sofarr/CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file. Format follows Keep a Changelog. This project adheres to Semantic Versioning.

---

[1.2.1] - 2026-05-17

Added

• Version footer — the dashboard footer now displays the running app version (e.g. sofarr v1.2.1), fetched from the /health endpoint on page load.

---

[1.2.0] - 2025-05-17

Security

• Docker secrets support — all sensitive environment variables (COOKIE_SECRET, EMBY_API_KEY, SABNZBD_API_KEY, SONARR_API_KEY, RADARR_API_KEY, QBITTORRENT_PASSWORD) now support the standard _FILE variant for loading values from mounted secret files (e.g. COOKIE_SECRET_FILE=/run/secrets/cookie_secret).
• Weak secret warning — server now warns at startup if COOKIE_SECRET is shorter than 32 characters.
• EMBY_URL validation — validates the Emby URL scheme at startup and warns on misconfiguration.
• Improved error sanitization — sanitizeError() now also redacts hostnames from full request URLs that may appear in axios error messages.
• Graceful shutdown — SIGTERM and SIGINT handlers now stop the background poller and drain open HTTP connections before exiting. Prevents data loss and zombie processes on docker stop.

Compliance

• MIT LICENSE file added to project root.
• Copyright headers added to key server source files (index.js, poller.js, config.js, sanitizeError.js, loadSecrets.js).
• security.txt (/.well-known/security.txt) added for responsible disclosure.

Configuration

• URL validation added to config.js — all configured service instance URLs are validated for scheme (http/https) and well-formedness at startup; malformed URLs emit a warning instead of crashing.

Docker / Deployment

• docker-compose.yaml updated with commented Option B (Docker secrets _FILE pattern) alongside the existing plain-env Option A.
• .dockerignore updated — tests/, coverage/, vitest.config.js, CHANGELOG.md, SECURITY.md, LICENSE, .markdownlint.json excluded from the production image.

CI

• docs-check workflow added — separate Gitea Actions workflow that lints all Markdown files and validates Mermaid diagram syntax on every push that touches .md files. Both jobs use continue-on-error: true so documentation issues never block a release.
• Mermaid diagrams in docs/ARCHITECTURE.md fixed — replaced invalid \n in stateDiagram transition labels, Unicode arrows/dashes, and double-spaces in flowchart edge definitions.

---

[1.1.2] - 2025-05-15

Changed

• Server startup message now includes the current version (sofarr v1.1.2).

---

[1.1.1] - 2025-05-14

Fixed

• Docker/TrueNAS SCALE healthcheck: dynamic HTTP/HTTPS selection based on TLS_ENABLED environment variable. Prevents containers from being stuck in "starting" state when TLS_ENABLED=false.

---

[1.1.0] - 2025-05-13

Added

• Episode display — TV show download cards now show episode information (S01E01 format with title). Multi-episode packs show a "Multiple episodes" badge with a tooltip listing all episodes.
• Episode tooltip — solid background colour (theme-dependent) for readability.
• Sonarr queue and history API requests now include includeEpisode=true.

---

[1.0.0] - 2025-05-01

Added

• Initial release.
• SABnzbd queue and history integration.
• qBittorrent torrent integration.
• Sonarr and Radarr queue/history matching with user tag filtering.
• Emby/Jellyfin authentication.
• Server-Sent Events (SSE) real-time dashboard.
• Per-request CSP nonce, CSRF double-submit, HSTS, Permissions-Policy.
• Background polling with configurable interval and on-demand fallback.
• Docker multi-stage build, non-root user, read-only filesystem.
• TLS support with bundled snakeoil certificate.