Paperless-ngx vs HelloID

Two release lines run in parallel. The v2.20.x stable branch is in aggressive security-patch mode — five GHSA-tagged security releases in roughly two months (v2.20.7, 2.20.8, 2.20.9, 2.20.12, 2.20.15) plus a stream of permission-scope and workflow bug fixes. Meanwhile, v3.0.0-beta.rc1 just dropped with the largest feature surface in the project's history: Paperless AI, Remote OCR via Azure AI, sharelink bundles, document file versions, a document parser plugin framework, and a swap of the Whoosh search backend for Tantivy. The v3 cut also lands eleven explicit breaking changes — old API versions removed, encryption support dropped, Python 3.10 support cut, OCR control decoupled from archive-file control.

The arc is a generational rewrite landing on top of a hardened v2 foundation. The team is using v2.20.x to absorb security disclosures (often credited to community researchers) while v3 takes on the architectural debt — fresh migrations from scratch, removed legacy paths, a search engine swap, and a plugin framework that opens the parser surface to extensions. The simultaneous Paperless AI and Azure AI Remote OCR features signal a deliberate move into AI-augmented document processing rather than a passive integration.

Expect more v2.20.x security and bugfix releases through the v3 beta period, then a coordinated migration push when v3 stabilizes — Tantivy reindexing and the API-version removals will both gate that upgrade. Watch the next v3 beta for what Paperless AI actually exposes (suggestion-only vs auto-classification) and whether the plugin framework gets a public extension point doc.