menottim/splintarr v1.3.1

v1.3.1 — Security Hardening & Bug Fixes

on GitHub

Security Fixes (4 Advisories Resolved)

• GHSA-x58h-pwmm-vfpf — Container drops to non-root user (appuser) via gosu
• GHSA-9wq6-96r6-j6p6 — SSRF blocklist split: cloud metadata always blocked even with ALLOW_LOCAL_INSTANCES=true
• GHSA-j98q-225j-p8cf — Validation errors no longer include raw input values (passwords stripped)
• GHSA-g27f-2vx9-gvhr — WebSocket Origin header validation prevents CSWSH

Additional Hardening

• Docker read_only: true and cap_drop: ALL enabled
• WebSocket connection limit (50), config import size limit (1MB)
• Registration race condition check, webhook URL SSRF validation
• GitHub CodeQL: 13 alerts triaged, 0 open

Bug Fixes

• "Every Noneh" display — Queue cards now correctly show "Daily at HH:MM" or "Mon, Thu at HH:MM" for daily/weekly queues
• Edit modal schedule mode — API response now includes schedule_mode, schedule_time, schedule_days, jitter_minutes, and budget_aware fields
• Docker read_only compatibility — /app/data symlink created at build time

New Documentation

• GitHub Pages site — Landing page
• Huntarr Lessons — How Splintarr addresses the 21 Huntarr vulnerabilities

Upgrading from v1.3.0

docker-compose pull
docker-compose up -d

No database migrations required.

Full Changelog: v1.2.1...v1.3.1