Alpine's HandBrake package depends on both ffmpeg 8.x AND ffmpeg7 7.x,
doubling the ffmpeg CVE surface. HandBrake is optional (ffmpeg handles
encoding by default), so remove it from the default image.
- Dockerfile: ffmpeg + openssh-client only (removes ffmpeg7 family)
- Dockerfile.handbrake: new variant for users who need HandBrake presets
or forced-subtitle burn-in; carries the known higher CVE count
Docker Hub tags:
pyr0ball/discarr:latest / 0.1.2 — lean, ffmpeg only
pyr0ball/discarr:handbrake — includes HandBrake (more CVEs)
- node:20-alpine -> node:22-alpine (Node 20 EOL 2026-04-30)
- apk upgrade --no-cache combined with apk add to pick up patched
Alpine packages (ffmpeg 8.0.1, libjxl, and all transitive deps)
- npm install -g npm@latest to patch bundled tar and minimatch CVEs
- Combined upgrade+add into single RUN layer for consistency
Resolves 51 CVEs reported in Docker Hub vulnerability scan including
CVE-2026-23950, CVE-2026-26996 (npm/tar, npm/minimatch) and
CVE-2023-51793/51794/51795 (apk/ffmpeg) groups
- Add 03-radarr-filter.png: browse + filter movies by partial title
- Add 04-radarr-selected.png: movie selected in browse panel
- Add 05-mapped.png: completed drag-and-drop title mapping
- Update 03-title-mapping.png to completed-state screenshot
- docs/integrations/radarr.md: add workflow section with 3 annotated screenshots
- docs/quickstart.md: rewrite step 5 with browse/filter/drag workflow
- README.md and docs/index.md: use completed-mapping screenshot
Builds on push to main (docs/ or mkdocs.yml changes) and deploys to
https://pyr0ball.github.io/discarr via actions/deploy-pages.
Pinned to mkdocs-material 9.x (MIT, <10) — avoids 2.0 licence wall.
