immich-kiosk

v0.39.0 Breaking

This release includes 2 breaking changes for platform teams planning a safe upgrade.

Published 1d Media Servers

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

go immich immich-slideshow immichkiosk photos slideshow

Affected surfaces

breaking_upgrade auth

ReleasePort's take

Moderate signal

editorial:auto 1d

The Docker base image has been changed from Alpine to Distroless in this release.

Why it matters: Affects Docker container runtime; operators must review and test images built on the new Distroless base before deployment.

Summary

AI summary

Updates Possible user actions, 🔨 Maintenance, and 🚀 New Features across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	High	Removed shell (bash, etc.) reducing attack surface in Distroless image. Removed shell (bash, etc.) reducing attack surface in Distroless image. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Security	High	Runs as non‑root user by default in Distroless image. Runs as non‑root user by default in Distroless image. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Breaking	High	Moved Docker base image from Alpine to Distroless. Moved Docker base image from Alpine to Distroless. Source: llm_adapter@2026-06-02 Confidence: high	—
Feature	Medium	Pressing "f" toggles browser fullscreen mode. Pressing "f" toggles browser fullscreen mode. Source: llm_adapter@2026-06-02 Confidence: high	—
Performance	Low	Reduced Docker image size by ~50% with Distroless base. Reduced Docker image size by ~50% with Distroless base. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Performance	Low	Improved startup speed using Distroless base image. Improved startup speed using Distroless base image. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—
Bugfix	Medium	Updated healthcheck to use built‑in Kiosk command instead of curl. Updated healthcheck to use built‑in Kiosk command instead of curl. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—

Full changelog

⚠ Breaking Change: Moved from Alpine to Distroless

With version 0.39.0 the docker base image has moved from Alpine to Distroless.

Why

I've moved Kiosk over to Distroless for size, speed and security. I've always tried to be as friendly to users hardware (and security conscience) as I can and a smaller docker image just makes sense.

Smaller image (around 50% smaller then Alpine)
No shell (bash etc) so it has a smaller attack surface
Faster startups
Runs as nonroot by default

Possible user actions

Healthcheck

With this change the current healthcheck will no longer work as distroless does not include CURL, so I built one into Kiosk.

# OLD
healthcheck:
  test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
  interval: 30s
  timeout: 5s
  retries: 3
  start_period: 10s

# NEW
healthcheck:
  test: ["CMD", "/kiosk", "--healthcheck"] # 👈 This is the only change to the healthcheck
  interval: 30s
  timeout: 5s
  retries: 3
  start_period: 10s

Offline assets permissions

As Kiosk now runs as nonroot you may get permission errors when using offline mode. View the offline docs for a solution.

Fullscreen keyboard keybind

Pressing "f" will toggle the browser fullscreen mode.

What's Changed

🚀 New Features

keybind for fullscreen by @damongolding in https://github.com/damongolding/immich-kiosk/pull/757
Feature/cache duration by @damongolding in https://github.com/damongolding/immich-kiosk/pull/762

🔨 Maintenance

Chore/remove bun ~slop~ by @damongolding in https://github.com/damongolding/immich-kiosk/pull/752
Chore/distroless by @damongolding in https://github.com/damongolding/immich-kiosk/pull/759
Chore/gofumpt by @damongolding in https://github.com/damongolding/immich-kiosk/pull/760
deps by @damongolding in https://github.com/damongolding/immich-kiosk/pull/767

Full Changelog: https://github.com/damongolding/immich-kiosk/compare/v0.38.1...v0.39.0

Breaking Changes

Base image switched from Alpine to Distroless; healthcheck must use `/kiosk --healthcheck` instead of curl
Container now runs as non‑root by default, causing permission errors in offline mode that require adjustments per the offline docs

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track immich-kiosk

Get notified when new releases ship.

About immich-kiosk

Highly configurable slideshows for displaying Immich assets on browsers and devices.

All releases →