TrueCharts Bot 4b163d1dc9 feat(dispatcharr): update image docker.io/dispatcharr/dispatcharr 0.22.1 → 0.23.0 (#47157)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
|
[docker.io/dispatcharr/dispatcharr](https://redirect.github.com/Dispatcharr/Dispatcharr)
| minor | `ccdfa7e` → `b731cda` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/18710) for more information.

Add the preset `:preserveSemverRanges` to your config if you don't want
to pin your dependencies.

---

### Release Notes

<details>
<summary>Dispatcharr/Dispatcharr
(docker.io/dispatcharr/dispatcharr)</summary>

###
[`v0.23.0`](https://redirect.github.com/Dispatcharr/Dispatcharr/blob/HEAD/CHANGELOG.md#0230---2026-04-17)

[Compare
Source](https://redirect.github.com/Dispatcharr/Dispatcharr/compare/v0.22.1...v0.23.0)

##### Security

- Set `DEFAULT_PERMISSION_CLASSES` to `IsAdmin` in the DRF
configuration. All viewsets and function-based views that require
non-admin or unauthenticated access were explicitly annotated: proxy
streaming endpoints (`stream_ts`, `stream_xc`, `stream_vod`, `head_vod`,
`stream_xc_movie`, `stream_xc_episode`) use
`@permission_classes([AllowAny])` (access is controlled by the
per-stream-type network allow-list inside the view body); the
`UserAgentViewSet`, `StreamProfileViewSet`, `CoreSettingsViewSet`, and
`ProxySettingsViewSet` gained `get_permissions()` methods mapping read
actions to `IsStandardUser` and write actions to `IsAdmin`; and
`AuthViewSet.logout` was updated to return `[Authenticated()]`.
- Fixed missing `network_access_allowed` checks in the VOD proxy.
`stream_vod`, `head_vod`, `stream_xc_movie`, and `stream_xc_episode`
were not checking the `STREAMS` network policy, unlike the equivalent TS
proxy endpoints.
- Explicitly marked the HDHomeRun discovery endpoints
(`DiscoverAPIView`, `LineupAPIView`, `LineupStatusAPIView`,
`HDHRDeviceXMLAPIView`) and the version endpoint with
`permission_classes = [AllowAny]` to document their intentionally public
access now that the global default is `IsAdmin`.
- Fixed path traversal vulnerability in file uploads. The M3U account
upload (`apps/m3u/api_views.py`), logo upload
(`apps/channels/api_views.py`), and backup upload
(`apps/backups/api_views.py`) all used the uploaded filename directly
without sanitization. `os.path.join()` discards all preceding components
when it encounters an absolute path segment, and `pathlib`'s `/`
operator behaves identically; a relative `../` sequence also escapes via
OS path resolution at `open()` time. All three upload paths now strip
directory components via `Path(name).name` and validate the resolved
path remains within the intended upload directory. Exploiting any of
these required admin credentials.
- Prevented users from setting `xc_password` (and other admin-managed
keys) on their own account via the `PATCH /api/accounts/users/me/`
endpoint.
- Hardened the HLS proxy `change_stream` endpoint by converting it from
a plain Django view to a DRF `@api_view` with
`@permission_classes([IsAdmin])`, ensuring the endpoint actually
enforces admin-only access. The previous decorator arrangement
(`@csrf_exempt` + `@permission_classes`) had no effect on a plain Django
view.
- Added rate limiting to the login endpoint (`POST
/api/accounts/token/`) using DRF's built-in throttling. A
`LoginRateThrottle` (3 requests/minute per IP, sliding window) is
applied to the `TokenObtainPairView`. Repeated failed attempts from the
same IP receive `429 Too Many Requests`.
- Extended rate limiting to the session-auth login alias (`POST
/api/accounts/auth/login/`). It now delegates entirely to
`TokenObtainPairView`, inheriting its throttle, network access check,
and audit logging, and returns JWT tokens instead of a session cookie
(the session-based response was unusable since `SessionAuthentication`
is not in `DEFAULT_AUTHENTICATION_CLASSES`). Both endpoints share the
same `"login"` throttle scope, so attempts across either path count
against the same per-IP limit.
- Removed `CORS_ALLOW_CREDENTIALS = True` from CORS configuration.
Dispatcharr authenticates via JWT `Authorization` headers and API keys —
not cookies — so credentials are never sent cross-origin by browsers.
The setting was also redundant: browsers reject
`Access-Control-Allow-Credentials: true` when
`Access-Control-Allow-Origin` is a wildcard (`*`), so it had no effect
in practice.
- Updated frontend npm dependencies to resolve 6 audit vulnerabilities
(6 high):
- Updated `@xmldom/xmldom` 0.8.11 → 0.8.12, resolving **high** XML
injection via unsafe CDATA serialization allowing attacker-controlled
markup insertion
([GHSA-wh4c-j3r5-mjhp](https://redirect.github.com/advisories/GHSA-wh4c-j3r5-mjhp))
- Updated `lodash` 4.17.23 → 4.18.1, resolving **high** Code Injection
via `_.template` imports key names
([GHSA-r5fr-rjxr-66jc](https://redirect.github.com/advisories/GHSA-r5fr-rjxr-66jc))
and **high** Prototype Pollution via array path bypass in `_.unset` and
`_.omit`
([GHSA-f23m-r3pf-42rh](https://redirect.github.com/advisories/GHSA-f23m-r3pf-42rh))
- Updated `vite` 7.3.1 → 7.3.2, resolving **high** Path Traversal in
optimized deps `.map` handling
([GHSA-4w7w-66w2-5vf9](https://redirect.github.com/advisories/GHSA-4w7w-66w2-5vf9)),
**high** `server.fs.deny` bypass with queries
([GHSA-v2wj-q39q-566r](https://redirect.github.com/advisories/GHSA-v2wj-q39q-566r)),
and **high** Arbitrary File Read via dev server WebSocket
([GHSA-p9ff-h696-f583](https://redirect.github.com/advisories/GHSA-p9ff-h696-f583))
- Updated `Django` 6.0.3 → 6.0.4, resolving the following CVEs:
- **CVE-2026-33033**: Potential DoS via `MultiPartParser` through
crafted multipart uploads.
- **CVE-2026-33034**: SGI requests with a missing or understated
`Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE`
limit.
  - **CVE-2026-4292**: Privilege abuse in `ModelAdmin.list_editable`.
- **CVE-2026-3902**: ASGI header spoofing via underscore/hyphen
conflation.
  - **CVE-2026-4277**: Privilege abuse in `GenericInlineModelAdmin`.

