build(docker): update node.js to v22.21.1

* fix(jellyfin scanner): reduce jellyfin API calls during recently added scan

Significantly reduce number of API calls, addressing CPU spikes on Jellyfin 10.10+ servers.- Move
getSeasons() call outside the seasons loop (N calls to 1)- Request MediaSources via getEpisodes()
field parameter instead of  individual getItemData() calls per episode (N calls to 1 per season)
Performance improvements (tested on library with 12 TV shows):- Scan duration: 43.7s to 9.1s - Peak
CPU: 277% to 115% - CPU spike duration: 36s to 2s Functionality is unchanged, all availability
statuses identicalbefore and after.

* fix: add getEpisodes overloads to remove unsafe type assertion

* refactor(jellyfin): use generics instead of overloads

---------

Co-authored-by: patrick-acland <patrick.acland@kraken.tech>

.github/ISSUE_TEMPLATE/bug.yml

@@ -95,7 +95,7 @@ body:
     id: terms
     attributes:
       label: Code of Conduct
-      description: By submitting this issue, you agree to follow our [Code of Conduct](/../../CODE_OF_CONDUCT.md)
+      description: By submitting this issue, you agree to follow our [Code of Conduct](https://github.com/seerr-team/seerr/blob/develop/CODE_OF_CONDUCT.md)
       options:
         - label: I agree to follow Seerr's Code of Conduct
           required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,14 +1,33 @@
-#### Description
+<!--
+    Please read contributing guide before submitting
+    your pull request. Please fill in each section below to help us better prioritize your pull request. Thanks!
+-->
 
-#### Screenshot (if UI-related)
+## Description
 
-#### To-Dos
+<!--- Describe your changes in detail -->
+<!--- Why is this change required? What problem does it solve? -->
+<!--- If it fixes an open issue, please link to the issue here. -->
 
-- [ ] Disclosed any use of AI (see our [policy](../CONTRIBUTING.md#ai-assistance-notice))
+- Fixes #XXXX
+
+## How Has This Been Tested?
+
+<!--- Please describe in detail how you tested your changes. -->
+<!--- Include details of your testing environment, and the tests you ran to -->
+<!--- see how your change affects other areas of the code, etc. -->
+
+## Screenshots / Logs (if applicable)
+
+## Checklist:
+
+<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
+<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
+
+- [ ] I have read and followed the contribution [guidelines](https://github.com/seerr-team/seerr/blob/develop/CONTRIBUTING.md).
+- [ ] Disclosed any use of AI (see our [policy](https://github.com/seerr-team/seerr/blob/develop/CONTRIBUTING.md#ai-assistance-notice))
+- [ ] I have updated the documentation accordingly.
+- [ ] All new and existing tests passed.
 - [ ] Successful build `pnpm build`
 - [ ] Translation keys `pnpm i18n:extract`
 - [ ] Database migration (if required)
-
-#### Issues Fixed or Closed
-
-- Fixes #XXXX

.github/cliff.toml

@@ -0,0 +1,94 @@
+# git-cliff ~ configuration
+# https://git-cliff.org/docs/configuration
+
+[changelog]
+header = ""
+body = """
+{%- macro remote_url() -%}
+  https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}
+{%- endmacro -%}
+
+{%- set excluded_users = ["github-actions[bot]", "dependabot[bot]", "renovate[bot]"] -%}
+
+{% macro print_commit(commit) -%}
+    - {% if commit.scope %}*({{ commit.scope }})* {% endif %}\
+        {% if commit.breaking %}[**breaking**] {% endif %}\
+        {{ commit.message | upper_first }} - \
+        ([{{ commit.id | truncate(length=7, end="") }}]({{ self::remote_url() }}/commit/{{ commit.id }}))\
+{% endmacro -%}
+
+{% if version %}\
+    {% if previous.version %}\
+        ## [{{ version | trim_start_matches(pat="v") }}]({{ self::remote_url() }}/compare/{{ previous.version }}..{{ version }}) - {{ timestamp | date(format="%Y-%m-%d") }}
+    {% else %}\
+        ## [{{ version | trim_start_matches(pat="v") }}] - {{ timestamp | date(format="%Y-%m-%d") }}
+    {% endif %}\
+{% else %}\
+    ## [unreleased]
+{% endif %}\
+
+{%- for group, commits in commits | group_by(attribute="group") %}
+    ### {{ group | striptags | trim | upper_first }}
+    {%- for commit in commits | filter(attribute="scope") | sort(attribute="scope") %}
+        {{ self::print_commit(commit=commit) }}
+    {%- endfor %}
+    {%- for commit in commits %}
+        {%- if not commit.scope -%}
+            {{ self::print_commit(commit=commit) }}
+        {%- endif -%}
+    {%- endfor -%}
+{%- endfor -%}
+
+{%- set valid_contributors = [] -%}
+{%- for c in github.contributors | filter(attribute="is_first_time", value=true) %}
+  {%- if c.username and c.username not in excluded_users and c.username not in valid_contributors %}
+    {%- set_global valid_contributors = valid_contributors | concat(with=c.username) %}
+  {%- endif %}
+{%- endfor %}
+
+{%- if valid_contributors | length > 0 %}
+## New Contributors ❤️
+  {%- for username in valid_contributors %}
+* @{{ username }} made their first contribution
+  {%- endfor %}
+{%- endif %}
+"""
+footer = """
+<!-- generated by git-cliff -->
+"""
+trim = true
+postprocessors = []
+
+[git]
+conventional_commits = true
+filter_unconventional = true
+split_commits = false
+filter_commits = true
+commit_preprocessors = [
+  { pattern = '.*\[skip ci\].*', replace = "" },
+  { pattern = '.*\[ci skip\].*', replace = "" },
+]
+commit_parsers = [
+  { message = "^feat", group = "<!-- 0 -->🚀 Features" },
+  { message = "^fix", group = "<!-- 1 -->🐛 Bug Fixes" },
+  { message = "^doc", group = "<!-- 3 -->📖 Documentation" },
+  { message = "^perf", group = "<!-- 4 -->⚡ Performance" },
+  { message = "^refactor", group = "<!-- 2 -->🚜 Refactor" },
+  { message = "^style", group = "<!-- 5 -->🎨 Styling" },
+  { message = "^test", group = "<!-- 6 -->🧪 Testing" },
+  { message = "^chore\\(release\\): prepare for", skip = true },
+  { message = "^chore\\(deps.*\\)", skip = true },
+  { message = "^chore\\(pr\\)", skip = true },
+  { message = "^chore\\(pull\\)", skip = true },
+  { message = "^chore\\(git-sync\\)", skip = true },
+  { message = "^chore|^ci", group = "<!-- 7 -->⚙️ Miscellaneous Tasks" },
+  { body = ".*security", group = "<!-- 8 -->🛡️ Security" },
+  { message = "^revert", group = "<!-- 9 -->◀️ Revert" },
+  { message = '.*\[skip ci\].*', skip = true },
+  { message = '.*\[ci skip\].*', skip = true },
+]
+protect_breaking_commits = false
+tag_pattern = "v?[0-9]+\\.[0-9]+\\.[0-9]+.*"
+skip_tags = "beta|alpha|rc"
+topo_order = false
+sort_commits = "newest"

.github/workflows/ci.yml

@@ -14,6 +14,9 @@ on:
 permissions:
   contents: read
 
+env:
+  DOCKER_HUB: seerr/seerr
+
 concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
@@ -23,7 +26,7 @@ jobs:
     name: Lint & Test Build
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-24.04
-    container: node:22.20.0-alpine3.22@sha256:cb3143549582cc5f74f26f0992cdef4a422b22128cb517f94173a5f910fa4ee7
+    container: node:22.20.0-alpine3.22@sha256:dbcedd8aeab47fbc0f4dd4bffa55b7c3c729a707875968d467aaaea42d6225af
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -31,7 +34,7 @@ jobs:
           persist-credentials: false
 
       - name: Pnpm Setup
-        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
 
       - name: Get pnpm store directory
         shell: sh
@@ -140,7 +143,7 @@ jobs:
         uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
         with:
           images: |
-            ${{ github.repository }}
+            ${{ env.DOCKER_HUB }}
             ghcr.io/${{ github.repository }}
           tags: |
             type=raw,value=develop

.github/workflows/codeql.yml

@@ -42,15 +42,15 @@ jobs:
           persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
+        uses: github/codeql-action/init@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
+        uses: github/codeql-action/autobuild@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
+        uses: github/codeql-action/analyze@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
         with:
           category: '/language:${{ matrix.language }}'

.github/workflows/cypress.yml

@@ -48,7 +48,7 @@ jobs:
           package-manager-cache: false
 
       - name: Pnpm Setup
-        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile

.github/workflows/docs-deploy.yml

@@ -3,9 +3,10 @@
 name: Deploy to GitHub Pages
 
 on:
+  workflow_dispatch:
   push:
     branches:
-      - develop
+      - legacy-jellyseerr
     paths:
       - 'docs/**'
       - 'gen-docs/**'
@@ -34,7 +35,7 @@ jobs:
           package-manager-cache: false
 
       - name: Pnpm Setup
-        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
 
       - name: Get pnpm store directory
         shell: sh

.github/workflows/helm.yml

@@ -55,7 +55,7 @@ jobs:
               # get current version
               current_version=$(grep '^version:' "$chart_path/Chart.yaml" | awk '{print $2}')
               # try to get current release version
-              if oras manifest fetch "ghcr.io/${GITHUB_REPOSITORY@L}/${chart_name}:${current_version}" >/dev/null 2>&1; then
+              if oras manifest fetch "ghcr.io/${{ github.repository }}/${chart_name}:${current_version}" >/dev/null 2>&1; then
                 echo "No version change for $chart_name. Skipping."
               else
                 helm dependency build "$chart_path"
@@ -87,8 +87,8 @@ jobs:
     name: Publish to ghcr.io
     runs-on: ubuntu-24.04
     permissions:
-      packages: write # needed for pushing to github registry
-      id-token: write # needed for signing the images with GitHub OIDC Token
+      packages: write
+      id-token: write
     needs: [package-helm-chart]
     if: needs.package-helm-chart.outputs.has_artifacts == 'true'
     steps:
@@ -105,7 +105,7 @@ jobs:
         uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Downloads artifacts
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
@@ -128,17 +128,59 @@ jobs:
             # push chart to OCI
             chart_release_file=$(basename "$chart_path")
             chart_name=${chart_release_file%-*}
-            helm push ${chart_path} oci://ghcr.io/${GITHUB_REPOSITORY@L} |& tee helm-push-output.log
+            helm push ${chart_path} oci://ghcr.io/${{ github.repository }} |& tee helm-push-output.log
             chart_digest=$(awk -F "[, ]+" '/Digest/{print $NF}' < helm-push-output.log)
             # sign chart
-            cosign sign "ghcr.io/${GITHUB_REPOSITORY@L}/${chart_name}@${chart_digest}"
+            cosign sign "ghcr.io/${{ github.repository }}/${chart_name}@${chart_digest}"
             # push artifacthub-repo.yml to OCI
             oras push \
-              ghcr.io/${GITHUB_REPOSITORY@L}/${chart_name}:artifacthub.io \
+              ghcr.io/${{ github.repository }}/${chart_name}:artifacthub.io \
               --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
               charts/$chart_name/artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml \
               |& tee oras-push-output.log
             artifacthub_digest=$(grep "Digest:" oras-push-output.log | awk '{print $2}')
             # sign artifacthub-repo.yml
-            cosign sign "ghcr.io/${GITHUB_REPOSITORY@L}/${chart_name}:artifacthub.io@${artifacthub_digest}"
+            cosign sign "ghcr.io/${{ github.repository }}/${chart_name}:artifacthub.io@${artifacthub_digest}"
+          done
+
+  verify:
+    name: Verify signatures for each chart tag
+    needs: [publish]
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Downloads artifacts
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        with:
+          name: artifacts
+          path: .cr-release-packages/
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Verify signatures for each chart tag
+        run: |
+          for chart_path in $(find .cr-release-packages -name '*.tgz' -print); do
+            chart_release_file=$(basename "$chart_path")
+            chart_name=${chart_release_file%-*}
+            version=${chart_release_file#$chart_name-}
+            version=${version%.tgz}
+
+            cosign verify "ghcr.io/${{ github.repository }}/${chart_name}:${version}" \
+              --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
+              --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
           done

.github/workflows/preview.yml

@@ -11,6 +11,9 @@ on:
 permissions:
   contents: read
 
+env:
+  DOCKER_HUB: seerr/seerr
+
 concurrency:
   group: preview-${{ github.ref }}
   cancel-in-progress: true
@@ -115,7 +118,7 @@ jobs:
         uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
         with:
           images: |
-            ${{ github.repository }}
+            ${{ env.DOCKER_HUB }}
             ghcr.io/${{ github.repository }}
           tags: |
             type=raw,value=preview-${{ steps.ver.outputs.version }}

.github/workflows/release.yml

@@ -3,7 +3,9 @@
 name: Seerr Release
 
 on:
-  workflow_dispatch:
+  push:
+    tags:
+      - 'v*'
 
 permissions:
   contents: read
@@ -12,15 +14,17 @@ concurrency:
   group: release-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  DOCKER_HUB: seerr/seerr
+
 jobs:
-  semantic-release:
-    name: Tag and release latest version
-    runs-on: ubuntu-22.04
-    env:
-      HUSKY: 0
+  changelog:
+    name: Generate changelog
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
-      new_release_published: ${{ steps.release.outputs.new_release_published }}
-      new_release_version: ${{ steps.release.outputs.new_release_version }}
+      release_body: ${{ steps.git-cliff.outputs.content }}
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -28,46 +32,36 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Set up Node.js
-        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      - name: Generate changelog
+        id: git-cliff
+        uses: orhun/git-cliff-action@d77b37db2e3f7398432d34b72a12aa3e2ba87e51 # v4.6.0
         with:
-          node-version-file: package.json
-          package-manager-cache: false
-
-      - name: Pnpm Setup
-        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
-
-      - name: Get pnpm store directory
-        shell: sh
-        run: |
-          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-
-      - name: Setup pnpm cache
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-        with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
-
-      - name: Install dependencies
-        run: pnpm install
-
-      - name: Release
-        id: release
-        uses: cycjimmy/semantic-release-action@9cc899c47e6841430bbaedb43de1560a568dfd16 # v5.0.0
-        with:
-          extra_plugins: |
-            @semantic-release/git@10
-            @semantic-release/changelog@6
-            @codedependant/semantic-release-docker@5
+          config: .github/cliff.toml
+          args: -vv --current
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          OUTPUT: CHANGELOG.md
+          GITHUB_REPO: ${{ github.repository }}
+
+  create-draft-release:
+    name: Create draft release
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    needs: changelog
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Draft Release
+        run: gh release create ${GITHUB_REF_NAME} -t "Release ${GITHUB_REF_NAME}" -n "${RELEASE_BODY}" --draft
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_BODY: ${{ needs.changelog.outputs.release_body }}
 
   build:
-    name: Build (per-arch, native runners)
-    needs: semantic-release
-    if: needs.semantic-release.outputs.new_release_published == 'true'
+    name: Build (${{ matrix.arch }})
     strategy:
       matrix:
         include:
@@ -78,6 +72,8 @@ jobs:
             platform: linux/arm64
             arch: arm64
     runs-on: ${{ matrix.runner }}
+    env:
+      VERSION: ${{ github.ref_name }}
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -91,7 +87,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
-      - name: Warm cache (no push) — ${{ matrix.platform }}
+      - name: Warm cache [${{ matrix.platform }}]
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
@@ -100,21 +96,23 @@ jobs:
           push: false
           build-args: |
             COMMIT_TAG=${{ github.sha }}
-            BUILD_VERSION=${{ needs.semantic-release.outputs.new_release_version }}
+            BUILD_VERSION=${{ env.VERSION }}
             SOURCE_DATE_EPOCH=${{ steps.ts.outputs.TIMESTAMP }}
           cache-from: type=gha,scope=${{ matrix.platform }}
           cache-to: type=gha,mode=max,scope=${{ matrix.platform }}
           provenance: false
 
   publish:
-    name: Publish multi-arch image
-    needs: [semantic-release, build]
-    if: needs.semantic-release.outputs.new_release_published == 'true'
+    name: Publish multi-arch manifests
+    needs: build
     runs-on: ubuntu-24.04
     permissions:
       contents: read
-      id-token: write
       packages: write
+    outputs:
+      image_digest: ${{ steps.digests.outputs.IMAGE_DIGEST }}
+    env:
+      VERSION: ${{ github.ref_name }}
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -146,14 +144,14 @@ jobs:
         uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
         with:
           images: |
-            ${{ github.repository }}
+            ${{ env.DOCKER_HUB }}
             ghcr.io/${{ github.repository }}
           tags: |
-            type=raw,value=${{ needs.semantic-release.outputs.new_release_version }}
+            type=raw,value=${{ env.VERSION }}
           labels: |
             org.opencontainers.image.created=${{ steps.ts.outputs.TIMESTAMP }}
 
