Skip to content


Choose a tag to compare
@JohnMcLear JohnMcLear released this 15 Feb 09:49
· 851 commits to master since this release

Security patches

  • EJS has been updated to 3.1.6 to mitigate an Arbitrary Code Injection

Compatibility changes

  • Node.js 10.17.0 or newer is now required.

  • The bin/ and tests/ directories were moved under src/. Symlinks were
    added at the old locations to hopefully avoid breaking user scripts and other

  • Dependencies are now installed with the --no-optional flag to speed
    installation. Optional dependencies such as sqlite3 must now be manually
    installed (e.g., (cd src && npm i sqlite3)).

  • Socket.IO messages are now limited to 10K bytes to make denial of service
    attacks more difficult. This may cause issues when pasting large amounts of
    text or with plugins that send large messages (e.g., ep_image_upload). You
    can change the limit via settings.json; see socketIo.maxHttpBufferSize.

  • The top-level package.json file, added in v1.8.7, has been removed due to
    problematic npm behavior. Whenever you install a plugin you will see the
    following benign warnings that can be safely ignored:

    npm WARN saveError ENOENT: no such file or directory, open '.../package.json'
    npm WARN enoent ENOENT: no such file or directory, open '.../package.json'
    npm WARN develop No description
    npm WARN develop No repository field.
    npm WARN develop No README data
    npm WARN develop No license field.

Notable enhancements

  • You can now generate a link to a specific line number in a pad. Appending
    #L10 to a pad URL will cause your browser to scroll down to line 10.
  • Database performance is significantly improved.
  • Admin UI now has test coverage in CI. (The tests are not enabled by default;
    see settings.json.)
  • New stats/metrics: activePads, httpStartTime, lastDisconnected,
  • Improved import UX.
  • Browser caching improvements.
  • Users can now pick absolute white (#fff) as their color.
  • The settings.json template used for Docker images has new variables for
    controlling rate limiting.
  • Admin UI now has test coverage in CI. (The tests are not enabled by default
    because the admin password is required; see settings.json.)
  • For plugin authors:
    • New callAllSerial() function that invokes hook functions like callAll()
      except it supports asynchronous hook functions.
    • callFirst() and aCallFirst() now support the same wide range of hook
      function behaviors that callAll(), aCallAll(), and callAllSerial()
      support. Also, they now warn when a hook function misbehaves.
    • The following server-side hooks now support asynchronous hook functions:
      expressConfigure, expressCreateServer, padCopy, padRemove
    • Backend tests for plugins can now use the
      module to start the server and simplify API access.
    • The checkPlugins.js script now automatically adds GitHub CI test coverage
      badges for backend tests and npm publish.

Notable fixes

  • Enter key now stays in focus when inserted at bottom of viewport.
  • Numbering for ordered list items now properly increments when exported to
  • Suppressed benign connection errors
  • Interface no longer loses color variants on disconnect/reconnect event.
  • General code quality is further significantly improved.
  • Restarting Etherpad via /admin actions is more robust.
  • Improved reliability of server shutdown and restart.
  • No longer error if no buttons are visible.
  • For plugin authors:
    • Fixed collectContentLineText return value handling.