##### Added

- **EPG historical data window**: the EPG XML output and XC EPG API now
support a `prev_days` URL parameter (e.g. `&prev_days=3`) to include
past programs in the EPG response. This allows third-party players that
request historical program schedules to receive the data they need. The
EPG URL builder in the Channels page exposes "Days forward" and "Days
back" controls. Per-user defaults for both values (`epg_days` /
`epg_prev_days`) can be configured in the User settings modal and are
applied automatically when no URL parameter is present. (Closes
[#&#8203;1154](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/1154))
- **Plugin Hub**: administrators can now browse, install, and update
plugins directly from remote repositories via a new Plugin Hub page in
Settings. (Closes
[#&#8203;393](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/393))
— Thanks [@&#8203;sethwv](https://redirect.github.com/sethwv)
- Install plugins directly from the hub: the release zip is downloaded,
SHA256 integrity is verified, and the plugin is installed atomically.
- Update managed plugins when a newer version is available from their
source repo. Version compatibility constraints
(`min_dispatcharr_version` / `max_dispatcharr_version`) are enforced at
install time.
- Browse available plugins from all enabled repos with name,
description, version, author, and icon.
- Plugins installed from a repo are tracked as "managed": source repo,
slug, installed version, prerelease flag, and deprecated status are all
persisted and surfaced in the UI.
- Add plugin repositories by manifest URL. The official Dispatcharr
Plugins repository is pre-configured; third-party repos are supported by
supplying an optional GPG public key.
- Manifest signatures are verified via GPG; the official repo uses a
bundled public key. Signature status is displayed per-repo.
- Preview a repository URL before adding it - validates the manifest and
reports plugin count and signature status without saving anything.
- Configurable automatic manifest refresh interval (in hours; 0 to
disable) runs as a Celery background task.

##### Removed

- Removed dead `VODConnectionManager` class
(`apps/proxy/vod_proxy/connection_manager.py`) and its associated
helpers, which had been superseded by `MultiWorkerVODConnectionManager`.
All active code already used the multi-worker implementation. Removed
the unused `VODConnectionManager` import from `vod_proxy/views.py`, the
unscheduled `cleanup_vod_connections` task from `apps/proxy/tasks.py`,
and the unscheduled `cleanup_vod_persistent_connections` task from
`core/tasks.py`.
- Removed dead VOD URL routes: `VODPlaylistView` (playlist generation),
`VODPositionView` (position tracking), and the class-based
`VODStatsView` (replaced by the existing function-based `vod_stats`
view).
- Removed dead `updateVODPosition()` API method from
`frontend/src/api.js`, which called the now-removed position tracking
endpoint.