-      - name: Build & Push (multi-arch, single tag)
+      - name: Build & Push (multi-arch)
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
@@ -162,7 +160,7 @@ jobs:
           push: true
           build-args: |
             COMMIT_TAG=${{ github.sha }}
-            BUILD_VERSION=${{ needs.semantic-release.outputs.new_release_version }}
+            BUILD_VERSION=${{ env.VERSION }}
             SOURCE_DATE_EPOCH=${{ steps.ts.outputs.TIMESTAMP }}
           labels: ${{ steps.meta.outputs.labels }}
           tags: ${{ steps.meta.outputs.tags }}
@@ -172,37 +170,158 @@ jobs:
           cache-to: type=gha,mode=max
           provenance: false
 
+      - name: Resolve manifest digest
+        id: digests
+        run: |
+          DIGEST=$(docker buildx imagetools inspect "${{ env.DOCKER_HUB }}:${{ env.VERSION }}" --format '{{json .Manifest.Digest}}' | tr -d '"')
+          echo "IMAGE_DIGEST=$DIGEST" >> $GITHUB_OUTPUT
+
       - name: Also tag :latest (non-pre-release only)
         shell: bash
+        if: ${{ !contains(env.VERSION, '-') }}
         run: |
-          VER="${{ needs.semantic-release.outputs.new_release_version }}"
-          if [[ "$VER" != *"-"* ]]; then
-            docker buildx imagetools create \
-              -t ${{ github.repository }}:latest \
-              ${{ github.repository }}:${VER}
-            docker buildx imagetools create \
-              -t ghcr.io/${{ github.repository }}:latest \
-              ghcr.io/${{ github.repository }}:${VER}
-          fi
+          docker buildx imagetools create \
+            -t ${{ env.DOCKER_HUB }}:latest \
+            ${{ env.DOCKER_HUB }}:${{ env.VERSION }}
+
+          docker buildx imagetools create \
+            -t ghcr.io/${{ github.repository }}:latest \
+            ghcr.io/${{ github.repository }}:${{ env.VERSION }}
+
+  sign:
+    name: Sign images and create SBOM attestations
+    needs: publish
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    env:
+      VERSION: ${{ github.ref_name }}
+      COSIGN_YES: 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Install Trivy
+        uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1 # v0.2.4
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Sign images
+        run: |
+          cosign sign --recursive "ghcr.io/${{ github.repository }}@${{ needs.publish.outputs.image_digest }}"
+          cosign sign --recursive "${{ env.DOCKER_HUB }}@${{ needs.publish.outputs.image_digest }}"
+
+      - name: Generate SBOMs
+        run: |
+          trivy image --format cyclonedx --output seerr-ghcr-image-${{ env.VERSION }}.sbom \
+            "ghcr.io/${{ github.repository }}@${{ needs.publish.outputs.image_digest }}"
+
+          trivy image --format cyclonedx --output seerr-dockerhub-image-${{ env.VERSION }}.sbom \
+            "${{ env.DOCKER_HUB }}@${{ needs.publish.outputs.image_digest }}"
+
+      - name: Attest SBOMs
+        run: |
+          cosign attest \
+            --type cyclonedx \
+            --predicate seerr-ghcr-image-${{ env.VERSION }}.sbom \
+            "ghcr.io/${{ github.repository }}@${{ needs.publish.outputs.image_digest }}"
+
+          cosign attest \
+            --type cyclonedx \
+            --predicate seerr-dockerhub-image-${{ env.VERSION }}.sbom \
+            "${{ env.DOCKER_HUB }}@${{ needs.publish.outputs.image_digest }}"
+
+      - name: Upload SBOMs
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: sboms-${{ env.VERSION }}
+          path: '*.sbom'
+          if-no-files-found: error
+          retention-days: 1
+
+  verify:
+    name: Verify signatures and attestations
+    needs: [publish, sign]
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    env:
+      VERSION: ${{ github.ref_name }}
+    steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Verify signatures
+        run: |
+          cosign verify "ghcr.io/${{ github.repository }}@${{ needs.publish.outputs.image_digest }}" \
+            --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+
+          cosign verify "${{ env.DOCKER_HUB }}@${{ needs.publish.outputs.image_digest }}" \
+            --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+
+      - name: Verify attestations
+        run: |
+          cosign verify-attestation "ghcr.io/${{ github.repository }}@${{ needs.publish.outputs.image_digest }}" \
+            --type cyclonedx \
+            --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" > /dev/null
+
+          cosign verify-attestation "${{ env.DOCKER_HUB }}@${{ needs.publish.outputs.image_digest }}" \
+            --type cyclonedx \
+            --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" > /dev/null
+
+  publish-release:
+    name: Publish release
+    needs: [create-draft-release, verify]
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    env:
+      VERSION: ${{ github.ref_name }}
+    steps:
+      - name: Publish release
+        run: gh release edit "${{ env.VERSION }}" --draft=false --repo "${{ github.repository }}"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   discord:
     name: Send Discord Notification
-    needs: publish
+    needs: publish-release
     if: always()
     runs-on: ubuntu-24.04
     steps:
-      - name: Determine Workflow Status
+      - name: Determine status
         id: status
         run: |
-          case "${{ needs.publish.result }}" in
+          case "${{ needs.publish-release.result }}" in
             success)   echo "status=Success"   >> $GITHUB_OUTPUT; echo "colour=3066993"  >> $GITHUB_OUTPUT ;;
             failure)   echo "status=Failure"   >> $GITHUB_OUTPUT; echo "colour=15158332" >> $GITHUB_OUTPUT ;;
             cancelled) echo "status=Cancelled" >> $GITHUB_OUTPUT; echo "colour=10181046" >> $GITHUB_OUTPUT ;;
             *)         echo "status=Skipped"   >> $GITHUB_OUTPUT; echo "colour=9807270"  >> $GITHUB_OUTPUT ;;
           esac
 
-      - name: Send Discord notification
-        shell: bash
+      - name: Send notification
         run: |
           WEBHOOK="${{ secrets.DISCORD_WEBHOOK }}"
 
@@ -217,7 +336,7 @@ jobs:
                 { "name": "Event",        "value": "${{ github.event_name }}", "inline": true },
                 { "name": "Triggered by", "value": "${{ github.actor }}", "inline": true },
                 { "name": "Workflow",     "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": true }
-              ],
+              ]
             }]
           }
           EOF

.github/workflows/renovate-helm-custom-hooks.yml

@@ -0,0 +1,181 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: Renovate Helm Hooks
+
+on:
+  pull_request:
+    branches:
+      - develop
+    paths:
+      - 'charts/**'
+
+permissions: {}
+
+concurrency:
+  group: renovate-helm-hooks-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  renovate-post-run:
+    name: Renovate Bump Chart Version
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    if: github.actor == 'renovate[bot]'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        id: app-token
+        with:
+          app-id: 2138788
+          private-key: ${{ secrets.APP_SEERR_HELM_PRIVATE_KEY }}
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed="$(ct list-changed --target-branch ${TARGET_BRANCH})"
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+            echo "changed_list=${changed//$'\n'/ }" >> "$GITHUB_OUTPUT"
+          fi
+        env:
+          TARGET_BRANCH: ${{ github.event.repository.default_branch }}
+
+      - name: Bump chart version
+        if: steps.list-changed.outputs.changed == 'true'
+        env:
+          CHART: ${{ steps.list-changed.outputs.changed_list }}
+        run: |
+          if [[ ! -d "${CHART}" ]]; then
+            echo "${CHART} directory not found"
+            exit 0
+          fi
+
+          # Extract current appVersion and chart version from Chart.yaml
+          APP_VERSION=$(grep -e "^appVersion:" "$CHART/Chart.yaml" | cut -d ":" -f 2 | tr -d '[:space:]' | tr -d '"')
+          CHART_VERSION=$(grep -e "^version:" "$CHART/Chart.yaml" | cut -d ":" -f 2 | tr -d '[:space:]' | tr -d '"')
+
+          # Extract major, minor and patch versions of appVersion
+          APP_MAJOR_VERSION=$(printf '%s' "$APP_VERSION" | cut -d "." -f 1)
+          APP_MINOR_VERSION=$(printf '%s' "$APP_VERSION" | cut -d "." -f 2)
+          APP_PATCH_VERSION=$(printf '%s' "$APP_VERSION" | cut -d "." -f 3)
+
+          # Extract major, minor and patch versions of chart version
+          CHART_MAJOR_VERSION=$(printf '%s' "$CHART_VERSION" | cut -d "." -f 1)
+          CHART_MINOR_VERSION=$(printf '%s' "$CHART_VERSION" | cut -d "." -f 2)
+          CHART_PATCH_VERSION=$(printf '%s' "$CHART_VERSION" | cut -d "." -f 3)
+
+          # Get previous appVersion from the base commit of the pull request
+          BASE_COMMIT=$(git merge-base origin/main HEAD)
+          PREV_APP_VERSION=$(git show "$BASE_COMMIT":"$CHART/Chart.yaml" | grep -e "^appVersion:" | cut -d ":" -f 2 | tr -d '[:space:]' | tr -d '"')
+
+          # Extract major, minor and patch versions of previous appVersion
+          PREV_APP_MAJOR_VERSION=$(printf '%s' "$PREV_APP_VERSION" | cut -d "." -f 1)
+          PREV_APP_MINOR_VERSION=$(printf '%s' "$PREV_APP_VERSION" | cut -d "." -f 2)
+          PREV_APP_PATCH_VERSION=$(printf '%s' "$PREV_APP_VERSION" | cut -d "." -f 3)
+
+          # Check if the major, minor, or patch version of appVersion has changed
+          if [[ "$APP_MAJOR_VERSION" != "$PREV_APP_MAJOR_VERSION" ]]; then
+            # Bump major version of the chart and reset minor and patch versions to 0
+            CHART_MAJOR_VERSION=$((CHART_MAJOR_VERSION+1))
+            CHART_MINOR_VERSION=0
+            CHART_PATCH_VERSION=0
+          elif [[ "$APP_MINOR_VERSION" != "$PREV_APP_MINOR_VERSION" ]]; then
+            # Bump minor version of the chart and reset patch version to 0
+            CHART_MINOR_VERSION=$((CHART_MINOR_VERSION+1))
+            CHART_PATCH_VERSION=0
+          elif [[ "$APP_PATCH_VERSION" != "$PREV_APP_PATCH_VERSION" ]]; then
+            # Bump patch version of the chart
+            CHART_PATCH_VERSION=$((CHART_PATCH_VERSION+1))
+          fi
+
+          # Update the chart version in Chart.yaml
+          CHART_NEW_VERSION="${CHART_MAJOR_VERSION}.${CHART_MINOR_VERSION}.${CHART_PATCH_VERSION}"
+          sed -i "s/^version:.*/version: ${CHART_NEW_VERSION}/" "$CHART/Chart.yaml"
+
+      - name: Ensure documentation is updated
+        if: steps.list-changed.outputs.changed == 'true'
+        uses: docker://jnorwood/helm-docs:v1.14.2@sha256:7e562b49ab6b1dbc50c3da8f2dd6ffa8a5c6bba327b1c6335cc15ce29267979c
+
+      - name: Commit changes
+        if: steps.list-changed.outputs.changed == 'true'
+        env:
+          CHART: ${{ steps.list-changed.outputs.changed_list }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_HEAD_REF: ${{ github.head_ref }}
+        run: |
+          # Define the target directory
+          TARGET_DIR="$CHART"
+
+          # Fetch deleted files in the target directory
+          DELETED_FILES=$(git diff --diff-filter=D --name-only HEAD -- "$TARGET_DIR")
+
+          # Fetch added/modified files in the target directory
+          MODIFIED_FILES=$(git diff --diff-filter=ACM --name-only HEAD -- "$TARGET_DIR")
+
+          # Create a temporary file for JSON output
+          FILE_CHANGES_JSON_FILE=$(mktemp)
+
+          # Initialize JSON structure in the file
+          echo '{ "deletions": [], "additions": [] }' > "$FILE_CHANGES_JSON_FILE"
+
+          # Add deletions
+          for file in $DELETED_FILES; do
+            jq --arg path "$file" '.deletions += [{"path": $path}]' "$FILE_CHANGES_JSON_FILE" > "$FILE_CHANGES_JSON_FILE.tmp"
+            mv "$FILE_CHANGES_JSON_FILE.tmp" "$FILE_CHANGES_JSON_FILE"
+          done
+
+          # Add additions (new or modified files)
+          for file in $MODIFIED_FILES; do
+            BASE64_CONTENT=$(base64 -w 0 <"$file")  # Encode file content
+            jq --arg path "$file" --arg content "$BASE64_CONTENT" \
+              '.additions += [{"path": $path, "contents": $content}]' "$FILE_CHANGES_JSON_FILE" > "$FILE_CHANGES_JSON_FILE.tmp"
+            mv "$FILE_CHANGES_JSON_FILE.tmp" "$FILE_CHANGES_JSON_FILE"
+          done
+
+          # Create a temporary file for the final JSON payload
+          JSON_PAYLOAD_FILE=$(mktemp)
+
+          # Construct the final JSON using jq and store it in a file
+          jq -n --arg repo "$GITHUB_REPOSITORY" \
+                --arg branch "$GITHUB_HEAD_REF" \
+                --arg message "fix: post upgrade changes from renovate" \
+                --arg expectedOid "$GITHUB_SHA" \
+                --slurpfile fileChanges "$FILE_CHANGES_JSON_FILE" \
+                '{
+                  query: "mutation ($input: CreateCommitOnBranchInput!) {
+                    createCommitOnBranch(input: $input) {
+                      commit {
+                        url
+                      }
+                    }
+                  }",
+                  variables: {
+                    input: {
+                      branch: {
+                        repositoryNameWithOwner: $repo,
+                        branchName: $branch
+                      },
+                      message: { headline: $message },
+                      fileChanges: $fileChanges[0],
+                      expectedHeadOid: $expectedOid
+                    }
+                  }
+                }' > "$JSON_PAYLOAD_FILE"
+
+          # Call GitHub API
+          curl https://api.github.com/graphql -f \
+               -sSf -H "Authorization: Bearer $GITHUB_TOKEN" \
+               --data "@$JSON_PAYLOAD_FILE"
+
+          # Clean up temporary files
+          rm "$FILE_CHANGES_JSON_FILE" "$JSON_PAYLOAD_FILE"

