Releases: Jaredharper1/Sortarr

0.8.10

17 Apr 03:19

Added Emby and Tracearr provider support, plus the new basic local auth bypass mode.

Features

  • Added Emby direct media-source support for shows and movies, including setup/test wiring, cached background refresh, provider-aware drilldowns, image proxying, mismatch-center participation, and Emby-backed diagnostics and insights.
  • Added Emby as a selectable enrichment provider, including setup reuse when Emby is already chosen as the active media source.
  • Added Tracearr as a selectable history provider, including setup/test/save wiring, cache/refresh support, mismatch-center participation, and playback-match diagnostics support.
  • Tracearr support now uses its public API with automatic fallback from stable-ID matching to title/year matching when the newer public fields are unavailable.
  • Added an explicit basic_local_bypass authentication mode for trusted direct LAN installs. This mode requires configured Basic Auth credentials, a direct proxy mode, and an explicit local-bypass opt-in; only direct peer addresses in the configured local CIDRs can bypass the browser auth prompt, and forwarded headers are ignored for bypass decisions.
  • Auth modes are now explicitly split as:
    • basic: Sortarr challenges every client with its own Basic Auth credentials.
    • basic_local_bypass: Sortarr still requires Basic Auth credentials, but allowed direct local peers can bypass the browser auth prompt.
    • external: Sortarr trusts a configured upstream auth header from a trusted reverse proxy and does not require Sortarr-managed Basic Auth for steady-state access.
  • Setup, /api/config, and setup bootstrap payloads now expose shared provider-state data for media, history, and enrichment, making selected, available, effective, and reason values explicit.
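
The basic_local_bypass conditions listed above can be read as a single decision function. This is an added sketch, not Sortarr's code: the AuthConfig field names, the reason strings and the IPv4-mapped handling are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthConfig:
    # Hypothetical config shape: field names are assumptions, not Sortarr settings.
    auth_mode: str = "basic"          # "basic" | "basic_local_bypass" | "external"
    basic_user: str = ""
    basic_password_set: bool = False
    proxy_mode: str = "direct"
    local_bypass_opt_in: bool = False
    local_cidrs: tuple = ()


def may_skip_auth_prompt(cfg, peer_addr, headers=None):
    """Return (allowed, reason) for skipping the Basic Auth challenge.

    peer_addr must be the socket peer address (for WSGI, REMOTE_ADDR before
    any proxy middleware rewrites it). headers is accepted only to make the
    point that nothing client-supplied is consulted.
    """
    if cfg.auth_mode != "basic_local_bypass":
        return False, "mode_not_bypass"
    if not (cfg.basic_user and cfg.basic_password_set):
        return False, "credentials_missing"
    if cfg.proxy_mode != "direct":
        return False, "proxy_mode_not_direct"
    if not cfg.local_bypass_opt_in:
        return False, "opt_in_missing"
    try:
        peer = ipaddress.ip_address(peer_addr)
    except ValueError:
        return False, "peer_unparseable"
    # Assumption: a dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d,
    # so unwrap them before matching against IPv4 CIDRs.
    if peer.version == 6 and peer.ipv4_mapped is not None:
        peer = peer.ipv4_mapped
    for cidr in cfg.local_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            continue  # a malformed CIDR never widens access
        if peer.version == net.version and peer in net:
            return True, "direct_local_peer"
    return False, "peer_not_local"


# Constructed sample configuration and requests (not real traffic).
LAN = AuthConfig("basic_local_bypass", "admin", True, "direct", True,
                 ("192.168.1.0/24",))
SAMPLES = [
    ("192.168.1.20", {}),
    ("203.0.113.9", {"X-Forwarded-For": "192.168.1.20"}),  # header is ignored
    ("::ffff:192.168.1.20", {}),
]


def run_samples():
    return [may_skip_auth_prompt(LAN, peer, hdrs) for peer, hdrs in SAMPLES]


if __name__ == "__main__":
    for (peer, _), result in zip(SAMPLES, run_samples()):
        print(peer, result)
```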

Fixes

  • Setup source selection is now authoritative: when a specific media, history, or enrichment provider is selected, Sortarr warns when that provider is not configured or not currently effective instead of silently falling back to another configured provider.
  • Split media-source, history-source, and enrichment-provider semantics more consistently across setup summaries, helper text, and provider-specific actions so history-only flows no longer imply that media-provider features are active.

0.8.9

04 Apr 00:38

Features

  • Setup now shows live per-section header summaries so collapsed steps indicate the current media, history, security, and advanced configuration state at a glance.
  • Setup now prioritizes Plex, Jellystat, Streamystats, or Tautulli within the history/playback section based on the selected preferred history source, keeping the chosen provider closest to the top of the step.
  • Setup now progressively reveals optional Sonarr and Radarr instances behind explicit add actions, keeps history/playback provider forms hidden until they are preferred, already configured, or explicitly added, and adds explicit Remove connection actions for saved optional provider blocks.
  • Setup now adds section-level setup status badges, routes validation failures back to the relevant step, keeps stored-secret-backed sections understandable even when secret fields are blank, and splits setup validation into section-oriented backend helpers.
  • Setup now uses a five-step source-category flow: Media info source, History source, Playback and enrichment providers, Protect access, and Advanced network and performance, with explicit Plex/Jellyfin connection reuse between steps.
  • Added Jellyfin direct media-source support for shows and movies, including provider-aware drilldowns, image proxying, mismatch-center support, and provider-aware insights.
  • Added Jellyfin diagnostics and provider-aware /api/playback/insights support, including library-scoped Jellyfin match-health views.
  • Added Streamystats as a selectable history provider, including setup/test/save wiring, background refresh/cache support, mismatch-center participation, and Streamystats-backed playback overlays for Sonarr/Radarr rows.

Fixes

  • Stopped deleting on-disk Arr, Plex, Tautulli, and Jellystat caches on routine app-version changes during startup. Sortarr now keeps warm caches across normal upgrades and instead relies on explicit cache payload version mismatches to invalidate stale cache formats.
  • Basic Auth setup now accepts a newly entered password even if the remove-password checkbox is ticked, avoiding the upgrade/setup trap where replacing credentials could be misread as requiring the old password to be cleared first.
  • Added env-driven iframe embedding control via SORTARR_FRAME_ANCESTORS while keeping the secure default deny posture. Same-origin embedding now emits X-Frame-Options: SAMEORIGIN; multi-origin embedding relies on CSP frame-ancestors.
  • Sonarr season expansion layout now supports a Merged mode in the season dropdown, combining visible seasons into one sortable episode grid.
  • Sonarr season expansion episode lists now support field-based sorting, including CF Score, via both sticky header clicks and dedicated sort field/order controls.
  • Sonarr score extrema columns now default hidden, and the visible labels/tooltips clarify that they represent the lowest and highest episode custom format scores found within the series or season.
  • Reused the existing startup Arr bootstrap load instead of issuing a second duplicate first-tab fetch during frontend init, reducing redundant initial network and render work without changing visible behavior.
  • Delayed only the hidden-tab startup Arr prefetch so first-load audits prioritize the active tab; manual refreshes and later background refresh behavior are unchanged.
  • Deferred non-critical mobile startup UI wiring for filter/panel controls and Radarr poster hover behavior until after first paint settles, reducing mobile main-thread startup work without changing table load behavior.
  • Expanded header-triggered column filters to more unambiguous numeric and boolean fields, still reusing the existing filter-token engine so sorting and active-filter state stay in sync.
  • Added contextual per-column active filter chips inside the header filter popup so existing column-specific filters are visible and removable without leaving the header workflow.
  • Expanded header-triggered column filters to additional real table columns with unambiguous existing parser semantics, including Instance, Sonarr Avg / Ep and Title Slug, Edition, Video HDR, Watch Time, and TMDB ID.
  • Added the remaining date-like header funnels with conservative raw date-fragment matching for Date Added, Last Aired, Last Search, and Last Watched, keeping the existing parser semantics instead of inventing new date operators.
  • Added a first Excel-style Values mode for safe enum/bool header filters, using the existing popup shell and token engine with dataset-driven checklist values for columns like Status, Monitored, Quality, Resolution, Video Codec, Audio Codec, Has File, Available, and related low-cardinality fields.
  • Expanded the mixed Values/Advanced header popup to Studio and Release Group, using case-insensitive distinct values from the active dataset while keeping the existing advanced text matching available.
  • Capped noisy header checklist popups, added an in-popup overflow hint with search guidance, and frequency-sorted Studio and Release Group values so large distinct-value lists remain usable without disabling mixed mode.
  • Kept Audio Languages and Subtitle Languages in Advanced mode only after auditing the underlying language data, and fixed Users Watched so its header condition menu correctly exposes the numeric operators.
  • Upgraded requests to 2.33.0 to address the current GitHub dependabot advisory for insecure temporary file reuse in extract_zipped_paths().
  • Hardened local secret-file resolution so only files whose real paths remain under the expected base/secrets roots are eligible for loading.
  • Added a defensive secret scrub in env-file writes so plaintext secret values are converted to file/credential refs, or cleared when an external secret ref already exists, before persisting config.
  • Added a lightweight Plex sections bootstrap cache so /api/config can populate plex_libraries without loading the full Plex index cache on cold startup, while still validating the snapshot against the current Plex server URL/token and falling back to the full cache when needed.
  • Jellyfin direct media rows now populate size and bitrate fields from Jellyfin media metadata instead of relying only on local filesystem stats.
  • Jellyfin and Plex direct-media modes now hide Arr-only workflow columns that do not make sense outside Sonarr/Radarr-backed views.
  • Fixed Jellyfin mismatch-center inclusion, insights provider selection, and cache/refresh edge cases that could leave stale partial Jellyfin state in use.
  • Fixed provider-aware match-health reporting so Plex and Jellyfin insights reflect the active playback/history provider instead of misleading provider self-match totals, and now label match summaries as Series / Movies.
  • Fixed direct-media season and episode drilldowns plus poster proxying for Jellyfin and Plex-backed views.
  • Removed the hardcoded sample SORTARR_FRAME_ANCESTORS value from the Docker Compose example, refreshed the Unraid template product description, and expanded Docker entrypoint ownership prep to cover Plex, Jellyfin, Jellystat, and Streamystats cache path overrides.

0.8.8

29 Mar 10:34

Fixes

  • Stopped deleting on-disk Arr, Plex, Tautulli, and Jellystat caches on routine app-version changes during startup. Sortarr now keeps warm caches across normal upgrades and instead relies on explicit cache payload version mismatches to invalidate stale cache formats.
  • Basic Auth setup now accepts a newly entered password even if the remove-password checkbox is ticked, avoiding the upgrade/setup trap where replacing credentials could be misread as requiring the old password to be cleared first.
  • Added env-driven iframe embedding control via SORTARR_FRAME_ANCESTORS while keeping the secure default deny posture. Same-origin embedding now emits X-Frame-Options: SAMEORIGIN; multi-origin embedding relies on CSP frame-ancestors.
  • Sonarr season expansion layout now supports a Merged mode in the season dropdown, combining visible seasons into one sortable episode grid.
  • Sonarr season expansion episode lists now support field-based sorting, including CF Score, via both sticky header clicks and dedicated sort field/order controls.
  • Sonarr score extrema columns now default hidden, and the visible labels/tooltips clarify that they represent the lowest and highest episode custom format scores found within the series or season.
  • Reused the existing startup Arr bootstrap load instead of issuing a second duplicate first-tab fetch during frontend init, reducing redundant initial network and render work without changing visible behavior.
  • Delayed only the hidden-tab startup Arr prefetch so first-load audits prioritize the active tab; manual refreshes and later background refresh behavior are unchanged.
  • Deferred non-critical mobile startup UI wiring for filter/panel controls and Radarr poster hover behavior until after first paint settles, reducing mobile main-thread startup work without changing table load behavior.
  • Expanded header-triggered column filters to more unambiguous numeric and boolean fields, still reusing the existing filter-token engine so sorting and active-filter state stay in sync.
  • Added contextual per-column active filter chips inside the header filter popup so existing column-specific filters are visible and removable without leaving the header workflow.
  • Expanded header-triggered column filters to additional real table columns with unambiguous existing parser semantics, including Instance, Sonarr Avg / Ep and Title Slug, Edition, Video HDR, Watch Time, and TMDB ID.
  • Added the remaining date-like header funnels with conservative raw date-fragment matching for Date Added, Last Aired, Last Search, and Last Watched, keeping the existing parser semantics instead of inventing new date operators.
  • Added a first Excel-style Values mode for safe enum/bool header filters, using the existing popup shell and token engine with dataset-driven checklist values for columns like Status, Monitored, Quality, Resolution, Video Codec, Audio Codec, Has File, Available, and related low-cardinality fields.
  • Expanded the mixed Values/Advanced header popup to Studio and Release Group, using case-insensitive distinct values from the active dataset while keeping the existing advanced text matching available.
  • Capped noisy header checklist popups, added an in-popup overflow hint with search guidance, and frequency-sorted Studio and Release Group values so large distinct-value lists remain usable without disabling mixed mode.
  • Kept Audio Languages and Subtitle Languages in Advanced mode only after auditing the underlying language data, and fixed Users Watched so its header condition menu correctly exposes the numeric operators.
  • Upgraded requests to 2.33.0 to address the current GitHub dependabot advisory for insecure temporary file reuse in extract_zipped_paths().
  • Hardened local secret-file resolution so only files whose real paths remain under the expected base/secrets roots are eligible for loading.
  • Added a defensive secret scrub in env-file writes so plaintext secret values are converted to file/credential refs, or cleared when an external secret ref already exists, before persisting config.
  • Added a lightweight Plex sections bootstrap cache so /api/config can populate plex_libraries without loading the full Plex index cache on cold startup, while still validating the snapshot against the current Plex server URL/token and falling back to the full cache when needed.
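
The secret-file hardening noted in the 0.8.9 and 0.8.8 fixes (only files whose real paths remain under the expected roots are eligible) comes down to a real-path containment check. The following is an added example, not Sortarr's code: the function name, the directory layout and the file names are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def resolve_secret_file(ref, allowed_roots, base_dir="."):
    """Return the real path of a secret file, or None if it escapes the roots."""
    candidate = Path(ref)
    if not candidate.is_absolute():
        candidate = Path(base_dir) / candidate
    # realpath collapses ".." and follows every symlink, so the containment
    # check below runs on the file that would actually be opened.
    real = Path(os.path.realpath(candidate))
    if not real.is_file():
        return None
    for root in allowed_roots:
        real_root = Path(os.path.realpath(root))
        try:
            # Component-wise comparison: app/secrets-old is NOT under
            # app/secrets, which a string startswith() check would get wrong.
            real.relative_to(real_root)
        except ValueError:
            continue
        return real
    return None


def demo():
    """Build a constructed directory tree and resolve four references in it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "app"
        secrets = base / "secrets"
        sibling = base / "secrets-old"
        outside = Path(tmp) / "outside"
        for d in (secrets, sibling, outside):
            d.mkdir(parents=True)
        (secrets / "session.key").write_text("constructed-sample\n")
        (sibling / "session.key").write_text("constructed-sample\n")
        (outside / "other.txt").write_text("constructed-sample\n")
        os.symlink(outside / "other.txt", secrets / "link.key")
        refs = {
            "inside": "secrets/session.key",
            "dotdot": "secrets/../../outside/other.txt",
            "symlink": "secrets/link.key",
            "sibling_prefix": "secrets-old/session.key",
        }
        return {name: resolve_secret_file(ref, [secrets], base_dir=base) is not None
                for name, ref in refs.items()}


if __name__ == "__main__":
    for name, eligible in demo().items():
        print(f"{name}: {'eligible' if eligible else 'rejected'}")
```

Open the returned path rather than the original reference, so the file that is read is the one that was checked.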

0.8.7

22 Mar 03:50

Features

  • Added Sonarr Lowest Custom Format Score and Highest Custom Format Score row fields, sorting, filtering, CSV export, and season-expansion summaries for score-based analysis.

Fixes

  • Allowed setup-only same-host HTTP/HTTPS scheme drift during CSRF validation when the setup request carries a valid CSRF token, unblocking bootstrap/save flows behind reverse proxies that terminate HTTPS but forward setup POSTs to Sortarr over plain HTTP without usable forwarded scheme headers.
  • Fixed Plex data/index enrichment so existing Plex rows populate stream and metadata fields more reliably instead of dropping details that were already expected to work.

0.8.6

18 Mar 04:46

[0.8.6] - 2026-03-18

Fixes

  • Added a simple Sonarr-style authentication choice in Setup and config: Basic or External. Direct installs and transparent reverse proxies keep the existing Basic default, while External is now an explicit opt-in for trusted reverse proxies that already handle login.
  • Centralized route and /setup auth evaluation so both flows use the same auth boundary, and added local regression coverage for trusted-upstream auth, spoof rejection, and external-mode setup access.
  • Added SORTARR_AUTH_METHOD and SORTARR_UPSTREAM_AUTH_HEADER, plus diagnostics/self-check reporting for the active auth source. External mode now requires an explicit SORTARR_WAITRESS_TRUSTED_PROXY and no longer falls back to a browser Basic Auth challenge.
  • Fixed setup/session cookie transport policy so plain HTTP setup/save flows no longer force Secure cookies just because proxy mode is configured or still unset during bootstrap. Session and CSRF cookies now follow the effective request scheme by default, with SORTARR_SESSION_COOKIE_SECURE=1|0 still available as an explicit override.
  • Fixed proxied HTTPS setup/save CSRF origin mismatches on Waitress by stopping Waitress from stripping trusted X-Forwarded-* headers before Sortarr's own proxy middleware can translate them. Sortarr now preserves the raw proxy peer first, then applies trusted forwarded host/proto/port handling for proxied requests.
  • Setup now preserves submitted non-secret values after failed validation or connection testing so operators do not have to re-enter proxy settings, URLs, path maps, and other advanced fields on every failed save attempt.
  • Setup, CSRF diagnostics, and the security self-check now warn explicitly when plain HTTP would still receive Secure session/CSRF cookies, including the forced-override case that would cause the next POST to drop those cookies.
  • Cookie security now also honors an explicit https://... public URL/origin hint from SORTARR_PUBLIC_HOST / SORTARR_PUBLIC_URL / SORTARR_PUBLIC_ORIGIN, preventing accidental cookie downgrades when an HTTPS deployment still has incomplete proxy trust.
  • Upgrade note: if SORTARR_PUBLIC_HOST, SORTARR_PUBLIC_URL, or SORTARR_PUBLIC_ORIGIN is set to https://..., Sortarr now treats that as an HTTPS hint for cookie security. If your actual deployment is still plain HTTP, remove that https://... value or set SORTARR_SESSION_COOKIE_SECURE=0 so browsers will return the setup/session cookies on the next POST.

0.8.5.1

11 Mar 23:42

[0.8.5.1] - 2026-03-12

Fixes

  • Hotfix for the 0.8.5 container publish failure: removed run_waitress.py from .gitignore and added the shared Waitress entrypoint to the repository so Docker releases can actually copy /app/run_waitress.py during image builds.

0.8.5

11 Mar 23:34

[0.8.5] - 2026-03-12

Fixes

  • Fixed the Docker release packaging regression introduced in 0.8.4 by restoring run_waitress.py to the Docker build context, so published images can copy the shared Waitress entrypoint and container releases build successfully again.
  • Reduced Waitress proxy-trust startup logging to coarse state only (trust_mode, proxy count, header count) instead of logging exact trusted proxy/header values, resolving the latest CodeQL clear-text logging alerts without losing useful diagnostics.

0.8.4

11 Mar 23:20

Fixes

  • Preserved trusted X-Forwarded-* headers when running behind a proxy on Waitress 3.x by mapping Sortarr proxy mode/hops into Waitress trusted-proxy settings before Flask ProxyFix runs. This fixes proxied setup/save CSRF origin mismatches where upstream headers reached Traefik but were stripped before Sortarr saw them.
  • Limited Waitress trust to the forwarded headers Sortarr is configured to trust, so custom proxy modes no longer over-trust X-Forwarded-Host / Proto / Port when only X-Forwarded-For should be honored.
  • Routed all Waitress entrypoints through the same startup helper so Docker/alternate Waitress launches no longer bypass the proxy-trust fix.
  • Added explicit SORTARR_WAITRESS_TRUSTED_PROXY support so proxied deployments can avoid wildcard * Waitress trust; proxied wildcard fallback now emits a startup warning.
  • Narrowed X-Forwarded-Prefix handling so normal single / double presets keep strict proxy-header clearing, while prefix trust is now an explicit custom-mode opt-in (SORTARR_PROXY_HOPS_PREFIX=1) with a startup warning about the reduced Waitress sanitization.
  • Added SORTARR_WAITRESS_TRUSTED_PROXY to the Setup UI under Advanced Network & CSRF, so proxied deployments can be fully configured from the app instead of editing env files manually.
  • Setup now warns when proxy header trust changes were saved but a restart is still required, and CSRF diagnostics now show live runtime proxy/Waitress settings separately from the saved config.
  • CSRF diagnostics and mismatch logging now warn explicitly when X-Forwarded-Proto or X-Forwarded-Port arrive as comma-separated lists, because Waitress 3.x rejects those trusted-header shapes; operators are now told to normalize them at the immediate proxy instead of chasing a generic CSRF failure.
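
The 0.8.4 notes describe limiting Waitress trust to the configured proxy and headers, and flagging comma-separated X-Forwarded-Proto / X-Forwarded-Port values. This added example (not Sortarr's code) builds keyword arguments for waitress.serve() using Waitress's trusted_proxy, trusted_proxy_count, trusted_proxy_headers and clear_untrusted_proxy_headers options; the function names, warning text and sample addresses are assumptions.

```python
FORWARDED_HEADERS = ("x-forwarded-for", "x-forwarded-host",
                     "x-forwarded-proto", "x-forwarded-port")


def waitress_trust_kwargs(trusted_proxy, hops, honored_headers):
    """Return (kwargs for waitress.serve(), warnings) for one deployment."""
    honored = {h.lower() for h in honored_headers}
    unknown = honored - set(FORWARDED_HEADERS)
    if unknown:
        raise ValueError(f"unsupported forwarded headers: {sorted(unknown)}")
    warnings = []
    if not honored:
        # Direct deployment: no proxy is named, so no peer may set
        # forwarded headers.
        return {"clear_untrusted_proxy_headers": True}, warnings
    if trusted_proxy in (None, "", "*"):
        # Weak setting: with "*" every peer is treated as the proxy.
        trusted_proxy = "*"
        warnings.append("wildcard trusted_proxy: any peer can set forwarded headers")
    return {
        "trusted_proxy": trusted_proxy,
        "trusted_proxy_count": int(hops),
        # Only the headers the operator chose to honor; the rest are cleared.
        "trusted_proxy_headers": honored,
        "clear_untrusted_proxy_headers": True,
    }, warnings


def malformed_forwarded(headers):
    """Names of X-Forwarded-Proto/Port headers that arrive as comma lists."""
    bad = []
    for name, value in headers.items():
        if name.lower() in ("x-forwarded-proto", "x-forwarded-port") and "," in value:
            bad.append(name)
    return sorted(bad)


# Constructed sample request headers (not captured traffic).
SAMPLE_HEADERS = {
    "X-Forwarded-For": "198.51.100.7, 10.0.0.2",
    "X-Forwarded-Proto": "https,http",
    "X-Forwarded-Port": "443",
}

if __name__ == "__main__":
    print(waitress_trust_kwargs("10.0.0.2", 1, ["X-Forwarded-For"]))
    print(waitress_trust_kwargs(None, 1, FORWARDED_HEADERS))
    print(malformed_forwarded(SAMPLE_HEADERS))
```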

0.8.3.1

10 Mar 06:55

[0.8.3.1] - 2026-03-10

Security

  • Fixed bootstrap/remediation routing so a partially populated Basic Auth config no longer blocks / with "Basic auth misconfigured"; bootstrap and setup helper requests now reach Setup instead of failing before the redirect/remediation flow runs.
  • Setup connection-test failures now return normalized connection errors instead of helper-specific exception text, and secret-related startup/migration warnings now use count-based summaries instead of enumerating secret-setting identifiers.
  • Removed the remaining state-changing item refresh from GET item endpoints; forced playback refresh now uses CSRF-protected POST /api/sonarr/item/playback_refresh and POST /api/radarr/item/playback_refresh before the follow-up item fetch.

0.8.3

10 Mar 06:39

[0.8.3] - 2026-03-10

Security

  • Added a 0.8.3 security-upgrade flow for configured installs from 0.8.2.1 and earlier: upgrades now lock into a one-time Setup remediation save before normal access resumes.
  • Persistent session-secret references are now the enforced steady-state model. First bootstrap may use a temporary ephemeral session secret until the first successful Setup save, but configured startup aborts when a persistent secret cannot be resolved and unsafe recovery is not enabled.
  • Session-secret resolution is now secure by default: SORTARR_SECRET_KEY honors *_FILE, *_CRED_TARGET, and wincred: references, plaintext secret values are treated as migration-only input, and startup rewrites legacy plaintext secrets to secret files or Windows Credential Manager refs before Flask resolves the signing key.
  • Added bounded unsafe recovery mode via SORTARR_ALLOW_UNSAFE_EPHEMERAL_RECOVERY=1 for lockout repair only; recovery windows now auto-expire and cannot be combined with trusted origins unless explicitly forced.
  • Configured installs now remain in setup-required state until both Basic Auth and persistent-secret requirements are satisfied. Partial Basic Auth config routes into Setup remediation instead of returning a hard 503.
  • Disabled interactive setup connection testing until Basic Auth is configured and security remediation is complete, removing the remaining pre-auth outbound test path while preserving final save-time validation.
  • Setup connection-test failures now return normalized connection errors instead of helper-specific exception text, and secret-related startup/migration warnings now use count-based summaries instead of enumerating secret-setting identifiers.
  • Hardened CSRF policy around exact trusted origins: trusted-origin fallback is token-gated, same-host by default, cross-host only with ALLOW_CROSS_HOST_TRUSTED_ORIGINS=1, and setup/startup now reject mismatched trusted-origin/public-host combinations.
  • Added proxy/CSRF diagnostics (GET /api/diagnostics/csrf) and security self-check diagnostics (GET /api/diagnostics/security-self-check) so operators can validate proxy forwarding, cookie policy, persistent-secret posture, unsafe recovery state, and trusted-origin policy.
  • Tightened the default CSP connect-src policy to same-origin only, and made session/CSRF cookie Secure defaults follow deployment mode: direct HTTP remains usable by default, while proxied modes stay Secure unless explicitly overridden.
  • Removed state-changing GET ?refresh=1; refresh actions now use CSRF-protected POST endpoints, including Plex insights refresh and per-item playback refresh flows.

Features

  • Sonarr series expansion now includes Season and Episode sort controls (Ascending/Descending) with persisted UI preferences.
  • Episode-list sort controls now use the glass custom-select treatment for consistent styling with the rest of the UI.
  • Episode-list sort carets now indicate selected sort direction (up for ascending, down for descending), independent of open/closed menu state.

UI/UX

  • Upgraded main table column sort indicators from text glyphs to animated caret indicators with direction classes.
  • Tuned sort-indicator sizing and active-state contrast for both light and dark themes.
  • Updated the Filters show/hide button to use a single animated glyph path with synced aria-label/title state, removing duplicate-icon rendering paths.

Fixes

  • Hardened expansion scroll behavior by disabling table scroll-anchor capture/restore while any Sonarr series expansion is active.
  • Reduced first-interaction expansion jump risk by preferring live measured expansion heights and using a conservative fallback estimate in virtualized Sonarr expansion calculations.