chore(deps): update gotenberg/gotenberg docker tag to v8.32.0 #6394

renovate-bot · 2026-04-30T15:06:48Z

renovate-bot commented

2026-04-30 15:06:48 +00:00

This PR contains the following updates:

Package	Update	Change
gotenberg/gotenberg	minor	`8.31.0` → `8.32.0`

Release Notes

gotenberg/gotenberg (gotenberg/gotenberg)

`v8.32.0`: 8.32.0

Compare Source

Breaking Changes & Security Fixes ⚠️

Reverted SSRF defaults (breaking vs 8.31.0). 8.31.0 blocked private-IP destinations by default, which broke deployments running Gotenberg inside a private network. 8.32.0 restores the 8.30.x permissive defaults. Operators with internet-facing APIs opt into the strict posture via the new flags below.
Rejected file:// at /forms/chromium/convert/url. Submitting url=file:///tmp/... used to let an unauthenticated caller enumerate the request working directory and read other in-flight uploads as rendered PDFs. The route now returns HTTP 400 for any file:// URL.
Required uploaded file for image / pdf stamp and watermark sources. Twelve callsites accepted stampSource=pdf or watermarkSource=pdf with an expression pointing at any path the Gotenberg process could open, even when no file was uploaded. Handlers now return HTTP 400 unless the caller uploaded a matching file.
Scoped file:// sub-resources to the request working directory. Crafted HTML could reference another request's file:///tmp/<reqdir>/.... The CDP request handler now restricts file:// sub-resources to the current request's directory. /convert/url and /screenshot/url reject every file:// sub-resource outright.
Hardened Chromium against DNS rebinding. A short-TTL DNS authority could return a public IP at validation and a private IP at connect. A loopback HTTP / CONNECT proxy now sits between Chromium and the network, resolves DNS once, and pins the dial to the resolved IP. Skipped when --chromium-proxy-server or --chromium-host-resolver-rules is set.
Filtered LibreOffice outbound fetches through a proxy. Uploaded OOXML, RTF, and ODF files can embed external URLs that LibreOffice's libcurl resolves below every Go-side SSRF filter. LibreOffice now routes every outbound fetch through an in-process forward proxy on the same gotenberg.DecideOutbound path Chromium and webhook delivery use. See the four new flags below.
Recovered webhook async panics. High-concurrency webhooks could panic the async goroutine and crash the whole process. The goroutine now snapshots the request context and recovers any future panic through the existing error path.

New Features

LibreOffice outbound URL filtering. Four flags mirror the Chromium and webhook layout: --libreoffice-allow-list, --libreoffice-deny-list, --libreoffice-deny-private-ips, --libreoffice-deny-public-ips. All default permissive.
IP-class filtering on four modules. chromium, webhook, api-download-from, and libreoffice each accept matching deny-private-ips and deny-public-ips flags. All default to false.

Flag	What it does
`--chromium-deny-private-ips`	Reject Chromium navigations and sub-resources resolving to a non-public IP.
`--chromium-deny-public-ips`	Reject Chromium navigations and sub-resources resolving to a public IP.
`--webhook-deny-private-ips`	Reject webhook URLs (success, error, events) resolving to a non-public IP.
`--webhook-deny-public-ips`	Reject webhook URLs resolving to a public IP.
`--api-download-from-deny-private-ips`	Reject `downloadFrom` URLs resolving to a non-public IP.
`--api-download-from-deny-public-ips`	Reject `downloadFrom` URLs resolving to a public IP.
`--libreoffice-deny-private-ips`	Reject LibreOffice outbound fetches resolving to a non-public IP.
`--libreoffice-deny-public-ips`	Reject LibreOffice outbound fetches resolving to a public IP.

A URL matching --*-allow-list skips the IP-class check. A URL matching --*-deny-list is always rejected. Setting both deny-private-ips=true and deny-public-ips=true rejects every URL unless the allow-list matches.

Bug Fixes

Charts print as blank rectangles (#1531, #1532, #1534, #1535): chromedp v0.15.0 suspended the BeginFrame-driven callback dispatch loop under emulatedMediaType=print. requestAnimationFrame, ResizeObserver, IntersectionObserver, CSS transitionend, and CSS animationend all stopped firing. Pinning chromedp back to v0.14.2 restores native dispatch.
LibreOffice cached an unrecoverable first-start error (#1538): A short --libreoffice-start-timeout timed out the first request, then every subsequent request returned the same cached error until the container restarted. The lazy-start path now retries on failure.