##### Fixed

- Fixed TV Guide "Record One" always scheduling the recording on the
first channel that matched the program's `tvg_id`, rather than the
channel the user actually selected. When multiple channels share the
same EPG source, the intended channel was silently ignored. The selected
channel object is now passed explicitly through the click handler chain
to `recordOne`, bypassing the `findChannelByTvgId` fallback lookup
entirely. (Fixes
[#&#8203;1140](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/1140))
— Thanks [@&#8203;fezster](https://redirect.github.com/fezster)
- Graceful container shutdown: `docker stop` no longer results in exit
137 (SIGKILL). The entrypoint now explicitly stops all child processes —
including uWSGI workers, Celery, Daphne, and Redis, which are spawned as
uWSGI `attach-daemon` children and were previously invisible to the
signal handler. A polling loop replaces the old fixed `sleep`, exiting
as soon as all processes have stopped (up to an 8-second ceiling before
force-stopping). PostgreSQL is stopped using `pg_ctl stop -m immediate`
as a fallback rather than SIGKILL to avoid data corruption. Process
names are now recorded at startup and displayed correctly in crash
diagnostics. The unexpected-exit diagnostic block is now suppressed on
normal `docker stop` shutdowns. — Thanks
[@&#8203;Shokkstokk](https://redirect.github.com/Shokkstokk) for the
initial fix!
- Fixed two race conditions in the VOD proxy that caused the
`profile_connections` counter to go permanently negative, allowing
connections beyond the configured profile limit. (1)
`_decrement_profile_connections()` used a GET-before-DECR guard: two
concurrent decrements could both read the same positive value, both pass
the guard, and both fire, driving the counter below zero. Replaced with
an unconditional `DECR` followed by a clamp-to-zero if the result is
negative. (2) The `stream_generator` decremented `active_streams` and
then checked `has_active_streams()` in two separate Redis round-trips
without locking. A concurrent generator on another worker could read
`active_streams=0` in the window between those two calls and also
decrement the profile counter, producing a double-decrement. A new
`decrement_active_streams_and_check()` method performs both operations
under a single distributed lock, and a `profile_decremented` flag guards
all four call sites in the generator so the profile counter is only ever
decremented once per stream. (Closes
[#&#8203;1125](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/1125))
— Thanks
[@&#8203;firestaerter3](https://redirect.github.com/firestaerter3)
- Fixed a provider TCP connection leak in the VOD proxy
`stream_generator`. When a stream ended via an unhandled exception path
that reached the `finally` block without any of the three exception
handlers having run (e.g. an error raised before the first `yield`), the
`finally` block decremented counters but never called
`redis_connection.cleanup()`. The upstream `requests.Response` and
`requests.Session` were left open until garbage collection. The
`finally` block now starts a `delayed_cleanup` daemon thread (matching
the 1-second delay used by the normal-completion and `GeneratorExit`
paths) so that seeking clients have time to reconnect and increment
`active_streams` before `cleanup()` checks whether it is safe to close
the connection.
- Fixed manual stream selection from the Stats page not enforcing M3U
profile connection limits in multi-worker deployments. When a non-owning
worker handled the `change_stream` request it correctly packaged
`stream_id` and `m3u_profile_id` into the Redis pubsub message, but the
owning worker's pubsub handler only consumed `url` and `user_agent`
silently dropping both IDs before calling `stream_manager.update_url()`.
Because `update_url` only calls `update_stream_profile()` when a
`stream_id` is provided, the `profile_connections` counter was never
updated after the switch, causing subsequent capacity checks to see
incorrect counts and bypass the full-profile guard. The handler now
extracts `stream_id` and `m3u_profile_id` from the event and forwards
them to `update_url()`. The bug did not affect single-worker / dev-mode
deployments because the owning worker handles those requests directly
without pubsub.
- Fixed the `next_stream` rotation endpoint applying the same class of
bug: `get_stream_info_for_switch()` was called and returned
`m3u_profile_id`, but the result was dropped when forwarding to
`ChannelService.change_stream_url()`, so `update_stream_profile()` was