.github/workflows/seerr-labeller.yml

@@ -0,0 +1,111 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: 'Seerr Labeller'
+
+on:
+  pull_request_target:
+    types: [labeled, unlabeled, reopened]
+  issues:
+    types: [labeled, unlabeled, reopened]
+
+permissions: {}
+
+jobs:
+  ai-generated-support:
+    if: >
+      github.event_name == 'pull_request_target' &&
+      (github.event.label.name == 'ai-generated' || (github.event.action == 'reopened' && contains(github.event.pull_request.labels.*.name, 'ai-generated')))
+    runs-on: ubuntu-24.04
+    concurrency:
+      group: ai-generated-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
+    permissions:
+      pull-requests: write
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      GH_REPO: ${{ github.repository }}
+      NUMBER: ${{ github.event.pull_request.number }}
+      PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+    steps:
+      - name: Label added, comment and close pull request
+        if: github.event.action == 'labeled' && github.event.label.name == 'ai-generated'
+        shell: bash
+        env:
+          BODY: >
+            :wave: @${{ env.PR_AUTHOR }}, thank you for your contribution!
+
+            However, this pull request has been closed because it appears to contain a significant amount of AI-generated code without sufficient human review or supervision.
+
+            AI-generated code can often introduce subtle bugs, poor design patterns, or inconsistent styles that make long-term maintenance difficult and reduce overall code quality. For the sake of the project's future stability and readability, we require that all contributions meet our established coding standards and demonstrate clear developer oversight.
+
+            This pull request is also too large for effective human review. Please discuss with us on how to break down these changes into smaller, more focused PRs to ensure a thorough and efficient review process.
+            If you'd like to revise and resubmit your changes with careful review and cleanup, we'd be happy to take another look.
+        run: |
+          retry() { n=0; until "$@"; do n=$((n+1)); [ $n -ge 3 ] && break; echo "retry $n: $*" >&2; sleep 2; done; }
+          retry gh pr comment "$NUMBER" -R "$GH_REPO" -b "$BODY" || true
+          retry gh pr close "$NUMBER" -R "$GH_REPO" || true
+          gh pr lock "$NUMBER" -R "$GH_REPO" -r "spam" || true
+
+      - name: Label removed, reopen and unlock pull request
+        if: github.event.action == 'unlabeled' && github.event.label.name == 'ai-generated'
+        shell: bash
+        run: |
+          retry() { n=0; until "$@"; do n=$((n+1)); [ $n -ge 3 ] && break; echo "retry $n: $*" >&2; sleep 2; done; }
+          retry gh pr reopen "$NUMBER" -R "$GH_REPO" || true
+          gh pr unlock "$NUMBER" -R "$GH_REPO" || true
+
+      - name: Remove AI-generated label on manual reopen
+        if: github.event.action == 'reopened'
+        shell: bash
+        run: |
+          gh pr edit "$NUMBER" -R "$GH_REPO" --remove-label "ai-generated" || true
+          gh pr unlock "$NUMBER" -R "$GH_REPO" || true
+
+  support:
+    if: >
+      github.event_name == 'issues' &&
+      (github.event.label.name == 'support' ||
+      (github.event.action == 'reopened' && contains(github.event.issue.labels.*.name, 'support')))
+    runs-on: ubuntu-24.04
+    concurrency:
+      group: support-${{ github.event.issue.number }}
+      cancel-in-progress: true
+    permissions:
+      issues: write
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      GH_REPO: ${{ github.repository }}
+      NUMBER: ${{ github.event.issue.number }}
+      ISSUE_AUTHOR: ${{ github.event.issue.user.login }}
+    steps:
+      - name: Label added, comment and close issue
+        if: github.event.action == 'labeled' && github.event.label.name == 'support'
+        shell: bash
+        env:
+          BODY: >
+            :wave: @${{ env.ISSUE_AUTHOR }}, we use the issue tracker exclusively
+            for bug reports and feature requests. However, this issue appears
+            to be a support request. Please use our support channels
+            to get help with Seerr.
+
+            - [Discord](https://discord.gg/seerr)
+        run: |
+          retry() { n=0; until "$@"; do n=$((n+1)); [ $n -ge 3 ] && break; echo "retry $n: $*" >&2; sleep 2; done; }
+          retry gh issue comment "$NUMBER" -R "$GH_REPO" -b "$BODY" || true
+          retry gh issue close "$NUMBER" -R "$GH_REPO" || true
+          gh issue lock "$NUMBER" -R "$GH_REPO" -r "off_topic" || true
+
+      - name: Label removed, reopen and unlock issue
+        if: github.event.action == 'unlabeled' && github.event.label.name == 'support'
+        shell: bash
+        run: |
+          retry() { n=0; until "$@"; do n=$((n+1)); [ $n -ge 3 ] && break; echo "retry $n: $*" >&2; sleep 2; done; }
+          retry gh issue reopen "$NUMBER" -R "$GH_REPO" || true
+          gh issue unlock "$NUMBER" -R "$GH_REPO" || true
+
+      - name: Remove support label on manual reopen
+        if: github.event.action == 'reopened'
+        shell: bash
+        run: |
+          gh issue edit "$NUMBER" -R "$GH_REPO" --remove-label "support" || true
+          gh issue unlock "$NUMBER" -R "$GH_REPO" || true

.github/workflows/support.yml

@@ -1,58 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-name: 'Support requests'
-
-on:
-  issues:
-    types: [labeled, unlabeled, reopened]
-
-permissions:
-  issues: read
-
-concurrency:
-  group: support-${{ github.event.issue.number }}
-  cancel-in-progress: true
-
-jobs:
-  support:
-    if: github.event.label.name == 'support' || github.event.action == 'reopened'
-    runs-on: ubuntu-24.04
-    permissions:
-      issues: write
-    env:
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      GH_REPO: ${{ github.repository }}
-      NUMBER: ${{ github.event.issue.number }}
-      ISSUE_AUTHOR: ${{ github.event.issue.user.login }}
-    steps:
-      - name: Label added, comment and close issue
-        if: github.event.action == 'labeled' && github.event.label.name == 'support'
-        shell: bash
-        env:
-          BODY: >
-            :wave: @${{ env.ISSUE_AUTHOR }}, we use the issue tracker exclusively
-            for bug reports and feature requests. However, this issue appears
-            to be a support request. Please use our support channels
-            to get help with Seerr.
-
-            - [Discord](https://discord.gg/seerr)
-        run: |
-          retry() { n=0; until "$@"; do n=$((n+1)); [ $n -ge 3 ] && break; echo "retry $n: $*" >&2; sleep 2; done; }
-          retry gh issue comment "$NUMBER" -R "$GH_REPO" -b "$BODY" || true
-          retry gh issue close "$NUMBER" -R "$GH_REPO" || true
-          gh issue lock "$NUMBER" -R "$GH_REPO" -r "off_topic" || true
-
-      - name: Reopened or label removed, unlock issue
-        if: github.event.action == 'unlabeled' && github.event.label.name == 'support'
-        shell: bash
-        run: |
-          retry() { n=0; until "$@"; do n=$((n+1)); [ $n -ge 3 ] && break; echo "retry $n: $*" >&2; sleep 2; done; }
-          retry gh issue reopen "$NUMBER" -R "$GH_REPO" || true
-          gh issue unlock "$NUMBER" -R "$GH_REPO" || true
-
-      - name: Remove support label on manual reopen
-        if: github.event.action == 'reopened'
-        shell: bash
-        run: |
-          gh issue edit "$NUMBER" -R "$GH_REPO" --remove-label "support" || true
-          gh issue unlock "$NUMBER" -R "$GH_REPO" || true

.github/workflows/test-docs-deploy.yml

@@ -36,7 +36,7 @@ jobs:
           package-manager-cache: false
 
       - name: Pnpm Setup
-        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
 
       - name: Get pnpm store directory
         shell: sh

.github/workflows/trivy-scan.yml

@@ -56,6 +56,6 @@ jobs:
           ignore-unfixed: true
 
       - name: Upload SARIF to code scanning
-        uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
+        uses: github/codeql-action/upload-sarif@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
         with:
           sarif_file: trivy.sarif

.gitignore

@@ -71,3 +71,6 @@ tsconfig.tsbuildinfo
 
 # Config Cache Directory
 config/cache
+
+# Docker compose
+compose.override.yaml

.prettierignore

@@ -2,7 +2,6 @@
 .next/
 dist/
 config/
-CHANGELOG.md
 pnpm-lock.yaml
 cypress/config/settings.cypress.json
 

CONTRIBUTING.md

@@ -151,9 +151,9 @@ When adding new UI text, please try to adhere to the following guidelines:
 
 ## Translation
 
-We use [Weblate](https://jellyseerr.borgcube.de/projects/jellyseerr/jellyseerr-frontend/) for our translations, and your help with localizing Seerr would be greatly appreciated! If your language is not listed below, please [open a feature request](/../../issues/new/choose).
+We use [Weblate](https://translate.seerr.dev/projects/seerr/seerr-frontend/) for our translations, and your help with localizing Seerr would be greatly appreciated! If your language is not listed below, please [open a feature request](/../../issues/new/choose).
 
-<a href="https://jellyseerr.borgcube.de/engage/jellysseerr/"><img src="https://jellyseerr.borgcube.de/widget/jellyseerr/multi-auto.svg" alt="Translation status" /></a>
+<a href="https://translate.seerr.dev/engage/seerr/"><img src="https://translate.seerr.dev/widget/seerr/multi-auto.svg" alt="Translation status" /></a>
 
 ## Migrations
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:22.20.0-alpine3.22@sha256:cb3143549582cc5f74f26f0992cdef4a422b22128cb517f94173a5f910fa4ee7 AS base
+FROM node:22.21.1-alpine3.22@sha256:b2358485e3e33bc3a33114d2b1bdb18cdbe4df01bd2b257198eb51beb1f026c5 AS base
 ARG SOURCE_DATE_EPOCH
 ARG TARGETPLATFORM
 ENV TARGETPLATFORM=${TARGETPLATFORM:-linux/amd64}
@@ -13,7 +13,10 @@ WORKDIR /app
 FROM base AS prod-deps
 RUN --mount=type=cache,id=pnpm,target=/pnpm/store CI=true pnpm install --prod --frozen-lockfile
 
-FROM base as build
+FROM base AS build
+
+ARG COMMIT_TAG
+ENV COMMIT_TAG=${COMMIT_TAG}
 
 RUN \
   case "${TARGETPLATFORM}" in \
@@ -30,7 +33,7 @@ RUN pnpm build
 
 RUN rm -rf .next/cache
 
-FROM node:22.20.0-alpine3.22@sha256:cb3143549582cc5f74f26f0992cdef4a422b22128cb517f94173a5f910fa4ee7
+FROM node:22.21.1-alpine3.22@sha256:b2358485e3e33bc3a33114d2b1bdb18cdbe4df01bd2b257198eb51beb1f026c5
 ARG SOURCE_DATE_EPOCH
 ARG COMMIT_TAG
 ENV NODE_ENV=production

Dockerfile.local

@@ -1,4 +1,4 @@
-FROM node:22.20.0-alpine3.22@sha256:cb3143549582cc5f74f26f0992cdef4a422b22128cb517f94173a5f910fa4ee7
+FROM node:22.21.1-alpine3.22@sha256:b2358485e3e33bc3a33114d2b1bdb18cdbe4df01bd2b257198eb51beb1f026c5
 
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"

README.md

@@ -7,8 +7,8 @@
 </p>
 <p align="center">
 <a href="https://discord.gg/seerr"><img src="https://img.shields.io/discord/783137440809746482" alt="Discord"></a>
-<a href="https://hub.docker.com/r/fallenbagel/jellyseerr"><img src="https://img.shields.io/docker/pulls/fallenbagel/jellyseerr" alt="Docker pulls"></a>
-<a href="http://translate.jellyseerr.dev/engage/jellyseerr/"><img src="http://translate.jellyseerr.dev/widget/jellyseerr/jellyseerr-frontend/svg-badge.svg" alt="Translation status" /></a>
+<a href="https://hub.docker.com/r/seerr/seerr"><img src="https://img.shields.io/docker/pulls/seerr/seerr" alt="Docker pulls"></a>
+<a href="https://translate.seerr.dev/engage/seerr/"><img src="https://translate.seerr.dev/widget/seerr/seerr-frontend/svg-badge.svg" alt="Translation status" /></a>
 <a href="https://github.com/seerr-team/seerr/blob/develop/LICENSE"><img alt="GitHub" src="https://img.shields.io/github/license/seerr-team/seerr"></a>
 
 **Seerr** is a free and open source software application for managing requests for your media library. It integrates with the media server of your choice: [Jellyfin](https://jellyfin.org), [Plex](https://plex.tv), and [Emby](https://emby.media/). In addition, it integrates with your existing services, such as **[Sonarr](https://sonarr.tv/)**, **[Radarr](https://radarr.video/)**.
@@ -36,12 +36,6 @@ Check out our documentation for instructions on how to install and run Seerr:
 
 https://docs.seerr.dev/getting-started/
 
-### Packages:
-
-Archlinux: [AUR](https://aur.archlinux.org/packages/jellyseerr)
-
-Nix: [Nixpkg](https://search.nixos.org/packages?channel=unstable&show=jellyseerr)
-
 ## Preview
 
 <img src="./public/preview.jpg">

charts/seerr-chart/Chart.yaml

@@ -4,8 +4,8 @@ name: seerr-chart
 description: Seerr helm chart for Kubernetes
 type: application
 version: 3.0.0
-# renovate: image=ghcr.io/fallenbagel/jellyseerr
-appVersion: '2.7.3'
+# renovate: image=ghcr.io/seerr-team/seerr
+appVersion: '3.0.0'
 maintainers:
   - name: Seerr Team
     url: https://github.com/orgs/seerr-team/people

charts/seerr-chart/README.md

@@ -1,6 +1,6 @@
 # seerr-chart
 
-![Version: 3.0.0](https://img.shields.io/badge/Version-3.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.7.3](https://img.shields.io/badge/AppVersion-2.7.3-informational?style=flat-square)
+![Version: 3.0.0](https://img.shields.io/badge/Version-3.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square)
 
 Seerr helm chart for Kubernetes
 
@@ -20,11 +20,15 @@ Seerr helm chart for Kubernetes
 
 Kubernetes: `>=1.23.0-0`
 
+## Installation
+
+Refer to [Seerr kubernetes documentation](https://docs.seerr.dev/getting-started/kubernetes)
+
 ## Update Notes
 
 ### Updating to 3.0.0
 
-Nothing has changed; we just rebranded the `jellyseerr` Helm chart to `seerr` 🥳.
+Nothing has changed; we just rebranded the `jellyseerr` Helm chart to `seerr` 🥳 refer to our [Migration guide](https://docs.seerr.dev/migration-guide).
 
 ### Updating to 2.7.0
 
@@ -66,12 +70,20 @@ If `replicaCount` value was used - remove it. Helm update should work fine after
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
 | podLabels | object | `{}` |  |
-| podSecurityContext | object | `{}` |  |
+| podSecurityContext.fsGroup | int | `1000` |  |
+| podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` |  |
 | probes.livenessProbe | object | `{}` | Configure liveness probe |
 | probes.readinessProbe | object | `{}` | Configure readiness probe |
 | probes.startupProbe | string | `nil` | Configure startup probe |
 | resources | object | `{}` |  |
-| securityContext | object | `{}` |  |
+| securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| securityContext.privileged | bool | `false` |  |
+| securityContext.readOnlyRootFilesystem | bool | `false` |  |
+| securityContext.runAsGroup | int | `1000` |  |
+| securityContext.runAsNonRoot | bool | `true` |  |
+| securityContext.runAsUser | int | `1000` |  |
+| securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | service.port | int | `80` |  |
 | service.type | string | `"ClusterIP"` |  |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |

charts/seerr-chart/README.md.gotmpl

@@ -14,11 +14,15 @@
 
 {{ template "chart.requirementsSection" . }}
 
+## Installation
+
+Refer to [Seerr kubernetes documentation](https://docs.seerr.dev/getting-started/kubernetes)
+
 ## Update Notes
 
 ### Updating to 3.0.0
 
-Nothing change we just rebranded `jellyseerr` helm-chart to `seerr` :)
+Nothing has changed; we just rebranded the `jellyseerr` Helm chart to `seerr` 🥳 refer to our [Migration guide](https://docs.seerr.dev/migration-guide).
 
 ### Updating to 2.7.0
 

charts/seerr-chart/values.yaml

@@ -50,16 +50,22 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
-podSecurityContext: {}
-# fsGroup: 2000
+podSecurityContext:
+  fsGroup: 1000
+  fsGroupChangePolicy: OnRootMismatch
 
-securityContext: {}
-# capabilities:
-#   drop:
-#   - ALL
-# readOnlyRootFilesystem: true
-# runAsNonRoot: true
-# runAsUser: 1000
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  privileged: false
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: RuntimeDefault
 
 service:
   type: ClusterIP

compose.postgres.yaml

@@ -31,6 +31,6 @@ services:
     ports:
       - '5432:5432'
     volumes:
-      - postgres:var/lib/postgresql/18/docker
+      - postgres:/var/lib/postgresql
 volumes:
   postgres:

docs/extending-seerr/database-config.mdx

@@ -20,7 +20,7 @@ DB_LOG_QUERIES="false" # (optional) Whether to log the DB queries for debugging.
 ## PostgreSQL Options
 
 :::caution
-When migrating Postgres from version 17 to 18 in Docker, note that the data mount point has changed. Instead of using `/var/lib/postgresql/data`, the correct mount path is now `/var/lib/postgresql/18/docker`.
+When migrating Postgres from version 17 to 18 in Docker, note that the data mount point has changed. Instead of using `/var/lib/postgresql/data`, the correct mount path is now `/var/lib/postgresql`.
 Refer to the [PostgreSQL Docker documentation](https://hub.docker.com/_/postgres/#pgdata) to learn how to migrate or opt out of this change.
 :::
 

docs/extending-seerr/reverse-proxy.mdx

@@ -266,3 +266,36 @@ Add the following Location block to your existing Server configuration.
 </TabItem>
 
