[4.10.2]
Update etherpad-lite to 3.3.2
Force @opentelemetry/core 2.8.0 (GHSA-8988-4f7v-96qf / CVE-2026-54285, #7975). The transitive dep (pulled in via @elastic/elasticsearch @elastic/transport) had a W3CBaggagePropagator.extract() that did not enforce W3C size limits on inbound baggage headers, allowing unbounded memory allocation. Pinned via a pnpm-workspace.yaml override; satisfies the existing 2.x range with no parent bump.
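To make the size-limit point concrete, here is an added example (not code from Etherpad, @opentelemetry/core or the fix itself) of a W3C Baggage header parser that applies the spec's three limits (180 list-members, 4096 bytes per member, 8192 bytes total) before materialising anything. It rejects an over-limit header outright rather than truncating it; that is this example's design choice, not a claim about what the patched propagator does. The header values in the test are constructed.

```javascript
// Added example: parse a W3C Baggage header while enforcing the
// specification's size limits, so an oversized inbound header is
// rejected before any of it is allocated into a baggage map.
// Limits as stated by the W3C Baggage specification:
const MAX_PAIRS = 180;        // maximum number of list-members
const MAX_PAIR_BYTES = 4096;  // maximum bytes per list-member
const MAX_TOTAL_BYTES = 8192; // maximum bytes for the entire header

// Returns a plain object of key -> decoded value, or {} when the header
// is absent, malformed beyond use, or exceeds any of the limits.
function parseBaggage(header) {
  if (typeof header !== 'string') return {};
  // Cheapest check first: total byte length of the raw header.
  if (Buffer.byteLength(header, 'utf8') > MAX_TOTAL_BYTES) return {};

  const out = {};
  let count = 0;
  for (const raw of header.split(',')) {
    const member = raw.trim();
    if (member === '') continue; // tolerate empty list-members
    if (++count > MAX_PAIRS) return {};
    if (Buffer.byteLength(member, 'utf8') > MAX_PAIR_BYTES) return {};

    // A list-member is "key=value" optionally followed by ";prop..."
    // properties; this example keeps only the key/value part.
    const [kv] = member.split(';');
    const eq = kv.indexOf('=');
    if (eq <= 0) continue; // no key or no '=' : skip the member
    const key = kv.slice(0, eq).trim();
    let value;
    try {
      value = decodeURIComponent(kv.slice(eq + 1).trim());
    } catch {
      continue; // malformed percent-encoding: skip the member
    }
    out[key] = value;
  }
  return out;
}

module.exports = { parseBaggage, MAX_PAIRS, MAX_PAIR_BYTES, MAX_TOTAL_BYTES };
```

Checking the total length before splitting matters: the split itself allocates one string per member, so a parser that counts members after splitting has already paid for the oversized input.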
Resolve open Dependabot security alerts (#7967). Refreshes stale override floors and adds new ones via pnpm-workspace overrides: form-data 4.0.6, ws 8.21.0, esbuild 0.28.1, basic-ftp 5.3.1 (capped <6.0.0 to avoid a surprise major on the plugin-install path), tar 7.5.16, js-yaml 4.2.0, qs 6.15.2, ip-address 10.1.1, and @babel/core 7.29.6.
Reject read-only deletion via token-less paths (part of #7959 / #7960). Under allowPadDeletionByAllUsers a read-only viewer was granted canDeletePad=true, and the server's flagOk/creatorOk branches never checked session.readonly so a read-only link holder could delete a pad without a token. Read-only sessions are now excluded from both the client var and the server's token-less authorization paths; a valid recovery token stays sufficient regardless of session mode.
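The authorization logic described above, as an added example (not Etherpad's code): the deletion decision is collapsed into one pure function so the read-only exclusion cannot be missed on any token-less path, and the same function feeds both the client variable and the server check. A reconstruction of the pre-fix behaviour is shown beside it purely to illustrate the flaw the entry describes. The field names (`session.readonly`, `settings.allowPadDeletionByAllUsers`, `isCreator`, `hasValidRecoveryToken`) are assumptions for illustration.

```javascript
// Added example: a single decision function for pad deletion.
// Inputs are assumed shapes for illustration, not Etherpad's real objects.

// Pre-fix behaviour as described in the changelog entry: the flag and
// creator branches never consult session.readonly, so a read-only link
// holder is granted deletion without a token.
function canDeletePadBefore({ session, isCreator, hasValidRecoveryToken, settings }) {
  if (hasValidRecoveryToken) return true;
  if (settings.allowPadDeletionByAllUsers) return true; // "flagOk"
  return Boolean(isCreator);                            // "creatorOk"
}

// Fixed behaviour: a valid recovery token is sufficient on its own,
// regardless of session mode; every token-less path first excludes
// read-only sessions.
function canDeletePad({ session, isCreator, hasValidRecoveryToken, settings }) {
  if (hasValidRecoveryToken) return true;
  if (session.readonly) return false; // read-only viewers never qualify token-less
  if (settings.allowPadDeletionByAllUsers) return true; // "flagOk"
  return Boolean(isCreator);                            // "creatorOk"
}

// The client var is derived from the same function, so the UI can never
// advertise a deletion the server would refuse.
function buildClientVars(ctx) {
  return { canDeletePad: canDeletePad(ctx) };
}

module.exports = { canDeletePadBefore, canDeletePad, buildClientVars };
```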
Pad deletion: suppress the recovery token for durable identities and relabel the action (#7926 / #7930). Building on the allowPadDeletionByAllUsers suppression, a creator's deletion token is now also withheld when they have a durable identity authenticated (req.session.user with a username) and the deployment pins that identity to a stable authorID via a getAuthorId hook, since only then does the creator survive a cookie clear or a different device, making the token redundant.
Offline/air-gapped installs: env-var overrides for the update check, plugin catalog, and updater (#7917, addresses #7911). Firewalled deployments could not disable Etherpad's outbound calls without editing settings.json inside the image.
Pad: keep the token-less Delete button reachable without pad-wide settings (#7959 / #7960). The token-less #delete-pad button was nested inside the enablePadWideSettings-gated section, so disabling pad-wide settings removed the only no-token deletion path.
History mode: restore the saved-revision markers (#7946 / #7948). When #7659 moved the timeslider into the pad as an embedded iframe, the user-facing control became the outer #history-slider-input, but the saved-revision stars were still drawn into the now-hidden iframe #ui-slider-bar, so "Save Revision" appeared to do nothing in in-pad history mode (a 3.3.x regression).
Import dialog: correct the outdated "no converter" help message (#7988 / #7989). The notice claimed only plain text and HTML could be imported and linked to the legacy AbiWord wiki, prompting LibreOffice installs for formats that already work natively.
PadManager: reject unreachable . and .. pad ids (#7962). isValidPadId accepted ids consisting only of URL dot-segments, but per the WHATWG URL standard a browser normalises /p/. to /p/ and /p/.. to /, so such a pad could be created in the database yet never opened or exported.
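An added example (not Etherpad's isValidPadId, which has further rules not reproduced here) of the dot-segment check together with a cross-check using Node's WHATWG-compliant `URL` parser, so the "unreachable id" property can be observed directly rather than inferred. It goes slightly beyond the entry: the WHATWG standard also treats the percent-encoded forms `%2e`, `.%2e`, `%2e.` and `%2e%2e` (case-insensitive) as dot segments, so those are rejected too. The pad ids in the test are constructed.

```javascript
// Added example: reject pad ids that a browser would collapse as URL
// dot-segments, and show what the WHATWG URL parser does with them.

// Per the WHATWG URL standard, "." or "%2e" is a single-dot segment and
// "..", ".%2e", "%2e.", "%2e%2e" are double-dot segments, matched
// case-insensitively. Normalising %2e to "." first covers all forms.
function isDotSegment(padId) {
  const norm = padId.replace(/%2e/gi, '.');
  return norm === '.' || norm === '..';
}

// Minimal reachability check: non-empty and not a dot segment.
// The real validator has additional rules that this example does not model.
function isReachablePadId(padId) {
  if (typeof padId !== 'string' || padId.length === 0) return false;
  return !isDotSegment(padId);
}

// Cross-check: the path a browser actually requests for /p/<id>.
// The origin is a placeholder; only the path normalisation matters.
function resolvedPadPath(padId) {
  return new URL(`/p/${padId}`, 'http://example.invalid').pathname;
}

module.exports = { isDotSegment, isReachablePadId, resolvedPadPath };
```

Three dots (`...`) is not a dot segment and survives normalisation, which is why the check compares against the exact forms rather than testing for "only dots".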
CLI: fix the database migration/import scripts against the ueberdb2 promise API (#7982 / #7983). migrateDB.ts opened source and target databases, copied all keys, then resolved without closing either, so under ueberdb2 6.1.x the keep-alive timer kept the process hanging after "Done syncing dbs", and buffered target writes were only guaranteed flushed on close().