wanderer/renovate: roll back meilisearch v1.45.2 -> v1.11.3 + gate future bumps

Renovate PR #32 (merged 2026-06-06 09:30) bumped getmeili/meilisearch from v1.11.3 to v1.45.2 under the default-allow + 3-day stability rule. Meilisearch's on-disk index format is NOT forward-compatible across that range; wanderer-meilisearch went into CrashLoopBackOff with: Error: Your database version (1.11.3) is incompatible with your current engine version (1.45.2). The PVC still holds the v1.11.x index, so the safest immediate recovery is reverting the image tag. Wanderer's search starts working again the moment the pod comes up on v1.11.3. To prevent recurrence, add a packageRule that holds ALL meilisearch updates behind the dashboard's "Pending Approval" checkbox via `dependencyDashboardApproval: true`. PRs won't be opened until the user explicitly approves them on the dashboard, so the version bump can be planned around the documented dump/restore migration path (https://www.meilisearch.com/docs/learn/update_and_migration/updating). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Merge pull request 'Update codercom/code-server Docker tag to v4.123.0' (#52 ) from renovate/codercom-code-server-4.x into main
2026-06-06 10:45:23 +02:00 · 2026-06-06 08:36:58 +00:00 · 2026-06-06 08:33:51 +00:00 · 2026-06-06 08:33:44 +00:00 · 2026-06-06 08:33:42 +00:00 · 2026-06-06 08:33:26 +00:00
38 changed files with 229 additions and 70 deletions
@@ -30,7 +30,7 @@ spec:
    spec:
      containers:
        - name: actualbudget
-          image: actualbudget/actual-server:26.2.0
+          image: actualbudget/actual-server:26.6.0
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -6,7 +6,7 @@
 #        -slim suffix was retired after v37.440.x, so we pin the plain tag)
 #
 # PILOT SCOPE (intentionally narrow):
-#   Runs weekly (Sun 04:00 Europe/Budapest) as a CronJob and opens
+#   Runs weekly (Sat 02:00 Europe/Budapest) as a CronJob and opens
 #   dependency-update PRs against admin/homelab-manifests on Gitea.
 #   Only the `kubernetes` and `helm-values` managers are enabled, and a
 #   default-deny packageRule limits updates to exactly four pilot images:
@@ -44,12 +44,26 @@ data:
      "requireConfig": "optional",
      "dependencyDashboard": true,
      "dependencyDashboardTitle": "Renovate Dependency Dashboard",
-      "prHourlyLimit": 8,
+      "prHourlyLimit": 16,
-      "prConcurrentLimit": 8,
+      "prConcurrentLimit": 16,
-      "enabledManagers": ["kubernetes", "helm-values"],
+      "enabledManagers": ["kubernetes", "helm-values", "custom.regex"],
      "kubernetes": {
        "managerFilePatterns": ["/.+\\.ya?ml$/"]
      },
      "customManagers": [
        {
          "description": "termix: docker image tag is `release-X.Y.Z` but the upstream GitHub release tag_name is `release-X.Y.Z-tag` (different from the release name). regex versioning parses currentValue (no -tag); extractVersion strips the -tag suffix from candidate tag_names so they normalize to the same shape Renovate writes back to the manifest.",
          "customType": "regex",
          "managerFilePatterns": ["/termix-system/.+\\.ya?ml$/"],
          "matchStrings": [
            "image:\\s+(?<depName>ghcr\\.io/lukegus/termix):(?<currentValue>release-\\d+\\.\\d+\\.\\d+)"
          ],
          "datasourceTemplate": "github-releases",
          "packageNameTemplate": "Termix-SSH/Termix",
          "versioningTemplate": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$",
          "extractVersionTemplate": "^(?<version>release-\\d+\\.\\d+\\.\\d+)"
        }
      ],
      "packageRules": [
        {
          "description": "All apps: 3-day stability gate before any PR opens",
@@ -90,17 +104,21 @@ data:
          ],
          "automerge": false
        },
        {
          "description": "termix: use github-releases as datasource (ghcr.io OCI manifest for this image lacks the release timestamp Renovate needs for the stability gate; GitHub Releases at Termix-SSH/Termix expose proper timestamps so the 3-day gate works as intended). regex versioning parses the release-X.Y.Z prefix. Renovate still writes the new tag to the same ghcr.io/lukegus/termix image (the registry hosts every release).",
          "matchPackageNames": ["ghcr.io/lukegus/termix"],
          "datasource": "github-releases",
          "packageName": "Termix-SSH/Termix",
          "versioning": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$"
        },