 </Tabs>
+
+## HAProxy (v3)
+
+:::warning
+This is a third-party documentation maintained by the community. We can't provide support for this setup and are unable to test it.
+:::
+
+    Add the following frontend and backend configurations for your seerr instance:
+    ```haproxy
+    frontend seerr-frontend
+      bind 0.0.0.0:80
+      bind 0.0.0.0:443 ssl crt /etc/ssl/private/seerr.example.com.pem
+      mode http
+      log global
+      option httplog
+      option http-keep-alive
+      http-request set-header X-Real-IP %[src]
+      option forwardfor
+      acl seerr hdr(host) -i seerr.example.com
+      redirect scheme https code 301 if !{ ssl_fc }
+      use_backend seerr-backend if seerr
+
+    backend seerr-backend
+      mode http
+      log global
+      option httplog
+      http-response set-header Strict-Transport-Security max-age=15552000
+      option httpchk GET /api/v1/status
+      timeout connect 30000
+      timeout server 30000
+      retries 3
+      server seerr 127.0.0.1:5055 check inter 1000
+    ```

docs/getting-started/buildfromsource.mdx

@@ -24,10 +24,9 @@ import TabItem from '@theme/TabItem';
 ```bash
 sudo mkdir -p /opt/seerr && cd /opt/seerr
 ```
-2. Clone the Seerr repository and checkout the develop branch:
+2. Clone the Seerr repository and checkout the main branch:
 ```bash
-git clone https://github.com/fallenbagel/jellyseerr.git
-cd jellyseerr
+git clone https://github.com/seerr-team/seerr.git .
 git checkout main
 ```
 3. Install the dependencies:
@@ -199,9 +198,9 @@ pm2 status seerr
 mkdir C:\seerr
 cd C:\seerr
 ```
-2. Clone the Seerr repository and checkout the develop branch:
+2. Clone the Seerr repository and checkout the main branch:
 ```powershell
-git clone https://github.com/fallenbagel/jellyseerr.git .
+git clone https://github.com/seerr-team/seerr.git .
 git checkout main
 ```
 3. Install the dependencies:

docs/getting-started/docker.mdx

@@ -11,6 +11,16 @@ Details on how to install Docker can be found on the [official Docker website](h
 Refer to [Configuring Databases](/extending-seerr/database-config#postgresql-options) for details on how to configure your database.
 :::
 
+:::info
+An alternative Docker image is available on Docker Hub for this project. You can find it at [Docker Hub Repository Link](https://hub.docker.com/r/seerr/seerr)
+:::
+
+:::info
+All official Seerr images are cryptographically signed and include a verified [Software Bill of Materials (SBOM)](https://cyclonedx.org/).
+
+To confirm that the container image you are using is authentic and unmodified, please refer to the [Verifying Signed Artifacts](/using-seerr/advanced/verifying-signed-artifacts#verifying-signed-images) guide.
+:::
+
 ## Unix (Linux, macOS)
 :::warning
 Be sure to replace `/path/to/appdata/config` in the below examples with a valid host directory path. If this volume mount is not configured correctly, your Seerr settings/data will not be persisted when the container is recreated (e.g., when updating the image or rebooting your machine).
@@ -38,7 +48,7 @@ docker run -d \
   -p 5055:5055 \
   -v /path/to/appdata/config:/app/config \
   --restart unless-stopped \
-  ghcr.io/seerr-team/seerr
+  ghcr.io/seerr-team/seerr:latest
 ```
 
 The argument `-e PORT=5055` is optional.
@@ -62,7 +72,7 @@ docker stop seerr && docker rm seerr
 ```
 Pull the latest image:
 ```bash
-docker pull ghcr.io/seerr-team/seerr
+docker pull ghcr.io/seerr-team/seerr:latest
 ```
 Finally, run the container with the same parameters originally used to create the container:
 ```bash
@@ -125,15 +135,6 @@ You may alternatively use a third-party mechanism like [dockge](https://github.c
   </TabItem>
 </Tabs>
 
-
-## Unraid
-
-1. Ensure you have the **Community Applications** plugin installed.
-2. Inside the **Community Applications** app store, search for **Seerr**.
-3. Click the **Install Button**.
-4. On the following **Add Container** screen, make changes to the **Host Port** and **Host Path 1** \(Appdata\) as needed.
-5. Click apply and access "Seerr" at your `<ServerIP:HostPort>` in a web browser.
-
 ## Windows
 
