Co-op Cloud Recipe CI · Weekly Edition

The Recipe Report

Week of June 19, 2026 · report.ci.commoninternet.net · 2026-06-19 04:02 UTC

A clean, busy run: of 18 recipes considered, ten upgrades are !testme GREEN and merge-ready, none failed outright, and only discourse is red — and that red is a stale test gate, not a real regression. This week's security theme is the nginx 1.31.2 memory-safety CVE batch riding in on three recipes (matrix-synapse, lasuite-drive, lasuite-meet), alongside hedgedoc's four-advisory patch, gitea's multi-CVE 1.26.2, and redis fixes in internet-facing mailu — address those, plus mattermost-lts's major 10.x → 11.7 ESR jump, first. The table below is ordered by what to merge first: CVE-bearing PRs by count, then the stale one, then routine bumps.

The full wire — every recipe, in priority order

Recipe | Change | Tests/Status | CVEs | CI | PR | Notes
--- | --- | --- | --- | --- | --- | ---
hedgedoc | 1.10.8 → 1.11.0 (+ pgautoupgrade 16→17) | GREEN | 4 | build 931 ✓ | #2 | Security patch: 4 advisories (HTML injection, YAML-frontmatter DoS, Gist-export CSRF, CF-Connecting-IP rate-limit bypass). Bundled pgautoupgrade 16→17 (auto-migrates). No breaking changes.
matrix-synapse | v1.154.0 → v1.155.0 (+ MAS 1.19.0, nginx 1.31.2) | GREEN | 3 | build 936 ✓ | #4 | nginx 1.31.2 closes 3 memory-safety CVEs; MAS 1.19.0 adds X-Frame-Options: DENY hardening. Synapse bugfixes only. mautrix bridge CalVer bumps deferred to a later PR.
lasuite-drive | nginx 1.31.1 → 1.31.2 | GREEN | 3 | build 933 ✓ | #4 | nginx 1.31.2 security patch: CVE-2026-42530 (HTTP/3 UAF), CVE-2026-42055 (HTTP/2 heap overflow), CVE-2026-48142 (charset overread). Pure patch, no config changes. Reconcile with stale regall-sweep PR #3.
lasuite-meet | v1.19.0 → v1.21.0 (+ nginx 1.31.2) | GREEN | 3 | build 934 ✓ | #7 | Same nginx 1.31.2 CVE batch, plus meet v1.20/v1.21 features (no migrations). Ready to merge.
gitea | 1.24.2-rootless → 1.26.2-rootless (+ pg 15.13→15.18) | GREEN | 2 | build 932 ✓ | #3 | 1.26.2 carries multiple CVE fixes (count unspecified upstream); strongly recommended on an internet-facing git host. Two minor versions + app.ini writability fix. PUBLIC_URL_DETECTION now 'auto' — verify behind Traefik. Superseded PR #2 already closed.
mailu | redis 8.0.6 → 8.8.0 (+ certs-dumper v2.11.4) | GREEN | 2 | build 935 ✓ | #4 | redis 8.8.0 fixes CVE-2025-32023 (HyperLogLog OOB write) + CVE-2025-48367 + an unblock-client UAF. Internet-facing mail host — prioritise. Mailu app images already current. Reconcile with backupbot-v2 PR #3.
drone | 2.26.0 → 2.28.2 | GREEN | 1 | build 930 ✓ | #2 | v2.27.2 ships a docker/distribution CVE fix; v2.28.1 fixes stages stuck pending. Drop-in for Gitea-based setups, no config changes.
n8n | 2.23.2 → 2.27.2 | GREEN | 1 | build 938 ✓ | #6 | 2.27.0 includes CVE fixes plus S3 execution storage and Data Redaction GA; 30+ auto-migrations ran clean. Close superseded upgrade PR #5 (older 2.26.3).
discourse | redis 7.4-alpine → 8.8-alpine | STALE | none | RED 929 · upgrade-gate | #6 | redis bump is correct (RDB from 7.4.9 loaded cleanly). RED by design: the upgrade-gate tests assert the official-image switch (PR #5), which this redis-only PR doesn't perform. Three open PRs to reconcile — see Addendum.
mattermost-lts | 10.11.20 → 11.7.5 (ESR major jump) | GREEN | none | build 939 ✓ | #2 | Major ESR 10.11 → 11.7 (current ESR, EOL 2027-05). 11.7.5 specifically (avoids the 11.7.0–.2 schemeid migration bug). Folds in the restore-was-a-no-op fix. pg stays at 15. Release with -x. PR title is misleading — see Addendum.
bluesky-pds | 0.4.219 → 0.4.5001 | GREEN | none | build 753 ✓ | #3 | New CalVer-style tag; image moved Node 20→24 and runs TypeScript directly, so entrypoint.sh was switched index.js→index.ts (without it the container crash-loops). No data migration. A separate routing-fix PR #4 has no testme verdict — see Addendum.
custom-html | → 1.14.0+1.31.1 | UPTODATE | none | build 737 ✓ | #5 | Not in this week's run. A carried-over upgrade PR #5 sits GREEN from an earlier build (737).
custom-html-tiny | - | UPTODATE | none | build 752 ✓ | #8 | Not in this week's run. Lingering 'regall sweep' artifact PR #8 (GREEN) can be triaged/closed.
cryptpad | - | UPTODATE | none | - | - | Up-to-date; no upgrade computed.
keycloak | - | UPTODATE | none | - | - | Up-to-date (last week's 26.6.3 security batch already landed).
lasuite-docs | - | UPTODATE | none | - | - | Up-to-date; images current (catalogue server returned a transient 500).
plausible | - | UPTODATE | none | - | - | Up-to-date this run. Last cycle's pg13→14 / ClickHouse red has cleared from the open-PR set.
mumble | - | UPTODATE | none | build 732 ✓ | #1 | Up-to-date. Leftover 'cfold sweep probe' PR #1 (GREEN) can be closed.
uptime-kuma | - | UPTODATE | none | - | - | Tagged `external` — used/tested here but maintained elsewhere; not part of the weekly survey. No open PR.
ghost | - | SKIPPED | none | build 744 ✓ | #6 | ghost 6.45.0-alpine already latest. MySQL 9.x (up to 9.7 offered) deliberately not taken — Ghost officially supports MySQL 8 only. Lingering 'regall sweep' PR #6 (GREEN).
immich | - | SKIPPED | none | build 745 ✓ | #3 | Still silently dropped from the survey — abra can't parse immich's tag-plus-digest image pins, so no upgrade is computed. Lingering 'regall sweep' PR #3 (GREEN). See Addendum.

