Backup quits with

@girish said:

@sansguidon might be best to wait for the next release which should be out shortly. This bug is only in rsync and not in tgz.

With the manual patch it did work . I'm not sure to understand your advice anyway, for me the backups are a very critical part of if not the most important of Cloudron, so they should not be skipped, and my understanding is that with rsync blocked my backups are local and no copy exists outside of my server, if I'm not mistaken? This seems risky enough and a sufficient motivation to take immediate action, or please correct me if I misunderstood.

Thanks! I've tried applying the patch with git apply but it failed so I've adapted the file manually

root@<redacted>:/home/yellowtent/box# git apply 6e0dc24ecae47ba3175ce1574a86c6724fbc98aa.diff
error: patch failed: src/syncer.js:10
error: src/syncer.js: patch does not apply

I'm facing a similar issue, with a new file downloaded today and renamed afterwards, the backup is for syncthing.

Mar 17 17:00:09 box:syncer Current line: {"path":"data/folders/AndroidDownloads/Librera/Dhirendra Sinha
Mar 17 17:00:09 box:backupupload upload completed. error: SyntaxError: Unterminated string in JSON at position 62 (line 1 column 63) at 
...
Mar 17 17:00:10 box:backuptask fullBackup: app syncthing.<REDACTED_DOMAIN> backup finished. Took 251.408 seconds

More context:

root@0427ab50-22da-43dd-871e-3ab54bfed577:/app/data/folders/AndroidDownloads/Librera# stat Dhirendra\ Sinha
\,\ Tejas\ Chopra\ -\ System\ Design\ Guide\ for\ Software\ Professionals_\ Build\ scalable\ solutions\ –\ from\ fundamental\ concepts\ \(2024\,\ Packt\ Publishing\ Pvt\ Ltd\)\ -\ libgen.li.epub 
  File: Dhirendra Sinha
, Tejas Chopra - System Design Guide for Software Professionals_ Build scalable solutions – from fundamental concepts (2024, Packt Publishing Pvt Ltd) - libgen.li.epub
  Size: 16217520        Blocks: 31688      IO Block: 4096   regular file
Device: 8,32    Inode: 3043429     Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/cloudron)   Gid: ( 1000/cloudron)
Access: 2026-03-17 12:34:16.112227988 +0000
Modify: 2026-03-17 12:28:32.210986818 +0000
Change: 2026-03-17 12:28:44.894161942 +0000
 Birth: 2026-03-17 12:28:44.751161060 +0000

how to address this?

Thanks! @girish If this problem cannot be solved with a non deterministic solution (LLM) then maybe AI/LLM is not a fit (assuming it is used here?)

Hi, I bump this thread as once again there is an issue with the generated changelog/release notes for Calibre Web.

The link to full changelog is invalid : https://github.com/janeczku/calibre-web/releases/tag/9.5.0

cc @girish

@archos the workaround is enough for me! Thanks

Hi,
I see the fix has been merged and the latest update (1.13.2) was applied on my instance yet I cannot open my drive files maybe a workaround is needed to export our files and re-import them, I'm not sure what to do but it's frustrating to not access my files for a few weeks now.
I'm sorry to ask again for support, but it's very annoying.
Thanks in advance!

@james said:

@SansGuidon said:

ALLOW_IANA_RESTRICTED_ADDRESSES=true

You need to put an export in front of that.
It needs to be:

export ALLOW_IANA_RESTRICTED_ADDRESSES=true

My bad!
This solves indeed the problem. @james @robi I'm sorry for the time wasted. Many thanks for highlighting this pebkac, and I should probably rest more !

changedetection watch fails with:

Fetch blocked: 'https://my.domain.tld/' resolves to a private/reserved IP address

However the domain resolves to public IPs:

A <redacted public ipv4>
AAAA <redacted public ipv6>

Inside the container:

dig my.domain.tld -> <redacted public ipv4>
getent hosts -> <redacted public ipv6>

Both IPv4 and IPv6 connectivity work (curl -4 and curl -6 succeed).

So DNS and networking are fine. The issue appears to be the SSRF protection in changedetection misclassifying the resolved IPv6 address as private/reserved.

Setting:

ALLOW_IANA_RESTRICTED_ADDRESSES=true

should bypass the block and the fetch works but if I set that in env.sh, nothing changes because the changedetection python command that is run does not read those env

Looks like a false positive triggered when the resolver prefers the IPv6 address.

@james I've sent you in PM an example problematic url

Hey
I notice some watches in my changedetection instance are errored with a message about an environment variable to set somewhere

After I set this variable in env.sh, the variable is available in the container but is not passed to the context of the python3 runtime / changedetection.py, if someone can confirm my assumption?
https://git.cloudron.io/packages/changedetection-app/-/blob/master/start.sh?ref_type=heads so the error persists in changedetection

If I'm not mistaken then, it could be enough to adapt the package's Dockerfile around https://git.cloudron.io/packages/changedetection-app/-/blob/master/start.sh?ref_type=heads#L25 so the env variables sourced from env.sh are taken into account by the python runtime?

