Files
truecharts/charts/stable/dispatcharr/values.yaml
T
TrueCharts Bot 4b163d1dc9 feat(dispatcharr): update image docker.io/dispatcharr/dispatcharr 0.22.1 → 0.23.0 (#47157)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
|
[docker.io/dispatcharr/dispatcharr](https://redirect.github.com/Dispatcharr/Dispatcharr)
| minor | `ccdfa7e` → `b731cda` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/18710) for more information.

Add the preset `:preserveSemverRanges` to your config if you don't want
to pin your dependencies.

---

### Release Notes

<details>
<summary>Dispatcharr/Dispatcharr
(docker.io/dispatcharr/dispatcharr)</summary>

###
[`v0.23.0`](https://redirect.github.com/Dispatcharr/Dispatcharr/blob/HEAD/CHANGELOG.md#0230---2026-04-17)

[Compare
Source](https://redirect.github.com/Dispatcharr/Dispatcharr/compare/v0.22.1...v0.23.0)

##### Security

- Set `DEFAULT_PERMISSION_CLASSES` to `IsAdmin` in the DRF
configuration. All viewsets and function-based views that require
non-admin or unauthenticated access were explicitly annotated: proxy
streaming endpoints (`stream_ts`, `stream_xc`, `stream_vod`, `head_vod`,
`stream_xc_movie`, `stream_xc_episode`) use
`@permission_classes([AllowAny])` (access is controlled by the
per-stream-type network allow-list inside the view body); the
`UserAgentViewSet`, `StreamProfileViewSet`, `CoreSettingsViewSet`, and
`ProxySettingsViewSet` gained `get_permissions()` methods mapping read
actions to `IsStandardUser` and write actions to `IsAdmin`; and
`AuthViewSet.logout` was updated to return `[Authenticated()]`.
- Fixed missing `network_access_allowed` checks in the VOD proxy.
`stream_vod`, `head_vod`, `stream_xc_movie`, and `stream_xc_episode`
were not checking the `STREAMS` network policy, unlike the equivalent TS
proxy endpoints.
- Explicitly marked the HDHomeRun discovery endpoints
(`DiscoverAPIView`, `LineupAPIView`, `LineupStatusAPIView`,
`HDHRDeviceXMLAPIView`) and the version endpoint with
`permission_classes = [AllowAny]` to document their intentionally public
access now that the global default is `IsAdmin`.
- Fixed path traversal vulnerability in file uploads. The M3U account
upload (`apps/m3u/api_views.py`), logo upload
(`apps/channels/api_views.py`), and backup upload
(`apps/backups/api_views.py`) all used the uploaded filename directly
without sanitization. `os.path.join()` discards all preceding components
when it encounters an absolute path segment, and `pathlib`'s `/`
operator behaves identically; a relative `../` sequence also escapes via
OS path resolution at `open()` time. All three upload paths now strip
directory components via `Path(name).name` and validate the resolved
path remains within the intended upload directory. Exploiting any of
these required admin credentials.
- Prevented users from setting `xc_password` (and other admin-managed
keys) on their own account via the `PATCH /api/accounts/users/me/`
endpoint.
- Hardened the HLS proxy `change_stream` endpoint by converting it from
a plain Django view to a DRF `@api_view` with
`@permission_classes([IsAdmin])`, ensuring the endpoint actually
enforces admin-only access. The previous decorator arrangement
(`@csrf_exempt` + `@permission_classes`) had no effect on a plain Django
view.
- Added rate limiting to the login endpoint (`POST
/api/accounts/token/`) using DRF's built-in throttling. A
`LoginRateThrottle` (3 requests/minute per IP, sliding window) is
applied to the `TokenObtainPairView`. Repeated failed attempts from the
same IP receive `429 Too Many Requests`.
- Extended rate limiting to the session-auth login alias (`POST
/api/accounts/auth/login/`). It now delegates entirely to
`TokenObtainPairView`, inheriting its throttle, network access check,
and audit logging, and returns JWT tokens instead of a session cookie
(the session-based response was unusable since `SessionAuthentication`
is not in `DEFAULT_AUTHENTICATION_CLASSES`). Both endpoints share the
same `"login"` throttle scope, so attempts across either path count
against the same per-IP limit.
- Removed `CORS_ALLOW_CREDENTIALS = True` from CORS configuration.
Dispatcharr authenticates via JWT `Authorization` headers and API keys —
not cookies — so credentials are never sent cross-origin by browsers.
The setting was also redundant: browsers reject
`Access-Control-Allow-Credentials: true` when
`Access-Control-Allow-Origin` is a wildcard (`*`), so it had no effect
in practice.
- Updated frontend npm dependencies to resolve 6 audit vulnerabilities
(6 high):
- Updated `@xmldom/xmldom` 0.8.11 → 0.8.12, resolving **high** XML
injection via unsafe CDATA serialization allowing attacker-controlled
markup insertion
([GHSA-wh4c-j3r5-mjhp](https://redirect.github.com/advisories/GHSA-wh4c-j3r5-mjhp))
- Updated `lodash` 4.17.23 → 4.18.1, resolving **high** Code Injection
via `_.template` imports key names
([GHSA-r5fr-rjxr-66jc](https://redirect.github.com/advisories/GHSA-r5fr-rjxr-66jc))
and **high** Prototype Pollution via array path bypass in `_.unset` and
`_.omit`
([GHSA-f23m-r3pf-42rh](https://redirect.github.com/advisories/GHSA-f23m-r3pf-42rh))
- Updated `vite` 7.3.1 → 7.3.2, resolving **high** Path Traversal in
optimized deps `.map` handling
([GHSA-4w7w-66w2-5vf9](https://redirect.github.com/advisories/GHSA-4w7w-66w2-5vf9)),
**high** `server.fs.deny` bypass with queries
([GHSA-v2wj-q39q-566r](https://redirect.github.com/advisories/GHSA-v2wj-q39q-566r)),
and **high** Arbitrary File Read via dev server WebSocket
([GHSA-p9ff-h696-f583](https://redirect.github.com/advisories/GHSA-p9ff-h696-f583))
- Updated `Django` 6.0.3 → 6.0.4, resolving the following CVEs:
- **CVE-2026-33033**: Potential DoS via `MultiPartParser` through
crafted multipart uploads.
- **CVE-2026-33034**: SGI requests with a missing or understated
`Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE`
limit.
  - **CVE-2026-4292**: Privilege abuse in `ModelAdmin.list_editable`.
- **CVE-2026-3902**: ASGI header spoofing via underscore/hyphen
conflation.
  - **CVE-2026-4277**: Privilege abuse in `GenericInlineModelAdmin`.

