Maintainerr

v3.11.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 21d Media Servers

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

docker jellyfin maintainerr maintenance movies plex

+6 more

plex-media-server radarr seerr sonarr tv-series tv-shows

Affected surfaces

deps

ReleasePort's take

Light signal

editorial:auto 13d

v3.11.1 fixes the Jellyfin BoxSet flickering bug where members incorrectly appeared and disappeared in collection groups. Also patches transitive dependency vulnerabilities in dompurify, picomatch, and postcss.

Why it matters: BoxSet flickering fixed; transitive dependency vulnerabilities patched in dompurify, picomatch, postcss. Update on next cycle; no migration required.

Summary

AI summary

Fixed Jellyfin collection add/remove loop that caused BoxSet members to flicker in rule results.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Added environment gate to mitigate TOCTOU vulnerability in release_pr workflow Added environment gate to mitigate TOCTOU vulnerability in release_pr workflow Source: llm_adapter@2026-05-21 Confidence: high	—
Security	Medium	Addressed transitive dependency vulnerabilities in dompurify, picomatch, postcss Addressed transitive dependency vulnerabilities in dompurify, picomatch, postcss Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	Enhanced custom collection UX with renamed tags, tooltips, and disable warnings Enhanced custom collection UX with renamed tags, tooltips, and disable warnings Source: llm_adapter@2026-05-21 Confidence: high	—
Dependency	Medium	Updated 10 dependencies including vite, @typescript-eslint/eslint-plugin, typeorm Updated 10 dependencies including vite, @typescript-eslint/eslint-plugin, typeorm Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix
Bugfix	Medium	Fixed BoxSet members incorrectly appearing and disappearing in Jellyfin collection groups Fixed BoxSet members incorrectly appearing and disappearing in Jellyfin collection groups Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Improved error message for invalid Plex library section IDs Improved error message for invalid Plex library section IDs Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Validates Jellyfin IDs before refresh to prevent errors Validates Jellyfin IDs before refresh to prevent errors Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

Highlights

Fixed an issue where Jellyfin libraries with "Group films into collections" enabled caused BoxSet members to incorrectly appear and disappear from rule results (#2870).
Improved error message when a Plex library section ID is invalid, addressing user confusion when libraries are removed and re-added (#2883).
Enhanced custom collection UX by renaming tags, adding tooltips, and providing warnings when disabling the feature (#2882).

Fixes

Validated Jellyfin IDs before refresh to prevent errors (#2853).
Resolved a collection add/remove loop for Jellyfin libraries with "Group films into collections" enabled (#2870).
Improved error message for invalid Plex library section IDs (#2883).
Updated custom collection terminology and added warnings for better user experience (#2882).

Internal

Added explicit token permissions to the Fider move CI job to address a CodeQL warning.
Added an environment gate to mitigate a TOCTOU vulnerability in the release_pr workflow (#2879).
Applied yarn resolutions to address transitive dependency vulnerabilities in dompurify, picomatch, and postcss (#2881).

Dependencies

Updated 10 dependencies, including notable packages: vite, @typescript-eslint/eslint-plugin, and typeorm.

Security Fixes

Added environment gate to mitigate TOCTOU vulnerability in release_pr workflow (#2879)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Maintainerr

Get notified when new releases ship.

About Maintainerr

Looks and smells like Seerr, does the opposite. A library maintenance tool for Plex and Jellyfin.

All releases →

Related context

Related tools

Earlier breaking changes

v3.13.0 Section without an operator is now treated as OR instead of AND; migration not reversible.
v3.13.0 Per-group exclusions now apply only to their own group, not globally.
v3.13.0 Exclusions are now either global or per-group; removing a global exclusion requires re-adding per-group ones.
v3.12.1 Renames `WATCH_HISTORY_CONCURRENCY` to `RULE_EVALUATION_CONCURRENCY` for clarity.
v3.11.0 Overlay reset operations are now gated against concurrent processing runs.