security patches, including CVE-2026-23479 and CVE-2026-25243. It ships in lasuite-meet (alongside the meet v1.16→v1.17 app upgrade) and lasuite-docs. Redis is used purely as cache/session/pub-sub here, so the upgrade is drop-in. Both green.
static-web-server — Basic-Auth timing attack CVE-2026-27480 (low/moderate) · custom-html-tiny
static-web-server 2.38 → 2.42 picks up CVE-2026-27480, a timing attack in Basic Auth fixed in v2.41.0. Note v2.41 also flips --ignore-hidden-files and --disable-symlinks on by default; this recipe serves an explicit -d path and is unaffected. !testme GREEN.

⚑ Needs attention

Eleven green PRs await your merge
The merge-ready set: cryptpad, custom-html, custom-html-tiny, discourse, keycloak, lasuite-docs, lasuite-meet, mailu, n8n, and uptime-kuma — plus ghost, which the operator already resolved. discourse #2 is the late arrival: it is now !testme GREEN at build 179, clearing the stale-test RED (the allow_uncategorized_topics default flip) that the morning run had flagged. Full per-recipe detail in the wire below.
mattermost-lts — RED on restore; a security patch is held hostage
The 10.11.19 ESR bump is correct and carries medium-severity security fixes, but !testme is RED at build 161 on test_restore_returns_state — a pre-existing backup/restore bug (the ci_marker row does not survive backup→restore), not something this upgrade introduced. Three restore strategies were tried without success. A companion fix PR (#1, ci/pg-restore) is open; reconcile the pair. The security patch cannot land until restore is fixed.
plausible — RED on deploy after the pg13→16 + ClickHouse 24 jump
plausible 4.0.0+v2.1.5 (image moved Docker Hub → GHCR, postgres 13→16, ClickHouse 23.4→24.3) is RED at build 168. The ClickHouse IPv6-bind crash was fixed with an ipv4-only config, but the deploy still fails: Postgres appears to stay at 13 and the app gets NXDOMAIN for the events DB — most likely abra re-fetching the upstream compose over the PR head. A companion PR (#1, ci/clickhouse-backup-resilient) is also open and RED. Note: the v3.x-only CVE-2026-8467 does not affect this v2.1.5 target.
matrix-synapse — green except for one stale test; run --with-tests
synapse v1.149.1 → v1.153.0 (with mas 1.17, nginx 1.31.1, pgautoupgrade 17→18) is RED at build 158 only on test_upgrade_preserves_data — the ci_marker table is lost across the pg17→18 in-place upgrade. Everything else passes (reconverge, serving, backup, restore, /_matrix/client/versions 200), so the diagnosis is a stale CI test, not a broken upgrade. Refresh it with /recipe-upgrade matrix-synapse --with-tests.
n8n — GREEN, but a mandatory migration rides with it
n8n 2.20.6 → 2.23.2 is !testme GREEN at build 162, but the pgautoupgrade 17→18 bump requires the volume mount path to move from /var/lib/postgresql/data to /var/lib/postgresql, and an in-place pg_upgrade --link runs on first start. Back up the database first, and apply the path change on existing deployments — green here does not mean no-op for operators.
ghost — already resolved since the run
Ghost now has no open PR. The operator merged the backup-fix PR (#1, which landed Ghost at 6.42.0-alpine and added a proper mysql restore hook) and closed the 6.43.1 PR (#3). Net effect: the data-loss-on-restore bug is fixed, but Ghost sits one patch behind the 6.43.1 the upgrader had proposed — a future run can re-offer that bump.

Routine

Clean dependency bumps
keycloak 10.7.1 → 10.8.0 (MariaDB 12.2 → 12.3, app unchanged) and lasuite-docs 0.3.3 → 0.3.4 (redis 8.8) are routine, no-operator-action bumps — both green. lasuite-meet also carries its meet v1.17.0 app upgrade with no required config changes.
Skipped — already current
bluesky-pds, mumble, and lasuite-drive are up-to-date (drive's collabora/minio/onlyoffice tags are unparseable to abra, but its core images are at latest).
immich — blocked by an abra tooling limit
immich was skipped: abra cannot parse its tag-plus-digest image references (e.g. ghcr.io/immich-app/postgres:14-vectorchord…@sha256:…), so the survey can't compute an upgrade. An explanatory comment was left on its open PR #1. This is a tooling gap, not a recipe fault.
Infrastructure footnote
Eight recipes initially failed the survey with an abra go-git auth error (credentials must be embedded in the git origin URL, not via .netrc); all were recovered before the run completed. No fleet impact.

