github aquantumofdonuts/mixarr v2.1.0


v2.1.0 Release Notes

Release Date: March 2026

This release focuses on frontend architecture, security hardening, and expanded Last.fm coverage. The UI was significantly refactored - several "god component" pages were broken into composable pieces - and the API got Zod validation on every route.


What's New

5 New Last.fm Subscription Types

Deeper Last.fm integration with 5 new strategies:

  • Tag Albums — discover artists from top albums in a genre
  • Related Tags — artists from genres related to a seed tag (e.g. "post-punk" → darkwave, goth rock, cold wave)
  • User Albums — artists from your most-scrobbled albums
  • Weekly Artists — your most-played artists this week
  • Weekly Albums — artists from your most-played albums this week

10 new presets organized into three categories: Charts & Tags, Personal Library, and Similar & Discovery. Total subscription types: 56.

Frontend Architecture Rewrite

Major "god component" pages broken apart:

Page          Before        After       Reduction
Connections   1,325 lines   199 lines   85%
Search        903 lines     143 lines   84%

Connections now uses a 3-step ConnectionWizard modal with per-type form components and extracted hooks (useConnectionForm, useOAuthStatus).

Search is split into SearchBar, BulkActionBar, 5 tab components, MbidModal, and LabelArtistsModal (with infinite scroll), wired via useSearch and useArtistAdd hooks.

Design System Improvements

  • Semantic color tokens replace all hardcoded colors
  • rounded-container design token for consistent border radius
  • Exit animations on Modal, BottomSheet, and Toast
  • Staggered fade-in on feed cards
  • Accessible Switch component, ConfirmDialog, and Tabs with ARIA + keyboard nav
  • Skeleton loading states on every data page
  • BottomSheet component for mobile navigation
  • Breadcrumb navigation on detail pages
  • OpenGraph and Twitter card metadata

Security Hardening

  • Redis session store replaces in-memory MemoryStore (sessions now survive restarts)
  • Deactivated users properly rejected during session deserialization
  • Path traversal validation on slskd poll job
  • Connection test endpoint requires authentication after initial setup
  • Notification secrets masked in API responses
  • hashPassword standardized to bcrypt cost 12
  • Setup-only guard on POST /api/settings/base-url
  • Connection test errors sanitized to prevent info leakage
  • SECURITY.md vulnerability disclosure policy added
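To illustrate the "Path traversal validation on slskd poll job" item, here is an added example of a containment check for file names that come from outside the application; it is not code from the mixarr repository. The names DOWNLOAD_ROOT, resolveInsideRoot and partitionReported are hypothetical, and it is an assumption that reported names may use backslash separators.

```javascript
// Added example (not mixarr code): keep externally reported file names inside one directory.
const path = require('node:path').posix;

// Hypothetical download root; the real location depends on the deployment.
const DOWNLOAD_ROOT = '/data/downloads';

// Resolve an untrusted relative name under `root`.
// Returns the absolute path, or null when the name must be rejected.
function resolveInsideRoot(root, untrustedName) {
  if (typeof untrustedName !== 'string' || untrustedName.length === 0) return null;

  // A NUL byte can truncate the path once it reaches native file APIs.
  if (untrustedName.includes('\0')) return null;

  // Assumption: names may arrive with Windows-style separators, so normalize
  // them first; otherwise "..\\..\\x" would look like one harmless segment.
  const normalized = untrustedName.replace(/\\/g, '/');

  // Absolute paths and drive-letter prefixes are never valid relative names.
  if (normalized.startsWith('/') || /^[A-Za-z]:/.test(normalized)) return null;

  const base = path.resolve(root);
  const candidate = path.resolve(base, normalized);

  // Compare against base + "/" so a sibling such as /data/downloads-evil
  // does not pass a plain prefix test, and the root itself is not a file.
  if (!candidate.startsWith(base + '/')) return null;
  return candidate;
}

// Split a batch of reported names into resolved paths and rejected inputs,
// so the caller can log rejections instead of silently dropping them.
function partitionReported(root, names) {
  const accepted = [];
  const rejected = [];
  for (const name of names) {
    const resolved = resolveInsideRoot(root, name);
    if (resolved === null) {
      rejected.push(name);
    } else {
      accepted.push(resolved);
    }
  }
  return { accepted, rejected };
}
```

The check is lexical only: a symlink inside the root can still point outside it, so code that opens the file should also compare the fs.realpath result against the root.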

API Validation & Reliability

  • Zod schemas on all API routes: AI, settings, SSO, slskd, discover, imports, jobs, duplicates
  • fetchWithTimeout wrapper on all external API calls
  • unhandledRejection and uncaughtException global handlers
  • Logging added to all previously silent catch blocks
  • Graceful degradation when slskd connection is missing

Architecture

  • Strategy pattern for subscriptions: monolithic worker switch replaced with 14 strategy modules
  • withTypedConnection middleware on 13 connection routes
  • Subscription resultLimit now persisted (was hard-coded to 50)
  • Subscription descriptors: auto-generated names like "Last.fm Tag: electronic" instead of just "Last.fm Tag"
  • Subscription rename with pencil-to-unlock UX
  • Non-root user in unified Docker image
  • DB credentials randomized on first boot

Upgrade Instructions

Docker Users

docker compose down
docker compose pull    # or: docker compose build
docker compose up -d

Database migrations run automatically on startup. No manual steps required.

From Source

git pull
npm install
npx prisma db push
npm run build

Breaking Changes

None. This is a backwards-compatible release.


Full Changelog

See CHANGELOG.md or compare v2.0.0...v2.1.0 on GitHub.
