
Update updates-patch-minor #4842

Merged
stavros-k merged 1 commit into master from renovate/updates-patch-minor
Apr 17, 2026

Conversation

@truenasbot
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package                                   Update   Change
alexta69/metube                           patch    2026.04.13 → 2026.04.16
alpine/openclaw (source)                  patch    2026.4.14 → 2026.4.15
amir20/dozzle                             minor    v10.3.3 → v10.4.0
dxflrs/garage                             minor    v2.2.0 → v2.3.0
ghcr.io/cleanuparr/cleanuparr             patch    2.9.7 → 2.9.8
ghcr.io/coder/code-server                 minor    4.115.0 → 4.116.0
ghcr.io/dispatcharr/dispatcharr           minor    0.22.1 → 0.23.0
ghcr.io/hargata/lubelogger                patch    v1.6.3 → v1.6.4
ghcr.io/home-operations/jackett (source)  patch    0.24.1608 → 0.24.1614
ghcr.io/linuxserver/kasm (source)         patch    1.18.0 → 1.18.1
ghcr.io/shlinkio/shlink                   patch    5.0.1 → 5.0.2
ghcr.io/steveiliop56/tinyauth             patch    v5.0.6 → v5.0.7
ghcr.io/umami-software/umami              minor    3.0.3 → 3.1.0
ghcr.io/viren070/aiostreams               patch    v2.27.0 → v2.27.1
ghcr.io/windmill-labs/windmill            minor    1.684.1 → 1.685.0
grafana/grafana                           patch    13.0.0 → 13.0.1
kimai/kimai2 (source)                     minor    apache-2.54.0 → apache-2.55.0
lakker/pulsarr                            patch    0.15.2 → 0.15.3
mikefarah/yq (source)                     minor    4.52.5 → 4.53.2
mongo                                     patch    8.2.6 → 8.2.7
ollama/ollama                             minor    0.20.7-rocm → 0.21.0-rocm
ollama/ollama                             minor    0.20.7 → 0.21.0
paradedb/paradedb                         minor    0.22.6-pg18 → 0.23.0-pg18
searxng/searxng (source)                  patch    2026.4.16-ae0b0e56a → 2026.4.17-8579974f5

Release Notes

openclaw/openclaw (alpine/openclaw)

v2026.4.15


Changes
  • Anthropic/models: default Anthropic selections, opus aliases, Claude CLI defaults, and bundled image understanding to Claude Opus 4.7.
  • Google/TTS: add Gemini text-to-speech support to the bundled google plugin, including provider registration, voice selection, WAV reply output, PCM telephony output, and setup/docs guidance. (#67515) Thanks @barronlroth.
  • Control UI/Overview: add a Model Auth status card showing OAuth token health and provider rate-limit pressure at a glance, with attention callouts when OAuth tokens are expiring or expired. Backed by a new models.authStatus gateway method that strips credentials and caches for 60s. (#66211) Thanks @omarshahine.
  • Memory/LanceDB: add cloud storage support to memory-lancedb so durable memory indexes can run on remote object storage instead of local disk only. (#63502) Thanks @rugvedS07.
  • GitHub Copilot/memory search: add a GitHub Copilot embedding provider for memory search, and expose a dedicated Copilot embedding host helper so plugins can reuse the transport while honoring remote overrides, token refresh, and safer payload validation. (#61718) Thanks @feiskyer and @vincentkoc.
  • Agents/local models: add experimental agents.defaults.experimental.localModelLean: true to drop heavyweight default tools like browser, cron, and message, reducing prompt size for weaker local-model setups without changing the normal path. (#66495) Thanks @ImLukeF.
  • Packaging/plugins: localize bundled plugin runtime deps to their owning extensions, trim the published docs payload, and tighten install/package-manager guardrails so published builds stay leaner and core stops carrying extension-owned runtime baggage. (#67099) Thanks @vincentkoc.
  • QA/Matrix: split Matrix live QA into a source-linked qa-matrix runner and keep repo-private qa-* surfaces out of packaged and published builds. (#66723) Thanks @gumadeiras.
  • Docs/showcase: add a scannable hero, complete section jump links, and a responsive video grid for community examples. (#48493) Thanks @jchopard69.
Fixes
  • Gateway/tools: anchor trusted local MEDIA: tool-result passthrough on the exact raw name of this run's registered built-in tools, and reject client tool definitions whose names normalize-collide with a built-in or with another client tool in the same request (400 invalid_request_error on both JSON and SSE paths), so a client-supplied tool named like a built-in can no longer inherit its local-media trust. (#67303)
  • Agents/replay recovery: classify the provider wording 401 input item ID does not belong to this connection as replay-invalid, so users get the existing /new session reset guidance instead of a raw 401-style failure. (#66475) Thanks @dallylee.
  • Gateway/webchat: enforce localRoots containment on webchat audio embedding path [AI-assisted]. (#67298) Thanks @pgondhi987.
  • Matrix/pairing: block DM pairing-store entries from authorizing room control commands [AI-assisted]. (#67294) Thanks @pgondhi987.
  • Docker/build: verify @matrix-org/matrix-sdk-crypto-nodejs native bindings with find under node_modules instead of a hardcoded .pnpm/... path so pnpm v10+ virtual-store layouts no longer fail the image build. (#67143) Thanks @ly85206559.
  • Matrix/E2EE: keep startup bootstrap conservative for passwordless token-auth bots, still attempt the guarded repair pass without requiring channels.matrix.password, and document the remaining password-UIA limitation. (#66228) Thanks @SARAMALI15792.
  • Cron/announce delivery: suppress mixed-content isolated cron announce replies that end with NO_REPLY so trailing silent sentinels no longer leak summary text to the target channel. (#65004) Thanks @neo1027144-creator.
  • Plugins/bundled channels: partition bundled channel lazy caches by active bundled root so OPENCLAW_BUNDLED_PLUGINS_DIR flips stop reusing stale plugin, setup, secrets, and runtime state. (#67200) Thanks @gumadeiras.
  • Packaging/plugins: prune common test/spec cargo from bundled plugin runtime dependencies and fail npm release validation if packaged test cargo reappears, keeping published tarballs leaner without plugin-specific special cases. (#67275) Thanks @gumadeiras.
  • Agents/context + Memory: trim default startup/skills prompt budgets, cap memory_get excerpts by default with explicit continuation metadata, and keep QMD reads aligned with the same bounded excerpt contract so long sessions pull less context by default without losing deterministic follow-up reads.
  • Matrix/commands: skip DM pairing-store reads on room traffic now that room control-command authorization ignores pairing-store entries, keeping the room path narrower without changing room auth behavior. (#67325) Thanks @gumadeiras.
  • Memory-core/dreaming: skip dreaming narrative transcripts from session-store metadata before bootstrap records land so dream diary prompt/prose lines do not pollute session ingestion. (#67315) Thanks @jalehman.
  • Agents/local models: clarify low-context preflight hints for self-hosted models, point config-backed caps at the relevant OpenClaw setting, and stop suggesting larger models when agents.defaults.contextTokens is the real limit. (#66236) Thanks @ImLukeF.
  • Dreaming/memory-core: change the default dreaming.storage.mode from inline to separate so Dreaming phase blocks (## Light Sleep, ## REM Sleep) land in memory/dreaming/{phase}/YYYY-MM-DD.md instead of being injected into memory/YYYY-MM-DD.md. Daily memory files no longer get dominated by structured candidate output, and the daily-ingestion scanner that already strips dream marker blocks no longer has to compete with hundreds of phase-block lines on every run. Operators who want the previous behavior can opt in by setting plugins.entries.memory-core.config.dreaming.storage.mode: "inline". (#66412) Thanks @mjamiv.
  • Control UI/Overview: fix false-positive "missing" alerts on the Model Auth status card for aliased providers, env-backed OAuth with auth.profiles, and unresolvable env SecretRefs. (#67253) Thanks @omarshahine.
  • Dashboard: constrain exec approval modal overflow on desktop so long command content no longer pushes action buttons out of view. (#67082) Thanks @Ziy1-Tan.
  • Agents/CLI transcripts: persist successful CLI-backed turns into the OpenClaw session transcript so google-gemini-cli replies appear in session history and the Control UI again. (#67490) Thanks @obviyus.
  • Discord/tool-call text: strip standalone Gemma-style <function>...</function> tool-call payloads from visible assistant text without truncating prose examples or trailing replies. (#67318) Thanks @joelnishanth.
  • WhatsApp/web-session: drain the pending per-auth creds save queue before reopening sockets so reconnect-time auth bootstrap no longer races in-flight creds.json writes and falsely restores from backup. (#67464) Thanks @neeravmakwana.
  • BlueBubbles/catchup: add a per-message retry ceiling (catchup.maxFailureRetries, default 10) so a persistently-failing message with a malformed payload no longer wedges the catchup cursor forever. After N consecutive processMessage failures against the same GUID, catchup logs a WARN, skips that message on subsequent sweeps, and lets the cursor advance past it. Transient failures still retry from the same point as before. Also fixes a lost-update race in the persistent dedupe file lock that silently dropped inbound GUIDs on concurrent writes, a dedupe file naming migration gap on version upgrade, and a balloon-event bypass that let catchup replay debouncer-coalesced events as standalone messages. (#67426, #66870) Thanks @omarshahine.
  • Ollama/chat: strip the ollama/ provider prefix from Ollama chat request model ids so configured refs like ollama/qwen3:14b-q8_0 stop 404ing against the Ollama API. (#67457) Thanks @suboss87.
  • Agents/tools: resolve non-workspace host tilde paths against the OS home directory and keep edit recovery aligned with that same path target, so ~/... host edit/write operations stop failing or reading back the wrong file when OPENCLAW_HOME differs. (#62804) Thanks @stainlu.
  • Speech/TTS: auto-enable the bundled Microsoft and ElevenLabs speech providers, and route generic TTS directive tokens through the explicit or active provider first so overrides like [[tts:speed=1.2]] stop silently landing on the wrong provider. (#62846) Thanks @stainlu.
  • OpenAI Codex/models: normalize stale native transport metadata in both runtime resolution and discovery/listing so legacy openai-codex rows with missing api or https://chatgpt.com/backend-api/v1 self-heal to the canonical Codex transport instead of routing requests through broken HTML/Cloudflare paths, combining the original fixes proposed in #66969 (saamuelng601-pixel) and #67159 (hclsys). (#67635)
  • Agents/failover: treat HTML provider error pages as upstream transport failures for CDN-style 5xx responses without misclassifying embedded body text as API rate limits, while still preserving auth remediation for HTML 401/403 pages and proxy remediation for HTML 407 pages. (#67642) Thanks @stainlu.
  • Gateway/skills: bump the cached skills-snapshot version whenever a config write touches skills.* (for example skills.allowBundled, skills.entries.<id>.enabled, or skills.profile). Existing agent sessions persist a skillsSnapshot in sessions.json that reuses the skill list frozen at session creation; without this invalidation, removing a bundled skill from the allowlist left the old snapshot live and the model kept calling the disabled tool, producing Tool <name> not found loops that ran until the embedded-run timeout. (#67401) Thanks @xantorres.
  • Agents/tool-loop: enable the unknown-tool stream guard by default. Previously resolveUnknownToolGuardThreshold returned undefined unless tools.loopDetection.enabled was explicitly set to true, which left the protection off in the default configuration. A hallucinated or removed tool (for example himalaya after it was dropped from skills.allowBundled) would then loop "Tool X not found" attempts until the full embedded-run timeout. The guard has no false-positive surface because it only triggers on tools that are objectively not registered in the run, so it now stays on regardless of tools.loopDetection.enabled and still accepts tools.loopDetection.unknownToolThreshold as a per-run override (default 10). (#67401) Thanks @xantorres.
  • TUI/streaming: add a client-side streaming watchdog to tui-event-handlers so the streaming · Xm Ys activity indicator resets to idle after 30s of delta silence on the active run. Guards against lost or late state: "final" chat events (WS reconnects, gateway restarts, etc.) leaving the TUI stuck on streaming indefinitely; a new system log line surfaces the reset so users know to send a new message to resync. The window is configurable via the new streamingWatchdogMs context option (set to 0 to disable), and the handler now exposes a dispose() that clears the pending timer on shutdown. (#67401) Thanks @xantorres.
  • Extensions/lmstudio: add exponential backoff to the inference-preload wrapper so an LM Studio model-load failure (for example the built-in memory guardrail rejecting a load because the swap is saturated) no longer produces a WARN line every ~2s for every chat request. The wrapper now records consecutive preload failures per (baseUrl, modelKey, contextLength) tuple with a 5s → 10s → 20s → … → 5min cooldown and skips the preload step entirely while a cooldown is active, letting chat requests proceed directly to the stream (the model is often already loaded via the LM Studio UI). The combined preload failed log line now reports consecutive-failure count and remaining cooldown so operators can act on the real issue instead of drowning in repeated warnings. (#67401) Thanks @xantorres.
  • Agents/replay: re-run tool/result pairing after strict replay tool-call ID sanitization on outbound requests so Anthropic-compatible providers like MiniMax no longer receive malformed orphan tool-result IDs such as ...toolresult1 during compaction and retry flows. (#67620) Thanks @stainlu.
  • Gateway/startup: fix spurious SIGUSR1 restart loop on Linux/systemd when plugin auto-enable is the only startup config write; the config hash guard was not captured for that write path, causing chokidar to treat each boot write as an external change and trigger a reload → restart cycle that corrupts manifest.db after repeated cycles. Fixes #67436. (#67557) Thanks @openperf.
  • Codex/harness: auto-enable the Codex plugin when codex is selected as an embedded agent harness runtime, including forced default, per-agent, and OPENCLAW_AGENT_RUNTIME paths. (#67474) Thanks @duqaXxX.
  • OpenAI Codex/CLI: keep resumed codex exec resume runs on the safe non-interactive path without reintroducing the removed dangerous bypass flag by passing the supported --skip-git-repo-check resume arg plus Codex's native sandbox_mode="workspace-write" config override. (#67666) Thanks @plgonzalezrx8.
  • Codex/app-server: parse Desktop-originated app-server user agents such as Codex Desktop/0.118.0, keeping the version gate working when the Codex CLI inherits a multi-word originator. (#64666) Thanks @cyrusaf.
  • Cron/announce delivery: keep isolated announce NO_REPLY stripping case-insensitive across direct and text delivery, preserve structured media-only sends when a caption strips silent, and derive main-session awareness from the cleaned payloads so silent captions no longer leak stale NO_REPLY text. (#65016) Thanks @BKF-Gitty.
  • Sessions/Codex: skip redundant delivery-mirror transcript appends only when the latest assistant message has the same visible text, preventing duplicate visible replies on Codex-backed turns without suppressing repeated answers across turns. (#67185) Thanks @andyylin.
  • Auto-reply/prompt-cache: keep volatile inbound chat IDs out of the stable system prompt so task-scoped adapters can reuse prompt caches across runs, while preserving conversation metadata for the user turn and media-only messages. (#65071) Thanks @MonkeyLeeT.
  • BlueBubbles/inbound: restore inbound image attachment downloads on Node 22+ by stripping incompatible bundled-undici dispatchers from the non-SSRF fetch path, accept updated-message webhooks carrying attachments, use event-type-aware dedup keys so attachment follow-ups are not rejected as duplicates, and retry attachment fetch from the BB API when the initial webhook arrives with an empty array. (#64105, #61861, #65430, #67510) Thanks @omarshahine.
  • Agents/skills: sort prompt-facing available_skills entries by skill name after merging sources so skills.load.extraDirs order no longer changes prompt-cache prefixes. (#64198) Thanks @Bartok9.
  • Agents/OpenAI Responses: add models.providers.*.models.*.compat.supportsPromptCacheKey so OpenAI-compatible proxies that forward prompt_cache_key can keep prompt caching enabled while incompatible endpoints can still force stripping. (#67427) Thanks @damselem.
  • Agents/context engines: keep loop-hook and final afterTurn prompt-cache touch metadata aligned with the current assistant turn so cache-aware context engines retain accurate cache TTL state during tool loops. (#67767) Thanks @jalehman.
  • Memory/dreaming: strip AI-facing inbound metadata envelopes from session-corpus user turns before normalization so REM topic extraction sees the user's actual message text, including array-shaped split envelopes. (#66548) Thanks @zqchris.
  • Agents/errors: detect standalone Cloudflare/CDN HTML challenge pages before transport DNS classification so provider block pages no longer appear as local DNS lookup failures. (#67704) Thanks @chris-yyau.
  • Security/approvals: redact secrets in exec approval prompts so inline approval review can no longer leak credential material in rendered prompt content. (#61077, #64790)
  • CLI/configure: re-read the persisted config hash after writes so config updates stop failing with stale-hash races. (#64188, #66528)
  • CLI/update: prune stale packaged dist chunks after npm upgrades and keep downgrade/verify inventory checks compat-safe so global upgrades stop failing on stale chunk imports. (#66959) Thanks @obviyus.
  • Onboarding/CLI: fix channel-selection crashes on globally installed CLI setups during onboarding. (#66736)
  • Video generation/live tests: bound provider polling for live video smoke, default to the fast non-FAL text-to-video path, and use a one-second lobster prompt so release validation no longer waits indefinitely on slow provider queues.
  • Memory-core/QMD memory_get: reject reads of arbitrary workspace markdown paths and only allow canonical memory files (MEMORY.md, memory.md, DREAMS.md, dreams.md, memory/**) plus exact paths of active indexed QMD workspace documents, so the QMD memory backend can no longer be used as a generic workspace-file read shim that bypasses read tool-policy denials. (#66026) Thanks @eleqtrizit.
  • Cron/agents: forward embedded-run tool policy and internal event params into the attempt layer so --tools allowlists, cron-owned message-tool suppression, explicit message targeting, and command-path internal events all take effect at runtime again. (#62675) Thanks @hexsprite.
  • Setup/providers: guard preferred-provider lookup during setup so malformed plugin metadata with a missing provider id no longer crashes the wizard with Cannot read properties of undefined (reading 'trim'). (#66649) Thanks @Tianworld.
  • Matrix/security: normalize sandboxed profile avatar params, preserve mxc:// avatar URLs, and surface gmail watcher stop failures during reload. (#64701) Thanks @slepybear.
  • Telegram/documents: drop leaked binary caption bytes from inbound Telegram text handling so document uploads like .mobi or .epub no longer explode prompt token counts. (#66663) Thanks @joelnishanth.
  • Gateway/auth: resolve the active gateway bearer per-request on the HTTP server and the HTTP upgrade handler via getResolvedAuth(), mirroring the WebSocket path, so a secret rotated through secrets.reload or config hot-reload stops authenticating on /v1/*, /tools/invoke, plugin HTTP routes, and the canvas upgrade path immediately instead of remaining valid on HTTP until gateway restart. (#66651) Thanks @mmaps.
  • Agents/compaction: cap the compaction reserve-token floor to the model context window so small-context local models (e.g. Ollama with 16K tokens) no longer trigger context-overflow errors or infinite compaction loops on every prompt. (#65671) Thanks @openperf.
  • Agents/OpenAI Responses: classify the exact Unknown error (no error details in response) transport failure as failover reason unknown so assistant/model fallback still runs for that no-details failure path. (#65254) Thanks @OpenCodeEngineer.
  • Models/probe: surface invalid-model probe failures as format instead of unknown in models list --probe, and lock the invalid-model fallback path in with regression coverage. (#50028) Thanks @xiwuqi.
  • Agents/failover: classify OpenAI-compatible finish_reason: network_error stream failures as timeout so model fallback retries continue instead of stopping with an unknown failover reason. (#61784) Thanks @lawrence3699.
  • Onboarding/channels: normalize channel setup metadata before discovery and validation so malformed or mixed-shape channel plugin metadata no longer breaks setup and onboarding channel lists. (#66706) Thanks @darkamenosa.
  • Slack/native commands: fix option menus for slash commands such as /verbose when Slack renders native buttons by giving each button a unique action ID while still routing them through the shared openclaw_cmdarg* listener. Thanks @Wangmerlyn.
  • Feishu/webhook: harden the webhook transport and card-action replay guards to fail closed on missing encryptKey and blank callback tokens — refuse to start the webhook transport without an encryptKey, reject unsigned requests when no key is present instead of accepting them, and drop blank card-action tokens before the dedupe claim and dispatcher. Defense-in-depth over the already-closed monitor-account layer. (#66707) Thanks @eleqtrizit.
  • Agents/workspace files: route agents.files.get, agents.files.set, and workspace listing through the shared fs-safe helpers (openFileWithinRoot/readFileWithinRoot/writeFileWithinRoot), reject symlink aliases for allowlisted agent files, and have fs-safe resolve opened-file real paths from the file descriptor before falling back to path-based realpath so a symlink swap between open and realpath can no longer redirect the validated path off the intended inode. (#66636) Thanks @eleqtrizit.
  • Gateway/MCP loopback: switch the /mcp bearer comparison from plain !== to constant-time safeEqualSecret (matching the convention every other auth surface in the codebase uses), and reject non-loopback browser-origin requests via checkBrowserOrigin before the auth gate runs. Loopback origins (127.0.0.1:*, localhost:*, same-origin) still go through, including the localhost vs. 127.0.0.1 host mismatch that browsers flag as Sec-Fetch-Site: cross-site. (#66665) Thanks @eleqtrizit.
  • Auto-reply/billing: classify pure billing cooldown fallback summaries from structured fallback reasons so users see billing guidance instead of the generic failure reply. (#66363) Thanks @Rohan5commit.
  • Agents/fallback: preserve the original prompt body on model fallback retries with session history so the retrying model keeps the active task instead of only seeing a generic continue message. (#66029) Thanks @WuKongAI-CMU.
  • Reply/secrets: resolve active reply channel/account SecretRefs before reply-run message-action discovery so channel token SecretRefs (for example Discord) do not degrade into discovery-time unresolved-secret failures. (#66796) Thanks @joshavant.
  • Agents/Anthropic: ignore non-positive Anthropic Messages token overrides and fail locally when no positive token budget remains, so invalid max_tokens values no longer reach the provider API. (#66664) Thanks @jalehman.
  • Agents/context engines: preserve prompt-only token counts, not full request totals, when deferred maintenance reuses after-turn runtime context so background compaction bookkeeping matches the active prompt window. (#66820) Thanks @jalehman.
  • BlueBubbles/inbound: add a persistent file-backed GUID dedupe so MessagePoller webhook replays after BB Server restart or reconnect no longer cause the agent to re-reply to already-handled messages. (#19176, #12053, #66816) Thanks @omarshahine.
  • Secrets/plugins/status: align SecretRef inspect-vs-strict handling across plugin preload, read-only status/agents surfaces, and runtime auth paths so unresolved refs no longer crash read-only CLI flows while runtime-required non-env refs stay strict. (#66818) Thanks @joshavant.
  • Memory/dreaming: stop ordinary transcripts that merely quote the dream-diary prompt from being classified as internal dreaming runs and silently dropped from session recall ingestion. (#66852) Thanks @gumadeiras.
  • Telegram/documents: sanitize binary reply context and ZIP-like archive extraction so .epub and .mobi uploads can no longer leak raw binary into prompt context through reply metadata or archive-to-text/plain coercion. (#66877) Thanks @martinfrancois.
  • Telegram/native commands: restore plugin-registry-backed auto defaults for native commands and native skills so Telegram slash commands keep registering when commands.native and commands.nativeSkills stay on auto. (#66843) Thanks @kashevk0.
  • OpenRouter/Qwen3: parse reasoning_details stream deltas as thinking content without skipping same-chunk tool calls, so Qwen3 replies no longer fail empty on OpenRouter and mixed reasoning/tool-call chunks still execute normally. (#66905) Thanks @bladin.
  • BlueBubbles/catchup: replay missed webhook messages after gateway restart via a persistent per-account cursor and /api/v1/message/query?after=<ts> pass, so messages delivered while the gateway was down no longer disappear. Uses the existing processMessage path and is deduped by #66816's inbound GUID cache. (#66857, #66721) Thanks @omarshahine.
  • Telegram/native commands: keep Telegram command-sync cache process-local so gateway restarts re-register the menu instead of trusting stale on-disk sync state after Telegram cleared commands out-of-band. (#66730) Thanks @nightq.
  • Audio/self-hosted STT: restore models.providers.*.request.allowPrivateNetwork for audio transcription so private or LAN speech-to-text endpoints stop tripping SSRF blocks after the v2026.4.14 regression. (#66692) Thanks @jhsmith409.
  • Auto-reply/media: allow workspace-rooted absolute media paths in auto-reply send flows so valid local media references no longer fail path validation. (#66689)
  • WhatsApp/Baileys media upload: harden encrypted upload handling so large outbound media sends avoid buffer spikes and reliability regressions. (#65966) Thanks @frankekn.
  • QQBot/cron: guard against undefined event.content in parseFaceTags and filterInternalMarkers so cron-triggered agent turns with no content payload no longer crash with TypeError: Cannot read properties of undefined (reading 'startsWith'). (#66302) Thanks @xinmotlanthua.
  • CLI/plugins: stop --dangerously-force-unsafe-install plugin installs from falling back to hook-pack installs after security scan failures, while still preserving non-security fallback behavior for real hook packs. (#58909) Thanks @hxy91819.
  • Claude CLI/sessions: classify No conversation found with session ID as session_expired so expired CLI-backed conversations clear the stale binding and recover on the next turn. (#65028) Thanks @Ivan-Fn.
  • Context Engine: gracefully fall back to the legacy engine when a third-party context engine plugin fails at resolution time (unregistered id, factory throw, or contract violation), preventing a full gateway outage on every channel. (#66930) Thanks @openperf.
  • Control UI/chat: keep optimistic user message cards visible during active sends by deferring same-session history reloads until the active run ends, including aborted and errored runs. (#66997) Thanks @scotthuang and @vincentkoc.
  • Media/Slack: allow host-local CSV and Markdown uploads only when the fallback buffer actually decodes as text, so real plain-text files work without letting opaque non-text blobs renamed to .csv or .md slip past the host-read guard. (#67047) Thanks @Unayung.
  • Ollama/onboarding: split setup into Cloud + Local, Cloud only, and Local only, support direct OLLAMA_API_KEY cloud setup without a local daemon, and keep Ollama web search on the local-host path. (#67005) Thanks @obviyus.
  • Webchat/security: reject remote-host file:// URLs in the media embedding path. (#67293) Thanks @pgondhi987.
  • Dreaming/memory-core: use the ingestion day, not the source file day, for daily recall dedupe so repeat sweeps of the same daily note can increment dailyCount across days instead of stalling at 1. (#67091) Thanks @Bartok9.
  • Node-host/tools.exec: let approval binding distinguish known native binaries from mutable shell payload files, while still fail-closing unknown or racy file probes so absolute-path node-host commands like /usr/bin/whoami no longer get rejected as unsafe interpreter/runtime commands. (#66731) Thanks @tmimmanuel.
amir20/dozzle (amir20/dozzle)

v10.4.0


Dispatcharr/Dispatcharr (ghcr.io/dispatcharr/dispatcharr)

v0.23.0


Security
  • Set DEFAULT_PERMISSION_CLASSES to IsAdmin in the DRF configuration. All viewsets and function-based views that require non-admin or unauthenticated access were explicitly annotated: proxy streaming endpoints (stream_ts, stream_xc, stream_vod, head_vod, stream_xc_movie, stream_xc_episode) use @permission_classes([AllowAny]) (access is controlled by the per-stream-type network allow-list inside the view body); the UserAgentViewSet, StreamProfileViewSet, CoreSettingsViewSet, and ProxySettingsViewSet gained get_permissions() methods mapping read actions to IsStandardUser and write actions to IsAdmin; and AuthViewSet.logout was updated to return [Authenticated()].
  • Fixed missing network_access_allowed checks in the VOD proxy. stream_vod, head_vod, stream_xc_movie, and stream_xc_episode were not checking the STREAMS network policy, unlike the equivalent TS proxy endpoints.
  • Explicitly marked the HDHomeRun discovery endpoints (DiscoverAPIView, LineupAPIView, LineupStatusAPIView, HDHRDeviceXMLAPIView) and the version endpoint with permission_classes = [AllowAny] to document their intentionally public access now that the global default is IsAdmin.
  • Fixed path traversal vulnerability in file uploads. The M3U account upload (apps/m3u/api_views.py), logo upload (apps/channels/api_views.py), and backup upload (apps/backups/api_views.py) all used the uploaded filename directly without sanitization. os.path.join() discards all preceding components when it encounters an absolute path segment, and pathlib's / operator behaves identically; a relative ../ sequence also escapes via OS path resolution at open() time. All three upload paths now strip directory components via Path(name).name and validate the resolved path remains within the intended upload directory. Exploiting any of these required admin credentials.
  • Prevented users from setting xc_password (and other admin-managed keys) on their own account via the PATCH /api/accounts/users/me/ endpoint.
  • Hardened the HLS proxy change_stream endpoint by converting it from a plain Django view to a DRF @api_view with @permission_classes([IsAdmin]), ensuring the endpoint actually enforces admin-only access. The previous decorator arrangement (@csrf_exempt + @permission_classes) had no effect on a plain Django view.
  • Added rate limiting to the login endpoint (POST /api/accounts/token/) using DRF's built-in throttling. A LoginRateThrottle (3 requests/minute per IP, sliding window) is applied to the TokenObtainPairView. Repeated failed attempts from the same IP receive 429 Too Many Requests.
  • Extended rate limiting to the session-auth login alias (POST /api/accounts/auth/login/). It now delegates entirely to TokenObtainPairView, inheriting its throttle, network access check, and audit logging, and returns JWT tokens instead of a session cookie (the session-based response was unusable since SessionAuthentication is not in DEFAULT_AUTHENTICATION_CLASSES). Both endpoints share the same "login" throttle scope, so attempts across either path count against the same per-IP limit.
  • Removed CORS_ALLOW_CREDENTIALS = True from CORS configuration. Dispatcharr authenticates via JWT Authorization headers and API keys — not cookies — so credentials are never sent cross-origin by browsers. The setting was also redundant: browsers reject Access-Control-Allow-Credentials: true when Access-Control-Allow-Origin is a wildcard (*), so it had no effect in practice.
  • Updated frontend npm dependencies to resolve 6 audit vulnerabilities (6 high):
    • Updated @xmldom/xmldom 0.8.11 → 0.8.12, resolving high XML injection via unsafe CDATA serialization allowing attacker-controlled markup insertion (GHSA-wh4c-j3r5-mjhp)
    • Updated lodash 4.17.23 → 4.18.1, resolving high Code Injection via _.template imports key names (GHSA-r5fr-rjxr-66jc) and high Prototype Pollution via array path bypass in _.unset and _.omit (GHSA-f23m-r3pf-42rh)
    • Updated vite 7.3.1 → 7.3.2, resolving high Path Traversal in optimized deps .map handling (GHSA-4w7w-66w2-5vf9), high server.fs.deny bypass with queries (GHSA-v2wj-q39q-566r), and high Arbitrary File Read via dev server WebSocket (GHSA-p9ff-h696-f583)
  • Updated Django 6.0.3 → 6.0.4, resolving the following CVEs:
    • CVE-2026-33033: Potential DoS via MultiPartParser through crafted multipart uploads.
    • CVE-2026-33034: SGI requests with a missing or understated Content-Length header could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit.
    • CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable.
    • CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation.
    • CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin.
Added
  • EPG historical data window: the EPG XML output and XC EPG API now support a prev_days URL parameter (e.g. &prev_days=3) to include past programs in the EPG response. This allows third-party players that request historical program schedules to receive the data they need. The EPG URL builder in the Channels page exposes "Days forward" and "Days back" controls. Per-user defaults for both values (epg_days / epg_prev_days) can be configured in the User settings modal and are applied automatically when no URL parameter is present. (Closes #​1154)
  • Plugin Hub: administrators can now browse, install, and update plugins directly from remote repositories via a new Plugin Hub page in Settings. (Closes #​393) — Thanks @​sethwv
    • Install plugins directly from the hub: the release zip is downloaded, SHA256 integrity is verified, and the plugin is installed atomically.
    • Update managed plugins when a newer version is available from their source repo. Version compatibility constraints (min_dispatcharr_version / max_dispatcharr_version) are enforced at install time.
    • Browse available plugins from all enabled repos with name, description, version, author, and icon.
    • Plugins installed from a repo are tracked as "managed": source repo, slug, installed version, prerelease flag, and deprecated status are all persisted and surfaced in the UI.
    • Add plugin repositories by manifest URL. The official Dispatcharr Plugins repository is pre-configured; third-party repos are supported by supplying an optional GPG public key.
    • Manifest signatures are verified via GPG; the official repo uses a bundled public key. Signature status is displayed per-repo.
    • Preview a repository URL before adding it - validates the manifest and reports plugin count and signature status without saving anything.
    • Configurable automatic manifest refresh interval (in hours; 0 to disable) runs as a Celery background task.
Removed
  • Removed dead VODConnectionManager class (apps/proxy/vod_proxy/connection_manager.py) and its associated helpers, which had been superseded by MultiWorkerVODConnectionManager. All active code already used the multi-worker implementation. Removed the unused VODConnectionManager import from vod_proxy/views.py, the unscheduled cleanup_vod_connections task from apps/proxy/tasks.py, and the unscheduled cleanup_vod_persistent_connections task from core/tasks.py.
  • Removed dead VOD URL routes: VODPlaylistView (playlist generation), VODPositionView (position tracking), and the class-based VODStatsView (replaced by the existing function-based vod_stats view).
  • Removed dead updateVODPosition() API method from frontend/src/api.js, which called the now-removed position tracking endpoint.
Fixed
  • Fixed TV Guide "Record One" always scheduling the recording on the first channel that matched the program's tvg_id, rather than the channel the user actually selected. When multiple channels share the same EPG source, the intended channel was silently ignored. The selected channel object is now passed explicitly through the click handler chain to recordOne, bypassing the findChannelByTvgId fallback lookup entirely. (Fixes #​1140) — Thanks @​fezster
  • Graceful container shutdown: docker stop no longer results in exit 137 (SIGKILL). The entrypoint now explicitly stops all child processes — including uWSGI workers, Celery, Daphne, and Redis, which are spawned as uWSGI attach-daemon children and were previously invisible to the signal handler. A polling loop replaces the old fixed sleep, exiting as soon as all processes have stopped (up to an 8-second ceiling before force-stopping). PostgreSQL is stopped using pg_ctl stop -m immediate as a fallback rather than SIGKILL to avoid data corruption. Process names are now recorded at startup and displayed correctly in crash diagnostics. The unexpected-exit diagnostic block is now suppressed on normal docker stop shutdowns. — Thanks @​Shokkstokk for the initial fix!
  • Fixed two race conditions in the VOD proxy that caused the profile_connections counter to go permanently negative, allowing connections beyond the configured profile limit. (1) _decrement_profile_connections() used a GET-before-DECR guard: two concurrent decrements could both read the same positive value, both pass the guard, and both fire, driving the counter below zero. Replaced with an unconditional DECR followed by a clamp-to-zero if the result is negative. (2) The stream_generator decremented active_streams and then checked has_active_streams() in two separate Redis round-trips without locking. A concurrent generator on another worker could read active_streams=0 in the window between those two calls and also decrement the profile counter, producing a double-decrement. A new decrement_active_streams_and_check() method performs both operations under a single distributed lock, and a profile_decremented flag guards all four call sites in the generator so the profile counter is only ever decremented once per stream. (Closes #​1125) — Thanks @​firestaerter3
  • Fixed a provider TCP connection leak in the VOD proxy stream_generator. When a stream ended via an unhandled exception path that reached the finally block without any of the three exception handlers having run (e.g. an error raised before the first yield), the finally block decremented counters but never called redis_connection.cleanup(). The upstream requests.Response and requests.Session were left open until garbage collection. The finally block now starts a delayed_cleanup daemon thread (matching the 1-second delay used by the normal-completion and GeneratorExit paths) so that seeking clients have time to reconnect and increment active_streams before cleanup() checks whether it is safe to close the connection.
  • Fixed manual stream selection from the Stats page not enforcing M3U profile connection limits in multi-worker deployments. When a non-owning worker handled the change_stream request it correctly packaged stream_id and m3u_profile_id into the Redis pubsub message, but the owning worker's pubsub handler only consumed url and user_agent, silently dropping both IDs before calling stream_manager.update_url(). Because update_url only calls update_stream_profile() when a stream_id is provided, the profile_connections counter was never updated after the switch, causing subsequent capacity checks to see incorrect counts and bypass the full-profile guard. The handler now extracts stream_id and m3u_profile_id from the event and forwards them to update_url(). The bug did not affect single-worker / dev-mode deployments because the owning worker handles those requests directly without pubsub.
  • Fixed the next_stream rotation endpoint applying the same class of bug: get_stream_info_for_switch() was called and returned m3u_profile_id, but the result was dropped when forwarding to ChannelService.change_stream_url(), so update_stream_profile() was never called and profile_connections counters were not updated after an automatic stream rotation.
  • Fixed stream switch metadata (url, user_agent, stream_id, m3u_profile) being written to Redis before the switch was confirmed to succeed. If the switch failed (URL unchanged or exception during teardown), Redis described a URL not actually in use. Metadata is now written only after update_url() returns True; on failure the owner writes stream_manager.url back as the ground truth. The non-owner no longer pre-writes metadata at all; all needed info is carried in the pubsub payload and written by the owner after confirmation.
  • Fixed the Stats page "Active Stream" dropdown not updating when a stream switch occurs. The card was matching the active stream by comparing the URL stored in Redis against stream URLs from the database, which failed silently when the stored URL was a transformed/rewritten value that didn't substring-match the original. The dropdown now matches by stream_id (the authoritative value already present in the stats payload) and re-runs only when stream_id changes, so the normal polling interval drives updates with no extra renders.
  • Fixed the XC Password field in the User modal being editable by standard users despite the backend (PATCH /api/accounts/users/me/) stripping `

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR has been generated by Renovate Bot.
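The path traversal fix in the Dispatcharr notes above (uploaded filename joined directly vs. `Path(name).name` plus a resolved-path check) as an added example; this is not Dispatcharr's code, and UPLOAD_DIR, unsafe_upload_path, safe_upload_path and is_safe_upload_name are names assumed for the illustration.

```python
import os
import tempfile
from pathlib import Path

# Constructed upload directory for this example; the real upload locations
# are not given in the release notes.
UPLOAD_DIR = Path(tempfile.mkdtemp(prefix="uploads_"))


def unsafe_upload_path(filename: str) -> str:
    """The 'before' pattern from the notes: the client-supplied name is joined
    directly. os.path.join() discards UPLOAD_DIR as soon as it meets an absolute
    component, and a relative '../' survives into the string and escapes when
    the OS resolves it at open() time."""
    return os.path.join(str(UPLOAD_DIR), filename)


def safe_upload_path(filename: str) -> Path:
    """The hardened pattern: keep only the final component, then verify the
    resolved path still sits directly under UPLOAD_DIR. Raises ValueError."""
    name = Path(filename).name           # drops every directory component
    if name in ("", ".", ".."):
        raise ValueError("empty or reserved filename")
    base = UPLOAD_DIR.resolve()
    candidate = (base / name).resolve()  # also follows any symlink under base
    if candidate.parent != base:
        raise ValueError(f"{filename!r} resolves outside the upload directory")
    return candidate


def is_safe_upload_name(filename: str) -> bool:
    """True when safe_upload_path() accepts the name, False when it rejects it."""
    try:
        safe_upload_path(filename)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for probe in ("playlist.m3u", "../../etc/passwd", "/etc/passwd", ".."):
        verdict = "ok" if is_safe_upload_name(probe) else "rejected"
        print(f"{probe!r:20} join -> {unsafe_upload_path(probe)!r}  hardened -> {verdict}")
```

The first function reproduces only the join behaviour the notes describe; the second is the shape of check worth applying to every upload handler, not just the three named.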
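The first VOD proxy race above (GET-before-DECR guard letting profile_connections go negative, replaced by an unconditional DECR with clamp-to-zero) as an added example that is not part of the project or this PR; FakeRedis is a constructed in-memory stand-in, and the generators model the two Redis round-trips with the interleaving the notes describe.

```python
from typing import Callable, Generator


class FakeRedis:
    """Constructed in-memory stand-in for the GET / DECR / SET calls in the notes."""
    def __init__(self) -> None:
        self.store: dict = {}

    def get(self, key: str) -> int:
        return self.store.get(key, 0)

    def set(self, key: str, value: int) -> None:
        self.store[key] = value

    def decr(self, key: str) -> int:
        self.store[key] = self.store.get(key, 0) - 1
        return self.store[key]


def guarded_decrement(r: FakeRedis, key: str) -> Generator[None, None, None]:
    """'Before' (racy): GET-before-DECR guard. The yield marks the gap between
    the two round-trips in which another worker can run."""
    current = r.get(key)
    yield
    if current > 0:       # both workers saw the same positive value ...
        r.decr(key)       # ... so both fire and the counter goes negative


def clamped_decrement(r: FakeRedis, key: str) -> Generator[None, None, None]:
    """'After': unconditional DECR, then clamp to zero if the result went negative."""
    value = r.decr(key)
    yield
    if value < 0:
        r.set(key, 0)


def run_interleaved(r: FakeRedis, key: str, start: int,
                    impl: Callable[[FakeRedis, str], Generator]) -> int:
    """Two workers with the interleaving from the notes: each issues its first
    Redis call before either issues its second. Returns the final counter value."""
    r.set(key, start)
    workers = [impl(r, key), impl(r, key)]
    for w in workers:
        next(w)           # first round-trip for both workers
    for w in workers:
        for _ in w:       # drain the remainder of each worker
            pass
    return r.get(key)
```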

@github-actions

Stable

Home-Assistant

Affected areas: static_config, metadata
Modified files:

  • app.yaml
  • ix_values.yaml

Notifying the following about changes to the trains:
@truenas/docs-team

@stavros-k stavros-k linked an issue Apr 17, 2026 that may be closed by this pull request
@stavros-k stavros-k merged commit 9eeb6d4 into master Apr 17, 2026
49 checks passed
@truenasbot truenasbot deleted the renovate/updates-patch-minor branch April 17, 2026 12:38

Development

Successfully merging this pull request may close these issues.

Bug Report: Grafana 13.0.0 does not exist as a tag

3 participants