never called and `profile_connections` counters were not updated after
an automatic stream rotation.
- Fixed stream switch metadata (`url`, `user_agent`, `stream_id`,
`m3u_profile`) being written to Redis before the switch was confirmed to
succeed. If the switch failed, URL unchanged or exception during
teardown, Redis described a URL not actually in use. Metadata is now
written only after `update_url()` returns `True`; on failure the owner
writes `stream_manager.url` back as the ground truth. The non-owner no
longer pre-writes metadata at all, all needed info is carried in the
pubsub payload and written by the owner after confirmation.
- Fixed the Stats page "Active Stream" dropdown not updating when a
stream switch occurs. The card was matching the active stream by
comparing the URL stored in Redis against stream URLs from the database,
which failed silently when the stored URL was a transformed/rewritten
value that didn't substring-match the original. The dropdown now matches
by `stream_id` (the authoritative value already present in the stats
payload) and re-runs only when `stream_id` changes, so the normal
polling interval drives updates with no extra renders.
- Fixed the XC Password field in the User modal being editable by
standard users despite the backend (`PATCH /api/accounts/users/me/`)
stripping `xc_password` from `custom_properties` for non-admin users,
causing the change to silently revert on save. The field and its
generate button are now disabled with an explanatory description when
the current user is not an administrator.
- Fixed live stream hiccups caused by nginx buffering TS proxy data to
disk. The `/proxy/` location block used `proxy_buffering off` and
`proxy_read/send_timeout` directives, which are silently ignored when
the upstream is `uwsgi_pass` (a different directive family). nginx was
therefore defaulting to `uwsgi_buffering on`, spooling stream data
through temp files on disk. Replaced with the correct `uwsgi_buffering
off`, `uwsgi_read_timeout 300s`, and `uwsgi_send_timeout 300s`
directives so stream data flows directly from uWSGI to the client socket
without intermediate disk I/O.
- Fixed the logo cache endpoint (`/api/channels/logos/{id}/cache/`)
holding a uWSGI greenlet indefinitely when fetching from a slow or
dripping remote server. The previous implementation used
`StreamingHttpResponse(iter_content())` with only a per-chunk read
timeout; a server that drips data just fast enough to reset the per-read
timer could hold the greenlet open forever. Replaced with an eager read
loop enforcing a hard total-download deadline (10 s) and a size cap (5
MB). Also fixed a race condition in the existing negative-cache logic:
the failure entry for a URL was cleared immediately upon receiving HTTP
200, before the body was read. A concurrent greenlet seeing no failure
entry during a slow download that ultimately timed out would also
attempt the fetch, defeating the cache. The entry is now cleared only
after the full body has been successfully received.
- Fixed uploading a local M3U file with no expiration date set sending
the string `"null"` as the `exp_date` field in the `FormData` request,
causing a 400 validation error from the API. Null/undefined values are
now skipped when building the `FormData` body, matching the behaviour
already present in the update path.
- Fixed `PATCH /api/channels/channels/edit/bulk/` returning a 500 error
when the request body included a `streams` list. The bulk edit handler
was iterating `validated_data` directly and calling `setattr(channel,
"streams", value)`, which Django prohibits on ManyToMany fields. Also
added an `@extend_schema` decorator so the Swagger UI correctly
documents the endpoint as accepting a JSON array and shows the `streams`
field. (Fixes
[#&#8203;883](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/883))
- Fixed several incorrect or incomplete OpenAPI (`@extend_schema`)
schemas across the API:
- `POST /api/epg/import/` — request body was undocumented; now correctly
shows the `id` field. Description updated from "import" to "refresh" to
match frontend and backend terminology.
- `DELETE /api/channels/logos/bulk-delete/` — `delete_files` boolean was
missing from the documented request body.
- `POST /api/channels/channels/batch-set-epg/` — `epg_data_id` inside
each association object was not marked `allow_null`/`required=False`,
even though passing `null` is the correct way to remove an EPG link.
- `PUT /api/connect/integrations/{id}/subscriptions/set/` — endpoint had
no `@extend_schema` at all; now documents that the request body is a
JSON array of subscription objects.

