This PR fixes a security issue where authenticated users could access and modify data belonging to
other users. The isOwnProfileOrAdmin() middleware was missing from several push subscription API
routes. As a result, any authenticated user on the instance could manipulate the userId parameter in
the URL to view or delete the push subscriptions of other users.
Add ownership check to GET /api/v1/user/:id so the full user object(including eager-loaded settings
with notification credentials) is onlyreturned to the user themselves or MANAGE_USERS admins. All
otherauthenticated users receive a stripped response (which is the intended behaviour as
https://github.com/sct/overseerr/pull/3695#issuecomment-1817827774). Also expands
User.filteredFields to strip sensitive fileds to prevent leaking credentials
Fix a logic flaw in the jellyfin auth guard that allowed unauthenticated users to register accounts
on Plex-configured instances by authenticating against an attacker-controlled Jellyfin server.
* fix(servarr): add timeout to Radarr/Sonarr API requests to prevent infinite loading
Adds a 5-second timeout to all Radarr/Sonarr API requests and displays a warning banner when
services are unreachable. This prevents the Recent Requests section and request list pages from
hanging indefinitely when a configured service has connection issues.
fix#2374
* fix(requests): only show service error banner to users with advanced permissions
* chore(deps): update dependencies and fix security vulnerabilities
Update TypeScript 4.9 → 5.4. Update Zod 3 → 4. Update nodemailer 6 → 7. Update @typescript-eslint
packages to v7. Update xml2js, undici, lodash, axios, swr, winston- Add pnpm.overrides for
transitive dependency vulnerabilities
* chore: fix import ordering for TypeScript 5.4 compatibility
prettier-plugin-organize-imports behaves differently with TypeScript 5.4 vs 4.9, causing CI
formatting checks to fail. This reformats imports to match the ordering expected by the plugin with
the upgraded TS version.
PR #1543 introduced resolution checking to check 4k from non4k media when users have both server
types configured with the same service. Howerver, this causes false deletions for users with only a
single non4k service when radarr upgrades file to 4k resolution. This fix only applies resolution to
checking when both 4k and non4k servers are configured. Otherwise then if file exists then it counts
as available
Removes plex-api dependency and its type declarations. Then extends the ExternalApi class for
PlexAPI implementation to mimick the exact same old behaviour. This should resolve the security
vulnerabilities in transitive dependencies: form-data(critical), request (moderate, deprecated),
tough-cookie (moderate), xml2js (moderate). Plex-api itself is also no longer maintained.
* fix(mediarequest): explicitly set mediaId when creating
Intermittent issue where media_request records were created with mediaId = NULL,causing TypeError
when accessing request.media.tmdbId on the profile page. TypeORM's implicit relation-to-foreign-key
mapping was failing intermittently. This sets the mediaId column explicitly and adds a guard to
check to fail fast if media.id is not populated after save.
fix#2315
* refactor: better logging when media id not found
* fix: configure axios proxy agent socket limits to prevent connection leaks
Add socket pool configuration to HttpProxyAgent and HttpsProxyAgent to
prevent connection leaks.
fix#2297
* fix(proxy): pass forceIpv4First option to custom proxy agent
* fix(proxy): add connection limits and IPv4 support to undici agents
* fix: prevent the delete status from changing unless a new request is made"
refactor: remove parent remove change until later date
refactor: remove console log
* fix: add download progress for deleted badge
fix: check if not processing first for movies
* fix: add season pack change
* fix: sanitize disallowed characters in arr tags
Updates the tag creation to normalize diacritics, replace spaces with hyphens and stip any
non-alphanumeric characters from display name
fix#2229, fix#1897
* refactor: improve display name sanitization in tag creation
* fix: include displayName in user selection for tag migration
* fix(migrator): retrieve all user fields in tag migration
This is a one time migration so performance is neglible. This should trigger the @AfterLoad hooks
which sets the `displayName`
* refactor(jellyfin-scanner): extend BaseScanner for jellyfin scanner
Refactors JellyfinScanner to extend BaseScanner class to align the jellyfin scanner architecture
with the plex scanner and reduce code duplication.
* fix(jellyfin-scanner): add imdbId handling back to fix a regression from original behaviour
* fix: add imdbId assignment for existing media entries
* fix: include imdbId in processed 4k media items and improve 4k detection
* fix(jellyfin-scanner): filter seasons based on settings for special episodes (regression)
