Releases: drohack/Keeparr
Release list
v0.3.6
Full Changelog: v0.3.5...v0.3.6
v0.3.5 — Plex discovery uses the LAN IP
Fixed
- Plex server discovery now connects to the raw LAN IP (
http://<ip>:<port>) for local servers instead of the.plex.directHTTPS URL. The.plex.directaddress needs public DNS + certificate validation that a Docker bridge container often can't satisfy, which made clicking a discovered Local connection silently fail. Discovery now hands the container the directly-reachable address — the same thing you'd set manually. - A failed connection test during discovery now prompts to save anyway instead of doing nothing.
Install / update
ghcr.io/drohack/keeparr:latest
Unraid: update from the Docker tab. Multi-arch (amd64 + arm64).
v0.3.4 — Security hardening (pre-CA-listing)
Security hardening release ahead of the Unraid Community Applications listing. No functional changes to the keep/report workflow.
Security fixes
Auth & access
- The poster image proxy (
/api/image) now enforces its own authentication — a request with a bogusX-Api-Keyheader can no longer bypass the gate. - New per-user session revocation: a "Sign out all devices" action in the user menu (and admin-disabling a user) immediately invalidates that account's outstanding session tokens.
- Login brute-force protection now buckets per-username and globally, so rotating
X-Forwarded-Forcan't sidestep it; the Plex PIN create/poll endpoints are rate-limited too. - First-run setup rejects non-HTTP(S) server URLs before probing.
- In production, Keeparr now fails closed on a missing/insecure
SESSION_SECRETand warns on a weak one.
Container (Unraid-friendly)
- Runs non-root with
PUID/PGIDsupport (defaults1001; use99/100on Unraid). The container fixes/dataownership on start, so a fresh appdata path no longer causes a permission error. HEALTHCHECKhonors a customPORT; app files are root-owned/read-only; base image is digest-pinned.
Hardening
- 15s timeout on all outbound requests; poster proxy clamps dimensions and only serves images.
- GitHub Actions pinned to commit SHAs with Dependabot to keep them current.
Upgrade notes
- If you set
SESSION_SECRETyourself, make sure it's high-entropy (openssl rand -hex 32) — a short value now warns at boot. - On Unraid, set
PUID=99/PGID=100to match your appdata ownership.
v0.3.3 — security hardening
A security-hardening pass ahead of the Unraid Community Applications listing. No user-facing feature changes.
Fixed
- SSRF hardening — the poster proxy now allowlists the image
path(Plex/library/…only; no:///..), so it can't be used to make the media server fetch arbitrary URLs. - Login rate limiting — Jellyfin/Emby credential logins are capped per IP (brute-force defense).
- Constant-time API-key comparison.
- Loud warning on a production boot using the default
SESSION_SECRET. - Dependencies:
npm auditclean (postcss pinned). - Image: npm/yarn/corepack stripped from the runtime layer → no HIGH/CRITICAL CVEs in the published image.
- Response headers:
X-Frame-Options,X-Content-Type-Options,Referrer-Policy, and aframe-ancestorsCSP (clickjacking protection).
Install
ghcr.io/drohack/keeparr:latest
Multi-arch (amd64 + arm64).
v0.3.2 — zero-config install
What's new
No required secrets at install. The container now auto-generates SESSION_SECRET on first boot and persists it in appdata (/data/.session-secret) — the same pattern as Sonarr/Seerr. Installing Keeparr is now just: pick a port, pick an appdata path, go.
- The
SESSION_SECRETenv var still wins when set — existing deploys are completely unaffected - The generated secret lives beside the database it protects, so appdata backups and moves carry it automatically
- Never change a secret that's in use — it encrypts your stored service tokens
Install
ghcr.io/drohack/keeparr:latest
Multi-arch (amd64 + arm64). Unraid Community Applications listing coming soon.
Full details: README → Install
v0.3.1 — first release
The first tagged Keeparr release — and the first with a published Docker image:
ghcr.io/drohack/keeparr:latest
Multi-arch (linux/amd64 + linux/arm64), built and tested by CI on every release.
Highlights (everything since 0.1.0)
Platform (0.2.0)
- Health checks — standing warnings with fix-it links (⚠ chip in the top bar for admins)
- Update notice — Keeparr now tells you when a new release is out (this release turns that on!)
- Database backups — scheduled daily with retention, one-click restore, download
- API docs — interactive reference at
/api-docs; API key is now a persistent masked field with copy - Reverse proxy docs — subdomain setup for NPM / nginx / Caddy
UI polish (0.3.0)
- Auto / Light / Dark theme + a color-impaired mode — per-user, in the avatar menu
- Toasts for failed actions, relative timestamps with exact time on hover
- Logs viewer — keyword search, auto-refresh with pause, copy-a-line, download as .txt
- Installable as an app (PWA) with Keep / Browse / Big Picture shortcuts
- Press
?anywhere for keyboard shortcuts
0.3.1
- Docker image fix:
public/assets (PWA icons/manifest) are now served correctly - CI/CD: tests gate every image; releases auto-publish
latest+ version tags
Install
- Unraid: Community Applications listing coming soon — meanwhile, use the template from https://github.com/drohack/unraid-templates
- Docker: see the README
Upgrading from a source-built deploy: keep your data/ directory and your SESSION_SECRET — see the migration note in the README.