A strong run: twelve fleet upgrades came back !testme GREEN and merge-ready — led by matrix-synapse, which carries the week's only security batch (the nginx 1.31.1 CVE cluster), and by plausible, finally green after weeks of ClickHouse-driven RED on a clean postgres 13→16 migration. Only ghost is red, and not from its own code: a timing-sensitive MySQL 8.0→8.4 data-directory race that surfaced under heavy server load (it passed the same path a week earlier). Five recipes are up-to-date. Merge matrix-synapse first.
| Recipe | Change | TESTS | CVEs | CI | PR | STATUS | Notes |
|---|---|---|---|---|---|---|---|
| matrix-synapse | 7.1.1+v1.149.1 → 7.3.0+v1.154.0 | GREEN | 7 | build 527 ✓ | #2 | … | nginx 1.29.6 → 1.31.1 brings the memory-safety + HTTP/3-spoofing CVE batch — the week's top merge. Also synapse v1.154.0, MAS 1.18 (device_code_grant now defaults false), pg17→18 (back up first). Bridges deferred. |
| ghost | 1.3.0+6.42.0-alpine → 1.4.0+6.44.1-alpine | FAILED | none | RED 519 · upgrade | #4 | … | Not a recipe regression: MySQL 8.0→8.4 data-dir upgrade race paused the Swarm update under load (run 1, June 5, passed the same path). Fix option: update_config.monitor: 300s on app, or re-run on a quiet server. |
| plausible | 3.0.1+v2.0.0 → 3.1.0+v2.0.0 | GREEN | none | build 530 ✓ | #3 | … | Recovered after weeks RED. Conservative postgres 13→16 via pgautoupgrade (app stays v2.0.0); resilient ClickHouse entrypoint + backup labels. First green run end-to-end. |
| discourse | 0.8.0+3.3.1 → 0.10.0+3.5.0 | GREEN | none | build 521 ✓ | #2 | … | discourse 3.5.0, postgres 13→16, redis 7.4→8.8, bitnami→bitnamilegacy. Earlier attempts died on Swarm 'New' hiccups; green once the daemon was restarted. Reconcile with legacy-image fix PR #1. |
| immich | 1.6.0+v2.7.5 → 1.8.0+v2.7.5 | GREEN | none | build 522 ✓ | #2 | … | postgres pgvectors 0.2.0→0.3.0 (app v2.7.5 unchanged) + update_config.failure_action: continue to ride out the transient app/db restart race. Green on attempt 4. Branch still named upgrade-1.7.0. |
| uptime-kuma | 2.2.1 → 2.4.0 (already upstream) | GREEN | none | build 531 ✓ | #3 | … | The 2.4.0 upgrade (with its authenticated-RCE fix) already landed in upstream main; this PR adds only MARIADB_AUTO_UPGRADE=1 to the mariadb overlay. CI exercises the SQLite path only — the overlay change is uncovered. |
| mailu | 3.1.0+2024.06.52 → 3.2.0+2024.06.52 | GREEN | none | build 526 ✓ | #4 | … | redis 8.0.6 → 8.8.0 only; all mailu images stay at 2024.06.52 (latest). Cache-only Redis, no migration. Reconcile with backupbot-labels PR #3. |
| lasuite-drive | 0.9.0+v0.18.0 → 0.10.0+v0.19.0 | GREEN | none | build 524 ✓ | #2 | … | drive v0.19.0 (auto DB migration drops deprecated numchild columns; WOPI VersionId→Etag) + redis 8.8.0. nginx already at 1.31.1. Smoke-test Collabora/OnlyOffice editing after. |
| lasuite-meet | 0.4.0+v1.19.0 → 0.4.1+v1.19.0 | GREEN | none | build 525 ✓ | #6 | … | Infra-only: livekit v1.12→v1.13.1 + redis 8.8.0. v1.13.1 drops TURN-auth-without-TTL support — only matters for custom TURN configs (standard deploys unaffected). Stale PR #5 closed. |
| lasuite-docs | 0.3.4+v5.1.0 → 0.3.5+v5.2.1 | GREEN | none | build 523 ✓ | #5 | … | impress v5.2.1; auto-migration 0027 (runs without superuser now) + two optional new config vars. No breaking changes. Clean GREEN. |
| n8n | 3.3.0+2.23.2 → 3.5.0+2.26.3 | GREEN | none | build 528 ✓ | #5 | … | n8n 2.26.3; auto DB migrations (timestamptz conversion may be slow on large instances). Behavior change: credentials now restricted to declared supported nodes — review complex workflows post-merge. |
| mattermost-lts | 2.1.11+10.11.19 → 2.1.12+10.11.19 | GREEN | none | build 529 ✓ | #2 | … | No image bump — 10.11.19 is the current ESR (10.12 expired Dec 2025). Recipe-only: gzip backups + a real restore hook (was a no-op). Reconcile with older restore-fix PR #1. |
| custom-html-tiny | 1.1.0+2.42.0 → 1.2.0+2.43.0 | GREEN | none | build 510 ✓ | #7 | … | static-web-server 2.42 → 2.43 patch bump. No config changes. Clean GREEN. |
| keycloak | 26.6.2 → 26.6.3 (merged upstream) | UPTODATE | none | | | | The 26.6.3 security patch (last week's 16-fix identity-provider batch) merged directly into coopcloud upstream (PR #34); the mirror is synced. No PR to action — the CVEs have landed. |
| cryptpad | — | UPTODATE | none | | | | Up-to-date. A version-parse warning on the app image (non-semver tag) means the survey computes no upgrade — worth a glance, but nothing pending. |
| custom-html | — | UPTODATE | none | | | | Up-to-date (the nginx 1.31.1 CVE batch already landed upstream in a prior week). |
| bluesky-pds | — | UPTODATE | none | build 435 ✓ | #2 | … | Filed up-to-date by the run, yet an open GREEN upgrade PR #2 (0.3.0+v0.4.219, build 435) lingers from an earlier session. Reconcile or close — the two states disagree. |
| mumble | — | UPTODATE | none | | | | Up-to-date. |
7.1.1+v1.149.1 → 7.3.0+v1.154.0. nginx 1.29.6 → 1.31.1 (the memory-safety + HTTP/3-spoofing CVE batch — see the bulletin), synapse v1.149.1 → v1.154.0, MAS 1.14 → 1.18, and pgautoupgrade 17 → 18 (PGDATA pinned so it upgrades in place rather than re-initialising). Two gotchas: MAS 1.18 flips oauth.device_code_grant_enabled to false by default — set it true if you rely on device-code grants; and Synapse 1.150 cut the postgres statement timeout to 10 minutes. Take a DB backup before deploying. The signal/telegram bridge CalVer jumps and their pg13→17 dump/restore were deliberately deferred to a later PR.
3.0.1+v2.0.0 → 3.1.0+v2.0.0. A conservative postgres 13 → 16 in-place upgrade via pgautoupgrade (the app stays at v2.0.0). This is the run that finally turned plausible green after weeks of ClickHouse crash-loop REDs: the recipe now ships a resilient ClickHouse entrypoint (versioned cache, retries, binary verification), a stack-prefixed CLICKHOUSE_DATABASE_URL, backupbot-v2 backup labels, and app restart_policy: any (for the BEAM exit-0 supervisor escalation). pgautoupgrade handled 13→16.14 automatically on first start; migrations applied clean. After a restore, restart the app so Ecto drops its stale type-OID cache.
1.3.0+6.42.0-alpine → 1.4.0+6.44.1-alpine, plus a conservative MySQL 8.0 → 8.4 LTS in-place bump (no schema changes). Ghost 6.44.1 is a minor-series release with no breaking changes. The PR is RED only because of a timing-sensitive race: during the rolling update Swarm restarts app and db simultaneously, MySQL 8.4 runs its data-dir upgrade for ~10–60s, and Ghost crashes trying to connect before it's ready — under heavy load this trips Swarm's default 5s update monitor and pauses the deploy. Run 1 (June 5) passed the same path on a quiet server. Merge as-is if comfortable, or add update_config.monitor: 300s to the app service first.
0.8.0+3.3.1 → 0.10.0+3.5.0. discourse 3.5.0, postgres 13 → 16, redis 7.4 → 8.8, and bitnami → bitnamilegacy after Docker Hub emptied bitnami/discourse. The postgres jump is a manual dump/restore per the recipe README. Earlier !testme attempts were killed by Docker Swarm 'New'-state hiccups (an infra problem, fixed by a daemon restart); this run was GREEN on the first attempt afterward. Reconcile with the standalone bitnamilegacy fix PR #1.
1.6.0+v2.7.5 → 1.8.0+v2.7.5. App stays at v2.7.5; the change is the database image (postgres pgvectors 0.2.0 → 0.3.0) plus two robustness fixes: a real app healthcheck (immich-healthcheck, start_period 120s) and update_config.failure_action: continue. The last one matters — when the app (label change) and database (image change) update at once, the app crashes transiently on a TypeORM connection failure; without 'continue', Swarm pauses the whole update. With it, Docker's restart policy retries the app until the DB is ready (~15–20s). Green on attempt 4 (earlier reds were IPAM exhaustion and the paused-update race). The branch is still named upgrade-1.7.0+v2.7.5.
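The two Swarm settings named for ghost (update_config.monitor: 300s) and immich (a real healthcheck with start_period 120s plus update_config.failure_action: continue), shown together in one compose fragment as an added example. This is not the ghost or immich recipe's own compose file, and it combines options the notes above list separately; the service names `app` and `db`, the image tags, the Ghost port 2368 and the wget probe are assumptions.

```yaml
# Added example, not the ghost or immich recipe's compose file.
# Assumptions: services named `app` and `db`, a Ghost listener on port 2368,
# a wget-based probe, and the image tags below; adjust to the real recipe.
version: "3.8"
services:
  app:
    image: ghost:6.44.1-alpine        # this week's target tag
    depends_on:
      - db                            # ignored by `docker stack deploy`: Swarm gives no start ordering
    healthcheck:
      # Assumed probe. Swarm only treats the task as ready once this passes,
      # so the update watches the app itself, not just the container start.
      test: ["CMD-SHELL", "wget -q --spider http://127.0.0.1:2368/ || exit 1"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 120s              # same grace immich uses; covers the db's 10-60s data-dir upgrade
    deploy:
      restart_policy:
        condition: any                # Swarm restarts the app until the db accepts connections
      update_config:
        # Swarm defaults are monitor: 5s and failure_action: pause, which is
        # the window the ghost deploy tripped under load.
        monitor: 300s                 # the fix option from the ghost notes
        failure_action: continue      # the setting the immich recipe adopted: no stack-wide pause on a transient crash
  db:
    image: mysql:8.4                  # assumed tag; the data-directory upgrade runs on first start after 8.0
    volumes:
      - mysql_data:/var/lib/mysql
volumes:
  mysql_data:
```

Either key alone matches what the respective PR did; using both means a crash inside the monitor window neither pauses the stack nor is hidden, since the healthcheck still reports the task unhealthy until the app actually answers.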
The real 2.2.1 → 2.4.0 upgrade (including its authenticated-RCE fix and the MariaDB 11.8 → 12.3 bump) already landed in coopcloud upstream main and the mirror — version label 3.1.0+2.4.0. This PR adds only MARIADB_AUTO_UPGRADE=1 to the mariadb overlay, a safety net for operators with existing MariaDB 11.x data bumping to 12.3. Note the cc-ci suite tests the SQLite path only, so the green verdict does not exercise the line this PR actually changes — review the overlay edit by eye.
0.9.0+v0.18.0 → 0.10.0+v0.19.0. drive v0.19.0 ships an automatic DB migration that drops deprecated numchild columns from the item table (entrypoint runs manage.py migrate), and switches WOPI's VersionId to Etag — transparent in normal use, but worth a Collabora/OnlyOffice editing smoke test. redis bumped 8.6.4 → 8.8.0 (drop-in); nginx already at 1.31.1. Monitor the migration in backend logs on data-heavy instances.
0.3.4+v5.1.0 → 0.3.5+v5.2.1. impress v5.2.1: v5.2.0 added presentation mode, a comments/TOC side panel, subdocuments and global search (no breaking changes; migration 0027 now runs without superuser), and v5.2.1 is bug-fixes only. Two new optional env vars (DOCUMENT_ALL_ENDPOINT_ENABLED, OIDC_OP_USER_ENDPOINT_FORMAT) are backward-compatible. AUTO_MIGRATIONS handles the DB. Clean GREEN.
3.3.0+2.23.2 → 3.5.0+2.26.3 (extends the never-merged 2.25.3 PR with 2.26.3). pg stays at 18; no compose/env changes. DB migrations auto-run on startup (the 2.25.1 timestamptz conversion can be slow on large instances — back up first). One behavior change to flag for users: 2.25.1 restricts credentials to declared supported nodes, so workflows using credentials on unofficial nodes may break; API key scopes were also split. Not a CI concern, but review complex workflows after merging.
2.1.11+10.11.19 → 2.1.12+10.11.19. No image bump — 10.11.19 is the current ESR (10.12 is an innovation release that expired December 2025; the next ESR, 11.7, is a major jump for later). This is a recipe-only patch: backups are now gzip-compressed (backup.sql, not postgres-backup.sql) and a real restore hook was added (it terminates connections, drops/recreates the DB and restores with ON_ERROR_STOP=1 — restore was previously a no-op). Old backup files are left in place. Reconcile with the older restore-fix PR #1.
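An added example of how a restore hook of the kind described above looks when expressed as backupbot-v2 deploy labels (gzip-compressed dump, terminate connections, drop/recreate, load with ON_ERROR_STOP=1). This is not the mattermost-lts recipe's own compose file; the `db` service name, the /backup path, the `backup.sql.gz` file name and the backupbot hook label names are assumptions.

```yaml
# Added example, not the mattermost-lts recipe's compose file.
# Assumptions: a `db` postgres service, backups under /backup, backupbot-v2
# label names (backupbot.backup.pre-hook / backupbot.restore.post-hook), and
# the dump stored gzip-compressed as backup.sql.gz.
# `$$` is compose escaping: the container's own POSTGRES_* env is read at run time.
version: "3.8"
services:
  db:
    image: postgres:13               # placeholder tag
    volumes:
      - postgres_backup:/backup
    deploy:
      labels:
        backupbot.backup: "true"
        backupbot.backup.path: "/backup"
        # Backup: one gzip-compressed dump file.
        backupbot.backup.pre-hook: >-
          sh -c 'set -e;
          pg_dump -U "$$POSTGRES_USER" "$$POSTGRES_DB" | gzip > /backup/backup.sql.gz'
        # Restore: kick other sessions off the database, drop and recreate it,
        # then load with ON_ERROR_STOP=1 so a broken dump fails the hook instead
        # of leaving a half-restored database behind.
        # (Connecting to the target DB and using current_database() avoids
        # nesting single quotes inside the sh -c string.)
        backupbot.restore.post-hook: >-
          sh -c 'set -e;
          psql -U "$$POSTGRES_USER" -d "$$POSTGRES_DB" -v ON_ERROR_STOP=1
          -c "SELECT pg_terminate_backend(pid) FROM pg_stat_activity
          WHERE datname = current_database() AND pid <> pg_backend_pid();";
          dropdb -U "$$POSTGRES_USER" "$$POSTGRES_DB";
          createdb -U "$$POSTGRES_USER" "$$POSTGRES_DB";
          gunzip -c /backup/backup.sql.gz
          | psql -U "$$POSTGRES_USER" -d "$$POSTGRES_DB" -v ON_ERROR_STOP=1'
volumes:
  postgres_backup:
```

The `>-` folded scalars join each hook into a single shell line, so the `;` separators and `set -e` are what sequence and abort the steps; if the application reconnects between the terminate and the drop, `dropdb` fails and the hook stops rather than restoring over a live database.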