Update ghcr.io/seerr-team/seerr Docker tag to v3.2.0

[renovate]

This PR contains the following updates:

Package	Update	Change
ghcr.io/seerr-team/seerr	minor	v3.1.0 → v3.2.0

---

Release Notes

seerr-team/seerr (ghcr.io/seerr-team/seerr)

v3.2.0

Compare Source

3.2.0 - 2026-04-15

🚀 Features

• (blocklist) Add support for collections (#​1841) - (993ae4c)
• (discover) Handle errors gracefully when content is available (#​1542) - (7920970)
• (i18n) Add Estonian language support (#​2611) - (56b79ff)
• (i18n) Add Luxembourgish language support (#​2671) - (dccdc95)
• (i18n) Add Vietnamese language support (#​2670) - (40edaea)
• (jellyfin) Allow Jellyfin Guids with dashes for import-from-jellyfin endpoint (#​2340) - (3557745)
• (notifications) Add ntfy markdown formatting (#​2602) - (77f2c13)
• (notifications) Webhook custom headers (#​2230) - (3152f72)
• (notifications) Add priority setting for ntfy agent (#​2306) - (61e0377)
• (person) Add tmdb- and imdb link on person detail page (#​2136) - (fb2ee7c)
• (quota) Added support for unlimited quota days (#​2797) - (6d8b2b7)
• (requests) Mark requests as failed when Radarr/Sonarr unreachable (#​2171) - (c23117e)
• (settings) Add blocklist region and language options (#​1802) - (ff469cb)
• (settings) Add help tooltips for services setup (#​2662) - (f5115da)
• (sonarr) Add monitorNewItems option to sonarr settings & modal (#​2071) - (5c34c91)
• (trending) Add filter options (#​2137) - (4ce0db1)
• (ui) Add loading state to request approve/decline buttons (#​2815) - (bd8f2d4)
• (userlist) Add sortable columns to User List (#​1615) - (eaf397a)
• (webhook) Add imdbid to webhook notification (#​2658) - (2432e8d)
• Sort quality profiles ASC in request and service configuration (#​1805) - (25e376c)
• Add trailing whitespace warning on login username field (#​2040) (#​2177) - (636dcb9)

🐛 Bug Fixes

• (auth) Resolve Plex OAuth client ID mismatch (#​2746) - (15b3109)
• (email) Correctly classify final MIME header in PGP email encryption (#​2618) - (9ec3d58)
• (email) Preserve newlines in PGP key textarea fields (#​2617) - (835e917)
• (emby) Use static version in auth header for emby only (#​2821) - (fe2c041)
• (entities) Replace MySQL-only onUpdate with @​UpdateDateColumn (#​2823) - (0b8f872)
• (generate-password) Await setPassword to fix race condition (#​2845) - (061121c)
• (issues) Update issue timestamp when adding comments (#​2616) - (a16d046)
• (jellyfin-scanner) Add TheMovieDb provider fallback for Jellyfin scanner (#​2605) - (10f23f0)
• (login) Resolve stuck transition when switching login forms (#​2779) - (735ec47)
• (media) Exclude null mediaAddedAt entries (#​2607) - (001f6b1)
• (migration) Repair postgres blocklist id sequence (#​2686) - (f40323c)
• (movie,tv) Respect display language for trailers (#​2674) - (90d407d)
• (open-api) Add missing mediaType query parameter to blocklist and watchlist (#​2722) - (c7185d4)
• (override-rules) Remove users from useEffect dependency array (#​2771) - (be57997)
• (overseerr-merge) Sanitise corrupt quota values during overseerr migration (#​2863) - (43eff25)
• (plex) Set 4K Plex URLs whenever ratingKey4k is set (#​2635) - (1548948)
• (proxy) Add path validation guardrail to imageproxy (#​2531) - (e086081)
• (region-selector) Prevent empty region reporting during sync (#​2636) - (fbfcb43)
• (request) Record modifiedBy on retry and add route tests (#​2824) - (20ccd4b)
• (request) Correct delete permission check and await movie save (#​2742) - (6aeab38)
• (requests) Mark requests as completed when media is already available (#​2462) - (d25d0ca)
• (settings) Persist new settings defaults to disk on startup (#​2884) - (66130be)
• (settings) Serialize settings writes and prevent partial overwrites (#​2696) - (6c52a2f)
• (settings) Remove beta info banner (#​2615) - (fece753)
• (setup) Fix Plex login not proceeding after authentication (#​2596) - (1dc5154)
• (watchlist-sync) Handle empty watchlists on PostgreSQL (#​2718) - (865396f)
• Improve local login UX (#​2849) - (aef2481)
• Await missing repository saves (#​2760) - (1bb638e)
• Helm chart liveness and readiness probe (#​2755) - (4434c45)
• Disambiguate tmdb ids by media type across lookups (#​2577) - (0be1896)
• Anchor streaming service filter check icon to each provider card (#​2634) - (94ccd47)

