sofarr/CHANGELOG.md
Gronod c0dd93a1ab
feat: production hardening v1.2.0
Phase 1 - Licensing & Compliance:
- Add MIT LICENSE file
- Add copyright headers to server/index.js, poller.js, config.js,
  sanitizeError.js, and new loadSecrets.js

Phase 2 - Security Hardening:
- Add server/utils/loadSecrets.js: Docker secrets support via _FILE
  env var pattern (COOKIE_SECRET_FILE, EMBY_API_KEY_FILE, etc.)
- Add SSRF/URL validation in config.js: validates all configured
  service instance URLs for scheme and well-formedness at startup
- Add SIGTERM/SIGINT graceful shutdown: stops poller, drains HTTP
  connections, 10s force-exit fallback
- Warn at startup if COOKIE_SECRET is shorter than 32 characters
- Validate EMBY_URL scheme at startup
- Improve sanitizeError: redact host:port from axios error URLs
  while preserving path/query for other redaction patterns

Phase 3 - Config Robustness:
- Weak COOKIE_SECRET warning (< 32 chars)
- EMBY_URL validated via validateInstanceUrl on startup

Phase 4 - Docker & Deployment:
- .dockerignore: add tests/, coverage/, vitest.config.js,
  CHANGELOG.md, SECURITY.md, LICENSE, .markdownlint.json
- docker-compose.yaml: add commented Option B (Docker secrets
  _FILE pattern) alongside existing plain-env Option A

Phase 5 - Docs & Release Readiness:
- Add CHANGELOG.md with entries from v1.0.0 to v1.2.0
- Update SECURITY.md: supported versions table, fix Docker secrets
  note to reflect _FILE support now implemented
- Add public/.well-known/security.txt for responsible disclosure
- Bump version to 1.2.0
2026-05-17 19:40:07 +01:00

Changelog

All notable changes to this project will be documented in this file. Format follows Keep a Changelog. This project adheres to Semantic Versioning.


[1.2.0] - 2025-05-17

Security

  • Docker secrets support — all sensitive environment variables (COOKIE_SECRET, EMBY_API_KEY, SABNZBD_API_KEY, SONARR_API_KEY, RADARR_API_KEY, QBITTORRENT_PASSWORD) now support the standard _FILE variant for loading values from mounted secret files (e.g. COOKIE_SECRET_FILE=/run/secrets/cookie_secret).
  • Weak secret warning — server now warns at startup if COOKIE_SECRET is shorter than 32 characters.
  • EMBY_URL validation — validates the Emby URL scheme at startup and warns on misconfiguration.
  • Improved error sanitization: sanitizeError() now also redacts hostnames from full request URLs that may appear in axios error messages.
  • Graceful shutdown: SIGTERM and SIGINT handlers now stop the background poller and drain open HTTP connections before exiting. Prevents data loss and zombie processes on docker stop.
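
The _FILE pattern and the weak-secret warning listed above, as an added example that is not sofarr's own server/utils/loadSecrets.js. The function names, the file-over-env precedence and the warning texts are assumptions made for illustration.

```javascript
// Added example: hypothetical resolver, not the project's loadSecrets.js.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Variable names as listed in the changelog entry.
const SECRET_VARS = ['COOKIE_SECRET', 'EMBY_API_KEY', 'SABNZBD_API_KEY',
  'SONARR_API_KEY', 'RADARR_API_KEY', 'QBITTORRENT_PASSWORD'];

// Resolve each NAME from NAME_FILE when set (assumed precedence: file wins).
function resolveSecrets(env) {
  const values = {};
  const warnings = [];
  for (const name of SECRET_VARS) {
    const filePath = env[`${name}_FILE`];
    if (filePath) {
      if (env[name]) warnings.push(`${name} and ${name}_FILE both set; using file`);
      try {
        // Secret files usually end in a newline; strip it or the key will not match.
        values[name] = fs.readFileSync(filePath, 'utf8').replace(/\r?\n$/, '');
      } catch (err) {
        // Report the variable and error code only, never a path's contents.
        warnings.push(`${name}_FILE unreadable (${err.code})`);
      }
    } else if (env[name]) {
      values[name] = env[name];
    }
  }
  const cookie = values.COOKIE_SECRET;
  if (cookie !== undefined && cookie.length < 32) {
    warnings.push('COOKIE_SECRET is shorter than 32 characters');
  }
  return { values, warnings };
}

// Constructed demo: a temp file stands in for /run/secrets/cookie_secret.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'secrets-'));
  const file = path.join(dir, 'cookie_secret');
  fs.writeFileSync(file, 'short-secret\n', { mode: 0o600 });
  const result = resolveSecrets({
    COOKIE_SECRET_FILE: file,
    EMBY_API_KEY: 'constructed-emby-key',
    SONARR_API_KEY_FILE: path.join(dir, 'missing'),
  });
  fs.rmSync(dir, { recursive: true });
  return result;
}
```
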

Compliance

  • MIT LICENSE file added to project root.
  • Copyright headers added to key server source files (index.js, poller.js, config.js, sanitizeError.js, loadSecrets.js).
  • security.txt (/.well-known/security.txt) added for responsible disclosure.

Configuration

  • URL validation added to config.js — all configured service instance URLs are validated for scheme (http/https) and well-formedness at startup; malformed URLs emit a warning instead of crashing.
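
A sketch of the startup URL check described here and of the host redaction described under Security, as an added example that is not sofarr's config.js or sanitizeError.js. The helper names, warning texts and the `[redacted-host]` marker are assumptions, and the sample values are constructed.

```javascript
// Added example: hypothetical helpers, not the project's own code.

// Accept only well-formed http/https URLs. Returns a warning instead of
// throwing, so one bad entry does not stop startup.
function checkInstanceUrl(name, raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, warning: `${name}: not a well-formed URL` };
  }
  // "sonarr:8989" parses successfully with scheme "sonarr:", so a parse
  // check alone is not enough; the scheme has to be compared explicitly.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, warning: `${name}: scheme ${url.protocol} not allowed` };
  }
  return { ok: true, url: url.href };
}

// Replace the authority part (userinfo, host, port) of any http(s) URL in a
// message. Path and query are left in place for later redaction passes.
function redactHosts(message) {
  return String(message).replace(/\b(https?:\/\/)[^\/\s?#]+/gi, '$1[redacted-host]');
}

// Constructed configuration: one valid entry and two common mistakes.
function auditSample() {
  const sample = {
    EMBY_URL: 'https://emby.example:8096/emby',
    SONARR_URL: 'sonarr:8989',
    RADARR_URL: 'file:///etc/hostname',
  };
  return Object.entries(sample)
    .map(([name, raw]) => checkInstanceUrl(name, raw))
    .filter((result) => !result.ok)
    .map((result) => result.warning);
}
```
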

Docker / Deployment

  • docker-compose.yaml updated with commented Option B (Docker secrets _FILE pattern) alongside the existing plain-env Option A.
  • .dockerignore updated — tests/, coverage/, vitest.config.js, CHANGELOG.md, SECURITY.md, LICENSE, .markdownlint.json excluded from the production image.

CI

  • docs-check workflow added — separate Gitea Actions workflow that lints all Markdown files and validates Mermaid diagram syntax on every push that touches .md files. Both jobs use continue-on-error: true so documentation issues never block a release.
  • Mermaid diagrams in docs/ARCHITECTURE.md fixed — replaced invalid \n in stateDiagram transition labels, Unicode arrows/dashes, and double-spaces in flowchart edge definitions.

[1.1.2] - 2025-05-15

Changed

  • Server startup message now includes the current version (sofarr v1.1.2).

[1.1.1] - 2025-05-14

Fixed

  • Docker/TrueNAS SCALE healthcheck: dynamic HTTP/HTTPS selection based on TLS_ENABLED environment variable. Prevents containers from being stuck in "starting" state when TLS_ENABLED=false.

[1.1.0] - 2025-05-13

Added

  • Episode display — TV show download cards now show episode information (S01E01 format with title). Multi-episode packs show a "Multiple episodes" badge with a tooltip listing all episodes.
  • Episode tooltip — solid background colour (theme-dependent) for readability.
  • Sonarr queue and history API requests now include includeEpisode=true.

[1.0.0] - 2025-05-01

Added

  • Initial release.
  • SABnzbd queue and history integration.
  • qBittorrent torrent integration.
  • Sonarr and Radarr queue/history matching with user tag filtering.
  • Emby/Jellyfin authentication.
  • Server-Sent Events (SSE) real-time dashboard.
  • Per-request CSP nonce, CSRF double-submit, HSTS, Permissions-Policy.
  • Background polling with configurable interval and on-demand fallback.
  • Docker multi-stage build, non-root user, read-only filesystem.
  • TLS support with bundled snakeoil certificate.