##### Changed

- **Output bitrate DB persistence**: the `ffmpeg_output_bitrate` stat is
no longer written to the database on every FFmpeg stats tick
(\~2/second). Instead, a local exponential moving average (EMA, α=0.1)
accumulates readings continuously. The first 10 samples (\~5 seconds)
are discarded as warmup to avoid polluting the average with FFmpeg's
unstable ramp-up values. After warmup, the smoothed value is flushed to
the database at most once every 30 seconds, and a final flush occurs
when the stream stops but only if the EMA has been seeded (i.e. the
stream ran past warmup). Streams that stop during warmup leave the
existing database value untouched, preserving previously accurate
measurements when channel-hopping.
- Performance: `generate_m3u`, `generate_epg`, and `xc_get_live_streams`
now use `select_related('channel_group', 'logo')` (or
`select_related('logo')` for EPG) on every Channel queryset in
`apps/output/views.py`. Previously each channel in the loop triggered a
separate database query for its `logo` and `channel_group` foreign keys;
with the JOIN-based prefetch this is reduced to a single query per
request. On deployments with \~2 000 channels, `xc_get_live_streams`
response time drops from \~2.5–4 s to \~250–450 ms. (Closes
[#&#8203;1127](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/1127))
— Thanks [@&#8203;xBOBxSAGETx](https://redirect.github.com/xBOBxSAGETx)
- Performance: `generate_epg` now uses
`select_related('epg_data__epg_source')` on all EPG channel querysets,
eliminating N+1 database queries for `EPGSource` traversal per channel
(\~15 s improvement on \~2000-channel deployments; total EPG generation
time dropped from \~87 s to \~72 s in benchmarks).
- Performance: `xc_get_epg` now uses
`select_related('epg_data__epg_source')` on all three channel fetch
paths. Previously each request triggered 2 additional queries to resolve
`channel.epg_data` and `channel.epg_data.epg_source`.
- Performance: `generate_m3u` now uses `prefetch_related` for streams
when `?direct=true` is requested, eliminating N+1 stream queries (one
per channel) on that code path.
- Performance: `EPGGridAPIView` (`apps/epg/api_views.py`) now uses
`select_related('epg_data__epg_source')` on the
`channels_with_custom_dummy` queryset, eliminating 2 extra queries per
channel (for `epg_data` and `epg_source`) in the dummy EPG generation
loop.
- Performance: `generate_epg` now issues a single cross-channel
`ProgramData` bulk query. `.values()` returns plain dicts, bypassing
per-row Django model instantiation. Results are consumed in independent
5000-row keyset-paginated chunks. Combined with the `select_related`
improvements above, EPG generation time on large deployments is
significantly reduced.
- Performance: `xc_get_live_streams` no longer calls
`ChannelGroup.objects.get_or_create(name="Default Group")` once per
null-group channel; replaced with a lazy-initialised closure that
executes at most one query regardless of how many ungrouped channels are
present.
- AIO containers now connect to the internal PostgreSQL instance via a
Unix domain socket instead of TCP loopback. Users who have
`POSTGRES_HOST` explicitly set to `localhost` or `127.0.0.1` in their
compose file are automatically migrated to the socket path; any other
explicit value (external host/IP) is left untouched. — Thanks
[@&#8203;JCBird1012](https://redirect.github.com/JCBird1012)
- Improved the EPG response cache key. Previously it was based on the
raw query string and username, meaning a user default of `epg_days=7`
and an explicit `&days=7` URL parameter produced different cache entries
for identical output. The key is now built from all resolved effective
parameter values (`days`, `prev_days`, `cachedlogos`, `tvg_id_source`)
so semantically equivalent requests always share the same cache entry.
- Improved the HDHR, M3U, and EPG URL builder popovers in the Channels
table: each popover now opens with a brief intro sentence describing its
purpose. Toggle switches were refactored to use Mantine's native `label`
and `description` props (replacing the previous manual
`Group`/`Stack`/`Text` layout), giving each switch a properly styled
description line beneath its label. Switch alignment was also corrected.
Toggles now appear on the left with the label and description stacked to
the right, consistent with standard Mantine form layout.
- Redesigned the User settings modal with a tabbed layout: **Account**
(username, email, name, password), **Permissions** (user level, stream
limit, channel profiles, mature content filter - admin only), **EPG
Defaults** (days forward/back), and **API & XC** (XC password, API key