 Please refer to the [Docker Desktop for Windows user manual](https://docs.docker.com/docker-for-windows/) for details on how to install Docker on Windows. There is no need to install a Linux distro if using named volumes like in the example below.
@@ -165,7 +166,7 @@ docker run -d \
   -p 5055:5055 \
   -v seerr-data:/app/config \
   --restart unless-stopped \
-  ghcr.io/seerr-team/seerr
+  ghcr.io/seerr-team/seerr:latest
 ```
 
 The argument `-e PORT=5055` is optional.

docs/getting-started/kubernetes.mdx

@@ -1,21 +1,26 @@
 ---
 title: Kubernetes (Advanced)
-description: Install Jellyseerr in Kubernetes
-sidebar_position: 5
+description: Install Seerr in Kubernetes
+sidebar_position: 3
 ---
 # Kubernetes
-:::info
+:::warning
 This method is not recommended for most users. It is intended for advanced users who are using Kubernetes.
 :::
 
+:::info
+All official Seerr charts are cryptographically signed and include a verified [Software Bill of Materials (SBOM)](https://cyclonedx.org/).
+
+To confirm that the chart you are using is authentic and unmodified, please refer to the [Verifying Signed Artifacts](/using-seerr/advanced/verifying-signed-artifacts#verifying-signed-helm-charts) guide.
+:::
+
 ## Installation
 ```console
 helm install seerr oci://ghcr.io/seerr-team/seerr/seerr-chart
 ```
-Helm values can be found in the Jellyseerr repository under [charts/jellyseerr-chart/README.md](https://github.com/fallenbagel/jellyseerr/tree/develop/charts/jellyseerr-chart).
+Helm values can be found in the Seerr repository under [charts/seerr-chart/README.md](https://github.com/seerr-team/seerr/tree/develop/charts/seerr-chart).
 
 Verify the signature with [cosign](https://docs.sigstore.dev/cosign/system_config/installation/) (replace [tag], with the TAG you want to verify) :
 ```console
-cosign verify ghcr.io/fallenbagel/jellyseerr/jellyseerr-chart:[tag] --certificate-identity=https://github.com/fallenbagel/jellyseerr/.github/workflows/helm.yml@refs/heads/main --certificate-oidc-issuer=https://token.ac
-tions.githubusercontent.com
+cosign verify ghcr.io/seerr-team/seerr/seerr-chart:[tag] --certificate-identity=https://github.com/seerr-team/seerr/.github/workflows/helm.yml@refs/heads/main --certificate-oidc-issuer=https://token.actions.githubusercontent.com
 ```

docs/getting-started/nixpkg.mdx

@@ -1,271 +0,0 @@
----
-title: Nix Package Manager (Advanced)
-description: Install Seerr using Nix
-sidebar_position: 3
----
-
-import { SeerrVersion, NixpkgVersion } from '@site/src/components/SeerrVersion';
-import Admonition from '@theme/Admonition';
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-# Nix Package Manager (Advanced)
-:::info
-This method is not recommended for most users. It is intended for advanced users who are using Nix as their package manager.
-:::
-
-export const VersionMismatchWarning = () => {
-  let seerrVersion = null;
-  let nixpkgVersions = null;
-  try {
-    seerrVersion = SeerrVersion();
-    nixpkgVersions = NixpkgVersion();
-  } catch (err) {
-    return (
-      <Admonition type="error">
-        Failed to load version information. Error: {err.message || JSON.stringify(err)}
-      </Admonition>
-    );
-  }
-
-    if (!nixpkgVersions || nixpkgVersions.error) {
-    return (
-      <Admonition type="error">
-        Failed to fetch Nixpkg versions: {nixpkgVersions?.error || 'Unknown error'}
-      </Admonition>
-    );
-  }
-
-  const isUnstableUpToDate = seerrVersion === nixpkgVersions.unstable;
-  const isStableUpToDate = seerrVersion === nixpkgVersions.stable;
-
-  return (
-     <>
-      {!isStableUpToDate ? (
-  <Admonition type="warning">
-    The{' '}
-    <a href="https://github.com/NixOS/nixpkgs/blob/nixos-24.11/pkgs/servers/jellyseerr/default.nix#L14">
-      upstream Jellyseerr Nix Package (v{nixpkgVersions.stable})
-    </a>{' '}
-    is not <b>up-to-date</b>. If you want to use <b>Jellyseerr v{seerrVersion}</b>,{' '}
-    {isUnstableUpToDate ? (
-      <>
-        consider using the{' '}
-        <a href="https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/je/jellyseerr/package.nix">
-          unstable package
-        </a>{' '}
-        instead.
-      </>
-    ) : (
-      <>
-        you will need to{' '}
-        <a href="#overriding-the-package-derivation">override the package derivation</a>.
-      </>
-    )}
-  </Admonition>
-) : null}
-    </>
-  );
-};
-
-<VersionMismatchWarning />
-
-## Installation
-To get up and running with jellyseerr using Nix, you can add the following to your `configuration.nix`:
-
-```nix
-{ config, pkgs, ... }:
-
-{
-  services.jellyseerr.enable = true;
-}
-```
-
-If you want more advanced configuration options, you can use the following:
-
-<Tabs groupId="nixpkg-methods" queryString>
-  <TabItem value="default" label="Default Configurations">
-```nix
-{ config, pkgs, ... }:
-
-{
-  services.jellyseerr = {
-    enable = true;
-    port = 5055;
-    openFirewall = true;
-    package = pkgs.jellyseerr; # Use the unstable package if stable is not up-to-date
-  };
-}
-```
-  </TabItem>
-  <TabItem value="custom" label="Database Configurations">
-In order to use postgres, you will need to add override the default module of jellyseerr with the following as the current default module is not compatible with postgres:
-```nix
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-with lib;
-let
-  cfg = config.services.jellyseerr;
-in
-{
-  meta.maintainers = [ maintainers.camillemndn ];
-
-  disabledModules = [ "services/misc/jellyseerr.nix" ];
-
-  options.services.jellyseerr = {
-    enable = mkEnableOption ''Jellyseerr, a requests manager for Jellyfin'';
-
-    openFirewall = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''Open port in the firewall for the Jellyseerr web interface.'';
-    };
-
-    port = mkOption {
-      type = types.port;
-      default = 5055;
-      description = ''The port which the Jellyseerr web UI should listen to.'';
-    };
-
-    package = mkOption {
-      type = types.package;
-      default = pkgs.jellyseerr;
-      defaultText = literalExpression "pkgs.jellyseerr";
-      description = ''
-        Jellyseerr package to use.
-      '';
-    };
-
-    databaseConfig = mkOption {
-      type = types.attrsOf types.str;
-      default = {
-        type = "sqlite";
-        configDirectory = "config";
-        logQueries = "false";
-      };
-      description = ''
-        Database configuration. For "sqlite", only "type", "configDirectory", and "logQueries" are relevant.
-        For "postgres", include host, port, user, pass, name, and optionally socket.
-        Example:
-        {
-          type = "postgres";
-          socket = "/run/postgresql";
-          user = "jellyseerr";
-          name = "jellyseerr";
-          logQueries = "false";
-        }
-        or
-        {
-          type = "postgres";
-          host = "localhost";
-          port = "5432";
-          user = "dbuser";
-          pass = "password";
-          name = "jellyseerr";
-          logQueries = "false";
-        }
-        or
-        {
-          type = "sqlite";
-          configDirectory = "config";
-          logQueries = "false";
-        }
-      '';
-    };
-  };
-
-  config = mkIf cfg.enable {
-    systemd.services.jellyseerr = {
-      description = "Jellyseerr, a requests manager for Jellyfin";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      environment =
-        let
-          dbConfig = cfg.databaseConfig;
-        in
-        {
-          PORT = toString cfg.port;
-          DB_TYPE = toString dbConfig.type;
-          CONFIG_DIRECTORY = toString dbConfig.configDirectory or "";
-          DB_LOG_QUERIES = toString dbConfig.logQueries;
-          DB_HOST = if dbConfig.type == "postgres" && !(hasAttr "socket" dbConfig) then toString dbConfig.host or "" else "";
-          DB_PORT = if dbConfig.type == "postgres" && !(hasAttr "socket" dbConfig) then toString dbConfig.port or "" else "";
-          DB_SOCKET_PATH = if dbConfig.type == "postgres" && hasAttr "socket" dbConfig then toString dbConfig.socket or "" else "";
-          DB_USER = if dbConfig.type == "postgres" then toString dbConfig.user or "" else "";
-          DB_PASS = if dbConfig.type == "postgres" then toString dbConfig.pass or "" else "";
-          DB_NAME = if dbConfig.type == "postgres" then toString dbConfig.name or "" else "";
-        };
-      serviceConfig = {
-        Type = "exec";
-        StateDirectory = "jellyseerr";
-        WorkingDirectory = "${cfg.package}/libexec/jellyseerr";
-        DynamicUser = true;
-        ExecStart = "${cfg.package}/bin/jellyseerr";
-        BindPaths = [ "/var/lib/jellyseerr/:${cfg.package}/libexec/jellyseerr/config/" ];
-        Restart = "on-failure";
-        ProtectHome = true;
-        ProtectSystem = "strict";
-        PrivateTmp = true;
-        PrivateDevices = true;
-        ProtectHostname = true;
-        ProtectClock = true;
-        ProtectKernelTunables = true;
-        ProtectKernelModules = true;
-        ProtectKernelLogs = true;
-        ProtectControlGroups = true;
-        NoNewPrivileges = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        RemoveIPC = true;
-        PrivateMounts = true;
-      };
-    };
-
-    networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; };
-  };
-}
-```
-Then, import the module into your `configuration.nix`:
-```nix
-{ config, pkgs, ... }:
-{
-  imports = [ ./modules/jellyseerr.nix ];
-
-  services.jellyseerr = {
-    enable = true;
-    port = 5055;
-    openFirewall = true;
-    package = pkgs.unstable.jellyseerr; # use the unstable package if stable is not up-to-date
-    databaseConfig = {
-      type = "postgres";
-      host = "localhost"; # or socket: "/run/postgresql"
-      port = "5432"; # if using socket, this is not needed
-      user = "jellyseerr";
-      pass = "jellyseerr";
-      name = "jellyseerr";
-      logQueries = "false";
-    };
-  }
-}
-```
-  </TabItem>
-</Tabs>
-
-After adding the configuration to your `configuration.nix`, you can run the following command to install jellyseerr:
-
-```bash
-nixos-rebuild switch
-```
-After rebuild is complete jellyseerr should be running, verify that it is with the following command.
-```bash
-systemctl status jellyseerr
-```
-
-:::info
-You can now access Seerr by visiting `http://localhost:5055` in your web browser.
-:::
-

docs/getting-started/third-parties/aur.mdx

@@ -1,16 +1,15 @@
 ---
-title: AUR (Arch User Repository)
+title: AUR (Advanced)
 description: Install Seerr using the Arch User Repository
-sidebar_position: 4
+sidebar_position: 2
 ---
 
-# AUR (Arch User Repository)
-
-:::note Disclaimer
-This AUR package is not maintained by us but by a third party. Please refer to the maintainer for any issues.
+# AUR
+:::warning
+Third-party installation methods are maintained by the community. The Seerr team is not responsible for these packages.
 :::
 
-:::info
+:::warning
 This method is not recommended for most users. It is intended for advanced users who are using Arch Linux or an Arch-based distribution.
 :::
 
@@ -24,12 +23,12 @@ import TabItem from '@theme/TabItem';
 <Tabs groupId="aur-methods" queryString>
   <TabItem value="yay" label="yay">
     ```bash
-    yay -S jellyseerr
+    yay -S seerr
     ```
   </TabItem>
   <TabItem value="paru" label="paru">
     ```bash
-    paru -S jellyseerr
+    paru -S seerr
     ```
   </TabItem>
 </Tabs>
@@ -39,5 +38,5 @@ After installing Seerr, configure it by visiting the web UI at `http://[address]
 :::
 
 :::tip
-You can find the environment file at `/etc/conf.d/jellyseerr` and the service file at `/etc/systemd/system/jellyseerr.service`.
+You can find the environment file at `/etc/conf.d/seerr` and the service file at `/etc/systemd/system/seerr.service`.
 :::

docs/getting-started/third-parties/index.mdx

@@ -0,0 +1,11 @@
+---
+title: Third-party Installation Methods
+---
+import DocCardList from '@theme/DocCardList';
+
+:::warning
+Third-party installation methods are maintained by the community. The Seerr team is not responsible for these packages.
+:::
+
+
+<DocCardList />

docs/getting-started/third-parties/nixpkg.mdx

@@ -0,0 +1,17 @@
+---
+title: Nix Package Manager (Advanced)
+description: Install Seerr using Nixpkgs
+sidebar_position: 1
+---
+
+import { SeerrVersion, NixpkgVersion } from '@site/src/components/SeerrVersion';
+import Admonition from '@theme/Admonition';
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# Nix Package Manager
+:::warning
+Third-party installation methods are maintained by the community. The Seerr team is not responsible for these packages.
+:::
+
+Refer to [NixOS documentation](https://search.nixos.org/options?channel=25.05&query=seerr)

docs/getting-started/third-parties/unraid.mdx

@@ -0,0 +1,20 @@
+---
+title: Unraid (Advanced)
+description: Install Seerr using Unraid
+sidebar_position: 3
+---
+
+# Unraid
+:::warning
+Third-party installation methods are maintained by the community. The Seerr team is not responsible for these packages.
+:::
+
+:::warning
+This method is not recommended for most users. It is intended for advanced users who are using Unraid.
+:::
+
+1. Ensure you have the **Community Applications** plugin installed.
+2. Inside the **Community Applications** app store, search for **Seerr**.
+3. Click the **Install Button**.
+4. On the following **Add Container** screen, make changes to the **Host Port** and **Host Path 1** \(Appdata\) as needed.
+5. Click apply and access "Seerr" at your `<ServerIP:HostPort>` in a web browser.

docs/migration-guide.mdx

@@ -0,0 +1,168 @@
+---
+title: Migration guide
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+Whether you come from Overseerr or Jellyseerr, you don't need to perform any manual migration steps, your instance will automatically be migrated to Seerr.
+This migration will run automatically the first time you start your instance using the Seerr codebase (Docker image or source build or Kubernetes, etc.).
+An additional migration will happen for Overseerr users, to migrate their configuration to the new codebase.
+
+:::warning
+Before doing anything you should backup your existing instance so that you can rollback in case something goes wrong.
+See [Backups](/using-seerr/backups) for details on how to properly backup your instance.
+:::
+
+## Docker
+Refer to [Seerr Docker Documentation](/getting-started/docker), all of our examples have been updated to reflect the below change.
+
+Changes :
+- Renamed all references from `overseerr` or `jellyseerr` to `seerr`.
+- The container image reference has been updated.
+- The container can now be run as a non-root user (`node` user); remove the `user` directive if you have configured it.
+- The container no longer provides an init process, so you must configure it by adding `init: true` for Docker Compose or `--init` for the Docker CLI.
+
+:::info
+**Config folder permissions**: Since the container now runs as the `node` user (UID 1000), you must ensure your config folder has the correct permissions. The `node` user must have read and write access to the `/app/config` directory.
+
+If you're migrating from a previous installation, you may need to update the ownership of your config folder:
+```bash
+docker run --rm -v /path/to/appdata/config:/data alpine chown -R 1000:1000 /data
+```
+
+This ensures the `node` user (UID 1000) owns the config directory and can read and write to it.
+:::
+
+### Unix
+
+Summary of changes :
+<Tabs groupId="docker-methods" queryString>
+  <TabItem value="docker-compose" label="Docker compose">
+  ```yaml {3-6}
+  ---
+  services:
+    seerr:
+      image: ghcr.io/seerr-team/seerr:latest
+      init: true
+      container_name: seerr
+      environment:
+        - LOG_LEVEL=debug
+        - TZ=Asia/Tashkent
+        - PORT=5055 #optional
+      ports:
+        - 5055:5055
+      volumes:
+        - /path/to/appdata/config:/app/config
+      healthcheck:
+        test: wget --no-verbose --tries=1 --spider http://localhost:5055/api/v1/status || exit 1
+        start_period: 20s
+        timeout: 3s
+        interval: 15s
+        retries: 3
+      restart: unless-stopped
+  ```
+  </TabItem>
+  <TabItem value="docker-cli" label="Docker CLI">
+  ```bash {2-3,10}
+  docker run -d \
+    --name seerr \
+    --init \
+    -e LOG_LEVEL=debug \
+    -e TZ=Asia/Tashkent \
+    -e PORT=5055 \
+    -p 5055:5055 \
+    -v /path/to/appdata/config:/app/config \
+    --restart unless-stopped \
+    ghcr.io/seerr-team/seerr:latest
+  ```
+  </TabItem>
+</Tabs>
+
+### Windows
+Summary of changes :
+<Tabs groupId="docker-methods" queryString>
+  <TabItem value="docker-compose" label="Docker compose">
+  ```yaml {3-6,13,23}
+  ---
+  services:
+    seerr:
+      image: ghcr.io/seerr-team/seerr:latest
+      init: true
+      container_name: seerr
+      environment:
+        - LOG_LEVEL=debug
+        - TZ=Asia/Tashkent
+      ports:
+        - 5055:5055
+      volumes:
+        - seerr-data:/app/config
+      healthcheck:
+        test: wget --no-verbose --tries=1 --spider http://localhost:5055/api/v1/status || exit 1
+        start_period: 20s
+        timeout: 3s
+        interval: 15s
+        retries: 3
+      restart: unless-stopped
+
+  volumes:
+    seerr-data:
+      external: true
+  ```
+  </TabItem>
+  <TabItem value="docker-cli" label="Docker CLI">
+  ```bash {2-3,8,10}
+  docker run -d \
+    --name seerr \
+    --init \
+    -e LOG_LEVEL=debug \
+    -e TZ=Asia/Tashkent \
+    -e PORT=5055 \
+    -p 5055:5055 \
+    -v seerr-data:/app/config \
+    --restart unless-stopped \
+    ghcr.io/seerr-team/seerr:latest
+  ```
+  </TabItem>
+</Tabs>
+
+## Kubernetes
+Refer to [Seerr Kubernetes Documentation](/getting-started/kubernetes), all of our examples have been updated to reflect the below change.
+
+Changes :
+- All references to `jellyseerr` have been renamed to `seerr` in the manifests.
+- The container image reference has been updated.
+- The default `securityContext` and `podSecurityContext` have been updated to support running the container without root permissions.
+
+Summary of changes :
+<Tabs groupId="kubernetes-values" queryString>
+  <TabItem value="old" label="Old values">
+  ```yaml
+  image:
+    repository: fallenbagel/jellyseerr
+  podSecurityContext: {}
+  securityContext: {}
+  ```
+  </TabItem>
+  <TabItem value="new" label="New values">
+  ```yaml
+  image:
+    repository: seerr-team/seerr
+  podSecurityContext:
+    fsGroup: 1000
+    fsGroupChangePolicy: OnRootMismatch
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
+    privileged: false
+    runAsUser: 1000
+    runAsGroup: 1000
+    seccompProfile:
+      type: RuntimeDefault
+  ```
+  </TabItem>
+</Tabs>

docs/troubleshooting.mdx

@@ -103,7 +103,7 @@ If you can't change your DNS servers or force IPV4 resolution, you can use Seerr
 
 In some places (like China), the ISP blocks not only the DNS resolution but also the connection to the TMDB API.
 
-You can configure Seerr to use a proxy with the [HTTP(S) Proxy](/using-seerr/settings/general#https-proxy) setting.
+You can configure Seerr to use a proxy with the [HTTP(S) Proxy](/using-seerr/settings/general#enable-proxy-support) setting.
 
 ### Option 3: Force IPV4 resolution first
 
@@ -174,4 +174,36 @@ This can happen if you have a new installation of Jellyfin/Emby or if you have c
 
 This process should restore your admin privileges while preserving your settings.
 
+## Failed to enable web push notifications
+
+### Option 1: You are using Pi-hole
+
+When using Pi-hole, you need to whitelist the proper domains in order for the queries to not be intercepted and blocked by Pi-hole.
+If you are using a chromium based browser (eg: Chrome, Brave, Edge...), the domain you need to whitelist is `fcm.googleapis.com`