##### Added

- **EPG historical data window**: the EPG XML output and XC EPG API now
support a `prev_days` URL parameter (e.g. `&prev_days=3`) to include
past programs in the EPG response. This allows third-party players that
request historical program schedules to receive the data they need. The
EPG URL builder in the Channels page exposes "Days forward" and "Days
back" controls. Per-user defaults for both values (`epg_days` /
`epg_prev_days`) can be configured in the User settings modal and are
applied automatically when no URL parameter is present. (Closes
[#&#8203;1154](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/1154))
- **Plugin Hub**: administrators can now browse, install, and update
plugins directly from remote repositories via a new Plugin Hub page in
Settings. (Closes
[#&#8203;393](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/393))
— Thanks [@&#8203;sethwv](https://redirect.github.com/sethwv)
- Install plugins directly from the hub: the release zip is downloaded,
SHA256 integrity is verified, and the plugin is installed atomically.
- Update managed plugins when a newer version is available from their
source repo. Version compatibility constraints
(`min_dispatcharr_version` / `max_dispatcharr_version`) are enforced at
install time.
- Browse available plugins from all enabled repos with name,
description, version, author, and icon.
- Plugins installed from a repo are tracked as "managed": source repo,
slug, installed version, prerelease flag, and deprecated status are all
persisted and surfaced in the UI.
- Add plugin repositories by manifest URL. The official Dispatcharr
Plugins repository is pre-configured; third-party repos are supported by
supplying an optional GPG public key.
- Manifest signatures are verified via GPG; the official repo uses a
bundled public key. Signature status is displayed per-repo.
- Preview a repository URL before adding it - validates the manifest and
reports plugin count and signature status without saving anything.
- Configurable automatic manifest refresh interval (in hours; 0 to
disable) runs as a Celery background task.

