Added
- External `/api/v1/widget` endpoint returns API-key-protected dashboard totals, backed by schema v19 `widget_api_key` storage. (#604)
- Settings page can generate, regenerate, and revoke the Houndarr API key, showing plaintext only once for widget clients. (#605)
- New Homepage integration guide covers `/api/v1/widget`, `X-Api-Key`, and Settings > Admin > API key rotation. (#606)
- Instance settings gain an `Enable missing search` toggle that pauses the missing-search pass per instance; existing instances stay enabled after the v18 migration. (#619)
- Instance settings gain `Tag Filter · Include` and `Tag Filter · Exclude` fields that scope searches to (or away from) items tagged in the upstream *arr, resolved against `/tag` each cycle. Schema v20 adds the two columns with empty defaults. (#637)
- Missing search settings gain optional hot retry windows after post-release grace, backed by schema v21 window and interval columns. (#630)
Changed
- Python floor raised from 3.12 to 3.13. From-source installs and the Docker image now require a 3.13 interpreter; Python 3.13 has upstream support through October 2029. (#596)
Fixed
- Transient library-fetch failures on any *arr no longer produce a recurring `upgrade pool fetch failed` log row each upgrade cycle. (#620)
- Login and widget rate limiters no longer leak one in-memory entry per unique source IP under sustained probing; entries evict on read and via a five-minute background sweep. (#632)
Security
- `urllib3` bumped to 2.7.0, closing two upstream advisories on decompression-bomb safeguards and sensitive-header forwarding through proxied redirects. Houndarr exercises neither path; the bump clears `pip-audit` and Trivy alerts. (#623)
- `idna` bumped to 3.15; closes CVE-2026-45409 (oversized input in `check_label` before contextual-rule processing). Houndarr does not pass attacker-controlled hostnames through the IDN encoder; the bump clears `pip-audit` and Trivy alerts. (#639)