
Paperless-ngx

COLLAB
Velocity 5.0

Document management system that transforms physical documents into a searchable archive.

Paperless-ngx is rebuilding for v3 with AI, a plugin framework, and a Tantivy search rewrite.

Tags: document management, ai-augmented ocr, search backend rewrite, plugin framework, security patching, v3 generational rewrite
Current state
Two release lines run in parallel. The v2.20.x stable branch is in aggressive security-patch mode — five GHSA-tagged security releases in roughly two months (v2.20.7, 2.20.8, 2.20.9, 2.20.12, 2.20.15) plus a stream of permission-scope and workflow bug fixes. Meanwhile, v3.0.0-beta.rc1 just dropped with the largest feature surface in the project's history: Paperless AI, Remote OCR via Azure AI, sharelink bundles, document file versions, a document parser plugin framework, and a swap of the Whoosh search backend for Tantivy. The v3 cut also lands eleven explicit breaking changes — old API versions removed, encryption support dropped, Python 3.10 support cut, OCR control decoupled from archive-file control.
Where it's heading
The arc is a generational rewrite landing on top of a hardened v2 foundation. The team is using v2.20.x to absorb security disclosures (often credited to community researchers) while v3 takes on the architectural debt — fresh migrations from scratch, removed legacy paths, a search engine swap, and a plugin framework that opens the parser surface to extensions. The simultaneous Paperless AI and Azure AI Remote OCR features signal a deliberate move into AI-augmented document processing rather than a passive integration.
Prediction
Expect more v2.20.x security and bugfix releases through the v3 beta period, then a coordinated migration push when v3 stabilizes — Tantivy reindexing and the API-version removals will both gate that upgrade. Watch the next v3 beta for what Paperless AI actually exposes (suggestion-only vs auto-classification) and whether the plugin framework gets a public extension point doc.

Recent moves

  1. 14d ago

    v3.0.0-beta.rc1: Paperless AI, Tantivy search, plugin framework, eleven breaking changes

    v3.0.0-beta.rc1 is the broadest cut Paperless-ngx has ever shipped: Paperless AI, Remote OCR via Azure AI, document file versions, sharelink bundles, a document parser plugin framework, and a wholesale swap of Whoosh for Tantivy. The eleven breaking changes — including dropping API v1, dropping Python 3.10, removing encryption, dropping pyzbar, and a from-scratch re-creation of all migrations — set up an upgrade path that operators will need to plan around.

  2. 24d ago

    v2.20.15: GHSA-8c6x-pfjq-9gr7 security patch and allauth login scoping

    v2.20.15 closes GHSA-8c6x-pfjq-9gr7, scopes mail-account enumeration correctly, and tightens the allauth login/logout endpoints. Fits the v2.20.x security-cadence pattern; community researchers credited.

  3. 1mo ago

    v2.20.14: permission-scope and workflow bug sweep

    v2.20.14 ships seven targeted fixes covering permission submission for non-owners, share-link viewset action limits, deferred tag-change workflow application, duplicate parent tag IDs, and date custom-field validation. A typical maintenance-line cut focused on hardening permission edges.

  4. 2mo ago

    v2.20.13: permission enforcement on more-like search and mail rules

    v2.20.13 requires view permission for more-like search results, validates document link targets, and enforces permissions when attaching accounts to mail rules. Same pattern of closing authorization gaps the v3 work will inherit.

  5. 2mo ago

    v2.20.12: GHSA-96jx-fj7m-qh6x patch and workflow filename scoping

    v2.20.12 patches GHSA-96jx-fj7m-qh6x and scopes workflow saves so they don't clobber filename or archive_filename fields. Companion fixes cover non-root usermod handling and basic-auth offered only on appropriate requests.

  6. 2mo ago

    v2.20.11: GHSA-59xh-5vwx-4c4q patch and stale workflow filename fix

    v2.20.11 closes GHSA-59xh-5vwx-4c4q and fixes a stale-DB-filename condition during workflow actions, plus dropdown UX cleanups. Third security release in three weeks on the v2.20.x line.