        {
          "description": "wanderer: db + web update together in one PR",
          "matchPackageNames": ["flomp/wanderer-db", "flomp/wanderer-web"],
          "groupName": "wanderer"
        },
        {
          "description": "meilisearch: every version bump can require an index format migration via dump/restore (see https://www.meilisearch.com/docs/learn/update_and_migration/updating). PR #32 (v1.11.3 -> v1.45.2) on 2026-06-06 broke wanderer with `Your database version (1.11.3) is incompatible with your current engine version (1.45.2)`. Hold ALL meilisearch updates behind dashboard approval so the migration is planned before the PR even opens.",
          "matchPackageNames": ["getmeili/meilisearch"],
          "dependencyDashboardApproval": true
        },
        {
          "description": "termix: kubernetes manager would extract the image with versioning=docker and silently skip it (release-1.11.0 fails the docker pre-check). Disable that extraction; customManagers above does the real work via github-releases.",
          "matchManagers": ["kubernetes"],
          "matchPackageNames": ["ghcr.io/lukegus/termix"],
          "enabled": false
        }
      ],
      "labels": ["renovate"]
@@ -116,7 +134,9 @@ metadata:
    app.kubernetes.io/name: renovate
    app.kubernetes.io/version: "43.197.0"
 spec:
-  schedule: "0 4 * * 0"
+  # Sat 02:00 Europe/Budapest — leaves the full weekend for troubleshooting
  # if a Renovate-merged update breaks something.
  schedule: "0 2 * * 6"
  timeZone: "Europe/Budapest"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
@@ -143,7 +163,7 @@ spec:
          restartPolicy: OnFailure
          containers:
            - name: renovate
-              image: renovate/renovate:43.197.0
+              image: renovate/renovate:43.209.3
              imagePullPolicy: IfNotPresent
              envFrom:
                - secretRef:
@@ -90,7 +90,7 @@ spec:
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - name: tailscale
-          image: tailscale/tailscale:v1.94.1
+          image: tailscale/tailscale:v1.98.4
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -56,7 +56,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:7.2-alpine
+          image: redis:7.4-alpine
          ports:
            - containerPort: 6379
              name: redis
@@ -96,7 +96,7 @@ spec:
        fsGroup: 1000
      initContainers:
        - name: init-config
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -54,7 +54,7 @@ spec:
    spec:
      containers:
        - name: audiobookshelf
-          image: advplyr/audiobookshelf:2.35.0
+          image: advplyr/audiobookshelf:2.35.1
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -168,7 +168,7 @@ spec:
      initContainers:
        # Wait for PostgreSQL
        - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -181,7 +181,7 @@ spec:
              echo "PostgreSQL is ready!"
        # Wait for Redis
        - name: wait-for-redis
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -175,7 +175,7 @@ spec:
    spec:
      containers:
        - name: bookstack
-          image: linuxserver/bookstack:25.12.3
+          image: linuxserver/bookstack:26.05.20260601
          imagePullPolicy: IfNotPresent
          env:
            # LinuxServer.io specific
@@ -50,7 +50,7 @@ spec:
        fsGroup: 1000
      containers:
        - name: code-server
-          image: codercom/code-server:4.121.0
+          image: codercom/code-server:4.123.0
          args:
            - --bind-addr=0.0.0.0:8080
            - --auth=none
@@ -169,7 +169,7 @@ spec:
          type: RuntimeDefault
      containers:
      - name: reloader
-        image: ghcr.io/stakater/reloader:v1.4.12
+        image: ghcr.io/stakater/reloader:v1.4.17
        imagePullPolicy: IfNotPresent
        env:
        - name: GOMAXPROCS
@@ -48,7 +48,7 @@ spec:
        fsGroup: 999
      containers:
        - name: healthchecks
-          image: healthchecks/healthchecks:v4.0
+          image: healthchecks/healthchecks:v4.2
          ports:
            - containerPort: 8000
          env:
@@ -32,7 +32,7 @@ spec:
    spec:
      initContainers:
        - name: init-directories
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -44,7 +44,7 @@ spec:
              mountPath: /data
      containers:
        - name: gitea
-          image: gitea/gitea:1.25.4
+          image: gitea/gitea:1.26.2
          imagePullPolicy: IfNotPresent
          env:
