v1.3.0 — queue authority + security hardening

@coaxk coaxk released this 07 Jun 20:00
· 79 commits to main since this release

subarr v1.3.0 — the queue you control, plus a security-hardening pass. Recommended upgrade for everyone (includes security fixes).

Queue authority (#66) + throttled backfill (#116)

subarr now holds its own pending queue in front of subgen and feeds it at a set depth instead of flooding it. New Pending panel on the Queue page: promote / demote / reorder + pause/resume + target-depth. Backfill gaps drains your whole verified-gap backlog gently in the background — steady catch-up, no GPU stampede. subgen's queue is treated as shared, so subarr never steps on jobs other tools queued.

Smarter coverage

  • Settle-window (#117) — optionally let Bazarr/providers land a real sub before subarr transcribes a freshly-imported file (opt-in; manual transcribe always bypasses).
  • Mis-grouped-series detector (#140) — catches a Sonarr series that's secretly two different shows (e.g. Korean + Russian episodes) via per-episode spoken-language divergence, with a per-series dismiss.

Reliability + fixes

  • Health page (#157) — background loops are supervised; a silent failure now shows up red with its traceback instead of freezing quietly.
  • Update checker (#158) — now reads the GitHub releases Atom feed, fixing the "403 rate limit exceeded" error that stopped update checks for users behind NAT/CGNAT.
  • GPU is now optional + uses the portable runtime: nvidia form (#162) — subarr never transcodes (subgen does); it only ran nvidia-smi for the Monitor sparkline. No more forced Swarm-style GPU block on GPU-less hosts.
  • settle_minutes + queue controls now persist on save; the Bazarr-badge probe no longer logs a stray traceback on a transient blip.

Security

A full adversarial audit — the code itself came back clean (no injection, path-traversal, XSS, or SSRF bypass; restrictive CSP; parameterized SQL; anonymous telemetry). Hardened the edges:

  • Onboarding state no longer returns arr/Plex API keys in cleartext (masked, with a merge-guard so a resuming wizard can't clobber a stored key).
  • Supervised-task tracebacks redact credential query-string params (Tautulli ?apikey=, Plex ?X-Plex-Token=).
  • /api/health trimmed to {status, version} — no config leak; auth-disabled now warns loudly.
  • The example compose uses a read-only Docker socket-proxy by default (no raw /var/run/docker.sock) — removes the host-RCE blast radius if subarr is ever exposed/compromised. Trade-off: in-app subgen auto-restart is disabled under this default; mount the raw socket if you want it back.
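The traceback redaction and the masked-key merge-guard from the list above, as an added Python example; this is not subarr's own code (its implementation is not shown here, and Python is assumed only because it is a natural fit), and the sample traceback is constructed:

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Query-string parameter names that carry credentials. The two named in the
# release notes (Tautulli ?apikey=, Plex ?X-Plex-Token=) are the defaults;
# matching is case-insensitive so ?ApiKey= is caught as well.
SENSITIVE_PARAMS = frozenset({"apikey", "x-plex-token"})

# Rough URL matcher for free text: scheme://... up to whitespace or a closing quote/bracket.
_URL_RE = re.compile(r"""https?://[^\s'")\]>]+""")


def redact_url(url: str, sensitive=SENSITIVE_PARAMS, mask: str = "***") -> str:
    """Mask the values of sensitive query params; everything else in the URL is kept byte-for-byte."""
    parts = urlsplit(url)
    if not parts.query:
        return url

    def _one(pair: str) -> str:
        key, sep, _value = pair.partition("=")
        return f"{key}={mask}" if sep and key.lower() in sensitive else pair

    query = "&".join(_one(p) for p in parts.query.split("&"))
    return urlunsplit(parts._replace(query=query))


def redact_traceback(text: str, sensitive=SENSITIVE_PARAMS) -> str:
    """Redact credential params in every URL embedded in a traceback or log blob."""
    return _URL_RE.sub(lambda m: redact_url(m.group(0), sensitive), text)


def mask_key(key: str, keep: int = 4) -> str:
    """Mask a stored API key for display: only the last `keep` characters survive."""
    if len(key) <= keep:
        return "*" * len(key)
    return "*" * (len(key) - keep) + key[-keep:]


def merge_key(stored: str, submitted: str) -> str:
    """Merge-guard: a resuming wizard that resubmits the masked placeholder (or nothing)
    must not clobber the real stored key; only a genuinely new value replaces it."""
    if not submitted or submitted == mask_key(stored):
        return stored
    return submitted


# Constructed sample traceback with two credential-bearing URLs (not real keys).
SAMPLE_TRACEBACK = """Traceback (most recent call last):
  File "probe.py", line 12, in check
    r = session.get("http://tautulli:8181/api/v2?apikey=abc123def456&cmd=get_activity")
requests.exceptions.ConnectionError: http://plex:32400/status/sessions?X-Plex-Token=s3cr3tT0k3n#frag
"""
```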

Image

ghcr.io/coaxk/subarr:1.3.0 (also :1.3, :1, :latest)

Full details in CHANGELOG.md.