Skip to content

Releases: drohack/Keeparr

v0.3.6

Choose a tag to compare

@github-actions github-actions released this 07 Jul 19:01

Full Changelog: v0.3.5...v0.3.6

v0.3.5 — Plex discovery uses the LAN IP

Choose a tag to compare

@drohack drohack released this 07 Jul 16:37

Fixed

  • Plex server discovery now connects to the raw LAN IP (http://<ip>:<port>) for local servers instead of the .plex.direct HTTPS URL. The .plex.direct address needs public DNS + certificate validation that a Docker bridge container often can't satisfy, which made clicking a discovered Local connection silently fail. Discovery now hands the container the directly-reachable address — the same thing you'd set manually.
  • A failed connection test during discovery now prompts to save anyway instead of doing nothing.

Install / update

ghcr.io/drohack/keeparr:latest

Unraid: update from the Docker tab. Multi-arch (amd64 + arm64).

v0.3.4 — Security hardening (pre-CA-listing)

Choose a tag to compare

@drohack drohack released this 07 Jul 15:10

Security hardening release ahead of the Unraid Community Applications listing. No functional changes to the keep/report workflow.

Security fixes

Auth & access

  • The poster image proxy (/api/image) now enforces its own authentication — a request with a bogus X-Api-Key header can no longer bypass the gate.
  • New per-user session revocation: a "Sign out all devices" action in the user menu (and admin-disabling a user) immediately invalidates that account's outstanding session tokens.
  • Login brute-force protection now buckets per-username and globally, so rotating X-Forwarded-For can't sidestep it; the Plex PIN create/poll endpoints are rate-limited too.
  • First-run setup rejects non-HTTP(S) server URLs before probing.
  • In production, Keeparr now fails closed on a missing/insecure SESSION_SECRET and warns on a weak one.

Container (Unraid-friendly)

  • Runs non-root with PUID/PGID support (defaults 1001; use 99/100 on Unraid). The container fixes /data ownership on start, so a fresh appdata path no longer causes a permission error.
  • HEALTHCHECK honors a custom PORT; app files are root-owned/read-only; base image is digest-pinned.

Hardening

  • 15s timeout on all outbound requests; poster proxy clamps dimensions and only serves images.
  • GitHub Actions pinned to commit SHAs with Dependabot to keep them current.

Upgrade notes

  • If you set SESSION_SECRET yourself, make sure it's high-entropy (openssl rand -hex 32) — a short value now warns at boot.
  • On Unraid, set PUID=99 / PGID=100 to match your appdata ownership.

v0.3.3 — security hardening

Choose a tag to compare

@drohack drohack released this 07 Jul 14:10

A security-hardening pass ahead of the Unraid Community Applications listing. No user-facing feature changes.

Fixed

  • SSRF hardening — the poster proxy now allowlists the image path (Plex /library/… only; no :///..), so it can't be used to make the media server fetch arbitrary URLs.
  • Login rate limiting — Jellyfin/Emby credential logins are capped per IP (brute-force defense).
  • Constant-time API-key comparison.
  • Loud warning on a production boot using the default SESSION_SECRET.
  • Dependencies: npm audit clean (postcss pinned).
  • Image: npm/yarn/corepack stripped from the runtime layer → no HIGH/CRITICAL CVEs in the published image.
  • Response headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and a frame-ancestors CSP (clickjacking protection).

Install

ghcr.io/drohack/keeparr:latest

Multi-arch (amd64 + arm64).

v0.3.2 — zero-config install

Choose a tag to compare

@drohack drohack released this 07 Jul 03:24

What's new

No required secrets at install. The container now auto-generates SESSION_SECRET on first boot and persists it in appdata (/data/.session-secret) — the same pattern as Sonarr/Seerr. Installing Keeparr is now just: pick a port, pick an appdata path, go.

  • The SESSION_SECRET env var still wins when set — existing deploys are completely unaffected
  • The generated secret lives beside the database it protects, so appdata backups and moves carry it automatically
  • Never change a secret that's in use — it encrypts your stored service tokens

Install

ghcr.io/drohack/keeparr:latest

Multi-arch (amd64 + arm64). Unraid Community Applications listing coming soon.

Full details: README → Install

v0.3.1 — first release

Choose a tag to compare

@drohack drohack released this 07 Jul 02:42

The first tagged Keeparr release — and the first with a published Docker image:

ghcr.io/drohack/keeparr:latest

Multi-arch (linux/amd64 + linux/arm64), built and tested by CI on every release.

Highlights (everything since 0.1.0)

Platform (0.2.0)

  • Health checks — standing warnings with fix-it links (⚠ chip in the top bar for admins)
  • Update notice — Keeparr now tells you when a new release is out (this release turns that on!)
  • Database backups — scheduled daily with retention, one-click restore, download
  • API docs — interactive reference at /api-docs; API key is now a persistent masked field with copy
  • Reverse proxy docs — subdomain setup for NPM / nginx / Caddy

UI polish (0.3.0)

  • Auto / Light / Dark theme + a color-impaired mode — per-user, in the avatar menu
  • Toasts for failed actions, relative timestamps with exact time on hover
  • Logs viewer — keyword search, auto-refresh with pause, copy-a-line, download as .txt
  • Installable as an app (PWA) with Keep / Browse / Big Picture shortcuts
  • Press ? anywhere for keyboard shortcuts

0.3.1

  • Docker image fix: public/ assets (PWA icons/manifest) are now served correctly
  • CI/CD: tests gate every image; releases auto-publish latest + version tags

Install

Upgrading from a source-built deploy: keep your data/ directory and your SESSION_SECRET — see the migration note in the README.