Co-op Cloud Recipe CI · Weekly Edition
The Recipe Report
Week of June 5, 2026 · report.ci.commoninternet.net · 2026-06-09 13:19 UTC
A clean run: of 18 recipes, thirteen upgrades are !testme GREEN and merge-ready, custom-html landed directly upstream, three are up-to-date, and only plausible is red. The table below is ordered by what to address first — CVE-bearing PRs at the top (keycloak, the nginx batch, mailu, uptime-kuma), then the one failure, then routine bumps.
The full wire — every recipe, in priority order
| Recipe | Change | TESTS | CVEs | CI | PR | STATUS | Notes |
|---|---|---|---|---|---|---|---|
| keycloak | 10.7.1+26.6.2 → 10.8.0+26.6.3 | GREEN | 16 | build 187 ✓ | #3 | … | Identity provider — 16 security fixes (OIDC/SAML/WebAuthn/LDAP) + MariaDB 12.2→12.3. Close superseded PR #2 (26.6.2). |
| lasuite-drive | 0.8.0+v0.18.0 → 0.9.0+v0.18.0 | GREEN | 7 | build 189 ✓ | #1 | … | nginx 1.30 → 1.31.1 (memory-safety + HTTP/3-spoofing CVE batch) + redis 8.6.4. Ready to merge. |
| matrix-synapse | 7.1.1+v1.149.1 → 7.3.0+v1.154.0 | GREEN | 7 | build 192 ✓ | #1 | … | synapse v1.154.0 + nginx 1.31.1 (same CVE batch) + MAS 1.18 (device_code_grant now defaults false — set true if used) + pg17→18. Bridges deferred. |
| mailu | 3.0.1+2024.06.37 → 3.0.1+2024.06.52 | GREEN | 1 | build 191 ✓ | #1 | … | Internet-facing Roundcube webmail CVE-2026-49217 + certdumper v2.11.2 + redis 8.0.6 (corrected from an unintended 8.8 jump). |
| uptime-kuma | 3.0.0+2.2.1 → 4.0.0+2.4.0 | GREEN | 1 | build 165 ✓ | #2 | … | Authenticated RCE fix (LiquidJS) + MariaDB 11.8 → 12.3 (back up the mariadb overlay first). |
| lasuite-meet | 0.3.0+v1.16.0 → 0.4.0+v1.19.0 | GREEN | 1 | build 190 ✓ | #3 | … | meet v1.19.0 (CVE-2026-45409 idna) + redis 8.6.4. Stale PR #4 closed. Ready to merge. |
| custom-html-tiny | 1.0.1+2.38.0 → 1.1.0+2.42.0 | GREEN | 1 | build 164 ✓ | #6 | … | static-web-server 2.42 (Basic-Auth timing CVE-2026-27480) + alpine/git v2.52.0. Ready to merge. |
| plausible | 3.0.1+v2.0.0 → 4.0.0+v2.0.0 | FAILED | none | RED 200 · install | #2 | … | pg 13→14 only (app stays v2.0.0, despite the v2.1.5 branch name). ClickHouse crash-loops every ~6s; v3 entrypoint may not redeploy. See companion PR #1 (also RED). |
| immich | — | SKIPPED | none | RED 121 · backup PR | #1 | … | abra can't parse tag+digest image pins, so no upgrade computed. Pre-existing backup-fix PR #1 sits RED at build 121. |
| cryptpad | 0.5.5+v2026.2.0 → 0.6.0+v2026.5.1 | GREEN | none | build 181 ✓ | #5 | … | 2026.5.1 office-corruption + security fixes; nginx already 1.31. SSO users: move SSO plugin to v0.5.0+. (Summary mis-filed it as skipped.) |
| discourse | 0.7.0+3.3.1 → 0.9.0+3.5.0 | GREEN | none | build 184 ✓ | #2 | … | discourse 3.5.0, redis 7.4→8.0, pg13→pgvector pg17 (manual dump/restore), bitnami→bitnamilegacy. Reconcile with fix PR #1. (183 flaked, 184 green.) |
| ghost | 1.3.0+6.42.0-alpine → 1.4.0+6.44.0-alpine | GREEN | none | build 185 ✓ | #4 | … | ghost 6.44.0 (no breaking changes) + MySQL 8.0 → 8.4 LTS, in-place. Ready to merge. |
| lasuite-docs | 0.3.4+v5.1.0 → 0.3.4+v5.2.0 | GREEN | none | build 188 ✓ | #5 | … | impress v5.2.0; auto-migration 0027; two optional new config vars. Clean. |
| mattermost-lts | 2.1.10+10.11.18 → 2.1.11+10.11.19 | GREEN | none | build 196 ✓ | #2 | … | 10.11.19 LTS patch; pg kept at 15 (16 broke PGDATA). Backup/restore reworked to inline labels (fixes a Swarm config-race). Reconcile with fix PR #1. |
| n8n | 3.3.0+2.23.2 → 3.4.0+2.25.3 | GREEN | none | build 197 ✓ | #5 | … | n8n 2.25.3 ($jmespath unsafe-token hardening); pg unchanged at 18; no required migrations. Clean. |
| custom-html | 1.11.0+1.29.0 → 1.13.0+1.31.1 | UPTODATE | none | build 182 ✓ · merged upstream | | | nginx 1.31.1 CVE batch + alpine/git v2.52.0 — merged directly into coopcloud upstream; mirror synced, PR #1 closed. No PR to action (CVEs already landed). |
| bluesky-pds | — | UPTODATE | none | | #1 | … | Up-to-date. Stray recipe-create-pr smoke-test PR #1 lingers — can be closed. |
| mumble | — | UPTODATE | none | | | | Up-to-date. |
Addendum
- cryptpad is filed under “skipped / up-to-date” in the upgrade-all summary, yet it carries a green upgrade PR (#5, build 181). The run's counts double-count it (13+1+1+4 = 19 vs 18 considered) — worth fixing the survey's classification so a recipe with an open upgrade PR is never also counted as skipped.
- Four recipes hold two open PRs each to reconcile: keycloak (#3 supersedes the older #2 — close #2), discourse (#2 upgrade + #1 bitnami→bitnamilegacy fix), mattermost-lts (#2 upgrade + #1 restore fix, now folded into #2), and plausible (#2 + #1, both RED). Decide which of each pair lands.
- plausible's PR branch is named v2.1.5 but the actual change is a conservative pg13→14 (the app stays at v2.0.0). The misleading branch name is worth correcting so reviewers aren't misled.
- plausible is RED: the clickhouse container restart-loops every ~6s at build 200. Either the CLICKHOUSE_ENTRYPOINT_VERSION=v3 config bump isn't being re-deployed under abra's --chaos deploy, or the 23.4.2.11-alpine image needs a version bump. Needs operator investigation — not a regression from the pg bump itself.
- immich was skipped because abra can't parse its tag-plus-digest image pins (e.g. …postgres:14-vectorchord@sha256:…). This is a tooling gap in abra, not a recipe regression — but it silently removes immich from the weekly survey, and its pre-existing backup-fix PR #1 (RED at build 121) guards real data and deserves a look.
- Backup-tier CI flakiness recurred this run: keycloak needed a re-run (186 backup flake → 187 green) and discourse did too (183 flake → 184 green). The recipe upgrades themselves are fine, but the backup tier is intermittently failing on first attempt — worth investigating to cut wasted re-runs.
- Two non-upgrade PRs linger and can be closed: bluesky-pds #1 (a recipe-create-pr skill smoke test) and hedgedoc #1 (a cc-ci generic-suite probe, green at build 113). hedgedoc is not part of the 18-recipe fleet.
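The tag-plus-digest pins that tripped abra in the immich item above are a standard form of container image reference: `[host/]path[:tag][@sha256:hex]`. As an added example (not abra's code and not part of this report), here is a Go parser that accepts tag-only, digest-only and tag-plus-digest pins and rejects a malformed digest; the registry host, path and hex digest used as input are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ImageRef is a parsed container image reference: [host/]path[:tag][@digest].
type ImageRef struct {
	Registry string // registry host (with optional port), empty for Docker Hub shorthand
	Path     string // repository path, e.g. "example/postgres"
	Tag      string // mutable tag, empty when untagged
	Digest   string // "sha256:<64 hex>", empty when not pinned
}

var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ParseImageRef accepts tag-only, digest-only and tag-plus-digest pins.
// The digest is split off first because it contains ':' itself; the tag is
// then the ':' after the last '/', so "host:5000/app" is not read as a tag.
func ParseImageRef(ref string) (ImageRef, error) {
	var out ImageRef
	rest := ref
	if i := strings.IndexByte(rest, '@'); i >= 0 {
		out.Digest, rest = rest[i+1:], rest[:i]
		if !digestRe.MatchString(out.Digest) {
			return ImageRef{}, fmt.Errorf("malformed digest %q", out.Digest)
		}
	}
	if i := strings.LastIndexByte(rest, ':'); i > strings.LastIndexByte(rest, '/') {
		out.Tag, rest = rest[i+1:], rest[:i]
		if out.Tag == "" {
			return ImageRef{}, errors.New("empty tag")
		}
	}
	// The first path component is a registry host only if it looks like one.
	if first, remainder, ok := strings.Cut(rest, "/"); ok &&
		(strings.ContainsAny(first, ".:") || first == "localhost") {
		out.Registry, rest = first, remainder
	}
	if rest == "" {
		return ImageRef{}, errors.New("missing repository path")
	}
	out.Path = rest
	return out, nil
}

// Pinned reports whether the reference is immutable (a digest is present).
func (r ImageRef) Pinned() bool { return r.Digest != "" }
```

A survey that uses a parser like this can still compute an upgrade for a recipe pinned by digest, rather than silently dropping it as skipped.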
Security Bulletin
🔒 Critical CVE upgrades
The nginx 1.29/1.30 → 1.31.1 bump closes a cluster of CVEs fixed in 1.31.0/1.31.1: heap buffer overflows in the rewrite/scgi/uwsgi modules (CVE-2026-42945/42946/9256), a charset-decode overread (CVE-2026-42934), proxy_set_body data injection on HTTP/2 backends (CVE-2026-42926), an HTTP/3 connection-migration address-spoofing flaw (CVE-2026-40460), and a use-after-free in the ssl_ocsp/DNS path (CVE-2026-40701). It ships GREEN this week in lasuite-drive (1.30.0→1.31.1, also redis 8.6.4) and matrix-synapse (1.29.6→1.31.1). cryptpad and custom-html already run 1.31.x. nginx serves here as a standard reverse proxy / static server, so the 1.31.0 HTTP/2 hop-by-hop header rejection does not affect well-behaved clients. Highest-value merges of the week.
keycloak 26.6.3 — sixteen security fixes on the identity provider (high)
keycloak 26.6.2 → 26.6.3 is a security patch release carrying sixteen fixes — including CVE issues across OIDC token handling, SAML processing, WebAuthn validation, and LDAP federation — plus a Quarkus 3.33.2 bump. As an identity provider fronting other services, keycloak is a high-priority merge. Bundled with a routine MariaDB 12.2 → 12.3 bump; no config changes required. !testme GREEN at build 187 (build 186 was a backup-tier flake). Note an older superseded upgrade PR (#2, 26.6.2) is still open — close it in favour of #3.
mailu — Roundcube webmail CVE-2026-49217 (high) · internet-facing
mailu 2024.06.37 → 2024.06.52 rolls up the Roundcube security fix CVE-2026-49217 along with certdumper v2.11.2 and a redis 8.0.6 patch (corrected back from an unintended 8.8 jump). Webmail is exposed on a mail host, so this one is worth prioritising. No config changes; !testme GREEN at build 191.
uptime-kuma — authenticated RCE fix (high) · plus MariaDB 12.3 major bump
uptime-kuma 2.2.1 → 2.4.0 patches a remote-code-execution flaw in the upstream LiquidJS dependency (exploitable by authenticated users; 2.2.1 had only a partial fix). It is bundled with a MariaDB 11.8 → 12.3 major-version bump on the mariadb overlay, so take a database backup before deploying that overlay. !testme GREEN at build 165 (head unchanged since 2026-06-02).
lasuite-meet v1.16.0 → v1.19.0 picks up CVE-2026-45409 (idna ≥3.15, baked into the image) in v1.19.0, alongside a deprecated-LiveKit-room-options API replacement and a redis 8.6.4 patch. No breaking changes; AUTO_MIGRATIONS handles the DB. !testme GREEN at build 190.
What changed
keycloak: 10.7.1+26.6.2 → 10.8.0+26.6.3. A security patch release: sixteen fixes spanning OIDC token handling, SAML processing, WebAuthn validation and LDAP federation, plus a Quarkus 3.33.2 bump and a routine MariaDB 12.2 → 12.3. No config changes. An older superseded PR #2 (26.6.2) is still open — close it for #3.
lasuite-drive: 0.8.0 → 0.9.0 (drive app already at v0.18.0). nginx 1.30 → 1.31.1 brings in the memory-safety + HTTP/3-spoofing CVE batch; redis patched to 8.6.4. Clean GREEN.
matrix-synapse: synapse v1.149.1 → v1.154.0, with MAS 1.14 → 1.18, nginx 1.31.1 (same CVE batch) and pgautoupgrade 17 → 18. One gotcha: MAS 1.18 changes device_code_grant_enabled to default false — set oauth.device_code_grant_enabled: true if you rely on device-code grants. The signal/telegram bridges and their pg13→17 dump/restore were deliberately deferred to a later PR.
mailu: 2024.06.37 → 2024.06.52. Rolls up the Roundcube webmail fix CVE-2026-49217, certdumper v2.11.2, and a redis 8.0.6 patch (corrected back from an unintended 8.8 jump). Internet-facing — prioritise. No config changes.
uptime-kuma: 2.2.1 → 2.4.0. Patches an authenticated RCE in the upstream LiquidJS dependency (2.2.1 had only a partial fix), bundled with a MariaDB 11.8 → 12.3 major bump — back up the mariadb overlay before deploying it.
lasuite-meet: v1.16.0 → v1.19.0. Picks up CVE-2026-45409 (idna ≥3.15), replaces a deprecated LiveKit room-options API, and patches redis to 8.6.4. AUTO_MIGRATIONS handles the DB; no breaking changes. Stale PR #4 was closed.
custom-html-tiny: 2.38.0 → 2.42.0. static-web-server 2.42 fixes the Basic-Auth timing leak CVE-2026-27480; alpine/git bumped to v2.52.0. Clean GREEN.
plausible: A conservative postgres 13.12 → 14.18 in-place upgrade (the app stays at v2.0.0, despite the v2.1.5 branch name). RED across three runs: the clickhouse container restart-loops every ~6s at build 200. Two pre-existing recipe bugs were fixed along the way (a missing stack-prefixed CLICKHOUSE_DATABASE_URL and a fragile ClickHouse entrypoint), but the v3 entrypoint bump may not redeploy under abra --chaos, or the image needs bumping. Companion fix PR #1 is also RED.
immich: No upgrade was computed — abra can't parse immich's tag-plus-digest image pins, so it was skipped from the survey. Separately, its pre-existing backup-fix PR #1 (back up the postgres database, previously unprotected) is RED at build 121 and guards real data.
cryptpad: 0.5.5+v2026.2.0 → 0.6.0+v2026.5.1. 2026.5.1 ships office-corruption and security fixes; nginx is already 1.31. SSO users must move the SSO plugin to v0.5.0+. (The upgrade-all summary mis-filed this as skipped/up-to-date.)
discourse: 0.7.0+3.3.1 → 0.9.0+3.5.0. discourse 3.5.0, redis 7.4 → 8.0, postgres 13 → pgvector pg17 (manual dump/restore per the recipe README), and bitnami → bitnamilegacy after Docker Hub emptied bitnami/discourse. Reconcile with fix PR #1. (183 flaked, 184 green.)
ghost: 6.42.0 → 6.44.0 (no breaking changes) plus a conservative MySQL 8.0 → 8.4 LTS in-place bump with no schema changes. Ready to merge.
lasuite-docs: 0.3.4+v5.1.0 → 0.3.4+v5.2.0. impress v5.2.0 with auto-migration 0027 and two optional new config vars. Clean GREEN.
mattermost-lts: 10.11.18 → 10.11.19 LTS patch. postgres kept at 15 (16 broke PGDATA). Backup/restore reworked to inline labels, fixing a Swarm config-race. Reconcile with fix PR #1 (the restore-was-a-no-op fix, now folded into #2).
n8n: 3.3.0+2.23.2 → 3.4.0+2.25.3. Spans n8n 2.24/2.25 with a $jmespath unsafe-token hardening; postgres unchanged at 18; no required migrations. Clean.
custom-html: 1.11.0+1.29.0 → 1.13.0+1.31.1. nginx 1.31.1 CVE batch + alpine/git v2.52.0 — but this one was merged directly into coopcloud upstream, so the mirror was synced and PR #1 closed. No PR to action; the CVE fixes have already landed.