            - name: USER_UID
@@ -1384,7 +1384,7 @@ spec:
        # Calendar iCal URLs (JSON object: {"name": "url", ...})
        - name: CALENDAR_ICAL_URLS
          value: '{"Órák": "https://calendar.google.com/calendar/ical/b2884faf3db792ac082a6206057552c79080716efd5f966e169a41fc500e1c1c%40group.calendar.google.com/private-0998d8053909ba4449c2f0a6409ce3de/basic.ics", "Családi": "https://calendar.google.com/calendar/ical/nitq3l0if4gn54k438obat5ia0%40group.calendar.google.com/private-59afcf70fee1a798ec369b86d9883b46/basic.ics"}'
-        image: python:3.12-bookworm
+        image: python:3.14-bookworm
        imagePullPolicy: IfNotPresent
        name: glance-helper
        ports:
@@ -2746,7 +2746,7 @@ spec:
        fsGroup: 1000
      initContainers:
        - name: build-bookmarks-index
-          image: mikefarah/yq:4.50.1
+          image: mikefarah/yq:4.53.2
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
@@ -2787,7 +2787,7 @@ spec:
              mountPath: /app/assets
      containers:
        - name: glance
-          image: glanceapp/glance:v0.8.4
+          image: glanceapp/glance:v0.8.5
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -1372,7 +1372,7 @@ spec:
        fsGroup: 1000
      initContainers:
        - name: build-bookmarks-index
-          image: mikefarah/yq:4.50.1
+          image: mikefarah/yq:4.53.2
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
@@ -1413,7 +1413,7 @@ spec:
              mountPath: /app/assets
      containers:
        - name: glance
-          image: glanceapp/glance:v0.8.4
+          image: glanceapp/glance:v0.8.5
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -258,7 +258,7 @@ spec:
      automountServiceAccountToken: true
      containers:
        - name: headlamp
-          image: ghcr.io/headlamp-k8s/headlamp:v0.40.0
+          image: ghcr.io/headlamp-k8s/headlamp:v0.42.0
          imagePullPolicy: IfNotPresent
          args:
            - "-in-cluster"
@@ -42,5 +42,5 @@ rbac:
 # Image configuration
 image:
  repository: registry.k8s.io/external-dns/external-dns
-  tag: v0.19.0
+  tag: v0.21.0
  pullPolicy: IfNotPresent
@@ -123,7 +123,7 @@ initContainer:
    registry: index.docker.io
    repository: alpine
    # -- If unset use latest
-    tag: "3.22"
+    tag: "3.23"
    sha: ""
    pullPolicy: IfNotPresent
@@ -181,7 +181,7 @@ rclone:
    registry: index.docker.io
    repository: rclone/rclone
    # -- If unset use latest
-    tag: 1.70.3
+    tag: 1.74.3
    sha: ""
    pullPolicy: IfNotPresent
@@ -372,7 +372,7 @@ spec:
      enableServiceLinks: true
      containers:
        - name: homepage
-          image: ghcr.io/gethomepage/homepage:v1.10.1
+          image: ghcr.io/gethomepage/homepage:v1.13.1
          imagePullPolicy: IfNotPresent
          env:
            # Required for external access
@@ -535,7 +535,7 @@ spec:
      enableServiceLinks: true
      containers:
        - name: homepage
-          image: ghcr.io/gethomepage/homepage:v1.10.1
+          image: ghcr.io/gethomepage/homepage:v1.13.1
          imagePullPolicy: IfNotPresent
          env:
            # Required for external access
@@ -241,7 +241,7 @@ spec:
              value: immich-valkey
            - name: TRANSFORMERS_CACHE
              value: /cache
-          image: ghcr.io/immich-app/immich-machine-learning:v2.5.5
+          image: ghcr.io/immich-app/immich-machine-learning:v2.7.5
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
@@ -416,7 +416,7 @@ spec:
              value: http://immich-machine-learning:3003
            - name: REDIS_HOSTNAME
              value: immich-valkey
-          image: docker.io/valkey/valkey:9.0-alpine@sha256:b4ee67d73e00393e712accc72cfd7003b87d0fcd63f0eba798b23251bfc9c394
+          image: docker.io/valkey/valkey:9.1-alpine@sha256:a35428eba9043cc0b79dbe54100f0c92784f2de00ad09b01182bfb1c5c83d1bd
          imagePullPolicy: IfNotPresent
          livenessProbe:
            exec:
@@ -282,7 +282,7 @@ spec:
    spec:
      initContainers:
        - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -294,7 +294,7 @@ spec:
              done
              echo "PostgreSQL is ready!"
        - name: wait-for-redis
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -584,7 +584,7 @@ spec:
      initContainers:
        # 1. Wait for PostgreSQL to accept connections
        - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -597,7 +597,7 @@ spec:
              echo "PostgreSQL is ready!"
