Skip to content

v0.7.5 — Plugin install hotfix (CSP + bind-mount perms)

Choose a tag to compare

@Arediss Arediss released this 26 Apr 00:43

Hotfix

Two prod-blocking bugs uncovered while testing the 0.7.4 plugin install flow against a live self-hosted instance.

Fixes

  • Resolve plugin install URL server-side. 0.7.4 added a frontend fetch() to api.github.com to prefer a Release asset over the GitHub-generated source tarball. The prod CSP blocks api.github.com from connect-src, so the fetch silently failed and the install fell back to the source tarball — same broken end state as 0.7.3 for plugins like kedaewyn/Leonarr that don't commit dist/ to their repo. The resolution now lives backend-side (already trusted with GitHub calls for the update check), so the fix actually applies in prod. The /plugins/install endpoint accepts { repository } from the registry path and a raw { url } for manual installs.

  • Auto-chown the plugins directory at boot. Self-hosters with a host bind-mount for /app/packages/plugins (the docker-compose default) hit EACCES when Oscarr tried to mkdir the staging dir for an install — the host directory wasn't owned by uid 1001 (the in-container oscarr user). The entrypoint now chowns + chmod 2775 (setgid) the plugins dir at boot, the same way it already handles /data. Files dropped by the host maintainer keep the right group and both sides can write.

If GITHUB_TOKEN is set on the Oscarr container's env, the install resolution path uses it — useful if your registry's source is rate-limited.


Full changelog: v0.7.4...v0.7.5

Upgrading

```
docker pull ghcr.io/arediss/oscarr:0.7.5
```
or
```
docker pull ghcr.io/arediss/oscarr:latest
```