Skip to content

v0.8.1

Choose a tag to compare

@Arediss Arediss released this 10 May 02:26

⚠️ BREAKING — OSCARR_SECRET_KEY is now MANDATORY

Before upgrading, generate a 32-byte hex key and add it to your environment. Without it, Oscarr will refuse to boot.

Generate one (host with Node):

node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

No Node on host? Just boot the container without the key — Oscarr exits with a friendly message and a freshly-generated key you can copy-paste:

docker compose up
# … look for the "Oscarr — secret key required" block in the logs:
#   OSCARR_SECRET_KEY=<copy this line into your .env>

Then add to your compose / env file:

environment:
  - JWT_SECRET=your_random_jwt_secret
  - OSCARR_SECRET_KEY=your_64_hex_chars_key

🔐 Lose this key = stored service credentials become unrecoverable and need to be re-entered manually. Treat it like a password — back it up.

Existing plaintext credentials get flagged in the admin (floating banner, bottom-right) and re-encrypted automatically on next save.


Compose gotcha

Compose reads .env for YAML interpolation only — vars don't reach the container unless declared in environment: or loaded via env_file:. The bundled docker-compose.yml was patched post-release to do both. If you maintain your own compose file, make sure it has either:

env_file:
  - .env

…or…

environment:
  - OSCARR_SECRET_KEY=${OSCARR_SECRET_KEY}

Verify with: docker compose config | grep OSCARR_SECRET_KEY (must show the real value, not the placeholder).


Highlights

New

  • Seerr-compatible API at /api/v1/* — third-party tools (Homarr, Doplarr) can talk to Oscarr without a custom integration. Endpoints not yet implemented return a clean 501 Not Implemented.
  • Per-app API keys with revocation (Admin → Access → API Keys) — each external integration gets its own scoped credential.
  • AES-256-GCM encryption at rest for service credentials. Master key derived from OSCARR_SECRET_KEY via HKDF-SHA256.
  • Secure password reveal/copy modal — replaces the native prompt() for credential reveal in the admin.
  • TMDB trending backdrop on the login page — random pick from the top 10 trending titles.

Improved

  • qBittorrent 5.x compatibility — provider now uses API-key auth (Authorization: Bearer). Drops username/password. Pause/resume hit the new /torrents/stop and /torrents/start endpoints.
  • Searchable plugin Discover with filters (Hide installed, Nouveau pill).
  • Reusable ConfirmModal — replaces confirm()/alert() across destructive admin actions.

Removed

  • *Drop arr tag-based request sync — replaced by the upcoming Seerr import path (#192).

Fixes

  • Bump better-sqlite3 to 12.9 for Node 24+ support.
  • Slim README + extract docs/installation.md.

CI

  • Advisory React Doctor job on push + PR.

Image

ghcr.io/arediss/oscarr:0.8.1
ghcr.io/arediss/oscarr:latest

Multi-arch (linux/amd64, linux/arm64), keyless-signed (Sigstore / cosign), SPDX SBOM attached.