        # 2. Wait for Redis to accept connections
        - name: wait-for-redis
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -612,7 +612,7 @@ spec:
        #    Prevents the worker from picking up stale queued jobs
        #    before schema migrations have been applied.
        - name: wait-for-api
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -136,7 +136,7 @@ spec:
        fsGroup: 1000
      containers:
        - name: filebrowser
-          image: gtstef/filebrowser:1.1.2-stable
+          image: gtstef/filebrowser:1.3.3-stable
          env:
            - name: TZ
              value: "Europe/Budapest"
@@ -348,7 +348,7 @@ spec:
    spec:
      containers:
        - name: prometheus
-          image: prom/prometheus:v3.9.1
+          image: prom/prometheus:v3.12.0
          args:
            - --config.file=/etc/prometheus/prometheus.yml
            - --storage.tsdb.path=/prometheus
@@ -529,7 +529,7 @@ spec:
        runAsGroup: 472
      containers:
        - name: grafana
-          image: grafana/grafana:12.3.2
+          image: grafana/grafana:12.4.4
          ports:
            - containerPort: 3000
              name: http
@@ -395,7 +395,7 @@ spec:
    spec:
      containers:
        - name: nextcloud
-          image: docker.io/library/nextcloud:32.0.2-apache
+          image: docker.io/library/nextcloud:33.0.4-apache
          imagePullPolicy: IfNotPresent
          env:
            - name: SMTP_HOST
@@ -552,7 +552,7 @@ spec:
            failureThreshold: 3
      initContainers:
        - name: postgresql-isready
-          image: docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r3
+          image: docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r3
          resources: {}
          securityContext: {}
          env:
@@ -637,7 +637,7 @@ spec:
      hostIPC: false
      containers:
        - name: postgresql
-          image: docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r3
+          image: docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r3
          imagePullPolicy: "IfNotPresent"
          securityContext:
            allowPrivilegeEscalation: false
@@ -0,0 +1,135 @@
 # BentoPDF - Privacy-focused PDF toolkit (all processing client-side, files never leave the server)
 # https://www.bentopdf.com  -  image: ghcr.io/alam00000/bentopdf
 # Domain: pdf.dooplex.hu
 # Version: 2.8.5
 # Database: None | Storage: None (stateless)
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: bentopdf
  namespace: office-system
  labels:
    app.kubernetes.io/name: bentopdf
    app.kubernetes.io/instance: bentopdf
    app.kubernetes.io/version: "2.8.5"
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: bentopdf
      app.kubernetes.io/instance: bentopdf
  template:
    metadata:
      labels:
        app.kubernetes.io/name: bentopdf
        app.kubernetes.io/instance: bentopdf
        app.kubernetes.io/version: "2.8.5"
      annotations:
        match-regex.version-checker.io/bentopdf: '^v\d+\.\d+\.\d+$'
    spec:
      containers:
        - name: bentopdf
          image: ghcr.io/alam00000/bentopdf:v2.8.5
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
              value: "Europe/Budapest"
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 15
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 3
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 384Mi
      restartPolicy: Always
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: bentopdf
  namespace: office-system
  labels:
    app.kubernetes.io/name: bentopdf
    app.kubernetes.io/instance: bentopdf
 spec:
  type: ClusterIP
  ports:
    - name: http
      port: 8080
      targetPort: http
      protocol: TCP
  selector:
    app.kubernetes.io/name: bentopdf
    app.kubernetes.io/instance: bentopdf
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: bentopdf
  namespace: office-system
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: pdf.dooplex.hu,pdf.home
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      set $geo_allowed 0;
      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
      if ($geo_allowed = 0) {
        return 403 "Access restricted to Hungary";
      }
  labels:
    app.kubernetes.io/name: bentopdf
    app.kubernetes.io/instance: bentopdf
 spec:
  ingressClassName: nginx-internal
  tls:
    - hosts:
        - pdf.dooplex.hu
      secretName: bentopdf-tls
  rules:
    - host: pdf.dooplex.hu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: bentopdf
                port:
                  number: 8080
    - host: pdf.home
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: bentopdf
                port:
                  number: 8080
@@ -27,7 +27,7 @@ spec:
    spec:
      containers:
        - name: onlyoffice
-          image: onlyoffice/documentserver:9.0.2
+          image: onlyoffice/documentserver:9.4.0
