✨ New Features

EPG Historical Data

• The EPG output now supports a "Days back" parameter, letting third-party players that request past program schedules receive the data they need. (Closes #1154)
• A Days forward and Days back control is now available in the EPG URL builder on the Channels page.
• Per-user defaults for both values can be configured in the User Settings modal and are applied automatically when no URL parameter is present.

Plugin Hub

• Administrators can now browse, install, and update plugins directly from their source repositories via a new Plugin Hub page in Settings. (Closes #393) — Thanks @sethwv:
  • Install plugins directly from the hub with SHA256 integrity verification.
  • Update managed plugins when a newer version is available, with version compatibility checks enforced at install time.
  • Browse available plugins with name, description, version, author, and icon.
  • Plugins installed from a repo are tracked as "managed" — source, version, prerelease status, and deprecation state are all visible in the UI.
  • Add plugin repositories by manifest URL. The official Dispatcharr Plugins repository is pre-configured; third-party repos are supported with an optional GPG public key.
  • Manifest signatures are verified via GPG, with signature status displayed per-repo.
  • Preview a repository URL before adding it — validates the manifest and reports plugin count and signature status without saving anything.
  • Configure an automatic manifest refresh interval (or disable it entirely). Refreshes run as a background task.

🔄 Changes & Improvements

Performance

• M3U playlist generation, EPG generation, and XC live stream listing are now significantly faster on large deployments by fetching related data in a single database query instead of one per channel. On deployments with ~2,000 channels, XC live stream response time drops from ~2.5–4 s to ~250–450 ms. (Closes #1127) — Thanks @xBOBxSAGETx
• EPG generation performance improved further with additional query optimizations across EPG channel, grid, and XC EPG endpoints, reducing overall EPG generation time by about %15 on large deployments.
• M3U playlist generation with the direct=true option no longer issues a separate database query per channel for stream data.
• XC live stream listing no longer performs a database lookup for each channel that has no group assigned — that lookup now happens at most once per request regardless of how many ungrouped channels are present.

M3U Parsing

• The M3U parser has been rewritten to handle complex and non-standard M3U files more reliably. Entries with extra directive lines between the stream info and URL are now parsed correctly instead of being corrupted or silently dropped.
• Added support for the #EXTGRP directive. When a stream has no group-title attribute, the group name from an #EXTGRP line is used as the fallback. (Closes #1088)
• Stream names now use the display title from the #EXTINF line as the primary name, falling back to tvg-name. Providers that put the human-readable title after the comma will now show the correct name. (Fixes #1081)
• Added accumulation of #EXTVLCOPT directives per entry, stored in the stream's custom properties for future use and API access.
• Parsing is approximately 10% faster on large M3U files.

User Settings Modal

• The User Settings modal has been redesigned with a tabbed layout. Settings are now grouped into Account, Permissions, EPG Defaults, and API & XC tabs, replacing the previous two-column layout.

EPG Improvements

• The EPG response cache now correctly shares entries between semantically equivalent requests (e.g., a user default of 7 days forward and an explicit ?days=7 URL parameter now hit the same cache entry).
• EPG scanning now automatically removes stale EPG entries that are no longer present in the upstream source — as long as they aren't mapped to any channel. This prevents unbounded database growth over time.
• Improved BOM handling when importing EPG source files: the XML declaration is now located reliably regardless of leading BOM markers, whitespace, or other encoding preambles.

URL Builder Popovers

• The HDHR, M3U, and EPG URL builder popovers in the Channels table now open with a brief description of their purpose. Toggle switches have been updated with a proper label and description layout, and alignment has been corrected to match standard form conventions.

All-in-One (AIO) Container

• AIO containers now connect to the internal PostgreSQL instance via a Unix domain socket instead of TCP, improving local connection speed and reliability. Existing configurations pointing to localhost or 127.0.0.1 are migrated automatically. — Thanks @JCBird1012

Output Bitrate Tracking

• The output bitrate statistic is now smoothed and written to the database at most once every 30 seconds instead of on every FFmpeg stats tick (~twice per second). This significantly reduces database write pressure. Short-lived streams that stop before a stable reading is established no longer overwrite previously accurate measurements.