management). Fields are now logically grouped rather than split across
two ad-hoc columns.
- EPG channel scanning now automatically removes stale `EPGData`
entries. tvg-ids that were present in a previous scan but are no longer
found in the upstream source, provided they are not mapped to any
channel. This prevents unbounded database bloat over time. Entries
mapped to at least one channel are always preserved.
- Rewrote the M3U line parser as an `iter_m3u_entries` generator that
owns the full per-entry state machine. Intermediate directive lines
between `#EXTINF` and the stream URL are now handled correctly rather
than corrupting the pending entry or being silently misassigned. A
`#EXTINF` with no following URL is discarded with a warning instead of
carrying over a `url`-less entry into batch processing. Attribute keys
are normalised to lowercase during parsing (provider attribute names
remain case-insensitive end-to-end). The `#EXTINF` attribute regex is
pre-compiled at module load, and attribute lookups use O(1) `dict.get()`
instead of linear scans — approximately 10% faster parsing on large M3U
files.
- Added support for the `#EXTGRP` directive in M3U files. When a
`group-title` attribute is absent from the `#EXTINF` line, the value
from a following `#EXTGRP:` line is used as the group. An explicit
`group-title` attribute always takes priority. (Closes
[#&#8203;1088](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/1088))
- Added accumulation of `#EXTVLCOPT` directives per entry. Options are
stored as a list under `vlc_opts` inside the stream's
`custom_properties`, available for downstream use (e.g. passing
VLC-specific options to the player). This is for a planned future
enhancement and can also be utlized with the API.
- M3U stream name parsing now uses the comma text (the canonical display
title per the base `#EXTINF` spec) as the primary stream name, falling
back to `tvc-guide-title`, then `tvg-name`, rather than preferring
`tvg-name` first. Providers that use `tvg-name` as an EPG key and put
the human-readable title after the comma will now display the correct
name. Providers that duplicate the same value in both fields are
unaffected. (Fixes
[#&#8203;1081](https://redirect.github.com/Dispatcharr/Dispatcharr/issues/1081))
- FloatingVideo player: the native video controls (timeline, play/pause,
volume) are now hidden by default when a live stream starts and only
appear when the user hovers over the player.
- Enhanced Swagger UI authorization dialog: registered a custom
`OpenApiAuthenticationExtension` for `ApiKeyAuthentication` so
drf-spectacular now generates an `ApiKeyAuth (apiKey)` entry alongside
`jwtAuth`. Both entries include descriptive text linking to the relevant
endpoints (`/api/accounts/token/`, `/api/accounts/api-keys/generate/`,
`/api/accounts/api-keys/revoke/`).
- Refactored frontend form components (`AccountInfoModal`,
`AssignChannelNumbers`, `Channel`, `ChannelBatch`, `ChannelGroup`,
`Connection`, `CronBuilder`, `DummyEPG`, and `EPG`) to extract business
logic into dedicated utility modules under `src/utils/forms/`. Each
extracted module is covered by unit tests. Mantine compound component
references (`Table.Tbody`, `Popover.Target`, `Accordion.Item`, etc.)
have been updated to use flat named imports. — Thanks
[@&#8203;nick4810](https://redirect.github.com/nick4810)
- Improved the EPG BOM fix from v0.22.1: replaced the
`lstrip(b'\xef\xbb\xbf')` / `startswith` approach with
`start.find(b'<?xml')`, which locates the XML declaration regardless of
any leading bytes BOM, whitespace, or other encoding markers without
needing to know what those bytes are.
- Dependency updates:
  - `Django` 6.0.3 → 6.0.4 (security patch; see Security section)
  - `djangorestframework` 3.16.1 → 3.17.1
  - `requests` 2.33.0 → 2.33.1
  - `gevent` 25.9.1 → 26.4.0
  - `rapidfuzz` 3.14.3 → 3.14.5
  - `sentence-transformers` 5.3.0 → 5.4.0
  - `lxml` 6.0.2 → 6.0.3
- Added `python-gnupg` for GPG signature verification of official and
third-party plugin repository manifests.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yOS4yIiwidXBkYXRlZEluVmVyIjoiNDMuMjkuMiIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJhcHAvZGlzcGF0Y2hhcnIiLCJhdXRvbWVyZ2UiLCJyZW5vdmF0ZS9jb250YWluZXIiLCJ0eXBlL21pbm9yIl19-->

Signed-off-by: Alfred Göppel <43101280+alfi0812@users.noreply.github.com>
Co-authored-by: Alfred Göppel <43101280+alfi0812@users.noreply.github.com>
2026-04-18 18:29:11 +00:00
2026-04-17 22:06:12 +02:00
2026-01-25 15:43:25 +00:00

title
title
TrueCharts

Community Helm Chart Catalog

docs Discord GitHub last commit


TrueCharts is a catalog of highly optimised Helm Charts. Made for the community, by the community!

