mend

Update ghcr.io/mend/renovate-ce Docker tag to v13.6.0

Michi Kofler-Häusler

13 Feb 2026 — 2 min read

This MR contains the following updates:

Package	Update	Change
ghcr.io/mend/renovate-ce	minor	`13.5.0-full` → `13.6.0-full`

Release Notes

mend/renovate-ce-ee (ghcr.io/mend/renovate-ce)

`v13.6.0`

Compare Source

[!IMPORTANT]
The next planned release (~2026-02-23) will be a major version bump, with breaking changes including Renovate v43 major version update
see Renovate v43 release notes for details

Notable changes

GHSA-8wc6-vgrq-x6cf: Child processes spawned by Renovate incorrectly have full access to environment variables

This release contains a security fix for Renovate, GHSA-8wc6-vgrq-x6cf, which affects all self-hosted deployments.

Environment variable filtering was inadvertently broken in 13.3.0, which means that since then, any environment variables (including secrets) were passed to all processes (npm install or postUpgradeTasks). See the security advisory for more details.

This specific security fix only affects users who are running:

mend/renovate-ce >= 13.3.0 < 13.6.0
mend/renovate-ee-server >= 13.3.0, < 13.6.0
- Server is technically unaffected, but should be upgraded alongside the workers
mend/renovate-ee-worker >= 13.3.0, < 13.6.0

If you are on an affected version, we recommend upgrading immediately.

It is possible that some users may find this to be a breaking change, if they were relying on the environment variables being present. This was never intentional, and can be resolved by globally configured allowedEnv and repo-level config of env.

Web UI

This release includes the first release of the web UI for Self-Hosted users.

Documentation can be found in more depth on the functionality, getting started, and considerations around authentication/authorization.

This is in Open Beta, and requires an Enterprise license key.

Application changes

Renovate CLI: Update from v42.92.1 to v42.99.0
- Docs
- Full changelog
feat: a new web-ui server (see docs)
fix(rbac): use relative paths when constructing request urls for github enterprise
chore(deps): update dependencies

Docs and Helm Charts

feat(helm): add renovate web-server to mend-renovate-ee chart by @Gabriel-Ladzaretti in #813
docs: add documentation about the web UI by @jamietanna in #820
chore(deps): update update mend renovate docker images to v13.6.0 by @renovate[bot] in #822

Full Changelog: https://github.com/mend/renovate-ce-ee/compare/13.5.0...13.6.0

Update docker.io/sonarqube Docker tag to v26.3.0.120487

Major upgrade to Docker container executed successfully by means of Watchtower infrastructure with dependency update facilitated by Mend's Renovate Bot. This MR contains the following updates: Package Update Change docker.io/sonarqube minor 26.2.0.119303-community → 26.3.0.120487-community

Update docker.io/matomo Docker tag to v5.8.0

No problems automatically updating the Docker image, migrating the application manually and run the container by Watchtower with dependency update facilitated by Mend's Renovate Bot. This MR contains the following updates: Package Update Change docker.io/matomo minor 5.7.1 → 5.8.0 Release Notes matomo-org/matomo

Update ghcr.io/paperless-ngx/paperless-ngx Docker tag to v2.20.10

No problems upgrading the Docker container with a Docker compose yaml file within Portainer and by means of Portainer DevOps resp. GitOps with dependency update facilitated by Mend's Renovate Bot. This MR contains the following updates: Package Update Change ghcr.io/paperless-ngx/paperless-ngx patch 2.20.9 → 2.

Update docker.io/hashicorp/vault Docker tag to v1.21.4

No problems upgrading the Hashicorp Vault Docker container with a Docker compose yaml file within Portainer and by means of Portainer DevOps resp. GitOps with dependency update facilitated by Mend's Renovate Bot. This MR contains the following updates: Package Update Change docker.io/hashicorp/vault patch 1.21.