Addendum

Security Bulletin

🔒 Critical CVE upgrades

nginx 1.31.2 — memory-safety CVE batch (high) · matrix-synapse, lasuite-drive, lasuite-meet
The nginx 1.31.1 → 1.31.2 bump (released 2026-06-17) closes three memory-corruption CVEs reachable through normal proxying: CVE-2026-42530, a use-after-free in HTTP/3 QUIC session processing; CVE-2026-42055, a heap buffer overflow on HTTP/2 / gRPC proxying with large_client_header_buffers and ignore_invalid_headers off; and CVE-2026-48142, a heap buffer overread in UTF-8 charset_map decoding. nginx fronts these recipes as the public reverse proxy, so this is the highest-value batch of the week — it ships GREEN in matrix-synapse (build 936), lasuite-drive (933), and lasuite-meet (934).

gitea 1.26.2 — multiple CVE fixes on an internet-facing git host (high) · gitea
gitea 1.24.2 → 1.26.2-rootless spans two minor versions and lands on 1.26.2, which upstream flags as carrying multiple CVE security fixes (a strongly recommended upgrade; the exact count is not enumerated upstream). A self-hosted git host is internet-facing and high-value, so prioritise this merge. Bundled with a safe postgres 15.13→15.18 patch and an app.ini writability fix; note PUBLIC_URL_DETECTION now defaults to 'auto' — verify the Traefik front end after upgrade. !testme GREEN at build 932.

mailu — redis CVE-2025-32023 + CVE-2025-48367 on an internet-facing mail host (high) · mailu
mailu's redis 8.0.6 → 8.8.0 bump fixes CVE-2025-32023 (a HyperLogLog out-of-bounds write), CVE-2025-48367 (a connection-handling error), and a use-after-free in the unblock-client flow. redis here backs an internet-facing mail/webmail stack, so it's worth prioritising. Bundled with a traefik-certs-dumper v2.11.4 maintenance patch; no config changes. !testme GREEN at build 935.

hedgedoc 1.11.0 — four-advisory security patch (moderate) · hedgedoc
hedgedoc 1.10.8 → 1.11.0 is a security patch release closing four advisories: GHSA-6c2w-8w96-3pcv (HTML injection via email localpart), GHSA-qj78-mjch-wwrv (DoS via YAML frontmatter parsing), GHSA-8v9p-5j95-826j (CSRF via GitHub Gist export), and GHSA-2f9f-w8xq-276v (rate-limit bypass via the CF-Connecting-IP header). No breaking changes or schema migrations. Bundled with a pgautoupgrade 16→17 bump (auto-migrates on deploy). !testme GREEN at build 931.

drone 2.28.2 — docker/distribution CVE fix (moderate) · drone
drone 2.26.0 → 2.28.2 picks up the docker/distribution v2.8.2-beta.1 CVE fix in v2.27.2, plus a fix for stages stuck permanently in pending state (v2.28.1). Drop-in for Gitea-based setups — no schema migrations or config changes. !testme GREEN at build 930.

