Circuit-Forge/discarr
4
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions 1
13 commits 1 branch 5 tags 740 KiB
Commit graph

5 commits

Author SHA1 Message Date
pyr0ball
362a7499c2 fix: revert to Alpine base (Debian bookworm has 149 CVEs vs Alpine's ~36) 
Debian bookworm is frozen at June 2023 package versions. Key problem:
  mbedtls 2.28.3-1 (bookworm) vs mbedtls 3.6.6-r0 (Alpine 3.23)

CVE-2026-34875 (9.8 critical) is fixed in mbedtls 3.6.6 — which Alpine
already ships. Debian bookworm won't get that update. Similarly for 5+
other critical/high mbedtls CVEs and gnutls28 CVEs. Total: 149 CVEs on
Debian bookworm vs ~36 on Alpine 3.23.

Alpine's rolling model ships much newer package versions, which actually
means fewer accumulated CVEs in key libraries like mbedtls, despite the
reputation of 'Debian stable = secure'.
 2026-05-27 10:45:04 -07:00
pyr0ball
93afa60b4f fix: switch to node:22-bookworm-slim (Debian) base for better CVE coverage 
Alpine's community ffmpeg package had 4+ high CVEs open for 12+ months
(CVE-2023-51793/94/95/98) that Debian's security team backported patches
for in ffmpeg 5.1.9-0+deb12u1.

Changes:
- Dockerfile: node:22-bookworm-slim, apt-get ffmpeg (5.1.9 patched)
- Dockerfile.handbrake: same base, adds handbrake-cli
- CVE-2026-1837 (libjxl): not affected — bookworm ships libjxl 0.7.0
- CVE-2025-52194 (libsndfile): Debian marked not reproducible
- CVE-2026-3099x (ffmpeg AV1): postponed everywhere, no fix available

Tradeoff: image grows from ~300MB to ~677MB (Debian runtime overhead).
ffmpeg 5.1.9 has full feature coverage for disc scanning and HEVC encoding.
 2026-05-27 10:36:38 -07:00
pyr0ball
9a1f0e0d39 fix: drop HandBrake from default image, add :handbrake variant 
Alpine's HandBrake package depends on both ffmpeg 8.x AND ffmpeg7 7.x,
doubling the ffmpeg CVE surface. HandBrake is optional (ffmpeg handles
encoding by default), so remove it from the default image.

- Dockerfile: ffmpeg + openssh-client only (removes ffmpeg7 family)
- Dockerfile.handbrake: new variant for users who need HandBrake presets
  or forced-subtitle burn-in; carries the known higher CVE count

Docker Hub tags:
  pyr0ball/discarr:latest / 0.1.2  — lean, ffmpeg only
  pyr0ball/discarr:handbrake        — includes HandBrake (more CVEs)
 2026-05-27 10:26:25 -07:00
pyr0ball
e475d3433c fix: upgrade to Node 22 LTS, apk upgrade, npm update to fix CVEs 
- node:20-alpine -> node:22-alpine (Node 20 EOL 2026-04-30)
- apk upgrade --no-cache combined with apk add to pick up patched
  Alpine packages (ffmpeg 8.0.1, libjxl, and all transitive deps)
- npm install -g npm@latest to patch bundled tar and minimatch CVEs
- Combined upgrade+add into single RUN layer for consistency

Resolves 51 CVEs reported in Docker Hub vulnerability scan including
CVE-2026-23950, CVE-2026-26996 (npm/tar, npm/minimatch) and
CVE-2023-51793/51794/51795 (apk/ffmpeg) groups
 2026-05-27 10:18:02 -07:00
pyr0ball
c8ea76292f feat: initial public release — disc scanning and HEVC encode queue for Sonarr/Radarr 2026-05-26 15:19:12 -07:00