##### Removed

- Removed dead `VODConnectionManager` class
(`apps/proxy/vod_proxy/connection_manager.py`) and its associated
helpers, which had been superseded by `MultiWorkerVODConnectionManager`.
All active code already used the multi-worker implementation. Removed
the unused `VODConnectionManager` import from `vod_proxy/views.py`, the
unscheduled `cleanup_vod_connections` task from `apps/proxy/tasks.py`,
and the unscheduled `cleanup_vod_persistent_connections` task from
`core/tasks.py`.
- Removed dead VOD URL routes: `VODPlaylistView` (playlist generation),
`VODPositionView` (position tracking), and the class-based
`VODStatsView` (replaced by the existing function-based `vod_stats`
view).
- Removed dead `updateVODPosition()` API method from
`frontend/src/api.js`, which called the now-removed position tracking
endpoint.

##### Fixed

- Fixed TV Guide "Record One" always scheduling the recording on the
first channel that matched the program's `tvg_id`, rather than the
channel the user actually selected. When multiple channels share the
same EPG source, the intended channel was silently ignored. The selected
channel object is now passed explicitly through the click handler chain
to `recordOne`, bypassing the `findChannelByTvgId` fallback lookup
entirely. (Fixes
[#&#8203;1140](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/1140))
— Thanks [@&#8203;fezster](https://redirect.github.com/fezster)
- Graceful container shutdown: `docker stop` no longer results in exit
137 (SIGKILL). The entrypoint now explicitly stops all child processes —
including uWSGI workers, Celery, Daphne, and Redis, which are spawned as
uWSGI `attach-daemon` children and were previously invisible to the
signal handler. A polling loop replaces the old fixed `sleep`, exiting
as soon as all processes have stopped (up to an 8-second ceiling before
force-stopping). PostgreSQL is stopped using `pg_ctl stop -m immediate`
as a fallback rather than SIGKILL to avoid data corruption. Process
names are now recorded at startup and displayed correctly in crash
diagnostics. The unexpected-exit diagnostic block is now suppressed on
normal `docker stop` shutdowns. — Thanks
[@&#8203;Shokkstokk](https://redirect.github.com/Shokkstokk) for the
initial fix!
- Fixed two race conditions in the VOD proxy that caused the
`profile_connections` counter to go permanently negative, allowing
connections beyond the configured profile limit. (1)
`_decrement_profile_connections()` used a GET-before-DECR guard: two
concurrent decrements could both read the same positive value, both pass
the guard, and both fire, driving the counter below zero. Replaced with
an unconditional `DECR` followed by a clamp-to-zero if the result is
negative. (2) The `stream_generator` decremented `active_streams` and
then checked `has_active_streams()` in two separate Redis round-trips
without locking. A concurrent generator on another worker could read
`active_streams=0` in the window between those two calls and also
decrement the profile counter, producing a double-decrement. A new
`decrement_active_streams_and_check()` method performs both operations
under a single distributed lock, and a `profile_decremented` flag guards
all four call sites in the generator so the profile counter is only ever
decremented once per stream. (Closes
[#&#8203;1125](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/1125))
— Thanks
[@&#8203;firestaerter3](https://redirect.github.com/firestaerter3)
- Fixed a provider TCP connection leak in the VOD proxy
`stream_generator`. When a stream ended via an unhandled exception path
that reached the `finally` block without any of the three exception
handlers having run (e.g. an error raised before the first `yield`), the
`finally` block decremented counters but never called
`redis_connection.cleanup()`. The upstream `requests.Response` and
`requests.Session` were left open until garbage collection. The
`finally` block now starts a `delayed_cleanup` daemon thread (matching
the 1-second delay used by the normal-completion and `GeneratorExit`
paths) so that seeking clients have time to reconnect and increment
`active_streams` before `cleanup()` checks whether it is safe to close
the connection.
- Fixed manual stream selection from the Stats page not enforcing M3U
profile connection limits in multi-worker deployments. When a non-owning
worker handled the `change_stream` request it correctly packaged
`stream_id` and `m3u_profile_id` into the Redis pubsub message, but the
owning worker's pubsub handler only consumed `url` and `user_agent`
silently dropping both IDs before calling `stream_manager.update_url()`.
Because `update_url` only calls `update_stream_profile()` when a
`stream_id` is provided, the `profile_connections` counter was never
updated after the switch, causing subsequent capacity checks to see
incorrect counts and bypass the full-profile guard. The handler now
extracts `stream_id` and `m3u_profile_id` from the event and forwards
them to `update_url()`. The bug did not affect single-worker / dev-mode