📖 Documentation

• (contributing-guide) Fix a typo (#​2807) - (6f9b743)
• (docker) Replace backslashes by backticks in windows docker run commands [skip-ci] (#​2557) - (40e02bb)
• Clarify Docker volume creation instructions on fresh Windows install (#​2861) - (a133930)
• Move network-related docs to a dedicated tab (#​2791) - (5bbdc52)
• Promote Nixpkgs as an official installation method (#​2775) - (05ad60c)
• Fix PM2 start command syntax (#​2713) - (5373da4)

🚜 Refactor

• (imageproxy) Reduce noisy image cache logging (#​2789) - (036d000)
• (notifications) Move event from author to title field in Discord Embed (#​2119) - (a2d1e1b)
• (userlist) Responsive columns and buttons (#​2083) - (dbe1fca)
• (watchlistsync) Log media request creation after success instead of before (#​2790) - (685cb44)
• Rename Error components to ErrorPage (#​2668) - (d5c5f1f)

🧪 Testing

• (user-list) Deflake sorting assertions (#​2766) - (20c2ed8)
• Support server-side unit testing (#​2485) - (8563362)

⚙️ Miscellaneous Tasks

• (actions) Update github actions (#​2683) - (a2154f9)
• (actions) Update github actions (#​2672) - (f047cab)
• (actions) Update github actions (#​2632) - (e25c1a5)
• (create-tag) Correct quote style in commit message for tag preparation (#​2593) - (687f18b)
• (docker) Release alias for major and minor version series (#​2881) - (1cc73a8)
• (i18n) Update translations from Weblate - (e85216a)
• (i18n) Update translations from Weblate - (b1adc79)
• (i18n) Update translations from Weblate (#​2419) - (4bd7c19)
• (pr-validation) Make checklist box detection case-insensitive (#​2802) - (58514ec)
• (pr-validation) Update pull request permissions to write for validation jobs (#​2800) - (986761f)
• (pr-validation) Disable package manager cache in nodejs setup (#​2799) - (67e27d5)
• (release) Prepare v3.2.0 - (e0b2a1c)
• (release) Merge develop into main - (c5800a0)
• Bump minimum required node version to 22.19.0 (#​2873) - (891265f)
• Add PR validation workflow and update contributing guidelines (#​2777) - (772e83d)
• Upgrade to eslint v9 (#​2574) - (36243a0)
• Ignore helm scope in git-cliff (#​2638) - (4d2b658)

New Contributors ❤️

• @​aslafy-z made their first contribution
• @​leereilly made their first contribution
• @​jisef made their first contribution
• @​dougrathbone made their first contribution
• @​bobziroll made their first contribution
• @​v3DJG6GL made their first contribution
• @​Roboroads made their first contribution
• @​costajohnt made their first contribution
• @​tiagodefendi made their first contribution
• @​Jyasapara made their first contribution
• @​Sym-jay made their first contribution
• @​bibi0019 made their first contribution
• @​redondos made their first contribution
• @​bogo22 made their first contribution
• @​jabloink made their first contribution
• @​YakGravity made their first contribution
• @​dj0024javia made their first contribution
• @​Jerra94 made their first contribution
• @​its-wizza made their first contribution
• @​ventiph made their first contribution
• @​RinZ27 made their first contribution

v3.1.1

Compare Source

This update addresses a critical security vulnerability discovered in one of our core dependencies (axios).
This is not the same vulnerability where axios was hijacked.

🛡️ Security

• Patch CVE-2026-40175 - Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - (3ca6422)

🐛 Bug Fixes

• (imageproxy) Type axios instance - (74100e9)

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • "after 2am and before 8am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

ghcr.io/seerr-team/seerr (docker) v3.1.0 -> v3.2.0

Risk: 🟡 Caution

The Deep Dive

Update Scope

Bumps the seerr container image from v3.1.0 to v3.2.0 in kubernetes/seerr/deploy.yaml. The pinned sha256 digest is updated alongside the tag. This jump skips over the v3.1.1 security patch, but v3.2.0 includes it. No Kubernetes manifests, kustomize overlays, ingress, PVC, or env-vars change — only the container image reference.

Performance & Stability

• (imageproxy) Reduce noisy image cache logging — should noticeably reduce log volume from the seerr pod.
• (settings) Serialize settings writes and prevent partial overwrites — addresses a class of corruption where two concurrent settings updates could leave settings.json (on the seerr-config PVC) in a half-written state.
• (settings) Persist new settings defaults to disk on startup — newly-introduced default keys are now written out instead of being recomputed every boot, so subsequent reads are deterministic.

