Some checks failed
Build and Push Docker Image / build (push) Successful in 59s
CI / Security audit (push) Successful in 1m5s
CI / Tests & coverage (push) Successful in 1m24s
Docs Check / Markdown lint (push) Failing after 45s
Docs Check / Mermaid diagram parse check (push) Successful in 1m27s
CI / Security audit (pull_request) Successful in 51s
CI / Tests & coverage (pull_request) Successful in 1m1s
Docs Check / Markdown lint (pull_request) Failing after 39s
Docs Check / Mermaid diagram parse check (pull_request) Successful in 1m12s
Phase 1 - Licensing & Compliance:
- Add MIT LICENSE file
- Add copyright headers to server/index.js, poller.js, config.js, sanitizeError.js, and new loadSecrets.js

Phase 2 - Security Hardening:
- Add server/utils/loadSecrets.js: Docker secrets support via _FILE env var pattern (COOKIE_SECRET_FILE, EMBY_API_KEY_FILE, etc.)
- Add SSRF/URL validation in config.js: validates all configured service instance URLs for scheme and well-formedness at startup
- Add SIGTERM/SIGINT graceful shutdown: stops poller, drains HTTP connections, 10s force-exit fallback
- Warn at startup if COOKIE_SECRET is shorter than 32 characters
- Validate EMBY_URL scheme at startup
- Improve sanitizeError: redact host:port from axios error URLs while preserving path/query for other redaction patterns

Phase 3 - Config Robustness:
- Weak COOKIE_SECRET warning (< 32 chars)
- EMBY_URL validated via validateInstanceUrl on startup

Phase 4 - Docker & Deployment:
- .dockerignore: add tests/, coverage/, vitest.config.js, CHANGELOG.md, SECURITY.md, LICENSE, .markdownlint.json
- docker-compose.yaml: add commented Option B (Docker secrets _FILE pattern) alongside existing plain-env Option A

Phase 5 - Docs & Release Readiness:
- Add CHANGELOG.md with entries from v1.0.0 to v1.2.0
- Update SECURITY.md: supported versions table, fix Docker secrets note to reflect _FILE support now implemented
- Add public/.well-known/security.txt for responsible disclosure
- Bump version to 1.2.0
81 lines
3.7 KiB
Markdown
# Changelog

All notable changes to this project will be documented in this file.

Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

---

## [1.2.0] - 2025-05-17

### Security
- **Docker secrets support** — all sensitive environment variables (`COOKIE_SECRET`, `EMBY_API_KEY`, `SABNZBD_API_KEY`, `SONARR_API_KEY`, `RADARR_API_KEY`, `QBITTORRENT_PASSWORD`) now support the standard `_FILE` variant for loading values from mounted secret files (e.g. `COOKIE_SECRET_FILE=/run/secrets/cookie_secret`).

- **Weak secret warning** — server now warns at startup if `COOKIE_SECRET` is shorter than 32 characters.

- **EMBY_URL validation** — validates the Emby URL scheme at startup and warns on misconfiguration.

- **Improved error sanitization** — `sanitizeError()` now also redacts the host (and port) from full request URLs that can appear in axios error messages, while keeping the path and query so that the other redaction patterns still apply to them.

- **Graceful shutdown** — `SIGTERM` and `SIGINT` handlers now stop the background poller and drain open HTTP connections before exiting. Prevents data loss and zombie processes on `docker stop`.
### Compliance

- **MIT LICENSE file** added to project root.

- **Copyright headers** added to key server source files (`index.js`, `poller.js`, `config.js`, `sanitizeError.js`, `loadSecrets.js`).

- **`security.txt`** (`/.well-known/security.txt`) added for responsible disclosure.
### Configuration
- **URL validation** added to `config.js` — all configured service instance URLs are validated for scheme (`http`/`https`) and well-formedness at startup; malformed URLs emit a warning instead of crashing.
### Docker / Deployment

- **`docker-compose.yaml`** updated with commented Option B (Docker secrets `_FILE` pattern) alongside the existing plain-env Option A.

- **`.dockerignore`** updated — `tests/`, `coverage/`, `vitest.config.js`, `CHANGELOG.md`, `SECURITY.md`, `LICENSE`, `.markdownlint.json` excluded from the production image.

### CI

- **`docs-check` workflow** added — separate Gitea Actions workflow that lints all Markdown files and validates Mermaid diagram syntax on every push that touches `.md` files. Both jobs use `continue-on-error: true` so documentation issues never block a release.

- **Mermaid diagrams** in `docs/ARCHITECTURE.md` fixed — replaced invalid `\n` in stateDiagram transition labels, Unicode arrows/dashes, and double-spaces in flowchart edge definitions.
---

## [1.1.2] - 2025-05-15

### Changed

- Server startup message now includes the current version (`sofarr v1.1.2`).
---

## [1.1.1] - 2025-05-14

### Fixed

- Docker/TrueNAS SCALE healthcheck: dynamic HTTP/HTTPS selection based on `TLS_ENABLED` environment variable. Prevents containers from being stuck in "starting" state when `TLS_ENABLED=false`.
---

## [1.1.0] - 2025-05-13

### Added

- **Episode display** — TV show download cards now show episode information (S01E01 format with title). Multi-episode packs show a "Multiple episodes" badge with a tooltip listing all episodes.

- **Episode tooltip** — solid background colour (theme-dependent) for readability.

- Sonarr queue and history API requests now include `includeEpisode=true`.
---

## [1.0.0] - 2025-05-01

### Added

- Initial release.

- SABnzbd queue and history integration.

- qBittorrent torrent integration.

- Sonarr and Radarr queue/history matching with user tag filtering.

- Emby/Jellyfin authentication.

- Server-Sent Events (SSE) real-time dashboard.

- Per-request CSP nonce, CSRF double-submit, HSTS, Permissions-Policy.

- Background polling with configurable interval and on-demand fallback.

- Docker multi-stage build, non-root user, read-only filesystem.

- TLS support with bundled snakeoil certificate.