deployments because the owning worker handles those requests directly
without pubsub.
- Fixed the `next_stream` rotation endpoint applying the same class of
bug: `get_stream_info_for_switch()` was called and returned
`m3u_profile_id`, but the result was dropped when forwarding to
`ChannelService.change_stream_url()`, so `update_stream_profile()` was
never called and `profile_connections` counters were not updated after
an automatic stream rotation.
- Fixed stream switch metadata (`url`, `user_agent`, `stream_id`,
`m3u_profile`) being written to Redis before the switch was confirmed to
succeed. If the switch failed, URL unchanged or exception during
teardown, Redis described a URL not actually in use. Metadata is now
written only after `update_url()` returns `True`; on failure the owner
writes `stream_manager.url` back as the ground truth. The non-owner no
longer pre-writes metadata at all, all needed info is carried in the
pubsub payload and written by the owner after confirmation.
- Fixed the Stats page "Active Stream" dropdown not updating when a
stream switch occurs. The card was matching the active stream by
comparing the URL stored in Redis against stream URLs from the database,
which failed silently when the stored URL was a transformed/rewritten
value that didn't substring-match the original. The dropdown now matches
by `stream_id` (the authoritative value already present in the stats
payload) and re-runs only when `stream_id` changes, so the normal
polling interval drives updates with no extra renders.
- Fixed the XC Password field in the User modal being editable by
standard users despite the backend (`PATCH /api/accounts/users/me/`)
stripping `xc_password` from `custom_properties` for non-admin users,
causing the change to silently revert on save. The field and its
generate button are now disabled with an explanatory description when
the current user is not an administrator.
- Fixed live stream hiccups caused by nginx buffering TS proxy data to
disk. The `/proxy/` location block used `proxy_buffering off` and
`proxy_read/send_timeout` directives, which are silently ignored when
the upstream is `uwsgi_pass` (a different directive family). nginx was
therefore defaulting to `uwsgi_buffering on`, spooling stream data
through temp files on disk. Replaced with the correct `uwsgi_buffering
off`, `uwsgi_read_timeout 300s`, and `uwsgi_send_timeout 300s`
directives so stream data flows directly from uWSGI to the client socket
without intermediate disk I/O.
- Fixed the logo cache endpoint (`/api/channels/logos/{id}/cache/`)
holding a uWSGI greenlet indefinitely when fetching from a slow or
dripping remote server. The previous implementation used
`StreamingHttpResponse(iter_content())` with only a per-chunk read
timeout; a server that drips data just fast enough to reset the per-read
timer could hold the greenlet open forever. Replaced with an eager read
loop enforcing a hard total-download deadline (10 s) and a size cap (5
MB). Also fixed a race condition in the existing negative-cache logic:
the failure entry for a URL was cleared immediately upon receiving HTTP
200, before the body was read. A concurrent greenlet seeing no failure
entry during a slow download that ultimately timed out would also
attempt the fetch, defeating the cache. The entry is now cleared only
after the full body has been successfully received.
- Fixed uploading a local M3U file with no expiration date set sending
the string `"null"` as the `exp_date` field in the `FormData` request,
causing a 400 validation error from the API. Null/undefined values are
now skipped when building the `FormData` body, matching the behaviour
already present in the update path.
- Fixed `PATCH /api/channels/channels/edit/bulk/` returning a 500 error
when the request body included a `streams` list. The bulk edit handler
was iterating `validated_data` directly and calling `setattr(channel,
"streams", value)`, which Django prohibits on ManyToMany fields. Also
added an `@extend_schema` decorator so the Swagger UI correctly
documents the endpoint as accepting a JSON array and shows the `streams`
field. (Fixes
[#&#8203;883](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/883))
- Fixed several incorrect or incomplete OpenAPI (`@extend_schema`)
schemas across the API:
- `POST /api/epg/import/` — request body was undocumented; now correctly
shows the `id` field. Description updated from "import" to "refresh" to
match frontend and backend terminology.
- `DELETE /api/channels/logos/bulk-delete/` — `delete_files` boolean was
missing from the documented request body.
- `POST /api/channels/channels/batch-set-epg/` — `epg_data_id` inside
each association object was not marked `allow_null`/`required=False`,
even though passing `null` is the correct way to remove an EPG link.
- `PUT /api/connect/integrations/{id}/subscriptions/set/` — endpoint had
no `@extend_schema` at all; now documents that the request body is a
JSON array of subscription objects.