Chore

Updated pdfcpu to v0.12.0.
Switched metadata read/write to direct exiftool invocation. Removes the GPL-3.0 go-exiftool dependency.
Bumped Go to 1.26.2.
Updated Go dependencies.

Thanks

Thanks to @Jalliuz (#1527) for reporting the 8.31.0 sub-resource regression. @notscottsmith (#1531), @spoltix (#1532), @rdelott-work (#1534), and @sillyas2010 (#1535) narrowed down the chromedp print-mode regression. @sillyas2010 also published the reproducer that pinned the bisect. @JeremyReist2 (#1536) flagged the go-exiftool GPL-3.0 license. @doronbehar (#1537) requested the pdfcpu upgrade. @mlafon (#1538) reported the LibreOffice supervisor cached-error bug.

Configuration

📅 Schedule: (in timezone America/Chicago)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [gotenberg/gotenberg](https://github.com/gotenberg/gotenberg) | minor | `8.31.0` → `8.32.0` | --- ### Release Notes <details> <summary>gotenberg/gotenberg (gotenberg/gotenberg)</summary> ### [`v8.32.0`](https://github.com/gotenberg/gotenberg/releases/tag/v8.32.0): 8.32.0 [Compare Source](https://github.com/gotenberg/gotenberg/compare/v8.31.0...v8.32.0) #### Breaking Changes & Security Fixes ⚠️ - **Reverted SSRF defaults (breaking vs 8.31.0).** 8.31.0 blocked private-IP destinations by default, which broke deployments running Gotenberg inside a private network. 8.32.0 restores the 8.30.x permissive defaults. Operators with internet-facing APIs opt into the strict posture via the new flags below. - **Rejected `file://` at `/forms/chromium/convert/url`.** Submitting `url=file:///tmp/...` used to let an unauthenticated caller enumerate the request working directory and read other in-flight uploads as rendered PDFs. The route now returns HTTP 400 for any `file://` URL. - **Required uploaded file for `image` / `pdf` stamp and watermark sources.** Twelve callsites accepted `stampSource=pdf` or `watermarkSource=pdf` with an expression pointing at any path the Gotenberg process could open, even when no file was uploaded. Handlers now return HTTP 400 unless the caller uploaded a matching file. - **Scoped `file://` sub-resources to the request working directory.** Crafted HTML could reference another request's `file:///tmp/<reqdir>/...`. The CDP request handler now restricts `file://` sub-resources to the current request's directory. `/convert/url` and `/screenshot/url` reject every `file://` sub-resource outright. - **Hardened Chromium against DNS rebinding.** A short-TTL DNS authority could return a public IP at validation and a private IP at connect. A loopback HTTP / CONNECT proxy now sits between Chromium and the network, resolves DNS once, and pins the dial to the resolved IP. Skipped when `--chromium-proxy-server` or `--chromium-host-resolver-rules` is set. - **Filtered LibreOffice outbound fetches through a proxy.** Uploaded OOXML, RTF, and ODF files can embed external URLs that LibreOffice's libcurl resolves below every Go-side SSRF filter. LibreOffice now routes every outbound fetch through an in-process forward proxy on the same `gotenberg.DecideOutbound` path Chromium and webhook delivery use. See the four new flags below. - **Recovered webhook async panics.** High-concurrency webhooks could panic the async goroutine and crash the whole process. The goroutine now snapshots the request context and recovers any future panic through the existing error path. #### New Features - **LibreOffice outbound URL filtering.** Four flags mirror the Chromium and webhook layout: `--libreoffice-allow-list`, `--libreoffice-deny-list`, `--libreoffice-deny-private-ips`, `--libreoffice-deny-public-ips`. All default permissive. - **IP-class filtering on four modules.** `chromium`, `webhook`, `api-download-from`, and `libreoffice` each accept matching `deny-private-ips` and `deny-public-ips` flags. All default to `false`. | Flag | What it does | | -------------------------------------- | --------------------------------------------------------------------------- | | `--chromium-deny-private-ips` | Reject Chromium navigations and sub-resources resolving to a non-public IP. | | `--chromium-deny-public-ips` | Reject Chromium navigations and sub-resources resolving to a public IP. | | `--webhook-deny-private-ips` | Reject webhook URLs (success, error, events) resolving to a non-public IP. | | `--webhook-deny-public-ips` | Reject webhook URLs resolving to a public IP. | | `--api-download-from-deny-private-ips` | Reject `downloadFrom` URLs resolving to a non-public IP. | | `--api-download-from-deny-public-ips` | Reject `downloadFrom` URLs resolving to a public IP. | | `--libreoffice-deny-private-ips` | Reject LibreOffice outbound fetches resolving to a non-public IP. | | `--libreoffice-deny-public-ips` | Reject LibreOffice outbound fetches resolving to a public IP. | A URL matching `--*-allow-list` skips the IP-class check. A URL matching `--*-deny-list` is always rejected. Setting both `deny-private-ips=true` and `deny-public-ips=true` rejects every URL unless the allow-list matches. #### Bug Fixes - **Charts print as blank rectangles** ([#1531](https://github.com/gotenberg/gotenberg/issues/1531), [#1532](https://github.com/gotenberg/gotenberg/issues/1532), [#1534](https://github.com/gotenberg/gotenberg/issues/1534), [#1535](https://github.com/gotenberg/gotenberg/issues/1535)): `chromedp v0.15.0` suspended the BeginFrame-driven callback dispatch loop under `emulatedMediaType=print`. `requestAnimationFrame`, `ResizeObserver`, `IntersectionObserver`, CSS `transitionend`, and CSS `animationend` all stopped firing. Pinning `chromedp` back to `v0.14.2` restores native dispatch. - **LibreOffice cached an unrecoverable first-start error** ([#1538](https://github.com/gotenberg/gotenberg/issues/1538)): A short `--libreoffice-start-timeout` timed out the first request, then every subsequent request returned the same cached error until the container restarted. The lazy-start path now retries on failure. #### Chore - Updated `pdfcpu` to `v0.12.0`. - Switched metadata read/write to direct `exiftool` invocation. Removes the GPL-3.0 `go-exiftool` dependency. - Bumped Go to `1.26.2`. - Updated Go dependencies. #### Thanks Thanks to [@Jalliuz](https://github.com/Jalliuz) ([#1527](https://github.com/gotenberg/gotenberg/issues/1527)) for reporting the 8.31.0 sub-resource regression. [@notscottsmith](https://github.com/notscottsmith) ([#1531](https://github.com/gotenberg/gotenberg/issues/1531)), [@spoltix](https://github.com/spoltix) ([#1532](https://github.com/gotenberg/gotenberg/issues/1532)), [@rdelott-work](https://github.com/rdelott-work) ([#1534](https://github.com/gotenberg/gotenberg/issues/1534)), and [@sillyas2010](https://github.com/sillyas2010) ([#1535](https://github.com/gotenberg/gotenberg/issues/1535)) narrowed down the chromedp print-mode regression. [@sillyas2010](https://github.com/sillyas2010) also published [the reproducer](https://github.com/sillyas2010/gotenberg-8.29-test-example) that pinned the bisect. [@JeremyReist2](https://github.com/JeremyReist2) ([#1536](https://github.com/gotenberg/gotenberg/issues/1536)) flagged the `go-exiftool` GPL-3.0 license. [@doronbehar](https://github.com/doronbehar) ([#1537](https://github.com/gotenberg/gotenberg/issues/1537)) requested the pdfcpu upgrade. [@mlafon](https://github.com/mlafon) ([#1538](https://github.com/gotenberg/gotenberg/issues/1538)) reported the LibreOffice supervisor cached-error bug. </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

