This release includes nine security hardening items of interest to teams running exposed deployments.
ReleasePort's take
Version v1.3.0 updates dependencies to fix the 11 May urllib3 CVE and adds hardening for remote URL handling.
Why it matters: Patch promptly. The release resolves a urllib3 CVE (dated 11 May; the changelog states neither the identifier nor the severity) and closes several gaps in remote-URL fetching, path resolution, and download/queue authorization.
Summary
AI summary: Updated dependencies fix an 11 May urllib3 CVE and harden remote URL handling.
Changes in this release
| Type | Severity | Summary | CVE | Confidence |
|---|---|---|---|---|
| Security | Medium | Hardened cover-image fetching and download prefetch flows against unsafe remote URLs, redirects, and untrusted origins | — | high |
| Security | Medium | Tightened download and queue authorization, including queue ownership checks, release-source availability checks, and request policy source validation | — | high |
| Security | Medium | Contained remote path mappings and qBittorrent fallback path handling to prevent unsafe path resolution | — | high |
| Security | Medium | Validated IRC DCC offers and AudiobookBay detail URLs before using them | — | high |
| Security | Medium | Redacted release URLs more safely in Newznab/Prowlarr download flows | — | high |
| Security | Medium | Updated frontend, Python, and CodeQL dependencies, including fixing an 11 May urllib3 CVE | — (identifier not stated in the changelog) | low |
| Breaking | Medium | Required verified OIDC email claims before linking external identities to existing accounts | — | low |
| Feature | Medium | Added DISABLE_LOCAL_AUTH environment variable for OIDC-only configs | — | high |
| Feature | Medium | Streamed archive extraction instead of loading archive contents into memory | — | high |
| Security | Medium | Pinned Docker base image digests and removed installer tooling from runtime images | — | high |
| Performance | Medium | Improved download copy/hardlink handling on FUSE & NFS | — | high |
| Security | Medium | Made container startup fail closed when the config directory remains unwritable instead of falling back to root | — | high |
| Bugfix | Medium | Fixed Google Books error responses being cached as search results | — | high |
| Bugfix | Medium | Fixed language filter matching by normalising language strings more consistently | — | high |
| Bugfix | Medium | Fixed Tor routing and healthchecks so Tor can bootstrap correctly, private networks can bypass Tor, and healthchecks no longer require a clear-net probe | — | high |

Row summaries were generated by llm_adapter on 2026-05-21; the Confidence column is the value it reported. Type for the Docker digest pinning and fail-closed startup rows follows the changelog, which lists both under Security.
Full changelog
This release adds a new security option, fixes Prowlarr seedtime preferences, and implements several fixes and security hardening changes.
New:
- Added `DISABLE_LOCAL_AUTH` environment variable for OIDC-only configs
- Changed Prowlarr seedtime preference to opt-in (Enable in Settings > Prowlarr). Fixed an issue with user-specified seed time configs not pulling into shelfmark correctly.
Fixes
- Fixed Google Books error responses being cached as search results. (#958)
- Fixed language filter matching by normalising language strings more consistently. (#960)
- Improved download copy/hardlink handling on FUSE & NFS. (#957, #961)
- Streamed archive extraction instead of loading archive contents into memory. (#965)
- Fixed Tor routing and healthchecks so Tor can bootstrap correctly, private networks can bypass Tor, and healthchecks no longer require a clear-net probe. (#944, #966)
Security
- Updated frontend, Python, and CodeQL dependencies, including fixing an 11th May `urllib3` CVE (#952, #953, #954)
- Hardened cover-image fetching and download prefetch flows against unsafe remote URLs, redirects, and untrusted origins. (#943, #967, #976)
- Tightened download and queue authorization, including queue ownership checks, release-source availability checks, and request policy source validation. (#970, #971, #975)
- Contained remote path mappings and qBittorrent fallback path handling to prevent unsafe path resolution. (#973, #974)
- Validated IRC DCC offers and AudiobookBay detail URLs before using them. (#964, #972)
- Redacted release URLs more safely in Newznab/Prowlarr download flows. (#968)
- Required verified OIDC email claims before linking external identities to existing accounts. (#963)
- Made container startup fail closed when the config directory remains unwritable instead of falling back to root. (#985)
- Pinned Docker base image digests and removed installer tooling from runtime images. (#969, #978)
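The cover-image/prefetch hardening (#943, #967, #976) and the AudiobookBay detail-URL validation (#972) are both instances of the same server-side request forgery defence: refuse to fetch on the server's behalf unless the scheme is allowed, the URL carries no userinfo, and every address the host resolves to is public, and re-run that check on every redirect hop rather than letting the HTTP client follow redirects blindly. The block below is an added example written for this page, not shelfmark's own code; the `resolver(host)` and `fetch(url)` callables, the `UnsafeURL` exception, and the fake DNS table and HTTP responses are all assumptions constructed for the demo so it runs offline.

```python
"""SSRF-hardened remote URL validation with manual redirect handling (added example)."""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched on the server's behalf (hypothetical name)."""


def default_resolver(host):
    """Resolve a hostname to every address it points at (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal (::ffff:127.0.0.1) is judged as the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_remote_url(url, resolver=default_resolver):
    """Return url unchanged if it is safe to fetch, otherwise raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # http://covers.example@127.0.0.1/ has hostname 127.0.0.1, not covers.example.
        raise UnsafeURL("userinfo in URL is not allowed")
    try:
        parts.port  # raises ValueError on a malformed port such as :80x
    except ValueError as exc:
        raise UnsafeURL("malformed port") from exc
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise UnsafeURL("missing host")
    try:
        ipaddress.ip_address(host)      # IP literal: no DNS lookup needed
        addresses = [host]
    except ValueError:
        try:
            addresses = resolver(host)  # every address the name points at is checked
        except (socket.gaierror, KeyError) as exc:
            raise UnsafeURL(f"cannot resolve {host!r}") from exc
    if not addresses or not all(_is_public_address(a) for a in addresses):
        raise UnsafeURL(f"{host!r} resolves to a non-public address")
    return url


def is_safe_remote_url(url, resolver=default_resolver):
    try:
        validate_remote_url(url, resolver)
        return True
    except UnsafeURL:
        return False


def fetch_with_safe_redirects(url, fetch, resolver=default_resolver):
    """Follow redirects by hand so every hop is validated.

    fetch(url) must return (status, headers, body) and must NOT follow redirects itself.
    """
    for _ in range(MAX_REDIRECTS + 1):
        validate_remote_url(url, resolver)
        status, headers, body = fetch(url)
        if status in REDIRECT_STATUSES:
            location = headers.get("Location")
            if not location:
                raise UnsafeURL("redirect without Location header")
            url = urljoin(url, location)  # a relative Location is resolved against this hop
            continue
        return url, status, body
    raise UnsafeURL("too many redirects")


# Constructed demo data (no network): a fake resolver and a fake HTTP client.
FAKE_DNS = {"covers.example": ["93.184.216.34"], "cdn.example": ["10.0.0.5"]}
FAKE_RESPONSES = {
    "https://covers.example/book.jpg": (302, {"Location": "http://127.0.0.1:8080/admin"}, b""),
    "https://covers.example/ok.jpg": (200, {}, b"\xff\xd8jpeg-bytes"),
}


def fake_resolver(host):
    return FAKE_DNS[host]


def fake_fetch(url):
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    print(is_safe_remote_url("https://covers.example/ok.jpg", fake_resolver))
    print(is_safe_remote_url("http://169.254.169.254/latest/meta-data", fake_resolver))
    try:
        fetch_with_safe_redirects("https://covers.example/book.jpg", fake_fetch, fake_resolver)
    except UnsafeURL as exc:
        print("rejected:", exc)
```

Resolving before connecting still leaves a DNS-rebinding window between the lookup and the TCP connect; a complete fix also pins the connection to the address that passed the check (for example through a custom transport adapter) rather than letting the HTTP client resolve the name a second time.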
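The remote path mapping containment (#973, #974) is the classic traversal problem: a download client reports paths in its own filesystem namespace, the app rewrites a prefix to a local mount, and anything in the remainder (`..` segments, absolute paths, or a symlink planted under the root) can escape the mapped directory. The block below is an added example written for this page, not shelfmark's own code; the mapping dictionary shape, the `UnsafePath` exception, and the `locate_download` fallback (which assumes the client reported only a save path and a torrent name) are assumptions for illustration.

```python
"""Contained remote-to-local path mapping with lexical and symlink checks (added example)."""
from pathlib import Path, PurePosixPath


class UnsafePath(ValueError):
    """Raised when a path would resolve outside its mapped local root (hypothetical name)."""


def _contain(root, relative):
    """Return root/relative, or raise if it escapes root lexically or through symlinks."""
    rel = PurePosixPath(relative)
    if rel.is_absolute() or ".." in rel.parts:
        raise UnsafePath(f"rejected traversal in {str(relative)!r}")
    root_real = Path(root).resolve()
    # resolve() follows symlinks that exist, so a planted link under root is caught too.
    candidate = (root_real / Path(*rel.parts)).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        raise UnsafePath(f"{str(relative)!r} resolves outside {str(root)!r}")
    return candidate


def map_remote_path(remote_path, mappings):
    """mappings: {remote_prefix: local_root}; the longest matching prefix wins and the
    remainder is contained under that root."""
    remote = PurePosixPath(remote_path)
    if not remote.is_absolute():
        raise UnsafePath(f"remote path must be absolute: {remote_path!r}")
    for prefix in sorted(mappings, key=len, reverse=True):
        try:
            remainder = remote.relative_to(PurePosixPath(prefix))
        except ValueError:
            continue
        return _contain(mappings[prefix], remainder)
    raise UnsafePath(f"no path mapping covers {remote_path!r}")


def locate_download(save_path, name, mappings):
    """Fallback for a client that reported only a save path and a torrent name:
    the name is untrusted input and is contained under the mapped save path."""
    local_save = map_remote_path(save_path, mappings)
    return _contain(local_save, name)


if __name__ == "__main__":
    # Constructed mapping table; the local roots need not exist for the lexical checks.
    demo = {"/downloads": "/mnt/dl", "/downloads/audiobooks": "/mnt/ab"}
    print(map_remote_path("/downloads/audiobooks/x.m4b", demo))
    for bad in ("/downloads/../etc/passwd", "/etc/passwd", "downloads/x"):
        try:
            map_remote_path(bad, demo)
        except UnsafePath as exc:
            print("rejected:", exc)
```

The lexical `..` check runs before touching the filesystem, so obviously hostile input never reaches `resolve()`; the `resolve()` step then catches the case the lexical check cannot, a symlink inside the root that points elsewhere.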
Security Fixes
- urllib3 CVE dated 11 May (identifier not stated in the changelog), fixed through dependency updates (#952, #953, #954)
- Hardened cover‑image fetching and download prefetch against unsafe URLs, redirects, and untrusted origins
- Tightened download/queue authorization with ownership checks and policy validation
- Contained remote path mappings and qBittorrent fallback path handling to prevent unsafe resolution
- Validated IRC DCC offers and AudiobookBay detail URLs before use
- Redacted release URLs safely in Newznab/Prowlarr flows
- Required verified OIDC email claims for linking external identities
- Container startup now fails closed if config directory is unwritable
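The OIDC change (#963) is listed as breaking because it changes a linking decision: an identity provider's `email` claim alone no longer ties a new external identity to an existing local account; `email_verified` must be true as well, otherwise an attacker who can register any unverified email at the provider could take over the matching local account. The block below is an added example of that decision logic written for this page, not shelfmark's own code; the claim handling (including accepting the string `"true"`, which some providers emit instead of a boolean), the in-memory lookup tables, and the returned action names are assumptions for illustration.

```python
"""Account-linking decision for an OIDC login that requires a verified email (added example)."""


def claim_is_true(value):
    """Treat only a boolean True or the string "true" (any case) as verified."""
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def normalize_email(email):
    """Lower-case and strip so Alice@Example.com matches the stored alice@example.com."""
    if isinstance(email, str) and email.strip():
        return email.strip().lower()
    return None


def decide_identity_link(claims, linked_identities, accounts_by_email):
    """Decide what to do with a successful OIDC login.

    claims: ID-token claims. linked_identities: {(iss, sub): account_id} already linked.
    accounts_by_email: {email: account_id} for local accounts.
    Returns (action, account_id_or_None, reason) where action is one of
    "login", "link", "create", "reject" (names are this example's, not shelfmark's).
    """
    iss, sub = claims.get("iss"), claims.get("sub")
    if not iss or not sub:
        return ("reject", None, "missing iss or sub claim")
    key = (iss, sub)
    if key in linked_identities:
        # A previously linked identity is keyed on (iss, sub), never on email.
        return ("login", linked_identities[key], "identity already linked")
    email = normalize_email(claims.get("email"))
    if email is None:
        return ("create", None, "no email claim; nothing to link against")
    existing = accounts_by_email.get(email)
    if existing is None:
        return ("create", None, "no local account with this email")
    if not claim_is_true(claims.get("email_verified")):
        # The old behaviour linked here; that is the account-takeover path being closed.
        return ("reject", None, "email matches an existing account but is not verified")
    return ("link", existing, "verified email matches existing account")


# Constructed sample state for the demo.
LINKED = {("https://idp.example", "sub-100"): 7}
ACCOUNTS = {"alice@example.com": 42, "bob@example.com": 43}

if __name__ == "__main__":
    print(decide_identity_link(
        {"iss": "https://idp.example", "sub": "sub-200", "email": "alice@example.com",
         "email_verified": False}, LINKED, ACCOUNTS))
```

With `DISABLE_LOCAL_AUTH` set, a "reject" here has no password fallback, so the operator should make sure the provider actually asserts `email_verified` for the accounts that need linking before migrating to OIDC-only.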
About shelfmark
Self-hosted web interface for searching and downloading books and audiobooks from multiple sources