##### Changed

- **Output bitrate DB persistence**: the `ffmpeg_output_bitrate` stat is
no longer written to the database on every FFmpeg stats tick
(\~2/second). Instead, a local exponential moving average (EMA, α=0.1)
accumulates readings continuously. The first 10 samples (\~5 seconds)
are discarded as warmup to avoid polluting the average with FFmpeg's
unstable ramp-up values. After warmup, the smoothed value is flushed to
the database at most once every 30 seconds, and a final flush occurs
when the stream stops but only if the EMA has been seeded (i.e. the
stream ran past warmup). Streams that stop during warmup leave the
existing database value untouched, preserving previously accurate
measurements when channel-hopping.
- Performance: `generate_m3u`, `generate_epg`, and `xc_get_live_streams`
now use `select_related('channel_group', 'logo')` (or
`select_related('logo')` for EPG) on every Channel queryset in
`apps/output/views.py`. Previously each channel in the loop triggered a
separate database query for its `logo` and `channel_group` foreign keys;
with the JOIN-based prefetch this is reduced to a single query per
request. On deployments with \~2 000 channels, `xc_get_live_streams`
response time drops from \~2.5–4 s to \~250–450 ms. (Closes
[#&#8203;1127](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/1127))
— Thanks [@&#8203;xBOBxSAGETx](https://redirect.github.com/xBOBxSAGETx)
- Performance: `generate_epg` now uses
`select_related('epg_data__epg_source')` on all EPG channel querysets,
eliminating N+1 database queries for `EPGSource` traversal per channel
(\~15 s improvement on \~2000-channel deployments; total EPG generation
time dropped from \~87 s to \~72 s in benchmarks).
- Performance: `xc_get_epg` now uses
`select_related('epg_data__epg_source')` on all three channel fetch
paths. Previously each request triggered 2 additional queries to resolve
`channel.epg_data` and `channel.epg_data.epg_source`.
- Performance: `generate_m3u` now uses `prefetch_related` for streams
when `?direct=true` is requested, eliminating N+1 stream queries (one
per channel) on that code path.
- Performance: `EPGGridAPIView` (`apps/epg/api_views.py`) now uses
`select_related('epg_data__epg_source')` on the
`channels_with_custom_dummy` queryset, eliminating 2 extra queries per
channel (for `epg_data` and `epg_source`) in the dummy EPG generation
loop.
- Performance: `generate_epg` now issues a single cross-channel
`ProgramData` bulk query. `.values()` returns plain dicts, bypassing
per-row Django model instantiation. Results are consumed in independent
5000-row keyset-paginated chunks. Combined with the `select_related`
improvements above, EPG generation time on large deployments is
significantly reduced.
- Performance: `xc_get_live_streams` no longer calls
`ChannelGroup.objects.get_or_create(name="Default Group")` once per
null-group channel; replaced with a lazy-initialised closure that
executes at most one query regardless of how many ungrouped channels are
present.
- AIO containers now connect to the internal PostgreSQL instance via a
Unix domain socket instead of TCP loopback. Users who have
`POSTGRES_HOST` explicitly set to `localhost` or `127.0.0.1` in their
compose file are automatically migrated to the socket path; any other
explicit value (external host/IP) is left untouched. — Thanks
[@&#8203;JCBird1012](https://redirect.github.com/JCBird1012)
- Improved the EPG response cache key. Previously it was based on the
raw query string and username, meaning a user default of `epg_days=7`
and an explicit `&days=7` URL parameter produced different cache entries
for identical output. The key is now built from all resolved effective
parameter values (`days`, `prev_days`, `cachedlogos`, `tvg_id_source`)
so semantically equivalent requests always share the same cache entry.
- Improved the HDHR, M3U, and EPG URL builder popovers in the Channels
table: each popover now opens with a brief intro sentence describing its
purpose. Toggle switches were refactored to use Mantine's native `label`
and `description` props (replacing the previous manual
`Group`/`Stack`/`Text` layout), giving each switch a properly styled
description line beneath its label. Switch alignment was also corrected.
Toggles now appear on the left with the label and description stacked to
the right, consistent with standard Mantine form layout.
- Redesigned the User settings modal with a tabbed layout: **Account**