renovate-bot added the docker label 2026-04-30 15:06:48 +00:00

renovate-bot added 1 commit 2026-05-01 02:29:31 +00:00

chore(deps): update gotenberg/gotenberg docker tag to v8.32.0

lint-test-helm / lint-helm (pull_request) Successful in 39s

Details

lint-test-helm / validate-kubeconform (pull_request) Successful in 38s

Details

render-manifests / render-manifests (pull_request) Successful in 5m44s

Details

60fe1918b9

renovate-bot force-pushed renovate/unified-gotenberg from 636a3e6ce2 to 60fe1918b9

2026-05-01 02:29:31 +00:00

Compare

alexlebens merged commit 247b3040fa into main

2026-05-01 03:01:56 +00:00

alexlebens referenced this issue from a commit

2026-05-01 03:01:58 +00:00

Merge pull request 'chore(deps): update gotenberg/gotenberg docker tag to v8.32.0' (#6394) from renovate/unified-gotenberg into main

alexlebens deleted branch renovate/unified-gotenberg

2026-05-01 03:02:04 +00:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: alexlebens/infrastructure#6394

chore(deps): update gotenberg/gotenberg docker tag to v8.32.0 #6394

Release Notes

v8.32.0: 8.32.0

Breaking Changes & Security Fixes ⚠️

New Features

Bug Fixes

Chore

Thanks

Configuration

`v8.32.0`: 8.32.0