Update koenkk/zigbee2mqtt Docker tag to v2.10.1

[renovate]

This PR contains the following updates:

Package	Update	Change
koenkk/zigbee2mqtt	minor	2.9.2 → 2.10.1

---

Release Notes

Koenkk/zigbee2mqtt (koenkk/zigbee2mqtt)

v2.10.1

Compare Source

Bug Fixes

• ignore: bump @​biomejs/biome from 2.4.13 to 2.4.14 in the minor-patch group across 1 directory (#​31881) (55f12ff)
• ignore: bump express-static-gzip from 3.0.0 to 3.0.1 in the minor-patch group (#​31924) (24e9027)
• ignore: update zigbee-herdsman-converters to 26.43.0 (#​31878) (19eb05a)
• ignore: update zigbee-herdsman-converters to 26.44.0 (#​31900) (845bdb7)
• ignore: update zigbee-herdsman-converters to 26.45.0 (#​31925) (8727abd)
• ignore: update zigbee-herdsman-converters to 26.46.0 (#​31937) (cc84566)
• Replace deprecated url.parse (#​31845) (9f7ea9b)

v2.10.0

Compare Source

Features

• Home Assistant: add group entities in discovery config (#​31663) (0419726)

Bug Fixes

• Clarify units of pause_on_backoff_gt (#​31668) (4a63e65)
• deps: bump googleapis/release-please-action from 4 to 5 (#​31805) (4e527bb)
• ignore: bump @​biomejs/biome from 2.4.10 to 2.4.11 in the minor-patch group (#​31699) (cdd7357)
• ignore: bump @​types/node from 24.12.0 to 24.12.2 in the minor-patch group across 1 directory (#​31628) (e6dd5c7)
• ignore: bump the minor-patch group with 2 updates (#​31758) (7ba232e)
• ignore: bump the minor-patch group with 3 updates (#​31806) (b3983b3)
• ignore: bump typescript from 5.9.3 to 6.0.2 (#​31560) (9e27181)
• ignore: update zigbee-herdsman to 10.0.6 (#​31636) (aef3242)
• ignore: update zigbee-herdsman to 10.0.7 (#​31673) (a0204ad)
• ignore: update zigbee-herdsman-converters to 26.28.0 (#​31574) (08e4e9e)
• ignore: update zigbee-herdsman-converters to 26.29.0 (#​31586) (23f9847)
• ignore: update zigbee-herdsman-converters to 26.30.0 (#​31608) (6b567c1)
• ignore: update zigbee-herdsman-converters to 26.31.0 (#​31637) (a50065c)
• ignore: update zigbee-herdsman-converters to 26.32.0 (#​31653) (4818cc4)
• ignore: update zigbee-herdsman-converters to 26.33.1 (#​31674) (0c9ec72)
• ignore: update zigbee-herdsman-converters to 26.34.0 (#​31702) (55d8d1f)
• ignore: update zigbee-herdsman-converters to 26.35.0 (#​31713) (0a7dfce)
• ignore: update zigbee-herdsman-converters to 26.36.0 (#​31737) (a54775d)
• ignore: update zigbee-herdsman-converters to 26.37.0 (#​31749) (78f440b)
• ignore: update zigbee-herdsman-converters to 26.38.0 (#​31768) (305b7bc)
• ignore: update zigbee-herdsman-converters to 26.38.1 (#​31777) (3bb3d56)
• ignore: update zigbee-herdsman-converters to 26.39.1 (#​31783) (e715078)
• ignore: update zigbee-herdsman-converters to 26.40.0 (#​31800) (429c5ae)
• ignore: update zigbee-herdsman-converters to 26.41.0 (#​31820) (c581623)
• ignore: update zigbee-herdsman-converters to 26.42.0 (#​31830) (df26459)
• Improve transmit power description (#​31735) (5974286)

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • "after 2am and before 8am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

koenkk/zigbee2mqtt (docker) 2.9.2 -> 2.10.1

Risk: 🔴 Risk

The Deep Dive

Update Scope

This PR updates the Ansible-managed Zigbee2MQTT container image from koenkk/zigbee2mqtt:2.9.2@sha256:2a21bbf7a664a149024bbe1f776e3151f28ed9db15948270dcbffb89544a41f0 to koenkk/zigbee2mqtt:2.10.1@sha256:67c26dcf8346aced02fe1380a6afd1b57268bcef10faae3f6057c13d5d3dfa80 in the infra PR file diff. The changed default is consumed by the role's Docker Compose template and deployed to the zigbee2mqtt inventory host, so this changes the live app runtime, not just metadata. Bundled runtime dependencies also move from zigbee-herdsman 10.0.5 to 10.0.7, zigbee-herdsman-converters 26.27.0 to 26.46.0, zigbee2mqtt-windfront 2.11.1 to 2.11.2, express-static-gzip 3.0.0 to 3.0.1, and ajv 8.18.0 to 8.20.0; the Node engine range and zigbee2mqtt-frontend stay unchanged in the upstream package.json comparison.