(username, email, name, password), **Permissions** (user level, stream
limit, channel profiles, mature content filter - admin only), **EPG
Defaults** (days forward/back), and **API & XC** (XC password, API key
management). Fields are now logically grouped rather than split across
two ad-hoc columns.
- EPG channel scanning now automatically removes stale `EPGData`
entries. tvg-ids that were present in a previous scan but are no longer
found in the upstream source, provided they are not mapped to any
channel. This prevents unbounded database bloat over time. Entries
mapped to at least one channel are always preserved.
- Rewrote the M3U line parser as an `iter_m3u_entries` generator that
owns the full per-entry state machine. Intermediate directive lines
between `#EXTINF` and the stream URL are now handled correctly rather
than corrupting the pending entry or being silently misassigned. A
`#EXTINF` with no following URL is discarded with a warning instead of
carrying over a `url`-less entry into batch processing. Attribute keys
are normalised to lowercase during parsing (provider attribute names
remain case-insensitive end-to-end). The `#EXTINF` attribute regex is
pre-compiled at module load, and attribute lookups use O(1) `dict.get()`
instead of linear scans — approximately 10% faster parsing on large M3U
files.
- Added support for the `#EXTGRP` directive in M3U files. When a
`group-title` attribute is absent from the `#EXTINF` line, the value
from a following `#EXTGRP:` line is used as the group. An explicit
`group-title` attribute always takes priority. (Closes
[#&#8203;1088](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/1088))
- Added accumulation of `#EXTVLCOPT` directives per entry. Options are
stored as a list under `vlc_opts` inside the stream's
`custom_properties`, available for downstream use (e.g. passing
VLC-specific options to the player). This is for a planned future
enhancement and can also be utlized with the API.
- M3U stream name parsing now uses the comma text (the canonical display
title per the base `#EXTINF` spec) as the primary stream name, falling
back to `tvc-guide-title`, then `tvg-name`, rather than preferring
`tvg-name` first. Providers that use `tvg-name` as an EPG key and put
the human-readable title after the comma will now display the correct
name. Providers that duplicate the same value in both fields are
unaffected. (Fixes
[#&#8203;1081](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/1081))
- FloatingVideo player: the native video controls (timeline, play/pause,
volume) are now hidden by default when a live stream starts and only
appear when the user hovers over the player.
- Enhanced Swagger UI authorization dialog: registered a custom
`OpenApiAuthenticationExtension` for `ApiKeyAuthentication` so
drf-spectacular now generates an `ApiKeyAuth (apiKey)` entry alongside
`jwtAuth`. Both entries include descriptive text linking to the relevant
endpoints (`/api/accounts/token/`, `/api/accounts/api-keys/generate/`,
`/api/accounts/api-keys/revoke/`).
- Refactored frontend form components (`AccountInfoModal`,
`AssignChannelNumbers`, `Channel`, `ChannelBatch`, `ChannelGroup`,
`Connection`, `CronBuilder`, `DummyEPG`, and `EPG`) to extract business
logic into dedicated utility modules under `src/utils/forms/`. Each
extracted module is covered by unit tests. Mantine compound component
references (`Table.Tbody`, `Popover.Target`, `Accordion.Item`, etc.)
have been updated to use flat named imports. — Thanks
[@&#8203;nick4810](https://redirect.github.com/nick4810)
- Improved the EPG BOM fix from v0.22.1: replaced the
`lstrip(b'\xef\xbb\xbf')` / `startswith` approach with
`start.find(b'<?xml')`, which locates the XML declaration regardless of
any leading bytes BOM, whitespace, or other encoding markers without
needing to know what those bytes are.
- Dependency updates:
  - `Django` 6.0.3 → 6.0.4 (security patch; see Security section)
  - `djangorestframework` 3.16.1 → 3.17.1
  - `requests` 2.33.0 → 2.33.1
  - `gevent` 25.9.1 → 26.4.0
  - `rapidfuzz` 3.14.3 → 3.14.5
  - `sentence-transformers` 5.3.0 → 5.4.0
  - `lxml` 6.0.2 → 6.0.3
- Added `python-gnupg` for GPG signature verification of official and
third-party plugin repository manifests.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yOS4yIiwidXBkYXRlZEluVmVyIjoiNDMuMjkuMiIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJhcHAvZGlzcGF0Y2hhcnIiLCJhdXRvbWVyZ2UiLCJyZW5vdmF0ZS9jb250YWluZXIiLCJ0eXBlL21pbm9yIl19-->