Features & UX

These are all opt-in via in-app settings (stored on the seerr-config PVC, not in this repo) — none take effect automatically:

• (notifications) Webhook custom headers — lets you add arbitrary headers to outbound webhook notifications. Configure under Settings → Notifications → Webhook.
• (notifications) Add ntfy markdown formatting — toggle Markdown rendering on outbound ntfy messages. Configure under Settings → Notifications → ntfy (the in-app navigation path was not independently verified against a running instance, since the ntfy settings UI lives in the seerr-config PVC and is not represented in the repo).
• (notifications) Add priority setting for ntfy agent — adds a per-agent priority field (e.g. default, high, urgent). Configure under Settings → Notifications → ntfy alongside the URL and topic fields (path inferred from the existing ntfy agent layout, not verified from a running instance).
• (blocklist) Add support for collections and (settings) Add blocklist region and language options — broader blocklist controls.
• (quota) Added support for unlimited quota days — set a per-user quota that never resets.
• (sonarr) Add monitorNewItems option to sonarr settings & modal — exposes the Sonarr monitorNewItems field; useful if you want new seasons of an existing series to be auto-monitored.
• (trending) Add filter options, (userlist) Add sortable columns to User List, (person) Add tmdb-/imdb-link on person detail page — UI improvements.
• (webhook) Add imdbid to webhook notification — adds imdbid to the webhook payload. No webhook template files exist in the repo (kubernetes/seerr/ only contains deploy.yaml, service.yaml, ingress.yaml, pvc-config.yaml, kustomization.yaml, namespace.yaml); any custom in-app webhook JSON template lives on the seerr-config PVC and is not visible from the repo. Adding a new field to a JSON payload is backward-compatible for the vast majority of receivers (they ignore unknown keys), so the practical risk for this deployment is negligible unless a downstream receiver is doing strict-schema validation.
• New i18n locales (Estonian, Luxembourgish, Vietnamese).

Security

• Resolved: CVE-2026-40175 / GHSA-fvcv-3m26-pcqx — Unrestricted Cloud Metadata Exfiltration via Header Injection Chain in axios (CVSS 4.8, advisory describes potential CVSS 9.9 in cloud-metadata scenarios). Patched upstream in v3.1.1 and carried into v3.2.0. Practical impact for this deployment is low — seerr runs in Kubernetes on-prem (no AWS IMDS at 169.254.169.254), and exploitation requires a separate prototype-pollution gadget elsewhere in the stack. This PR closes the gap regardless.
• The three previously-disclosed seerr advisories (GHSA-rc4w-7m3r-c2f7, GHSA-f7xw-jcqr-57hp, GHSA-gx3h-3jg5-q65f) were all patched in v3.1.0, so they are not affected by this PR.

Key Fixes

• (auth) Resolve Plex OAuth client ID mismatch — relevant if you sign in via Plex; intermittent OAuth failures should clear up.
• (setup) Fix Plex login not proceeding after authentication — same family of fixes for Plex login flows.
• (plex) Set 4K Plex URLs whenever ratingKey4k is set — corrects deep-links for 4K media.
• (migration) Repair postgres blocklist id sequence — only relevant if the seerr DB is PostgreSQL; the deployment ships seerr with default SQLite-on-PVC unless overridden via env, and no PG env vars are set in deploy.yaml, so this is not applicable here.
• (overseerr-merge) Sanitise corrupt quota values during overseerr migration — only runs when migrating from an Overseerr install; this deployment is already on seerr v3.x, so the migration code path is not re-entered on upgrade.
• (emby) Use static version in auth header for emby only — Emby-only, not used here.
• Helm chart liveness and readiness probe — affects the upstream Helm chart only; this deployment uses hand-rolled raw manifests in deploy.yaml (no probes defined), so the fix doesn't reach this install.

Newer Versions

v3.2.0 is the newest release as of 2026-04-15 (gh release list --repo seerr-team/seerr). No regressions introduced in v3.2.0 have been fixed in a later release.

Hazards & Risks

No breaking config or schema changes that affect this deployment:

• The release notes include Bump minimum required node version to 22.19.0 — this only matters for source/PM2 installs. The Docker image bundles Node, so this does not affect us.
• TypeORM entity change Replace MySQL-only onUpdate with @UpdateDateColumn is a schema-correctness fix; SQLite (the default and what this deployment uses) and PostgreSQL both already supported @UpdateDateColumn. No data migration is required.
• ORM/code-style changes (rename Error → ErrorPage, ESLint v9, server-side test harness) are internal — no impact on runtime config.
• The container is set to strategy: Recreate (deploy.yaml:11-12) with a single replica, so expect a brief outage during the rollout while the new pod attaches the seerr-config PVC.
• After upgrade, the seerr DB on the PVC will be migrated forward by the new image on first boot — back up the PVC (or take a Synology snapshot) before merging if you want a safe rollback path, since downgrading after a TypeORM migration runs is not supported by the project.

Sources

• seerr v3.2.0 release notes
• seerr v3.1.1 release notes (security patch carried into v3.2.0)
• axios CVE-2026-40175 / GHSA-fvcv-3m26-pcqx
• seerr security advisories listing
• Local manifest: kubernetes/seerr/deploy.yaml

---

🟡 Verdict: Caution

Safe to deploy: this is a minor version bump that also closes the v3.1.1 axios CVE, with no breaking config or schema changes affecting this raw-manifest deployment. Labelled renovate:caution (rather than renovate:safe) because of the volume of behavioral changes — Plex OAuth flow, settings-write serialization, and webhook payload additions are worth a quick post-deploy smoke test (load the UI, confirm Plex login still works, and verify any custom webhook receivers still parse the payload). Snapshot the seerr-config PVC beforehand so you have a clean rollback path if the on-disk DB migration surfaces anything unexpected.