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -89,7 +89,7 @@ spec:
      initContainers:
        # Configure proxy auth in database before starting
        - name: configure-auth
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.13
          command:
            - sh
            - -c
@@ -109,7 +109,7 @@ spec:
            runAsGroup: 1001
      containers:
        - name: filebrowser
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.13
          command:
            - filebrowser
            - --database=/config/filebrowser.db
@@ -31,7 +31,7 @@ spec:
    spec:
      containers:
        - name: outline
-          image: outlinewiki/outline:1.4.0
+          image: outlinewiki/outline:1.8.0
          imagePullPolicy: IfNotPresent
          env:
            - name: NODE_ENV
@@ -158,7 +158,7 @@ spec:
      enableServiceLinks: false
      containers:
        - name: paperless
-          image: ghcr.io/paperless-ngx/paperless-ngx:2.20.6
+          image: ghcr.io/paperless-ngx/paperless-ngx:2.20.15
          imagePullPolicy: IfNotPresent
          env:
            # Database - using shared PostgreSQL in database-system namespace
@@ -43,7 +43,7 @@ spec:
    spec:
      containers:
        - name: mysql
-          image: mysql:8.0
+          image: mysql:8.4
          env:
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
@@ -121,7 +121,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:7.2.1
+          image: redis:7.4.9
          ports:
            - containerPort: 6379
              name: redis
@@ -244,7 +244,7 @@ spec:
    spec:
      containers:
        - name: qbittorrent
-          image: linuxserver/qbittorrent:5.1.4
+          image: linuxserver/qbittorrent:5.2.1
          imagePullPolicy: IfNotPresent
          env:
            - name: PUID
@@ -30,7 +30,7 @@ spec:
    spec:
      initContainers:
        - name: create-superuser
-          image: vabene1111/recipes:2.5
+          image: vabene1111/recipes:2.6
          workingDir: /opt/recipes
          command:
            - /bin/sh
@@ -106,7 +106,7 @@ spec:
                  key: email
      containers:
        - name: tandoor
-          image: vabene1111/recipes:2.5
+          image: vabene1111/recipes:2.6
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -41,7 +41,11 @@ spec:
    spec:
      containers:
        - name: termix
-          image: ghcr.io/lukegus/termix:release-1.11.0
+          # NOTE: termix uses a non-semver tag pattern (release-X.Y.Z).
          # Renovate handles it via a customManagers regex defined in
          # admin-system/renovate.yaml (the kubernetes manager doesn't
          # process inline `# renovate:` comments).
          image: ghcr.io/lukegus/termix:release-1.11.2
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -30,7 +30,7 @@ spec:
    spec:
      containers:
        - name: uptimekuma
-          image: louislam/uptime-kuma:2.3.2
+          image: louislam/uptime-kuma:2.4.0
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -28,7 +28,7 @@ spec:
    spec:
      containers:
        - name: vaultwarden
-          image: vaultwarden/server:1.35.2
+          image: vaultwarden/server:1.36.0
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -122,7 +122,7 @@ spec:
    spec:
      containers:
        - name: pocketbase
-          image: flomp/wanderer-db:v0.19.1
+          image: flomp/wanderer-db:v0.19.2
          env:
            - name: ORIGIN
              value: "https://wanderer.dooplex.hu"
@@ -192,7 +192,7 @@ spec:
    spec:
      containers:
        - name: wanderer-web
-          image: flomp/wanderer-web:v0.19.1
+          image: flomp/wanderer-web:v0.19.2
          env:
            - name: NODE_TLS_REJECT_UNAUTHORIZED
              value: "0"
@@ -130,7 +130,7 @@ spec:
      initContainers:
        # Configure proxy auth in database before starting
        - name: configure-auth
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.13
          command:
            - sh
            - -c
@@ -151,7 +151,7 @@ spec:
            runAsGroup: 1000
      containers:
        - name: filebrowser
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.13
          command:
            - filebrowser
            - --database=/config/filebrowser.db
@@ -315,7 +315,7 @@ spec:
      initContainers:
        # Create public directory if it doesn't exist
        - name: init-public-dir
-          image: busybox:1.36
+          image: busybox:1.38
          command: ["sh", "-c", "mkdir -p /srv/public && chmod 755 /srv/public"]
          volumeMounts:
            - name: data
@@ -324,7 +324,7 @@ spec:
            runAsUser: 0
      containers:
        - name: nginx
-          image: nginx:1.27-alpine
+          image: nginx:1.31-alpine
          ports:
            - containerPort: 8080
              name: http
@@ -153,7 +153,7 @@ spec:
        fsGroup: 1000
      initContainers:
        - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c