+If you are using Firefox, the domain you need to whitelist is `push.services.mozilla.com`
+
+1. Log into your Pi-hole through the admin interface, then click on Domains situated under GROUP MANAGEMENT.
+2. Add the domain corresponding to your browser in the `Domain to be added` field and then click on Add to allowed domains.
+3. Now in order for those changes to be used you need to flush your current dns cache.
+4. You can do so by using this command line in your Pi-hole terminal:
+    ```bash
+    pihole restartdns
+    ```
+If this command fails (which is unlikely), use this equivalent:
+    ```bash
+    pihole -f && pihole restartdns
+    ```
+5. Then restart your Seerr instance and try to enable the web push notifications again.
+
+
+### Option 2: You are using Brave browser
+
+Brave is a "De-Googled" browser. So by default or if you refused a prompt in the past, it cuts the access to the FCM (Firebase Cloud Messaging) service, which is mandatory for the web push notifications on Chromium based browsers.
+
+1. Open Brave and paste this address in the url bar: `brave://settings/privacy`
+2. Look for the option: "Use Google services for push messaging"
+3. Activate this option
+4. Relaunch Brave completely
+5. You should now see the notifications prompt appearing instead of an error message.
+
 If you still encounter issues, please reach out on our support channels.

docs/using-seerr/advanced/index.mdx

@@ -0,0 +1,15 @@
+---
+title: Advanced Features
+description: Advanced configuration and use cases.
+sidebar_position: 6
+---
+
+# Advanced Features
+
+## Advanced Configuration and Use Cases
+
+Seerr currently offers advanced features for power users and specific use cases:
+
+import DocCardList from '@theme/DocCardList';
+
+<DocCardList />

docs/using-seerr/advanced/verifying-signed-artifacts.mdx

@@ -0,0 +1,386 @@
+---
+id: verifying-signed-artifacts
+title: Verifying Signed Artifacts
+sidebar_label: Verify Signed Artifacts
+description: Learn how to verify Seerr's signed artifacts and SBOM attestations.
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# Verifying Signed Artifacts
+
+These artifacts are cryptographically signed using [Sigstore Cosign](https://docs.sigstore.dev/quickstart/quickstart-cosign/):
+- Container images
+- Helm charts
+
+This ensures that the images you pull are authentic, tamper-proof, and built by the official Seerr release pipeline.
+
+Additionally each container image also includes a CycloneDX SBOM (Software Bill of Materials) attestation, generated with [Trivy](https://aquasecurity.github.io/trivy/), providing transparency about all dependencies included in the image.
+
+---
+
+## Prerequisites
+
+You will need the following tools installed:
+
+- [Cosign](https://docs.sigstore.dev/cosign/system_config/installation/)
+
+To verify images:
+
+- [Docker](https://docs.docker.com/get-docker/) **or** [Podman](https://podman.io/getting-started/installation) (including [Skopeo](https://github.com/containers/skopeo/blob/main/install.md))
+
+---
+
+## Verifying Signed Images
+
+### Image Locations
+
+Official Seerr images are available from:
+
+- GitHub Container Registry (GHCR): `ghcr.io/seerr-team/seerr:<tag>`
+- Docker Hub: `seerr/seerr:<tag>`
+
+You can view all available tags on the [Seerr Releases page](https://github.com/seerr-team/seerr/releases).
+
+---
+
+### Verifying a Specific Release Tag
+
+Each tagged release (for example `v2.7.4`) is immutable and cryptographically signed.
+Verification should always be performed using the image digest (SHA256).
+
+#### Retrieve the Image Digest
+
+<Tabs groupId="verify-methods">
+  <TabItem value="docker" label="Docker">
+
+```bash
+docker buildx imagetools inspect ghcr.io/seerr-team/seerr:v2.7.4 --format '{{json .Manifest.Digest}}' | tr -d '"'
+```
+  </TabItem>
+
+  <TabItem value="podman" label="Podman / Skopeo">
+
+```bash
+skopeo inspect docker://ghcr.io/seerr-team/seerr:v2.7.4 --format '{{.Digest}}'
+```
+  </TabItem>
+</Tabs>
+
+Example output:
+
+```
+sha256:abcd1234...
+```
+
+---
+
+#### Verify the Image Signature
+
+<Tabs groupId="registry-methods">
+  <TabItem value="ghcr" label="GitHub Container Registry (GHCR)">
+
+```bash
+cosign verify ghcr.io/seerr-team/seerr@sha256:abcd1234... \
+  --certificate-identity "https://github.com/seerr-team/seerr/.github/workflows/release.yml@refs/tags/v2.7.4" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+  </TabItem>
+
+  <TabItem value="dockerhub" label="Docker Hub">
+
+```bash
+cosign verify seerr/seerr@sha256:abcd1234... \
+  --certificate-identity "https://github.com/seerr-team/seerr/.github/workflows/release.yml@refs/tags/v2.7.4" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+  </TabItem>
+</Tabs>
+
+:::info Successful Verification Example
+Verification for `ghcr.io/seerr-team/seerr@sha256:abcd1234...`
+
+The following checks were performed:
+
+- Cosign claims validated
+- Signatures verified against the transparency log
+- Certificate issued by Fulcio to the expected workflow identity
+:::
+
+---
+
+### Verifying the `latest` Tag
+
+:::warning Latest Tag Warning
+The `latest` tag is **mutable**, meaning it will change with each new release.
+Always verify the digest that `latest` currently points to.
+:::
+
+#### Retrieve the Digest for `latest`
+
+<Tabs groupId="verify-methods">
+  <TabItem value="docker" label="Docker">
+
+```bash
+docker buildx imagetools inspect ghcr.io/seerr-team/seerr:latest --format '{{json .Manifest.Digest}}' | tr -d '"'
+```
+  </TabItem>
+
+  <TabItem value="podman" label="Podman / Skopeo">
+
+```bash
+skopeo inspect docker://ghcr.io/seerr-team/seerr:latest --format '{{.Digest}}'
+```
+  </TabItem>
+</Tabs>
+
+Example output:
+
+```
+sha256:abcd1234...
+```
+
+#### Verify the Signature
+
+<Tabs groupId="registry-methods">
+  <TabItem value="ghcr" label="GHCR">
+
+```bash
+cosign verify ghcr.io/seerr-team/seerr@sha256:abcd1234... \
+  --certificate-identity-regexp "https://github.com/seerr-team/seerr/.github/workflows/release.yml@refs/tags/v.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+  </TabItem>
+
+  <TabItem value="dockerhub" label="Docker Hub">
+
+```bash
+cosign verify seerr/seerr@sha256:abcd1234... \
+  --certificate-identity-regexp "https://github.com/seerr-team/seerr/.github/workflows/release.yml@refs/tags/v.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+  </TabItem>
+</Tabs>
+
+:::tip
+The wildcard `v.*` ensures verification works for any versioned release that `latest` represents.
+:::
+
+---
+
+### Verifying SBOM Attestations
+
+Each image includes a CycloneDX SBOM attestation.
+
+#### Verify the Attestation
+
+```bash
+cosign verify-attestation ghcr.io/seerr-team/seerr@sha256:abcd1234... \
+  --type cyclonedx \
+  --certificate-identity "https://github.com/seerr-team/seerr/.github/workflows/release.yml@refs/tags/v2.7.4" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+:::info Successful Verification Example
+Verification for `ghcr.io/seerr-team/seerr@sha256:abcd1234...`
+
+The following checks were performed:
+
+- Cosign claims validated
+- Signatures verified against the transparency log
+- Certificate issued by Fulcio to the expected workflow identity
+:::
+
+#### Extract the SBOM for Inspection
+
+```bash
+cosign verify-attestation ghcr.io/seerr-team/seerr@sha256:abcd1234... \
+  --type cyclonedx \
+  --certificate-identity "https://github.com/seerr-team/seerr/.github/workflows/release.yml@refs/tags/v2.7.4" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq -r '.payload | @base64d' > sbom.json
+```
+
+You can open `sbom.json` in a CycloneDX viewer or analyse it with [Trivy](https://aquasecurity.github.io/trivy/) or [Dependency-Track](https://dependencytrack.org/).
+
+---
+
+### Expected Certificate Identity
+
+The expected certificate identity for all signed Seerr images is:
+
+```
+https://github.com/seerr-team/seerr/.github/workflows/release.yml@refs/tags/v*
+```
+
+This confirms that the image was:
+
+- Built by the official Seerr Release workflow
+- Produced from the seerr-team/seerr repository
+- Signed using GitHub’s OIDC identity via Sigstore Fulcio
+
+---
+
+### Example: Full Verification Flow
+
+<Tabs groupId="verify-examples">
+  <TabItem value="docker" label="Docker">
+
+```bash
+DIGEST=$(docker buildx imagetools inspect ghcr.io/seerr-team/seerr:latest --format '{{json .Manifest.Digest}}' | tr -d '"')
+
+cosign verify ghcr.io/seerr-team/seerr@"$DIGEST" \
+  --certificate-identity-regexp "https://github.com/seerr-team/seerr/.github/workflows/release.yml@refs/tags/v.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+
+cosign verify-attestation ghcr.io/seerr-team/seerr@"$DIGEST" \
+  --type cyclonedx \
+  --certificate-identity-regexp "https://github.com/seerr-team/seerr/.github/workflows/release.yml@refs/tags/v.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+  </TabItem>
+
+  <TabItem value="podman" label="Podman / Skopeo">
+
+```bash
+DIGEST=$(skopeo inspect docker://ghcr.io/seerr-team/seerr:latest --format '{{.Digest}}')
+
+cosign verify ghcr.io/seerr-team/seerr@"$DIGEST" \
+  --certificate-identity-regexp "https://github.com/seerr-team/seerr/.github/workflows/release.yml@refs/tags/v.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+  </TabItem>
+</Tabs>
+
+## Verifying Signed Helm charts
+
+### Helm Chart Locations
+
+Official Seerr helm charts are available from:
+
+- GitHub Container Registry (GHCR): `ghcr.io/seerr-team/seerr/seerr-chart/seerr-chart:<tag>`
+
+You can view all available tags on the [Seerr Releases page](https://github.com/seerr-team/seerr/pkgs/container/seerr%2Fseerr-chart).
+
+---
+
+### Verifying a Specific Release Tag
+
+Each tagged release (for example `3.0.0`) is immutable and cryptographically signed.
+Verification should always be performed using the image digest (SHA256).
+
+#### Retrieve the Helm Chart Digest
+
+<Tabs groupId="verify-methods">
+  <TabItem value="docker" label="Docker">
+
+```bash
+docker buildx imagetools inspect ghcr.io/seerr-team/seerr/seerr-chart:3.0.0 --format '{{json .Manifest.Digest}}' | tr -d '"'
+```
+  </TabItem>
+
+  <TabItem value="podman" label="Podman / Skopeo">
+
+```bash
+skopeo inspect docker://ghcr.io/seerr-team/seerr/seerr-chart:3.0.0 --format '{{.Digest}}'
+```
+  </TabItem>
+</Tabs>
+
+Example output:
+
+```
+sha256:abcd1234...
+```
+
+---
+
+#### Verify the Helm Chart Signature
+
+```bash
+cosign verify ghcr.io/seerr-team/seerr/seerr-chart@sha256:abcd1234... \
+  --certificate-identity "https://github.com/seerr-team/seerr/.github/workflows/helm.yml@refs/heads/main" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+:::info Successful Verification Example
+Verification for `ghcr.io/seerr-team/seerr/seerr-chart@sha256:abcd1234...`
+
+The following checks were performed:
+
+- Cosign claims validated
+- Signatures verified against the transparency log
+- Certificate issued by Fulcio to the expected workflow identity
+:::
+
+---
+
+### Expected Certificate Identity
+
+The expected certificate identity for all signed Seerr images is:
+
+```
+https://github.com/seerr-team/seerr/.github/workflows/helm.yml@refs/heads/main
+```
+
+This confirms that the image was:
+
+- Built by the official Seerr Release workflow
+- Produced from the seerr-team/seerr repository
+- Signed using GitHub’s OIDC identity via Sigstore Fulcio
+
+---
+
+### Example: Full Verification Flow
+
+<Tabs groupId="verify-examples">
+  <TabItem value="docker" label="Docker">
+
+```bash
+DIGEST=$(docker buildx imagetools inspect ghcr.io/seerr-team/seerr/seerr-chart:3.0.0 --format '{{json .Manifest.Digest}}' | tr -d '"')
+
+cosign verify ghcr.io/seerr-team/seerr/seerr-chart@"$DIGEST" \
+  --certificate-identity-regexp "https://github.com/seerr-team/seerr/.github/workflows/helm.yml@refs/heads/main" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+
+cosign verify-attestation ghcr.io/seerr-team/seerr/seerr-chart@"$DIGEST" \
+  --type cyclonedx \
+  --certificate-identity-regexp "https://github.com/seerr-team/seerr/.github/workflows/helm.yml@refs/heads/main" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+  </TabItem>
+
+  <TabItem value="podman" label="Podman / Skopeo">
+
+```bash
+DIGEST=$(skopeo inspect docker://ghcr.io/seerr-team/seerr/seerr-chart:3.0.0 --format '{{.Digest}}')
+
+cosign verify ghcr.io/seerr-team/seerr/seerr-chart@"$DIGEST" \
+  --certificate-identity-regexp "https://github.com/seerr-team/seerr/.github/workflows/helm.yml@refs/heads/main" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+  </TabItem>
+</Tabs>
+
+---
+
+## Troubleshooting
+
+| Issue | Likely Cause | Suggested Fix |
+|-------|---------------|----------------|
+| `no matching signatures` | Incorrect digest or tag | Retrieve the digest again using Docker or Skopeo |
+| `certificate identity does not match expected` | Workflow reference changed | Ensure your `--certificate-identity` matches this documentation |
+| `cosign: command not found` | Cosign not installed | Install Cosign from the official release |
+| `certificate expired` | Old release | Verify a newer tag or digest |
+
+---
+
+## Further Reading
+
+- [Sigstore Documentation](https://docs.sigstore.dev)
+- [Cosign Verification Guide](https://docs.sigstore.dev/cosign/verifying/verify/)
+- [CycloneDX Specification](https://cyclonedx.org/specification/overview/)
+- [Trivy Documentation](https://trivy.dev/latest/docs/)
+- [Skopeo Documentation](https://github.com/containers/skopeo)
+- [Podman Documentation](https://podman.io/get-started/)
+- [Docker Documentation](https://docs.docker.com/)
+- [Seerr GitHub Repository](https://github.com/seerr-team/seerr)

docs/using-seerr/notifications/index.mdx

@@ -22,4 +22,4 @@ Users can customize their notification preferences in their own user notificatio
 
 ## Requesting New Notification Agents
 
-If we do not currently support your preferred notification agent, feel free to [submit a feature request on GitHub](https://github.com/fallenbagel/jellyseerr/issues). However, please be sure to search first and confirm that there is not already an existing request for the agent!
+If we do not currently support your preferred notification agent, feel free to [submit a feature request on GitHub](https://github.com/seerr-team/seerr/issues). However, please be sure to search first and confirm that there is not already an existing request for the agent!

docs/using-seerr/notifications/pushover.md

@@ -16,7 +16,7 @@ User notifications are separate from system notifications, and the available not
 
 ### Application/API Token
 
-[Register an application](https://pushover.net/apps/build) and enter the API token in this field. (You can use one of the [official icons in our GitHub repository](https://github.com/fallenbagel/jellyseerr/tree/develop/public) when configuring the application.)
+[Register an application](https://pushover.net/apps/build) and enter the API token in this field. (You can use one of the [official icons in our GitHub repository](https://github.com/seerr-team/seerr/tree/develop/public) when configuring the application.)
 
 For more details on registering applications or the API token, please see the [Pushover API documentation](https://pushover.net/api#registration).
 

gen-docs/blog/2025-09-29-introducing-jellyseerr-blog.md

@@ -1,24 +0,0 @@
----
-title: Welcome to the Jellyseerr Blog
-description: The official Jellyseerr blog for release notes, technical updates, and community news.
-slug: welcome
-authors: [fallenbagel, gauthier-th]
-tags: [announcement, jellyseerr, blog]
-image: https://raw.githubusercontent.com/fallenbagel/jellyseerr/refs/heads/develop/gen-docs/static/img/logo.svg
-hide_table_of_contents: false
----
-
-We are pleased to introduce the official Jellyseerr blog.
-
-This space will serve as the central place for:
-
-- Release announcements
-- Updates on new features and improvements
-- Technical articles, such as details on our [**DNS caching package**](https://github.com/jellyseerr/dns-caching) and other enhancements
-- Community-related news
-
-<!--truncate-->
-
-Our goal is to keep the community informed and provide deeper insights into the ongoing development of Jellyseerr.
-
-Thank you for being part of the Jellyseerr project. More updates will follow soon.

gen-docs/blog/2025-09-29-introducing-seerr-blog.md

@@ -0,0 +1,24 @@
+---
+title: Welcome to the Seerr Blog
+description: The official Seerr blog for release notes, technical updates, and community news.
+slug: welcome
+authors: [fallenbagel, gauthier-th]
+tags: [announcement, seerr, blog]
+image: https://raw.githubusercontent.com/seerr-team/seerr/refs/heads/develop/gen-docs/static/img/logo.svg
+hide_table_of_contents: false
+---
+
+We are pleased to introduce the official Seerr blog.
+
+This space will serve as the central place for:
+
+- Release announcements
+- Updates on new features and improvements
+- Technical articles, such as details on our [**DNS caching package**](https://github.com/seerr/dns-caching) and other enhancements
+- Community-related news
+
+<!--truncate-->
+
+Our goal is to keep the community informed and provide deeper insights into the ongoing development of Seerr.
+
+Thank you for being part of the Seerr project. More updates will follow soon.

gen-docs/src/components/SeerrVersion/index.tsx

@@ -7,7 +7,7 @@ export const SeerrVersion = () => {
     async function fetchVersion() {
       try {
         const response = await fetch(
-          'https://raw.githubusercontent.com/fallenbagel/jellyseerr/main/package.json'
+          'https://raw.githubusercontent.com/seerr-team/seerr/main/package.json'
         );
 
         const data = await response.json();

package.json

@@ -2,7 +2,7 @@
   "name": "seerr",
   "version": "0.1.0",
   "private": true,
-  "packageManager": "pnpm@10.17.1",
+  "packageManager": "pnpm@10.24.0",
   "scripts": {
     "preinstall": "npx only-allow pnpm",
     "postinstall": "node postinstall-win.js",
@@ -33,39 +33,38 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@dr.pogodin/csurf": "^1.14.1",
-    "@formatjs/intl-displaynames": "6.2.6",
+    "@dr.pogodin/csurf": "^1.16.6",
+    "@formatjs/intl-displaynames": "6.8.13",
     "@formatjs/intl-locale": "3.1.1",
-    "@formatjs/intl-pluralrules": "5.1.10",
+    "@formatjs/intl-pluralrules": "5.4.6",
     "@formatjs/intl-utils": "3.8.4",
     "@formatjs/swc-plugin-experimental": "^0.4.0",
     "@headlessui/react": "1.7.12",
-    "@heroicons/react": "2.0.16",
+    "@heroicons/react": "2.2.0",
     "@supercharge/request-ip": "1.2.0",
     "@svgr/webpack": "6.5.1",
-    "@tanem/react-nprogress": "5.0.30",
+    "@tanem/react-nprogress": "5.0.56",
     "@types/ua-parser-js": "^0.7.36",
     "@types/wink-jaro-distance": "^2.0.2",
-    "ace-builds": "1.15.2",
-    "axios": "1.10.0",
-    "axios-rate-limit": "1.3.0",
+    "ace-builds": "1.43.4",
+    "axios": "1.13.2",
+    "axios-rate-limit": "1.4.0",
     "bcrypt": "5.1.0",
-    "bowser": "2.11.0",
+    "bowser": "2.13.1",
     "connect-typeorm": "1.1.4",
     "cookie-parser": "1.4.7",
     "copy-to-clipboard": "3.3.3",
-    "country-flag-icons": "1.5.5",
+    "country-flag-icons": "1.6.4",
     "cronstrue": "2.23.0",
     "date-fns": "2.29.3",
-    "dayjs": "1.11.7",
+    "dayjs": "1.11.19",
     "dns-caching": "^0.2.7",
-    "email-templates": "12.0.1",
-    "email-validator": "2.0.4",
+    "email-templates": "12.0.3",
     "express": "4.21.2",
     "express-openapi-validator": "4.13.8",
     "express-rate-limit": "6.7.0",
-    "express-session": "1.17.3",
-    "formik": "^2.4.6",
+    "express-session": "1.18.2",
+    "formik": "^2.4.9",
     "gravatar-url": "3.1.0",
     "http-proxy-agent": "^7.0.2",
     "https-proxy-agent": "^7.0.6",