What changed

hedgedoc: 1.10.8 → 1.11.0, a security patch fixing four advisories (HTML injection via email localpart, YAML-frontmatter DoS, Gist-export CSRF, CF-Connecting-IP rate-limit bypass). New optional CMD_RATE_LIMIT_USING_CLOUDFLARE env var (only if behind Cloudflare); no breaking changes or schema migrations. Bundled with pgautoupgrade 16-alpine → 17-alpine, which auto-runs pg_upgrade on container start (18 deferred, one major at a time). cc-ci tests run on sqlite, so the pg bump is unverified by CI but low-risk.

matrix-synapse: synapse v1.154.0 → v1.155.0 (bugfixes only — sliding-sync fix, to-device EDU size limits), MAS 1.18.0 → 1.19.0 (per-provider registration tokens + X-Frame-Options: DENY hardening, no DB migrations), and nginx 1.31.1 → 1.31.2 (the memory-safety CVE batch). The mautrix/signal and mautrix/telegram bridges hit a CalVer scheme change and a pg13→17 dump/restore, so they were deliberately deferred to a separate PR.

lasuite-drive: a focused nginx 1.31.1 → 1.31.2 security patch (CVE-2026-42530 HTTP/3 UAF, CVE-2026-42055 HTTP/2 heap overflow, CVE-2026-48142 charset overread). The drive app stays at v0.19.0; no config changes, no migrations. A stale 'regall sweep' PR #3 is also open — reconcile.

lasuite-meet: meet v1.19.0 → v1.21.0 (v1.20 Microsoft add-in beta + noise-reduction fix; v1.21 advanced voice optimization, SSO silent-login URL control) plus the same nginx 1.31.2 CVE batch. No breaking changes, no migrations; livekit/redis/pg unchanged.

gitea: 1.24.2-rootless → 1.26.2-rootless (two minor versions) plus postgres 15.13 → 15.18 (patch only) and an app.ini writability fix. 1.26.2 carries multiple CVE fixes (upstream-flagged, count unspecified). Watch two behaviour changes: 1.26 removed the GET API registration-token endpoint, and PUBLIC_URL_DETECTION now defaults to 'auto' — verify the public URL resolves correctly behind Traefik. The superseded ci/app-ini-writable PR #2 was closed in favour of #3.

mailu: redis 8.0.6-alpine → 8.8.0-alpine (CVE-2025-32023 HyperLogLog OOB write, CVE-2025-48367, unblock-client UAF) and traefik-certs-dumper v2.11.2 → v2.11.4 (lego ACME refresh + a GHCR image fix). The Mailu application images (2024.06.52) are already current. No config changes; all 8 services converged on the chaos deploy. A separate backupbot-v2 labels PR #3 is also open.

drone: 2.26.0 → 2.28.2. v2.27.2 fixes a docker/distribution CVE; v2.28.0 brings a large go-scm update; v2.28.1 fixes stages stuck permanently in pending; v2.28.2 fixes a Bitbucket permission regression (irrelevant to Gitea setups). Pure image bump, no config or schema changes.

n8n: 2.23.2 → 2.27.2. 2.27.0 adds S3 execution storage, Data Redaction GA and CVE fixes; 2.27.1 adds optional rate-limit env vars; 2.27.2 brings compression-node and folder-import fixes. 30+ automatic DB migrations ran clean on the chaos deploy; pg unchanged at 18, no breaking changes. The older upgrade PR #5 (2.26.3) should be closed in favour of #6.

mattermost-lts: a major ESR jump 10.11.20 → 11.7.5. 10.11 ESR expires 2026-08-15, so this moves to the current 11.7 ESR (EOL 2027-05-15); 11.7.5 specifically avoids the schemeid migration bug in 11.7.0–11.7.2. Schema migrations are automatic and non-locking; none of the 11.x breaking changes apply to this deployment. postgres stays at 15-alpine (16 broke PGDATA). The PR also folds in a real fix: the recipe had no restore post-hook, so restores were silently no-ops — now it pg_dumps on backup and force-drops/recreates/reimports on restore. Release with `abra recipe release -x`. (Run 1 / build 937 went RED on the pre-existing restore defect; build 939 is GREEN with the fix.)

bluesky-pds: 0.4.219 → 0.4.5001 (a new CalVer-style upstream tag). The image restructured to run TypeScript directly under Node 24 (was Node 20 on index.js), so the recipe's entrypoint.sh was switched index.js → index.ts and ENTRYPOINT_VERSION bumped v1 → v2 to apply the new swarm config — without this the container crash-loops MODULE_NOT_FOUND. No new env/secrets, no data migration (disk-blob-store architecture). Verified GREEN at build 753.

discourse: redis 7.4-alpine → 8.8-alpine. The bump is correct and verified by chaos deploy (an RDB written by 7.4.9 loaded cleanly, 258 keys, ready to accept connections); redis serves only as cache/queue here, RDB is backward-compatible. PR #6 is RED only because cc-ci's upgrade-gate tests require the official-image switch (PR #5) that this redis-only PR doesn't perform — a stale-in-context gate, not a regression. The discourse image itself is frozen at bitnamilegacy 3.5.0; the real image path is PR #5 (discourse/discourse). Reconcile #6, #5 and the bitnamilegacy re-pin PR #1.