github ZL154/JellyfinSecurity v2.4.4

latest releases: v2.5.18, v2.5.17, v2.5.16...
one month ago

v2.4.4

OpenSSF Scorecard hygiene release. No behavior changes — plugin DLL byte-identical to v2.4.3 except for the version number. In-place upgrade is harmless.

License classification fix

GitHub's license classifier expects the canonical MIT text in LICENSE without modifications. The previous file appended "Third-party components" and "Summary" sections, which tripped the auto-detect and showed up as Warn: project license file does not contain an FSF or OSI license on Scorecard.

LICENSE now contains only canonical MIT. Everything that used to live below the legal text moved to a new top-level THIRD-PARTY.md — same content, more discoverable, and the classifier sees a clean license file.

Pinned Docker base image

.clusterfuzzlite/Dockerfile referenced gcr.io/oss-fuzz-base/base-builder-csharp, which is referenced in ClusterFuzzLite's csharp docs but is not actually published to gcr.io and is not in the OSS-Fuzz upstream infra/base-images/ tree. Swapped to the generic gcr.io/oss-fuzz-base/base-builder (which exists) pinned by SHA256. This fixes Scorecard's Pinned-Dependencies finding without changing anything that runs (the CFLite C# GitHub Action wrapper still doesn't accept language: csharp, so the harness still only runs locally for now).

Provenance now attached to release assets

actions/attest-build-provenance writes the SLSA attestation to GitHub's attestation registry (queryable via gh attestation verify). Scorecard's Signed-Releases check, however, inspects release assets directly and looks for files ending in .intoto.jsonl. The release workflow now also copies the attestation bundle into dist/ and uploads it as a release asset, so Scorecard sees provenance on the same page it sees the zip.

What downstream users see

  • A new Jellyfin.Plugin.TwoFactorAuthv2.4.4.0.zip.intoto.jsonl file on the GitHub Release page next to the existing .zip, .md5, .sha256, .sig, .pem.
  • LICENSE now reads more cleanly; legal terms unchanged.
  • Everything else identical to v2.4.3.

Upgrade

In-place. No config or behavior changes; the plugin .dll inside the zip is functionally the same.

Package checksums

  • MD5: see Jellyfin.Plugin.TwoFactorAuthv2.4.4.0.md5
  • SHA256: see Jellyfin.Plugin.TwoFactorAuthv2.4.4.0.sha256

Sigstore-signed + SLSA-attested. Verify with cosign verify-blob or gh attestation verify.

Don't miss a new JellyfinSecurity release

NewReleases is sending notifications on new releases.