Signed-off-by: Alfred Göppel <43101280+alfi0812@users.noreply.github.com>
Co-authored-by: Alfred Göppel <43101280+alfi0812@users.noreply.github.com>
2026-04-18 18:29:11 +00:00

81 lines
2.7 KiB
YAML

# yaml-language-server: $schema=./values.schema.json
image:
pullPolicy: IfNotPresent
repository: docker.io/dispatcharr/dispatcharr
tag: 0.23.0@sha256:b731cda8daa302c5bc28f5031158895f9996c4b1995d7f292e96d4a7461c6263
securityContext:
container:
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
service:
main:
ports:
main:
protocol: http
targetPort: 9191
port: 9191
workload:
main:
podSpec:
initContainers:
setup-postgres-dirs:
enabled: true
type: init
name: setup-postgres-dirs
image: alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
command:
- /bin/sh
- -c
- |
echo "Setting up PostgreSQL directories..."
# Create and set permissions for /var/run/postgresql
mkdir -p /var/run/postgresql
chown 999:999 /var/run/postgresql
chmod 2775 /var/run/postgresql
echo "✓ /var/run/postgresql created (999:999, 2775)"
# Fix permissions for /data/db (restored from backup)
if [ -d /data/db ]; then
echo "Found existing /data/db, fixing permissions..."
# Recursively fix ownership of ALL files inside /data/db
chown -R 999:999 /data/db
# Set directory permissions to 0700
chmod 0700 /data/db
# Fix permissions on all subdirectories and files
find /data/db -type d -exec chmod 0700 {} \;
find /data/db -type f -exec chmod 0600 {} \;
echo "✓ /data/db permissions fixed recursively (999:999, 0700)"
else
echo "Creating /data/db..."
mkdir -p /data/db
chown 999:999 /data/db
chmod 0700 /data/db
echo "✓ /data/db created (999:999, 0700)"
fi
# Verify permissions
echo "Checking /data/db permissions:"
ls -la /data/db | head -10
ls -la /var/run/ | grep postgresql || echo "Warning: postgres dir not found"
echo "Setup complete."
containers:
main:
env:
DISPATCHARR_ENV: aio # Set to 'aio' for all-in-one mode with embedded PostgreSQL. Currently, only 'aio' is supported.
# DISPATCHARR_LOG_LEVEL: info
persistence:
data:
enabled: true
mountPath: /data
targetSelector:
main:
main:
mountPath: /data
setup-postgres-dirs:
mountPath: /data
postgres-run:
enabled: true
mountPath: /var/run/postgresql