nodemon@2 depends on simple-update-notifier which depends on a
vulnerable range of semver (7.0.0-7.5.1, GHSA-c2qf-rxjj-qqgw).
Upgrading to nodemon@3 pulls in a clean dependency tree.
npm audit now reports 0 vulnerabilities.
Added .gitea/workflows/ci.yml which runs 'npm audit --audit-level=moderate'
on every push and PR. Fails the build on any moderate or higher severity
finding.
Also added 'npm run audit' and 'npm run audit:fix' convenience scripts
to package.json for local use.
Adds X-DNS-Prefetch-Control, X-Frame-Options, X-Content-Type-Options,
Referrer-Policy, X-XSS-Protection, HSTS (in prod) and others.
CSP disabled for now as the SPA uses inline scripts/styles; a
nonce/hash-based policy is a future hardening step.
Uses express-rate-limit@6 (pinned for Node 12 dev compat; Node 18
in prod container is unaffected). Limits each IP to 10 attempts per
15-minute window. Returns 429 with a safe error message on breach.
- Fix seriesMap key (use Sonarr internal id, not tvdbId)
- Fix Sonarr tag resolution (use tag map like Radarr)
- Use sourceTitle for history record matching
- Fall back to embedded movie/series objects when API timeouts
- Add includeMovie/includeSeries params to queue/history API calls
- Add coverArt field to all download responses (TMDB poster URLs)
- Add cover art display to frontend download cards
- Fix user-summary route to use instance config and tag maps