Performance & Stability

• Open upstream issue 31961 reports filtered_cache stopped suppressing linkquality-only messages after upgrading from 2.9.2 to 2.10.1, with the reporter seeing host CPU around 20 percent versus a 7 percent baseline. The repo does not contain the Zigbee2MQTT application configuration.yaml, because the role mounts /etc/zigbee2mqtt/data into the container, so CI cannot rule out this setting in the deployed data directory.
• Open upstream issue 32008 reports OTA updates hanging on 2.10.1, requiring a Zigbee2MQTT restart to recover. It is labeled fixed-in-dev, and the related abort-OTA work is still open in upstream pull request 32022, so the proposed stable release does not yet include that mitigation.

Features & UX

• Zigbee2MQTT v2.10.0 adds Home Assistant MQTT group entity discovery through upstream pull request 31663. It requires Home Assistant newer than 2026.4 and already configured member entities; after Zigbee2MQTT publishes the group discovery payloads, the Home Assistant MQTT integration must be reloaded for group entities to appear.
• This repo has Home Assistant MQTT configuration in kubernetes/hass/config/configuration.yaml, but the Zigbee2MQTT app configuration that would show homeassistant.enabled is not stored in the repo. To use the new feature, the mounted Zigbee2MQTT config needs homeassistant: enabled: true and actual Zigbee groups in the Zigbee2MQTT data directory.

Security

• No CVEs or GitHub Security Advisories were found for the direct zigbee2mqtt 2.9.2 to 2.10.1 range in the upstream GitHub security advisories endpoint or in OSV. OSV also returned no advisories for the checked changed runtime packages zigbee-herdsman, zigbee-herdsman-converters, and express-static-gzip at the old and new versions.

Key Fixes

• Zigbee2MQTT v2.10.1 is a hotfix release for several Tuya device attributes that were not updating or writable, including issue 31851, issue 31835, and issue 31850. This is beneficial only if the deployed Zigbee network contains those affected Tuya devices, and the repo does not include the Zigbee2MQTT database.db device inventory.
• Pull request 31845 replaces deprecated url.parse usage in the frontend websocket upgrade path. The local Docker Compose template exposes the Zigbee2MQTT frontend through Traefik on container port 8080, so the frontend code path is part of this deployment when the UI is used.

Newer Versions

• 2.10.1 is the latest upstream release in the release list as of May 21, 2026, so there is no newer stable version to skip to.
• The unresolved OTA report in issue 32008 has fixed-in-dev signal and upstream pull request 32022 is still open. That suggests a future stable may contain relevant recovery behavior, but it is not available in the proposed 2.10.1 image.

Hazards & Risks

• Known upstream regression: issue 31961 says filtered_cache worked on 2.9.2 and no longer filters linkquality-only messages on 2.10.1, with material CPU impact in the reporter's setup. The deployed app config is outside this repo, so this cannot be dismissed in CI.
• Known upstream regression: issue 31847 says Lutron Aurora Z3-1BRL button action_level alternation is broken on 2.10.0 and recovers on rollback to 2.9.1. The repo does not include the Zigbee2MQTT device database, so this cannot be ruled out for the local network.
• Known upstream risk: issue 32008 reports OTA sessions hanging on 2.10.1 and needing a Zigbee2MQTT restart; the linked mitigation in pull request 32022 is not merged into a stable release.
• Lower-confidence device-specific risk: issue 32062 reports Namron Touch thermostat 4512737 management failures on 2.10.1, but upstream requested logs and noted the suspected converter refactor was not released. Treat this as watch-list evidence, not the primary reason for the label.
• Deployment impact: the Ansible role templates docker-compose.yaml and starts the Compose project with wait: true; changing the image pin will recreate or restart the Zigbee2MQTT container on the pantrypi host when the role is applied.

Sources

• Infra PR 2234 file diff
• Zigbee2MQTT v2.10.1 release
• Zigbee2MQTT v2.10.0 release
• Zigbee2MQTT 2.9.2 to 2.10.1 compare
• Home Assistant group discovery PR 31663
• filtered_cache regression issue 31961
• Lutron Aurora regression issue 31847
• OTA instability issue 32008
• OTA abort PR 32022
• Namron thermostat issue 32062
• Zigbee2MQTT security advisories
• OSV vulnerability database

---

🔴 Verdict: Risk

Label this renovate:risk: the PR updates the live Zigbee2MQTT runtime and there are open upstream 2.10.x regressions that cannot be ruled out from the CI-only repo because the deployed Zigbee2MQTT config and device database are host-mounted data. CI is mostly passing, but the deployment decision should account for rollback readiness and post-deploy monitoring of MQTT volume, OTA behavior, and Zigbee device actions.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (2.10.1). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.