@@ -77,19 +76,19 @@
     "node-schedule": "2.1.1",
     "nodemailer": "6.10.0",
     "openpgp": "5.11.2",
-    "pg": "8.11.0",
+    "pg": "8.16.3",
     "plex-api": "5.3.2",
     "pug": "3.0.3",
     "react": "^18.3.1",
     "react-ace": "10.1.0",
     "react-animate-height": "2.1.2",
-    "react-aria": "3.23.0",
+    "react-aria": "3.44.0",
     "react-dom": "^18.3.1",
     "react-intersection-observer": "9.4.3",
     "react-intl": "^6.6.8",
     "react-markdown": "8.0.5",
     "react-popper-tooltip": "4.4.2",
-    "react-select": "5.7.0",
+    "react-select": "5.10.2",
     "react-spring": "9.7.1",
     "react-tailwindcss-datepicker-sct": "1.3.4",
     "react-toast-notifications": "2.5.1",
@@ -98,18 +97,19 @@
     "react-use-clipboard": "1.0.9",
     "reflect-metadata": "0.1.13",
     "secure-random-password": "0.2.3",
-    "semver": "7.7.1",
+    "semver": "7.7.3",
     "sharp": "^0.33.4",
     "sqlite3": "5.1.7",
     "swagger-ui-express": "4.6.2",
-    "swr": "2.2.5",
+    "swr": "2.3.7",
     "tailwind-merge": "^2.6.0",
     "typeorm": "0.3.12",
     "ua-parser-js": "^1.0.35",
-    "undici": "^7.3.0",
-    "web-push": "3.5.0",
+    "undici": "^7.16.0",
+    "validator": "^13.15.23",
+    "web-push": "3.6.7",
     "wink-jaro-distance": "^2.0.0",
-    "winston": "3.8.2",
+    "winston": "3.18.3",
     "winston-daily-rotate-file": "4.7.1",
     "xml2js": "0.4.23",
     "yamljs": "0.3.0",
@@ -123,31 +123,33 @@
     "@tailwindcss/forms": "0.5.10",
     "@tailwindcss/typography": "0.5.16",
     "@types/bcrypt": "5.0.0",
-    "@types/cookie-parser": "1.4.3",
-    "@types/country-flag-icons": "1.2.0",
-    "@types/csurf": "1.11.2",
+    "@types/cookie-parser": "1.4.10",
+    "@types/country-flag-icons": "1.2.2",
+    "@types/csurf": "1.11.5",
     "@types/email-templates": "8.0.4",
     "@types/express": "4.17.17",
-    "@types/express-session": "1.17.6",
-    "@types/lodash": "4.14.191",
+    "@types/express-session": "1.18.2",
+    "@types/lodash": "4.17.21",
     "@types/mime": "3",
     "@types/node": "22.10.5",
-    "@types/node-schedule": "2.1.0",
+    "@types/node-schedule": "2.1.8",
     "@types/nodemailer": "6.4.7",
     "@types/react": "^18.3.3",
     "@types/react-dom": "^18.3.0",
-    "@types/react-transition-group": "4.4.5",
+    "@types/react-transition-group": "4.4.12",
     "@types/secure-random-password": "0.2.1",
-    "@types/semver": "7.3.13",
-    "@types/swagger-ui-express": "4.1.3",
-    "@types/web-push": "3.3.2",
+    "@types/semver": "7.7.1",
+    "@types/swagger-ui-express": "4.1.8",
+    "@types/validator": "^13.15.10",
+    "@types/web-push": "3.6.4",
     "@types/xml2js": "0.4.11",
     "@types/yamljs": "0.2.31",
     "@types/yup": "0.29.14",
     "@typescript-eslint/eslint-plugin": "5.54.0",
     "@typescript-eslint/parser": "5.54.0",
-    "autoprefixer": "10.4.13",
-    "commitizen": "4.3.0",
+    "autoprefixer": "10.4.22",
+    "baseline-browser-mapping": "^2.8.32",
+    "commitizen": "4.3.1",
     "copyfiles": "2.4.1",
     "cy-mobile-commands": "0.3.0",
     "cypress": "14.1.0",
@@ -156,22 +158,22 @@
     "eslint-config-next": "^14.2.4",
     "eslint-config-prettier": "8.6.0",
     "eslint-plugin-formatjs": "4.9.0",
-    "eslint-plugin-jsx-a11y": "6.7.1",
-    "eslint-plugin-no-relative-import-paths": "1.5.2",
+    "eslint-plugin-jsx-a11y": "6.10.2",
+    "eslint-plugin-no-relative-import-paths": "1.6.1",
     "eslint-plugin-prettier": "4.2.1",
-    "eslint-plugin-react": "7.32.2",
+    "eslint-plugin-react": "7.37.5",
     "eslint-plugin-react-hooks": "4.6.0",
     "husky": "8.0.3",
     "lint-staged": "13.1.2",
-    "nodemon": "3.1.9",
-    "postcss": "8.4.31",
+    "nodemon": "3.1.11",
+    "postcss": "8.5.6",
     "prettier": "2.8.4",
     "prettier-plugin-organize-imports": "3.2.2",
     "prettier-plugin-tailwindcss": "0.2.3",
     "tailwindcss": "3.2.7",
-    "ts-node": "10.9.1",
-    "tsc-alias": "1.8.2",
-    "tsconfig-paths": "4.1.2",
+    "ts-node": "10.9.2",
+    "tsc-alias": "1.8.16",
+    "tsconfig-paths": "4.2.0",
     "typescript": "4.9.5"
   },
   "engines": {
@@ -180,7 +182,7 @@
   },
   "overrides": {
     "sqlite3/node-gyp": "8.4.1",
-    "@types/express-session": "1.17.6"
+    "@types/express-session": "1.18.2"
   },
   "config": {
     "commitizen": {
@@ -201,74 +203,13 @@
       "@commitlint/config-conventional"
     ]
   },
-  "release": {
-    "plugins": [
-      "@semantic-release/commit-analyzer",
-      "@semantic-release/release-notes-generator",
-      "@semantic-release/npm",
-      [
-        "@codedependant/semantic-release-docker",
-        {
-          "dockerArgs": {
-            "COMMIT_TAG": "${GITHUB_SHA}"
-          },
-          "dockerLogin": false,
-          "dockerProject": "fallenbagel",
-          "dockerImage": "jellyseerr",
-          "dockerTags": [
-            "latest",
-            "{{major}}",
-            "{{major}}.{{minor}}",
-            "{{major}}.{{minor}}.{{patch}}"
-          ],
-          "dockerPlatform": [
-            "linux/amd64",
-            "linux/arm64"
-          ]
-        }
-      ],
-      [
-        "@codedependant/semantic-release-docker",
-        {
-          "dockerArgs": {
-            "COMMIT_TAG": "${GITHUB_SHA}"
-          },
-          "dockerLogin": false,
-          "dockerRegistry": "ghcr.io",
-          "dockerProject": "fallenbagel",
-          "dockerImage": "jellyseerr",
-          "dockerTags": [
-            "latest",
-            "{{major}}",
-            "{{major}}.{{minor}}",
-            "{{major}}.{{minor}}.{{patch}}"
-          ],
-          "dockerPlatform": [
-            "linux/amd64",
-            "linux/arm64"
-          ]
-        }
-      ],
-      [
-        "@semantic-release/github",
-        {
-          "addReleases": "bottom"
-        }
-      ]
-    ],
-    "branches": [
-      "main"
-    ],
-    "npmPublish": false,
-    "publish": [
-      "@codedependant/semantic-release-docker",
-      "@semantic-release/github"
-    ]
-  },
   "pnpm": {
     "onlyBuiltDependencies": [
-      "sqlite3",
-      "bcrypt"
+      "@swc/core",
+      "bcrypt",
+      "cypress",
+      "sharp",
+      "sqlite3"
     ]
   }
 }

seerr-api.yml

@@ -2339,8 +2339,12 @@ paths:
                   properties:
                     username:
                       type: string
-                    userId:
-                      type: integer
+                    id:
+                      type: string
+                    thumb:
+                      type: string
+                    email:
+                      type: string
   /settings/jellyfin/sync:
     get:
       summary: Get status of full Jellyfin library sync
@@ -6908,6 +6912,10 @@ paths:
                 is4k:
                   type: boolean
                   example: false
+                  description: |
+                    When true, updates the 4K status field (status4k).
+                    When false or not provided, updates the regular status field (status).
+                    This applies to all status values (available, partial, processing, pending, unknown).
       responses:
         '200':
           description: Returned media

server/api/jellyfin.ts

@@ -112,6 +112,10 @@ export interface JellyfinLibraryItemExtended extends JellyfinLibraryItem {
   DateCreated?: string;
 }
 
+type EpisodeReturn<T> = T extends { includeMediaInfo: true }
+  ? JellyfinLibraryItemExtended[]
+  : JellyfinLibraryItem[];
+
 export interface JellyfinItemsReponse {
   Items: JellyfinLibraryItemExtended[];
   TotalRecordCount: number;
@@ -145,7 +149,7 @@ class JellyfinAPI extends ExternalAPI {
       {},
       {
         headers: {
-          'X-Emby-Authorization': authHeaderVal,
+          Authorization: authHeaderVal,
           'Content-Type': 'application/json',
           Accept: 'application/json',
         },
@@ -415,13 +419,22 @@ class JellyfinAPI extends ExternalAPI {
     }
   }
 
-  public async getEpisodes(
+  public async getEpisodes<
+    T extends { includeMediaInfo?: boolean } | undefined = undefined
+  >(
     seriesID: string,
-    seasonID: string
-  ): Promise<JellyfinLibraryItem[]> {
+    seasonID: string,
+    options?: T
+  ): Promise<EpisodeReturn<T>> {
     try {
       const episodeResponse = await this.get<any>(
-        `/Shows/${seriesID}/Episodes?seasonId=${seasonID}`
+        `/Shows/${seriesID}/Episodes`,
+        {
+          params: {
+            seasonId: seasonID,
+            ...(options?.includeMediaInfo && { fields: 'MediaSources' }),
+          },
+        }
       );
 
       return episodeResponse.Items.filter(

server/api/themoviedb/index.ts

@@ -73,6 +73,7 @@ export interface TmdbCertificationResponse {
 interface DiscoverMovieOptions {
   page?: number;
   includeAdult?: boolean;
+  includeVideo?: boolean;
   language?: string;
   primaryReleaseDateGte?: string;
   primaryReleaseDateLte?: string;
@@ -490,6 +491,7 @@ class TheMovieDb extends ExternalAPI implements TvShowProvider {
     sortBy = 'popularity.desc',
     page = 1,
     includeAdult = false,
+    includeVideo = true,
     language = this.locale,
     primaryReleaseDateGte,
     primaryReleaseDateLte,
@@ -527,6 +529,7 @@ class TheMovieDb extends ExternalAPI implements TvShowProvider {
           sort_by: sortBy,
           page,
           include_adult: includeAdult,
+          include_video: includeVideo,
           language,
           region: this.discoverRegion || '',
           with_original_language:

server/datasource.ts

@@ -77,7 +77,7 @@ const postgresDevConfig: DataSourceOptions = {
   database: process.env.DB_NAME ?? 'seerr',
   ssl: buildSslConfig(),
   synchronize: false,
-  migrationsRun: false,
+  migrationsRun: true,
   logging: boolFromEnv('DB_LOG_QUERIES'),
   entities: ['server/entity/**/*.ts'],
   migrations: ['server/migration/postgres/**/*.ts'],

server/lib/downloadtracker.ts

@@ -56,6 +56,7 @@ class DownloadTracker {
 
   public async resetDownloadTracker() {
     this.radarrServers = {};
+    this.sonarrServers = {};
   }
 
   public updateDownloads() {

server/lib/notifications/agents/email.ts

@@ -7,8 +7,8 @@ import type { NotificationAgentEmail } from '@server/lib/settings';
 import { getSettings, NotificationAgentKey } from '@server/lib/settings';
 import logger from '@server/logger';
 import type { EmailOptions } from 'email-templates';
-import * as EmailValidator from 'email-validator';
 import path from 'path';
+import validator from 'validator';
 import { Notification, shouldSendAdminNotification } from '..';
 import type { NotificationAgent, NotificationPayload } from './agent';
 import { BaseAgent } from './agent';
@@ -221,7 +221,9 @@ class EmailAgent
             this.getSettings(),
             payload.notifyUser.settings?.pgpKey
           );
-          if (EmailValidator.validate(payload.notifyUser.email)) {
+          if (
+            validator.isEmail(payload.notifyUser.email, { require_tld: false })
+          ) {
             await email.send(
               this.buildMessage(
                 type,
@@ -283,7 +285,7 @@ class EmailAgent
                 this.getSettings(),
                 user.settings?.pgpKey
               );
-              if (EmailValidator.validate(user.email)) {
+              if (validator.isEmail(user.email, { require_tld: false })) {
                 await email.send(
                   this.buildMessage(type, payload, user.email, user.displayName)
                 );

server/lib/overseerrMerge.ts

@@ -97,6 +97,13 @@ const checkOverseerrMerge = async (): Promise<boolean> => {
       media.status = 7;
       await mediaRepository.save(media);
     }
+    const media4kToUpdate = await mediaRepository.find({
+      where: { status4k: 6 },
+    });
+    for (const media of media4kToUpdate) {
+      media.status4k = 7;
+      await mediaRepository.save(media);
+    }
   } catch (error) {
     logger.error('Failed to update Media status from Blacklisted to Deleted', {
       label: 'Seerr Migration',

server/lib/scanners/jellyfin/index.ts

@@ -374,9 +374,10 @@ class JellyfinScanner {
             ) ?? []
           ).length;
 
+          const jellyfinSeasons = await this.jfClient.getSeasons(Id);
+
           for (const season of seasons) {
-            const JellyfinSeasons = await this.jfClient.getSeasons(Id);
-            const matchedJellyfinSeason = JellyfinSeasons.find((md) => {
+            const matchedJellyfinSeason = jellyfinSeasons.find((md) => {
               if (tvdbSeasonFromAnidb) {
                 // In AniDB we don't have the concept of seasons,
                 // we have multiple shows with only Season 1 (and sometimes a season with index 0 for specials).
@@ -397,38 +398,52 @@ class JellyfinScanner {
 
             // Check if we found the matching season and it has all the available episodes
             if (matchedJellyfinSeason) {
-              // If we have a matched Jellyfin season, get its children metadata so we can check details
-              const episodes = await this.jfClient.getEpisodes(
-                Id,
-                matchedJellyfinSeason.Id
-              );
-
-              //Get count of episodes that are HD and 4K
               let totalStandard = 0;
               let total4k = 0;
 
-              //use for loop to make sure this loop _completes_ in full
-              //before the next section
-              for (const episode of episodes) {
-                let episodeCount = 1;
+              if (!this.enable4kShow) {
+                const episodes = await this.jfClient.getEpisodes(
+                  Id,
+                  matchedJellyfinSeason.Id
+                );
 
-                // count number of combined episodes
-                if (
-                  episode.IndexNumber !== undefined &&
-                  episode.IndexNumberEnd !== undefined
-                ) {
-                  episodeCount =
-                    episode.IndexNumberEnd - episode.IndexNumber + 1;
-                }
+                for (const episode of episodes) {
+                  let episodeCount = 1;
+
+                  // count number of combined episodes
+                  if (
+                    episode.IndexNumber !== undefined &&
+                    episode.IndexNumberEnd !== undefined
+                  ) {
+                    episodeCount =
+                      episode.IndexNumberEnd - episode.IndexNumber + 1;
+                  }
 
-                if (!this.enable4kShow) {
                   totalStandard += episodeCount;
-                } else {
-                  const ExtendedEpisodeData = await this.jfClient.getItemData(
-                    episode.Id
-                  );
+                }
+              } else {
+                // 4K detection enabled - request media info to check resolution
+                const episodes = await this.jfClient.getEpisodes(
+                  Id,
+                  matchedJellyfinSeason.Id,
+                  { includeMediaInfo: true }
+                );
 
-                  ExtendedEpisodeData?.MediaSources?.some((MediaSource) => {
+                for (const episode of episodes) {
+                  let episodeCount = 1;
+
+                  // count number of combined episodes
+                  if (
+                    episode.IndexNumber !== undefined &&
+                    episode.IndexNumberEnd !== undefined
+                  ) {
+                    episodeCount =
+                      episode.IndexNumberEnd - episode.IndexNumber + 1;
+                  }
+
+                  // MediaSources field is included in response when includeMediaInfo is true
+                  // We iterate all MediaSources to detect if episode has both standard AND 4K versions
+                  episode.MediaSources?.some((MediaSource) => {
                     return MediaSource.MediaStreams.some((MediaStream) => {
                       if (MediaStream.Type === 'Video') {
                         if ((MediaStream.Width ?? 0) >= 2000) {

server/routes/auth.ts

@@ -15,9 +15,9 @@ import { ApiError } from '@server/types/error';
 import { getAppVersion } from '@server/utils/appVersion';
 import { getHostname } from '@server/utils/getHostname';
 import axios from 'axios';
-import * as EmailValidator from 'email-validator';
 import { Router } from 'express';
 import net from 'net';
+import validator from 'validator';
 
 const authRoutes = Router();
 
@@ -37,7 +37,7 @@ authRoutes.get('/me', isAuthenticated(), async (req, res) => {
   const settings = await getSettings();
   if (
     settings.notifications.agents.email.options.userEmailRequired &&
-    !EmailValidator.validate(user.email)
+    !validator.isEmail(user.email, { require_tld: false })
   ) {
     user.warnings.push('userEmailRequired');
     logger.warn(`User ${user.username} has no valid email address`);

server/routes/media.ts

@@ -112,7 +112,7 @@ mediaRoutes.post<
       return next({ status: 404, message: 'Media does not exist.' });
     }
 
-    const is4k = Boolean(req.body.is4k);
+    const is4k = String(req.body.is4k) === 'true';
 
     switch (req.params.status) {
       case 'available':
@@ -145,16 +145,16 @@ mediaRoutes.post<
             message: 'Only series can be set to be partially available',
           });
         }
-        media.status = MediaStatus.PARTIALLY_AVAILABLE;
+        media[is4k ? 'status4k' : 'status'] = MediaStatus.PARTIALLY_AVAILABLE;
         break;
       case 'processing':
-        media.status = MediaStatus.PROCESSING;
+        media[is4k ? 'status4k' : 'status'] = MediaStatus.PROCESSING;
         break;
       case 'pending':
-        media.status = MediaStatus.PENDING;
+        media[is4k ? 'status4k' : 'status'] = MediaStatus.PENDING;
         break;
       case 'unknown':
-        media.status = MediaStatus.UNKNOWN;
+        media[is4k ? 'status4k' : 'status'] = MediaStatus.UNKNOWN;
     }
 
     await mediaRepository.save(media);
@@ -198,7 +198,7 @@ mediaRoutes.delete(
         where: { id: Number(req.params.id) },
       });
 
-      const is4k = req.query.is4k === 'true';
+      const is4k = String(req.query.is4k) === 'true';
       const isMovie = media.mediaType === MediaType.MOVIE;
 
       let serviceSettings;
@@ -212,18 +212,19 @@ mediaRoutes.delete(
         );
       }
 
+      const specificServiceId = is4k ? media.serviceId4k : media.serviceId;
       if (
-        media.serviceId &&
-        media.serviceId >= 0 &&
-        serviceSettings?.id !== media.serviceId
+        specificServiceId &&
+        specificServiceId >= 0 &&
+        serviceSettings?.id !== specificServiceId
       ) {
         if (isMovie) {
           serviceSettings = settings.radarr.find(
-            (radarr) => radarr.id === media.serviceId
+            (radarr) => radarr.id === specificServiceId
           );
         } else {
           serviceSettings = settings.sonarr.find(
-            (sonarr) => sonarr.id === media.serviceId
+            (sonarr) => sonarr.id === specificServiceId
           );
         }
       }
@@ -257,13 +258,7 @@ mediaRoutes.delete(
       }
 
       if (isMovie) {
-        await (service as RadarrAPI).removeMovie(
-          parseInt(
-            is4k
-              ? (media.externalServiceSlug4k as string)
-              : (media.externalServiceSlug as string)
-          )
-        );
+        await (service as RadarrAPI).removeMovie(media.tmdbId);
       } else {
         const tmdb = new TheMovieDb();
         const series = await tmdb.getTvShow({ tvId: media.tmdbId });

server/routes/user/index.ts

@@ -269,16 +269,20 @@ router.delete<{ userId: number; endpoint: string }>(
     try {
       const userPushSubRepository = getRepository(UserPushSubscription);
 
-      const userPushSub = await userPushSubRepository.findOneOrFail({