The full wire — every recipe

| Recipe | Change | Status | CI | PR | Notes |
|---|---|---|---|---|---|
| cryptpad | 0.5.4+v2026.2.0 → 0.5.5+v2026.2.0 | GREEN | build 154 ✓ | #4 | nginx 1.29 → 1.31 (CVE batch). Ready to merge. |
| custom-html | 1.11.0+1.29.0 → 1.13.0+1.31.1 | GREEN | build 163 ✓ | #1 | nginx 1.31.1 CVEs + alpine/git v2.52.0. Ready to merge. |
| custom-html-tiny | 1.0.1+2.38.0 → 1.1.0+2.42.0 | GREEN | build 164 ✓ | #6 | static-web-server 2.42 (Basic-Auth timing CVE). |
| discourse | 0.7.0+3.3.1 → 0.8.0+3.5.0 | GREEN | build 179 ✓ | #2 | Now green — stale test cleared. pg13→16, backup fix, bitnami→bitnamilegacy (archived mirror). |
| ghost | 1.2.0+6.21.2-alpine → 1.3.0+6.42.0-alpine | UPTODATE | merged | #1 | Resolved by operator: #1 merged (backup fix, 6.42.0); 6.43.1 PR #3 closed. |
| keycloak | 10.7.1+26.6.2 → 10.8.0+26.6.2 | GREEN | build 155 ✓ | #2 | MariaDB 12.2 → 12.3. Clean. |
| lasuite-docs | 0.3.3+v5.1.0 → 0.3.4+v5.1.0 | GREEN | build 169 ✓ | #4 | redis 8.6.3 → 8.8.0 (CVEs). Clean. |
| lasuite-meet | 0.3.0+v1.16.0 → 0.3.0+v1.17.0 | GREEN | build 156 ✓ | #3 | meet v1.17.0 + redis 8.8 (CVEs). Swagger routes now /api-prefixed. |
| mailu | 3.0.1+2024.06.37 → 3.0.1+2024.06.52 | GREEN | build 157 ✓ | #1 | Roundcube CVE-2026-49217 + certdumper v2.11.2 + redis 8.8. |
| matrix-synapse | 7.1.1+v1.149.1 → 7.2.0+v1.153.0 | STALE | RED 158 · upgrade-test | #1 | Stale test_upgrade_preserves_data (pg17→18 ci_marker loss). Run --with-tests. |
| mattermost-lts | 2.1.10+10.11.18 → 2.2.0+10.11.19 | FAILED | RED 161 · restore | #2 | Pre-existing restore bug; see companion #1. ESR carries a medium-severity security patch. |
| n8n | 3.2.0+2.20.6 → 3.3.0+2.23.2 | GREEN | build 162 ✓ | #4 | ⚠ pg17→18: volume path /var/lib/postgresql/data → /var/lib/postgresql; back up first. |
| plausible | 3.0.1+v2.0.0 → 4.0.0+v2.1.5 | FAILED | RED 168 · deploy | #2 | GHCR move + pg13→16 + ClickHouse 24. ClickHouse fixed; deploy still fails (pg re-fetch). See #1. |
| uptime-kuma | 3.0.0+2.2.1 → 4.0.0+2.4.0 | GREEN | build 165 ✓ | #2 | Authenticated RCE fix + MariaDB 11.8 → 12.3 (back up first). |
| bluesky-pds | (none) | UPTODATE | (none) | (none) | Up-to-date. |
| mumble | (none) | UPTODATE | (none) | (none) | Up-to-date. |
| lasuite-drive | (none) | UPTODATE | (none) | (none) | Up-to-date (some tags unparseable; core images at latest). |
| immich | (none) | SKIPPED | (none) | #1 | abra cannot parse tag+digest image pins; explanatory comment left on PR. |