All our charts are supposed to work together and be easy to setup using any helm-compatible deployment tool, above all, give the average user more than enough options to tune things to their liking.


Getting started using TrueCharts

docs


Support

Please check our FAQ, manual and Issue tracker There is a significant chance your issue has been reported before!

Still something not working as expected? Contact us! and we'll figure it out together!

Development

pre-commit renovate GitHub last commit


Our development process is fully distributed and agile, so every chart-maintainer is free to set their own roadmap and development speed and does not have to comply to a centralised roadmap. This ensures freedom and flexibility for everyone involved and makes sure you, the end user, always has the latest and greatest of every Chart installed.

Getting into creating Charts

For more information check the website: https://truecharts.org

Contact and Support

Discord


To contact the TrueCharts project:




Contributors

All Contributors

Thanks goes to these wonderful people (emoji key):


Kjeld Schouten-Lebbing
Kjeld Schouten-Lebbing

💻 🚇 📖 👀 💵
Justin Clift
Justin Clift

📖
whiskerz007
whiskerz007

💻
Stavros Kois
Stavros Kois

💻 📖 🐛 👀 💵
allen-4
allen-4

💻
Troy Prelog
Troy Prelog

💻 📖 💵
Dan Sheridan
Dan Sheridan

💻
Sebastien Dupont
Sebastien Dupont

📖 💵
Vegetto
Vegetto

👀
Ellie Nieuwdorp
Ellie Nieuwdorp

💻
Nate Walck
Nate Walck

💻
Lloyd
Lloyd

💻 💵
Dave Withnall
Dave Withnall

📖
ksimm1
ksimm1

📖 🐛 💵 🧑‍🏫
Aaron Johnson
Aaron Johnson

📖
Ralph
Ralph

💻
Joachim Baten
Joachim Baten

💻 🐛
Michael Yang
Michael Yang

💻
Ciaran Farley
Ciaran Farley

📖
Heavybullets8
Heavybullets8

📖 💻 🐛 📹 🧑‍🏫 💵
662
662

💻
alex171
alex171

📖
Techno Tim
Techno Tim

📖
Mingyao Liu
Mingyao Liu

💻 🐛
NightShaman
NightShaman

💻 📖 🐛 💵 🧑‍🏫
Andrew Smith
Andrew Smith

📖 ⚠️
Bob Klosinski
Bob Klosinski

💻
Sukarn
Sukarn

💻 📖
sebs
sebs

💻
Dyllan Tinoco
Dyllan Tinoco

💻
StevenMcElligott
StevenMcElligott

💻 💵 📖 🐛 🧑‍🏫
brothergomez
brothergomez

💻 🐛
sagit
sagit

💻 🐛 📹 📖 🧑‍🏫
Nevan Chow
Nevan Chow

💻
Daniel Carlsson
Daniel Carlsson

🐛
Devon Louie
Devon Louie

🐛
Alex-Orsholits
Alex-Orsholits

🐛
Tails32
Tails32

🐛
Menaxerius
Menaxerius

🐛
hidefog
hidefog

🐛
Darren Gibbard
Darren Gibbard

🐛
Barti
Barti

🐛
Sunii
Sunii

🐛
trbmchs
trbmchs

🐛
Light
Light

🐛
Boostflow
Boostflow

🐛
Trigardon
Trigardon

🐛
dbb12345
dbb12345

🐛 💻
karypid
karypid

🐛
Philipp
Philipp

🐛
John
John

🐛 📖
John Parton
John Parton

🐛
Marc
Marc

🐛
fdzaebel
fdzaebel

🐛
kloeckwerx
kloeckwerx

🐛
Bradley Bare
Bradley Bare

🐛
Alexander Thamm
Alexander Thamm

🐛
rexit1982
rexit1982

🐛
iaxx
iaxx

🐛
Xstar97
Xstar97

💻 🐛 🧑‍🏫
ornias
ornias

📹
Josh Asplund
Josh Asplund

💵
midnight33233
midnight33233

💵
kbftech
kbftech

💵
hogenf
hogenf

💵
Hawks
Hawks

💵
Jim Russell
Jim Russell

💵
TheGovnah
TheGovnah

💵
famewolf
famewolf

💵 🐛
Konrad Bujak
Konrad Bujak

📖
190n
190n

💻 📖
Alexej Kubarev
Alexej Kubarev

📖
r-vanooyen
r-vanooyen

📖
shadofall
shadofall

📖 🧑‍🏫
agreppin
agreppin

💻
Stavros Ntentos
Stavros Ntentos

💻 🤔
Vlad-Florin Ilie
Vlad-Florin Ilie

💻
huma2000
huma2000

🐛
hugalafutro
hugalafutro

🐛 💵
yehia Amer
yehia Amer

📖
Tyler Stransky
Tyler Stransky

🐛
juggie
juggie

🐛
Ben Tilford
Ben Tilford

🐛 💻
I-nebukad-I
I-nebukad-I

🐛 💻
Ethan Leisinger
Ethan Leisinger

💻 📖
Cullen Murphy
Cullen Murphy

💻 🐛
Jason Thatcher
Jason Thatcher

💻 🐛 📖
Stefan Schramek
Stefan Schramek

🐛
nokaka
nokaka

🐛
Gal Szkolnik
Gal Szkolnik

🐛
Evgeny Stepanovych
Evgeny Stepanovych

🐛
Waqar Ahmed
Waqar Ahmed

🐛
DrSKiZZ
DrSKiZZ

💵
Jan Puciłowski
Jan Puciłowski

💻 ⚠️
Shaun Coyne
Shaun Coyne

💵
Christoph
Christoph

💵
Brandon Rutledge
Brandon Rutledge

🐛
Michael Bestas
Michael Bestas

🐛
Jurģis Rudaks
Jurģis Rudaks

🐛
brunofatia
brunofatia

💵
TopicsLP
TopicsLP

📖
Michael Schnerring
Michael Schnerring

🐛 💻
Tamas Nagy
Tamas Nagy

🐛
OpenSpeedTest™️
OpenSpeedTest™️

💻
Richard James Acton
Richard James Acton

📖
lps-rocks
lps-rocks

🐛
Faust
Faust

🐛
uranderu
uranderu

🐛
Tom Cassady
Tom Cassady

🐛
Huftierchen
Huftierchen

🐛
ZasX
ZasX

📖 🧑‍🏫 💻
Kevin T.
Kevin T.

🐛
Steven Scott
Steven Scott

📖
Watteel Pascal
Watteel Pascal

💻
JamesOsborn-SE
JamesOsborn-SE

💻 📖
NeoToxic
NeoToxic

🧑‍🏫 🐛
jab416171
jab416171

📖
Anna
Anna

📖
ChaosBlades
ChaosBlades

🐛
Patric Stout
Patric Stout

💻
Ben Kochie
Ben Kochie

💻
Jeff Bachtel
Jeff Bachtel

📖
Ben Woods
Ben Woods

💻
Karl Shea
Karl Shea

🐛
Balakumaran MN
Balakumaran MN

📖
Jesperbelt
Jesperbelt

📖
cccs31
cccs31

🐛
Sam Smucny
Sam Smucny

💻
Keith Cirkel
Keith Cirkel

💻
mgale456
mgale456

💻
Alec Fenichel
Alec Fenichel

💻
John Dorman
John Dorman

💻
Dan
Dan

💻
u4ium
u4ium

📖
ErroneousBosch
ErroneousBosch

🐛
MaverickD650
MaverickD650

💻 🐛
Grogdor
Grogdor

📖
Ryan Gooler
Ryan Gooler

📖
Rob Herley
Rob Herley

📖
Christian Heimlich
Christian Heimlich

📖
l-moon-git
l-moon-git

💻
hughes5
hughes5

📖
sdimovv
sdimovv

💻
AllieQpzm
AllieQpzm

💻
Dominik
Dominik

🐛
renovate[bot]
renovate[bot]

🔧
allcontributors[bot]
allcontributors[bot]

🔧
dependabot[bot]
dependabot[bot]