-        relations: {
-          user: true,
-        },
+      const userPushSub = await userPushSubRepository.findOne({
+        relations: { user: true },
         where: {
           user: { id: req.params.userId },
           endpoint: req.params.endpoint,
         },
       });
 
+      // If not found, just return 204 to prevent push disable failure
+      // (rare scenario where user push sub does not exist)
+      if (!userPushSub) {
+        return res.status(204).send();
+      }
+
       await userPushSubRepository.remove(userPushSub);
       return res.status(204).send();
     } catch (e) {

src/components/Blacklist/index.tsx

@@ -354,7 +354,7 @@ const BlacklistedItem = ({ item, revalidateList }: BlacklistedItemProps) => {
               src={
                 title?.posterPath
                   ? `https://image.tmdb.org/t/p/w600_and_h900_bestv2${title.posterPath}`
-                  : '/images/jellyseerr_poster_not_found.png'
+                  : '/images/seerr_poster_not_found.png'
               }
               alt=""
               sizes="100vw"

src/components/CollectionDetails/index.tsx

@@ -233,7 +233,7 @@ const CollectionDetails = ({ collection }: CollectionDetailsProps) => {
             src={
               data.posterPath
                 ? `https://image.tmdb.org/t/p/w600_and_h900_bestv2${data.posterPath}`
-                : '/images/jellyseerr_poster_not_found.png'
+                : '/images/seerr_poster_not_found.png'
             }
             alt=""
             sizes="100vw"

src/components/Common/LabeledCheckbox/index.tsx

@@ -25,7 +25,7 @@ const LabeledCheckbox: React.FC<LabeledCheckboxProps> = ({
           <Field type="checkbox" id={id} name={id} onChange={onChange} />
         </div>
         <div className="ml-3 text-sm leading-6">
-          <label htmlFor="localLogin" className="block">
+          <label htmlFor="localLogin" className="block" aria-label={label}>
             <div className="flex flex-col">
               <span className="font-medium text-white">{label}</span>
               <span className="font-normal text-gray-400">{description}</span>

src/components/IssueDetails/index.tsx

@@ -232,7 +232,7 @@ const IssueDetails = () => {
             src={
               data.posterPath
                 ? `https://image.tmdb.org/t/p/w600_and_h900_bestv2${data.posterPath}`
-                : '/images/jellyseerr_poster_not_found.png'
+                : '/images/seerr_poster_not_found.png'
             }
             alt=""
             sizes="100vw"

src/components/IssueList/IssueItem/index.tsx

@@ -151,7 +151,7 @@ const IssueItem = ({ issue }: IssueItemProps) => {
               src={
                 title.posterPath
                   ? `https://image.tmdb.org/t/p/w600_and_h900_bestv2${title.posterPath}`
-                  : '/images/jellyseerr_poster_not_found.png'
+                  : '/images/seerr_poster_not_found.png'
               }
               alt=""
               sizes="100vw"

src/components/Login/AddEmailModal.tsx

@@ -5,6 +5,7 @@ import { Transition } from '@headlessui/react';
 import axios from 'axios';
 import { Field, Formik } from 'formik';
 import { useIntl } from 'react-intl';
+import validator from 'validator';
 import * as Yup from 'yup';
 
 const messages = defineMessages('components.Login', {
@@ -36,7 +37,11 @@ const AddEmailModal: React.FC<AddEmailModalProps> = ({
 
   const EmailSettingsSchema = Yup.object().shape({
     email: Yup.string()
-      .email(intl.formatMessage(messages.validationEmailFormat))
+      .test(
+        'email',
+        intl.formatMessage(messages.validationEmailFormat),
+        (value) => !value || validator.isEmail(value, { require_tld: false })
+      )
       .required(intl.formatMessage(messages.validationEmailRequired)),
   });
 

src/components/ManageSlideOver/index.tsx

@@ -150,6 +150,31 @@ const ManageSlideOver = ({
     return false;
   };
 
+  const isDefault4kService = () => {
+    if (data.mediaInfo) {
+      if (data.mediaInfo.mediaType === MediaType.MOVIE) {
+        return (
+          radarrData?.find(
+            (radarr) =>
+              radarr.isDefault &&
+              radarr.is4k &&
+              radarr.id === data.mediaInfo?.serviceId4k
+          ) !== undefined
+        );
+      } else {
+        return (
+          sonarrData?.find(
+            (sonarr) =>
+              sonarr.isDefault &&
+              sonarr.is4k &&
+              sonarr.id === data.mediaInfo?.serviceId4k
+          ) !== undefined
+        );
+      }
+    }
+    return false;
+  };
+
   const markAvailable = async (is4k = false) => {
     if (data.mediaInfo) {
       await axios.post(`/api/v1/media/${data.mediaInfo?.id}/available`, {
@@ -572,7 +597,7 @@ const ManageSlideOver = ({
                         </span>
                       </Button>
                     </a>
-                    {isDefaultService() && (
+                    {isDefault4kService() && (
                       <div>
                         <ConfirmButton
                           onClick={() => deleteMediaFile(true)}

src/components/MovieDetails/index.tsx

@@ -490,7 +490,7 @@ const MovieDetails = ({ movie }: MovieDetailsProps) => {
             src={
               data.posterPath
                 ? `https://image.tmdb.org/t/p/w600_and_h900_bestv2${data.posterPath}`
-                : '/images/jellyseerr_poster_not_found.png'
+                : '/images/seerr_poster_not_found.png'
             }
             alt=""
             sizes="100vw"

src/components/NotificationTypeSelector/NotificationType/index.tsx

@@ -46,7 +46,7 @@ const NotificationType = ({
           />
         </div>
         <div className="ml-3 text-sm leading-6">
-          <label htmlFor={option.id} className="block">
+          <label htmlFor={option.id} className="block" aria-label={option.name}>
             <div className="flex flex-col">
               <span className="font-medium text-white">{option.name}</span>
               <span className="font-normal text-gray-400">

src/components/PermissionOption/index.tsx

@@ -123,7 +123,7 @@ const PermissionOption = ({
           />
         </div>
         <div className="ml-3 text-sm leading-6">
-          <label htmlFor={option.id} className="block">
+          <label htmlFor={option.id} className="block" aria-label={option.name}>
             <div className="flex flex-col">
               <span className="font-medium text-white">{option.name}</span>
               <span className="font-normal text-gray-400">

src/components/PersonDetails/index.tsx

@@ -292,6 +292,7 @@ const PersonDetails = () => {
               </div>
             )}
           </div>
+          <div className="lg:hidden">{mediaTypePicker}</div>
           {data.biography && (
             <div className="relative text-left">
               {/* eslint-disable-next-line jsx-a11y/click-events-have-key-events */}
@@ -314,7 +315,6 @@ const PersonDetails = () => {
           )}
         </div>
       </div>
-      <div className="lg:hidden">{mediaTypePicker}</div>
       {data.knownForDepartment === 'Acting' ? [cast, crew] : [crew, cast]}
       {isLoading && <LoadingSpinner />}
     </>

src/components/RequestCard/index.tsx

@@ -617,7 +617,7 @@ const RequestCard = ({ request, onTitleData }: RequestCardProps) => {
             src={
               title.posterPath
                 ? `https://image.tmdb.org/t/p/w600_and_h900_bestv2${title.posterPath}`
-                : '/images/jellyseerr_poster_not_found.png'
+                : '/images/seerr_poster_not_found.png'
             }
             alt=""
             sizes="100vw"

src/components/RequestList/RequestItem/index.tsx

@@ -440,7 +440,7 @@ const RequestItem = ({ request, revalidateList }: RequestItemProps) => {
                 src={
                   title.posterPath
                     ? `https://image.tmdb.org/t/p/w600_and_h900_bestv2${title.posterPath}`
-                    : '/images/jellyseerr_poster_not_found.png'
+                    : '/images/seerr_poster_not_found.png'
                 }
                 alt=""
                 sizes="100vw"

src/components/RequestModal/CollectionRequestModal.tsx

@@ -450,7 +450,7 @@ const CollectionRequestModal = ({
                                 src={
                                   part.posterPath
                                     ? `https://image.tmdb.org/t/p/w600_and_h900_bestv2${part.posterPath}`
-                                    : '/images/jellyseerr_poster_not_found.png'
+                                    : '/images/seerr_poster_not_found.png'
                                 }
                                 alt=""
                                 sizes="100vw"

src/components/RequestModal/SearchByNameModal/index.tsx

@@ -92,8 +92,7 @@ const SearchByNameModal = ({
                 <CachedImage
                   type="tvdb"
                   src={
-                    item.remotePoster ??
-                    '/images/jellyseerr_poster_not_found.png'
+                    item.remotePoster ?? '/images/seerr_poster_not_found.png'
                   }
                   alt={item.title}
                   className="w-100 h-auto rounded-md"

src/components/ResetPassword/RequestResetLink.tsx

@@ -10,6 +10,7 @@ import Image from 'next/image';
 import Link from 'next/link';
 import { useState } from 'react';
 import { useIntl } from 'react-intl';
+import validator from 'validator';
 import * as Yup from 'yup';
 
 const messages = defineMessages('components.ResetPassword', {
@@ -29,7 +30,11 @@ const ResetPassword = () => {
 
   const ResetSchema = Yup.object().shape({
     email: Yup.string()
-      .email(intl.formatMessage(messages.validationemailrequired))
+      .test(
+        'email',
+        intl.formatMessage(messages.validationemailrequired),
+        (value) => !value || validator.isEmail(value, { require_tld: false })
+      )
       .required(intl.formatMessage(messages.validationemailrequired)),
   });
 

src/components/Selector/index.tsx

@@ -12,7 +12,6 @@ import type {
   TmdbGenre,
   TmdbKeywordSearchResponse,
 } from '@server/api/themoviedb/interfaces';
-import type { GenreSliderItem } from '@server/interfaces/api/discoverInterfaces';
 import type { UserResultsResponse } from '@server/interfaces/api/userInterfaces';
 import type {
   Keyword,
@@ -185,9 +184,7 @@ export const GenreSelector = ({
   }, [defaultValue, type]);
 
   const loadGenreOptions = async (inputValue: string) => {
-    const results = await axios.get<GenreSliderItem[]>(
-      `/api/v1/discover/genreslider/${type}`
-    );
+    const results = await axios.get<TmdbGenre[]>(`/api/v1/genres/${type}`);
 
     return results.data
       .map((result) => ({
@@ -201,7 +198,7 @@ export const GenreSelector = ({
 
   return (
     <AsyncSelect
-      key={`genre-select-${defaultDataValue}`}
+      key={`genre-select-${type}-${defaultDataValue}`}
       className="react-select-container"
       classNamePrefix="react-select"
       defaultValue={isMulti ? defaultDataValue : defaultDataValue?.[0]}

src/components/Settings/Notifications/NotificationsEmail.tsx

@@ -11,6 +11,7 @@ import { useState } from 'react';
 import { useIntl } from 'react-intl';
 import { useToasts } from 'react-toast-notifications';
 import useSWR, { mutate } from 'swr';
+import validator from 'validator';
 import * as Yup from 'yup';
 
 const messages = defineMessages('components.Settings.Notifications', {
@@ -77,7 +78,11 @@ const NotificationsEmail = () => {
             .required(intl.formatMessage(messages.validationEmail)),
           otherwise: Yup.string().nullable(),
         })
-        .email(intl.formatMessage(messages.validationEmail)),
+        .test(
+          'email',
+          intl.formatMessage(messages.validationEmail),
+          (value) => !value || validator.isEmail(value, { require_tld: false })
+        ),
       smtpHost: Yup.string().when('enabled', {
         is: true,
         then: Yup.string()

src/components/Settings/Notifications/NotificationsWebhook/index.tsx

@@ -288,7 +288,7 @@ const NotificationsWebhook = () => {
             {values.supportVariables && (
               <div className="mt-2">
                 <Link
-                  href="https://docs.seerr.dev/using-jellyseerr/notifications/webhook#template-variables"
+                  href="https://docs.seerr.dev/using-seerr/notifications/webhook#template-variables"
                   passHref
                   legacyBehavior
                 >
@@ -376,7 +376,7 @@ const NotificationsWebhook = () => {
                     <span>{intl.formatMessage(messages.resetPayload)}</span>
                   </Button>
                   <Link
-                    href="https://docs.seerr.dev/using-jellyseerr/notifications/webhook#template-variables"
+                    href="https://docs.seerr.dev/using-seerr/notifications/webhook#template-variables"
                     passHref
                     legacyBehavior
                   >

src/components/Settings/OverrideRule/OverrideRuleModal.tsx

@@ -337,7 +337,13 @@ const OverrideRuleModal = ({
                   <div className="form-input-area">
                     <div className="form-input-field">
                       <GenreSelector
-                        type={values.radarrServiceId ? 'movie' : 'tv'}
+                        type={
+                          values.radarrServiceId != null
+                            ? 'movie'
+                            : values.sonarrServiceId != null
+                            ? 'tv'
+                            : 'tv'
+                        }
                         defaultValue={values.genre}
                         isMulti
                         isDisabled={!isValidated || isTesting}

src/components/Setup/JellyfinSetup.tsx

@@ -8,6 +8,7 @@ import axios from 'axios';
 import { Field, Form, Formik } from 'formik';
 import { FormattedMessage, useIntl } from 'react-intl';
 import { useToasts } from 'react-toast-notifications';
+import validator from 'validator';
 import * as Yup from 'yup';
 
 const messages = defineMessages('components.Login', {
@@ -90,7 +91,11 @@ function JellyfinSetup({
         (value) => !value || !value.endsWith('/')
       ),
     email: Yup.string()
-      .email(intl.formatMessage(messages.validationemailformat))
+      .test(
+        'email',
+        intl.formatMessage(messages.validationemailformat),
+        (value) => !value || validator.isEmail(value, { require_tld: false })
+      )
       .required(intl.formatMessage(messages.validationemailrequired)),
     username: Yup.string().required(
       intl.formatMessage(messages.validationusernamerequired)

src/components/TitleCard/index.tsx

@@ -335,7 +335,7 @@ const TitleCard = ({
             src={
               image
                 ? `https://image.tmdb.org/t/p/w300_and_h450_face${image}`
-                : `/images/jellyseerr_poster_not_found_logo_top.png`
+                : `/images/seerr_poster_not_found_logo_top.png`
             }
             style={{ width: '100%', height: '100%', objectFit: 'cover' }}
             fill

src/components/TvDetails/index.tsx

@@ -532,7 +532,7 @@ const TvDetails = ({ tv }: TvDetailsProps) => {
             src={
               data.posterPath
                 ? `https://image.tmdb.org/t/p/w600_and_h900_bestv2${data.posterPath}`
-                : '/images/jellyseerr_poster_not_found.png'
+                : '/images/seerr_poster_not_found.png'
             }
             alt=""
             sizes="100vw"

src/components/UserList/index.tsx

@@ -36,6 +36,7 @@ import { useEffect, useState } from 'react';
 import { useIntl } from 'react-intl';
 import { useToasts } from 'react-toast-notifications';
 import useSWR from 'swr';
+import validator from 'validator';
 import * as Yup from 'yup';
 import JellyfinImportModal from './JellyfinImportModal';
 
@@ -210,7 +211,11 @@ const UserList = () => {
     ),
     email: Yup.string()
       .required()
-      .email(intl.formatMessage(messages.validationEmail)),
+      .test(
+        'email',
+        intl.formatMessage(messages.validationEmail),
+        (value) => !value || validator.isEmail(value, { require_tld: false })
+      ),
     password: Yup.lazy((value) =>
       !value
         ? Yup.string()

src/components/UserProfile/UserSettings/UserGeneralSettings/index.tsx

@@ -23,6 +23,7 @@ import { useEffect, useState } from 'react';
 import { useIntl } from 'react-intl';
 import { useToasts } from 'react-toast-notifications';
 import useSWR from 'swr';
+import validator from 'validator';
 import * as Yup from 'yup';
 
 const messages = defineMessages(
@@ -105,10 +106,18 @@ const UserGeneralSettings = () => {
       user?.id === 1 ||
       (user?.userType !== UserType.JELLYFIN && user?.userType !== UserType.EMBY)
         ? Yup.string()
-            .email(intl.formatMessage(messages.validationemailformat))
+            .test(
+              'email',
+              intl.formatMessage(messages.validationemailformat),
+              (value) =>
+                !value || validator.isEmail(value, { require_tld: false })
+            )
             .required(intl.formatMessage(messages.validationemailrequired))
-        : Yup.string().email(
-            intl.formatMessage(messages.validationemailformat)
+        : Yup.string().test(
+            'email',
+            intl.formatMessage(messages.validationemailformat),
+            (value) =>
+              !value || validator.isEmail(value, { require_tld: false })
           ),
     discordId: Yup.string()
       .nullable()

src/components/UserProfile/UserSettings/UserNotificationSettings/UserNotificationsWebPush/index.tsx

@@ -111,6 +111,11 @@ const UserWebPushSettings = () => {
     try {
       await unsubscribeToPushNotifications(user?.id, endpoint);
 
+      // Delete from backend if endpoint is available
+      if (subEndpoint) {
+        await deletePushSubscriptionFromBackend(subEndpoint);
+      }
+
       localStorage.setItem('pushNotificationsEnabled', 'false');
       setWebPushEnabled(false);
       addToast(intl.formatMessage(messages.webpushhasbeendisabled), {

src/hooks/useUser.ts

@@ -2,6 +2,7 @@ import { UserType } from '@server/constants/user';
 import type { PermissionCheckOptions } from '@server/lib/permissions';
 import { hasPermission, Permission } from '@server/lib/permissions';
 import type { NotificationAgentKey } from '@server/lib/settings';
+import { useRouter } from 'next/router';
 import type { MutatorCallback } from 'swr';
 import useSWR from 'swr';
 
@@ -56,13 +57,21 @@ export const useUser = ({
   id,
   initialData,
 }: { id?: number; initialData?: User } = {}): UserHookResponse => {
+  const router = useRouter();
+  const isAuthPage = /^\/(login|setup|resetpassword(?:\/|$))/.test(
+    router.pathname
+  );
+
   const {
     data,
     error,
     mutate: revalidate,
   } = useSWR<User>(id ? `/api/v1/user/${id}` : `/api/v1/auth/me`, {
     fallbackData: initialData,
-    refreshInterval: 30000,
+    refreshInterval: !isAuthPage ? 30000 : 0,
+    revalidateOnFocus: !isAuthPage,
+    revalidateOnMount: !isAuthPage,
+    revalidateOnReconnect: !isAuthPage,
     errorRetryInterval: 30000,
     shouldRetryOnError: false,
   });

src/utils/plex.ts

@@ -63,7 +63,7 @@ class PlexOAuth {
       'X-Plex-Client-Identifier': clientId,
       'X-Plex-Model': 'Plex OAuth',
       'X-Plex-Platform': browser.getBrowserName(),
-      'X-Plex-Platform-Version': browser.getBrowserVersion(),
+      'X-Plex-Platform-Version': browser.getBrowserVersion() || 'Unknown',
       'X-Plex-Device': browser.getOSName(),
       'X-Plex-Device-Name': `${browser.getBrowserName()} (Seerr)`,
       'X-Plex-Device-Screen-Resolution':