Refs / examples usage

• https://github.com/dgtlmoon/changedetection.io/commit/bf3f8eae45b2be7bb54e10cf74f8bf8456456b42
• https://github.com/dgtlmoon/changedetection.io/commit/fe7aa38c651d73fe5f41ce09855fa8f97193747b

Thanks for reading and review/feedback! I hope this is not a case of a https://xyproblem.info/

Any workaround for this? Shall I try to rollback the app version and if yes how ? I'm happy to just use an old version of the app if that can work, so I can at least re-open my files that I couldn't edit for 2 weeks now :-'(

EDIT, some tests/findings

$ curl -I https://<redacted>/common/onlyoffice/api.js
HTTP/2 404
server: nginx
date: Wed, 04 Mar 2026 23:10:17 GMT
content-type: text/html
content-length: 938
etag: "698ca1f6-3aa"

$ curl -I https://<redacted>/web-apps/apps/api/documents/api.js
HTTP/2 200
server: nginx
date: Wed, 04 Mar 2026 23:10:19 GMT
content-type: application/javascript
content-length: 17408
last-modified: Wed, 11 Feb 2026 15:36:22 GMT
etag: "698ca1f6-4400"
access-control-allow-origin: https://sandbox.<redacted>
access-control-allow-credentials: true
permissions-policy: interest-cohort=()
cross-origin-resource-policy: cross-origin
cross-origin-embedder-policy: require-corp
content-security-policy: default-src 'none'; child-src <redacted>
accept-ranges: bytes
strict-transport-security: max-age=63072000
x-xss-protection: 1; mode=block
x-download-options: noopen
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
referrer-policy: same-origin

hypothesis:

• the package changed the OnlyOffice API path,
• but existing pads/config still reference the old /common/onlyoffice/api.js path.
• GET /web-apps/apps/api/documents/api.js → 200 (JS)
• GET /common/onlyoffice/api.js → 404
• existing files still try /common/onlyoffice/api.js and fail with DocEditor undefined.

I'm not sure what must be done here, a compatibility rule in nginx to forward old request to new endpoints? a migration script/step in the next app update for old files?

Thanks for the suggestion! I can't copy a file, the context menu only appears with both a combination of clicking and hitting some trigger key, and then I cannot hit Copy as context menu disappears as soon as I release the mouse button. Annoying UX.

I've obtained more console log after removing the local data storage on my usual session:

sframe-boot.js?ver=1.11:46 Testing if CSP correctly blocks an 'eval' call
22:57:55.338 LessLoader.js?ver=2026.2.0-1772483278073:208 Compiling [/customize/src/less2/include/loading.less] took 92ms
22:57:55.507 LessLoader.js?ver=2026.2.0-1772483278073:208 Compiling [/common/onlyoffice/app-oo.less] took 180ms
22:57:55.666 jquery.min.js?ver=2026.2.0-1772483278073:2  Failed to load resource: the server responded with a status of 404 ()
send @ jquery.min.js?ver=2026.2.0-1772483278073:2
22:57:56.057 inner.js?ver=2026.2.0-1772483278073:2206 updated config Object
createOOConfig @ inner.js?ver=2026.2.0-1772483278073:2206
22:57:56.058 inner.js?ver=2026.2.0-1772483278073:2544 Uncaught TypeError: Cannot read properties of undefined (reading 'DocEditor')

@james said:

Hello @sansguidon
Thanks for the report.
I will have to look into it again.

Please share what browser, what browser version and what operating system is used.
Also, if any extensions are installed please also list them or confirm that the issue persists in a fresh browser session with no extensions.

I've tried from MacOs, Android, Vivaldi, Brave, LibreWolf. Same issue.
Would it help to share my logs or data??

@james said:

Hello @archos and @sansguidon
Please ensure this is not a caching issue of your browser.

Thanks for the advice, so after checking in two other browsers I confirm the issue persists independently from caching

@joseph said:

A new package is out that should fix the problem.

Thanks everyone ! Did anyone successfully try the update for opening files on its drive? I've only tried on mobile but I hit the same error message in the frontend about a script failing to load.

@james said in Cannot access documents since last update - CryptPad is failing to load OnlyOffice:

Hello @sansguidon

@SansGuidon said in Cannot access documents since last update - CryptPad is failing to load OnlyOffice:

Since last update

What update are you referring to?
A Cloudron update or an app update?

Thanks for the answer! In fact here I'm not 100% sure of the when. It has been a few days maybe more than a week I'm not sure as I don't use the app daily and the notifications history for updates in cloudron is not keeping lot of info since v9. But I have read on their GitHub that they made a release few weeks ago. So either it's that either a cloudron update? Difficult to tell. Maybe I could try to rollback to a previous package version?

Hi
Since last update I face "Script Error: See browser console for details" when trying to open CryptPad documents

it seems to have to do with CSP or nginx config and some redirection.

Browser shows:

• window.DocsAPI is undefined
• CSP blocking extensions.js
• MIME type mismatch (text/html, nosniff)

Debugging shows that:

curl -I "https://<my redacted domain>/extensions.js?ver=2026.2.0-1771044916890"
returns

HTTP/2 301
Location: http://<my redacted domain>/extensions.js/?ver=...
Content-Type: text/html

HTTPS is being redirected to HTTP
A trailing slash is added to extensions.js/
Response is HTML instead of JS ?

Is this a known issue with the CryptPad package or Cloudron’s nginx config handling static assets?
Let me know if you need full browser console logs in case this cannot be reproduced.

Thanks!

Hi
Currently I have tens of external links in "my apps". Whenever I need to operate repetitive changes on those external links configured in Cloudron, if I'm not mistaken, it's not easy to find them as the filters by state does not include a way to focus on those apps easily.
Is it possible to add such filter? It could be in the "all states" filter?

For now my workaround is to CTRL+F for External Link in the page, and reiterate each time. Another workaround is to associate labels to such apps and filter by label, but I find this extra uninteresting work and could be avoided if the filter was built-in.

Any other suggestion?

Thanks in advance!

With Mistral subscription I have almost infinite calls to Mistral API at not extra cost just by enabling the experiment mode in their subscription because no way I want to pay per token usage.