🔧
TrueCharts Bot
TrueCharts Bot

🔧 🚇 💻
Mend Renovate
Mend Renovate

🔧
Simone
Simone

💻
Jean-François Roy
Jean-François Roy

💻
Whiskey24
Whiskey24

💻
inmanturbo
inmanturbo

📖
Alex
Alex

💻
Brian Semrad
Brian Semrad

💻
Christopher
Christopher

💻 📖
Csaba Engedi
Csaba Engedi

💻
Cyb3rzombie
Cyb3rzombie

💻
Eric Cavalcanti
Eric Cavalcanti

💻
Gavin Chappell
Gavin Chappell

💻 🐛
raynay-r
raynay-r

💻
Jip-Hop
Jip-Hop

📖
Jonas Wrede
Jonas Wrede

💻
SilentNyte
SilentNyte

📖
Stan
Stan

💻
Tiago Gaspar
Tiago Gaspar

💻
gismo2004
gismo2004

💻
jsegaert
jsegaert

📖
Miguel Angel Nubla
Miguel Angel Nubla

💻
xal3xhx
xal3xhx

💻
jeremybox
jeremybox

📖
Cameron Sabuda
Cameron Sabuda

📖
Jeroen Schepens
Jeroen Schepens

🐛
James Wright
James Wright

📖
Malpractis
Malpractis

🐛
CommanderStarhump
CommanderStarhump

🐛
Vianchiel
Vianchiel

🐛
Maximilian Ehlers
Maximilian Ehlers

🐛
nautilus7
nautilus7

🐛 💻
kqmaverick
kqmaverick

🐛
ccalby
ccalby

🐛
kofeyh
kofeyh

🐛
imjustleaving
imjustleaving

🐛
Cristian Torres
Cristian Torres

🐛
schopenhauer
schopenhauer

🐛
Zackptg5
Zackptg5

🐛
Brad Ackerman
Brad Ackerman

🐛
mcspiff313
mcspiff313

🐛
Fletcher Nichol
Fletcher Nichol

💻 🐛
Marco Faggian
Marco Faggian

💻
John P
John P

📖
kryojenik
kryojenik

💻
Malcolm
Malcolm

📖
depasseg
depasseg

📖
j1mbl3s
j1mbl3s

📖
VictorienXP
VictorienXP

💻
yelhouti
yelhouti

💻
Jaroslav Lichtblau
Jaroslav Lichtblau

📖
MaximilianS
MaximilianS

📖
Dion Larson
Dion Larson

💻 📖
Physics-Dude
Physics-Dude

📖
waflint
waflint

💻
Henry Wilkinson
Henry Wilkinson

💻 📖
cedstrom
cedstrom

💻
v3DJG6GL
v3DJG6GL

🐛 💻
polarstack
polarstack

💻
Keyvan
Keyvan

💻
MickaelFontes
MickaelFontes

💻
David CM
David CM

💻
Aamir Azad
Aamir Azad

📖
Jordan Woyak
Jordan Woyak

💻
Simon Hofman
Simon Hofman

💻
notyouraveragegamer
notyouraveragegamer

📖
Varac
Varac

💻
tuxsudo
tuxsudo

💻
TylerRudie
TylerRudie

📖
qnb59bny5x
qnb59bny5x

💻
Filip Bednárik
Filip Bednárik

🐛
Serhii Shcherbinin
Serhii Shcherbinin

💻
Quentin Raynaud
Quentin Raynaud

🐛
Felix Schäfer
Felix Schäfer

📖
Julien Nicolas de Verteuil
Julien Nicolas de Verteuil

💻
Gabriel Donadel Dall'Agnol
Gabriel Donadel Dall'Agnol

📖
Jon S. Stumpf
Jon S. Stumpf

📖
Tanguille
Tanguille

📖
Dennis
Dennis

🐛 📖
TheIceCreamTroll
TheIceCreamTroll

💻
Atanas Pamukchiev
Atanas Pamukchiev

💻
Boemeltrein
Boemeltrein

📖
Yiannis Marangos
Yiannis Marangos

💻
Michael Ruoss
Michael Ruoss

💻
Aron Kahrs
Aron Kahrs

💻
nemesis1982
nemesis1982

📖
Ed P
Ed P

💻
Frédéric Nadeau
Frédéric Nadeau

📖
frapbod
frapbod

💻
Max Bachhuber
Max Bachhuber

💻
zierbeek
zierbeek

💻
Ac1dburn
Ac1dburn

💻
Antoine Saget
Antoine Saget

📖
Ben Bodenmiller
Ben Bodenmiller

🐛
felixfon
felixfon

📖
adtwomey
adtwomey

📖
alfi0812
alfi0812

💻 📖 🐛 👀
Agassi
Agassi

💻
Artur
Artur

💻
Morgan Hunter
Morgan Hunter

💻
Aleksandr Oleinikov
Aleksandr Oleinikov

💻
Jamie
Jamie

💻
David Gries
David Gries

🐛 💻
Phreeman33
Phreeman33

💻 🐛
Jens Wolvers
Jens Wolvers

💻
Bart Willems
Bart Willems

💻
Caidy
Caidy

💻
Mr Khachaturov
Mr Khachaturov

💻
LordCrash101
LordCrash101

📖
elendil95
elendil95

💻
TheDodger
TheDodger

💻
Saad Awan
Saad Awan

💻
Felix von Arx
Felix von Arx

💻
yodatak
yodatak

💻
Marcel Henrich
Marcel Henrich

💻
Florent Viel
Florent Viel

💻
SniperAsh6
SniperAsh6

💻
Alexandre Acebedo
Alexandre Acebedo

💻
Douglas Chimento
Douglas Chimento

💻
Addison McDermid
Addison McDermid

💻
Jaël Gareau
Jaël Gareau

💻
Steve Sampson
Steve Sampson

📖
Albert Romkes
Albert Romkes

💻
Maja Bojarska
Maja Bojarska

💻
astro-stan
astro-stan

💻
Oliver Simons
Oliver Simons

💻

This project follows the all-contributors specification. Contributions of any kind welcome!

Licence

License


Truecharts, is primarily based on the AGPL-v3 license, this ensures almost everyone can use and modify our charts. Licences can vary on a per-Chart basis. This can easily be seen by the presence of a "LICENSE" file in that folder.

An exception to this, has been made for every document inside folders labeled as docs or doc and their subfolders: those folders are not licensed under AGPL-v3 and are considered "all rights reserved". Said content can be modified and changes submitted per PR, in accordance to the github End User License Agreement.

SPDX-License-Identifier: AGPL-3.0


built-with-resentment contains-technical-debt

S
Description
Fork of trueforge-org/truecharts with some customizations
Readme 890 MiB
luanti-v1.0.0 Latest
2026-07-08 18:51:26 +00:00
Languages
Go Template 97.9%
Shell 2.1%