Debian bookworm is frozen at June 2023 package versions. Key problem:
mbedtls 2.28.3-1 (bookworm) vs mbedtls 3.6.6-r0 (Alpine 3.23)
CVE-2026-34875 (9.8 critical) is fixed in mbedtls 3.6.6 — which Alpine
already ships. Debian bookworm won't get that update. Similarly for 5+
other critical/high mbedtls CVEs and gnutls28 CVEs. Total: 149 CVEs on
Debian bookworm vs ~36 on Alpine 3.23.
Alpine's rolling model ships much newer package versions, which actually
means fewer accumulated CVEs in key libraries like mbedtls, despite the
reputation of 'Debian stable = secure'.
Alpine's community ffmpeg package had 4+ high CVEs open for 12+ months
(CVE-2023-51793/94/95/98) that Debian's security team backported patches
for in ffmpeg 5.1.9-0+deb12u1.
Changes:
- Dockerfile: node:22-bookworm-slim, apt-get ffmpeg (5.1.9 patched)
- Dockerfile.handbrake: same base, adds handbrake-cli
- CVE-2026-1837 (libjxl): not affected — bookworm ships libjxl 0.7.0
- CVE-2025-52194 (libsndfile): Debian marked not reproducible
- CVE-2026-3099x (ffmpeg AV1): postponed everywhere, no fix available
Tradeoff: image grows from ~300MB to ~677MB (Debian runtime overhead).
ffmpeg 5.1.9 has full feature coverage for disc scanning and HEVC encoding.

Alpine's HandBrake package depends on both ffmpeg 8.x AND ffmpeg7 7.x,
doubling the ffmpeg CVE surface. HandBrake is optional (ffmpeg handles
encoding by default), so remove it from the default image.
- Dockerfile: ffmpeg + openssh-client only (removes ffmpeg7 family)
- Dockerfile.handbrake: new variant for users who need HandBrake presets
or forced-subtitle burn-in; carries the known higher CVE count
Docker Hub tags:
pyr0ball/discarr:latest / 0.1.2 — lean, ffmpeg only
pyr0ball/discarr:handbrake — includes HandBrake (more CVEs)

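As an added illustration of the lean Debian-based variant described above (example Dockerfile written for this page, not the project's own file; the package set, `/app` layout and `server.js` entrypoint are assumptions taken from the commit text, not from the repository):

```dockerfile
# Added example: a lean bookworm-slim image of the kind the commit describes.
# Not the project's Dockerfile; package list, WORKDIR and entrypoint are assumed.
FROM node:22-bookworm-slim

# Apply Debian security updates to the base image, then install only ffmpeg
# (5.1.9-0+deb12u1 carries the backported CVE-2023-5179x fixes) and the ssh
# client. --no-install-recommends keeps the dependency tree, and with it the
# scanner's CVE surface, small; dropping the apt lists keeps the layer lean.
RUN apt-get update \
 && apt-get upgrade -y \
 && apt-get install -y --no-install-recommends ffmpeg openssh-client \
 && rm -rf /var/lib/apt/lists/*

WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .

# Run as the unprivileged user the node image already provides.
USER node
CMD ["node", "server.js"]
```

After building, `docker run --rm <image> dpkg-query -W ffmpeg` prints the version that was actually resolved, which is the value to compare against the `5.1.9-0+deb12u1` the commit expects when reading a Docker Hub scan result.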
- node:20-alpine -> node:22-alpine (Node 20 EOL 2026-04-30)
- apk upgrade --no-cache combined with apk add to pick up patched
Alpine packages (ffmpeg 8.0.1, libjxl, and all transitive deps)
- npm install -g npm@latest to patch bundled tar and minimatch CVEs
- Combined upgrade+add into single RUN layer for consistency
Resolves 51 CVEs reported in Docker Hub vulnerability scan including
CVE-2026-23950, CVE-2026-26996 (npm/tar, npm/minimatch) and
CVE-2023-51793/51794/51795 (apk/ffmpeg) groups

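The single-layer upgrade+add pattern from the commit above, as an added example (not the project's Dockerfile; the package list is assumed from the commit text):

```dockerfile
# Added example of combining `apk upgrade` and `apk add` in one RUN layer.
# Not the project's Dockerfile; the package list is an assumption.
FROM node:22-alpine

# `apk upgrade` refreshes packages already present in the base image (musl,
# openssl, libjxl and friends); `apk add` then installs ffmpeg and its
# transitive deps. Running both in one RUN means one index fetch, so `add`
# resolves against the same package versions `upgrade` just applied, and
# --no-cache keeps the fetched index out of the image.
# Upgrading the bundled npm replaces its vendored tar and minimatch copies,
# which are what the scanner reports under npm/tar and npm/minimatch.
RUN apk upgrade --no-cache \
 && apk add --no-cache ffmpeg openssh-client \
 && npm install -g npm@latest

WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .

USER node
CMD ["node", "server.js"]
```

`docker run --rm <image> apk info -v | grep ffmpeg` lists the installed ffmpeg version (8.0.1 in the commit's case) so a scan finding can be checked against what the layer actually contains; `npm --version` inside the image confirms the npm upgrade took effect.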
- Add 03-radarr-filter.png: browse + filter movies by partial title
- Add 04-radarr-selected.png: movie selected in browse panel
- Add 05-mapped.png: completed drag-and-drop title mapping
- Update 03-title-mapping.png to completed-state screenshot
- docs/integrations/radarr.md: add workflow section with 3 annotated screenshots
- docs/quickstart.md: rewrite step 5 with browse/filter/drag workflow
- README.md and docs/index.md: use completed-mapping screenshot

Builds on push to main (docs/ or mkdocs.yml changes) and deploys to
https://pyr0ball.github.io/discarr via actions/deploy-pages.
Pinned to mkdocs-material 9.x (MIT, <10) — avoids 2.0 licence wall.