🔒 Security
- Web dashboard binds to localhost by default: Bare-metal installs now bind to `127.0.0.1` instead of all interfaces. Set `BIND_HOST=0.0.0.0` if you need external access (Docker Compose does this automatically)
- Rate limiting: `/start-bot`, `/stop-bot`, and `/auth/check` are now rate-limited
- SSRF hardening: All URLs passed to axios are now constructed via `URL` object pathname manipulation instead of string interpolation
- Translation sanitizer: Rewritten with a DOM-based allowlist parser, closing several XSS bypass vectors
- Misc: Partial API key no longer logged; request payload logging removed; TMDB IDs validated as integers; GitHub Actions workflow permissions scoped to least-privilege
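The SSRF hardening and integer validation items above, shown side by side as an added example that is not the project's own code: the replaced string-interpolation pattern next to `URL` object pathname construction with a validated TMDB ID. The base URL is an assumed placeholder.

```javascript
// Added example, not code from the project's changelog above. It contrasts the
// string-interpolation URL building the release replaced with URL-object
// pathname construction plus integer validation of TMDB IDs. The base URL is
// an assumed placeholder, not the project's real endpoint.
const API_BASE = "https://api.example.test/3/"; // assumed placeholder

// Before: caller input is interpolated straight into the request string. Any
// "../" or "?" in the input rewrites the path or query of the outgoing request.
function buildUrlInterpolated(id) {
  return `${API_BASE}tv/${id}`;
}

// Validate a TMDB ID as a non-negative integer; return null on anything else.
function parseTmdbId(raw) {
  const s = String(raw).trim();
  if (!/^\d+$/.test(s)) return null;
  const n = Number(s);
  return Number.isSafeInteger(n) ? n : null;
}

// After: the ID is validated, then appended as a single percent-encoded path
// segment through the URL object, so it cannot change host, path depth or query.
function buildUrlSafe(id) {
  const n = parseTmdbId(id);
  if (n === null) throw new TypeError(`invalid TMDB id: ${String(id)}`);
  const url = new URL(API_BASE);
  url.pathname += `tv/${encodeURIComponent(String(n))}`;
  return url.toString();
}

// Path of a URL after dot-segment normalisation, i.e. what an HTTP client
// would actually request; used to show where each construction points.
function resolvedPath(href) {
  return new URL(href).pathname;
}

// Constructed sample input: with interpolation it resolves to "/internal",
// escaping the intended "/3/tv/" prefix; the safe builder rejects it outright.
const CRAFTED_ID = "../../internal";
```

`resolvedPath(buildUrlInterpolated(CRAFTED_ID))` returns `/internal`, while `buildUrlSafe(CRAFTED_ID)` throws and `buildUrlSafe(1399)` returns the expected `/3/tv/1399` URL.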
🚀 Added
- Series poster and episode overview in single-episode notifications: Jellyfin webhook notifications for individual episodes now show the series poster and episode overview instead of generic placeholders
⚠️ Migration Notes
Docker Compose users: Add `BIND_HOST=0.0.0.0` to your `environment:` section.