Floating Video Player

• The native video controls (timeline, play/pause, volume) are now hidden by default when a live stream starts and only appear on hover.

API & Swagger UI

• The Swagger UI authorization dialog now includes an ApiKeyAuth entry alongside the existing JWT entry, with descriptive text referencing the relevant endpoints for both authentication methods.
• Several API schema definitions have been corrected: the EPG import endpoint now documents its request body; the bulk logo delete endpoint now shows the delete_files field; the batch EPG assignment endpoint correctly marks the EPG link field as nullable; and the integrations subscription endpoint now has a documented request body.

Frontend Refactoring

• Multiple form components have been refactored to improve maintainability, with business logic extracted into dedicated utility modules each covered by unit tests. Mantine compound component references have been updated to current conventions. — Thanks @nick4810

Dependency Updates

• djangorestframework 3.16.1 → 3.17.1
• requests 2.33.0 → 2.33.1
• gevent 25.9.1 → 26.4.0
• rapidfuzz 3.14.3 → 3.14.5

🐛 Bug Fixes

TV Guide & EPG

• Fixed "Record One" in the TV Guide always scheduling the recording on the first channel matching the program's EPG ID, rather than the channel the user actually clicked. When multiple channels share the same EPG source, the intended channel was silently ignored. (Fixes #1140) — Thanks @fezster

Streaming & VOD Proxy

• Fixed live stream hiccups caused by nginx silently buffering TS proxy data to disk instead of streaming it directly to the client.
• Fixed race conditions in the VOD proxy that caused connection limit counters to go permanently negative, allowing more simultaneous connections than the configured profile limit. (Closes #1125) — Thanks @firestaerter3
• Fixed a connection leak in the VOD proxy where upstream provider connections were not properly closed when a stream ended due to an error before the first data chunk was sent.
• Fixed manual stream selection from the Stats page not enforcing M3U profile connection limits in multi-worker deployments. The connection counter was not updated after a manual stream switch, causing subsequent capacity checks to report incorrect values and bypass the full-profile guard.
• Fixed automatic stream rotation not updating connection limit counters, the same class of issue as the manual stream switch bug above.
• Fixed stream switch state in Redis occasionally reflecting a URL that wasn't actually in use. State is now only written after a switch is confirmed to succeed.

Stats Page

• Fixed the Active Stream dropdown on the Stats page not updating when a stream switch occurs.

Channels

• Fixed bulk channel edit returning a 500 error when the request body included a streams list. (Fixes #883)

M3U & File Uploads

• Fixed uploading a local M3U file with no expiration date set causing a validation error from the API.

Logo Management

• Fixed the logo cache hanging indefinitely when fetching from a slow or dripping remote server. Downloads now enforce a 10-second total deadline and a 5 MB size cap. Also fixed a race condition where a slow or failed download could result in two simultaneous fetch attempts for the same URL.

User Management

• Fixed the XC Password field in the User modal being editable by standard users even though any changes would be silently discarded on save. The field and its generate button are now disabled with an explanatory message for non-admin users.

Docker & Container Shutdown

• Fixed docker stop resulting in a forced kill (exit 137 / SIGKILL). All child processes — including uWSGI workers, Celery, Daphne, and Redis — are now gracefully stopped in order, and the shutdown wait adapts to how quickly they exit rather than using a fixed delay. — Thanks @Shokkstokk for the initial fix!

🔒 Security

• Hardened global API permissions: All API endpoints now require admin access by default. Endpoints that legitimately require lower permission levels (standard user read access, public streaming) have been explicitly annotated. Streaming proxy endpoints remain accessible without authentication, with access controlled by per-stream-type network allow-lists.
• Fixed missing network access checks in the VOD proxy: VOD streaming endpoints were not enforcing the STREAMS network policy, unlike the equivalent live stream proxy endpoints. This has been corrected.
• **Fixed path traversal vulnerabili...

✨ New Features

User Stream Limits

• Administrators can now set a maximum number of concurrent streams per user account, giving greater control over how resources are shared across users. (Closes #544)
• Each user account has a new Stream Limit field (0 = unlimited), configurable in Settings → Users.
• Global enforcement behavior is configurable in Settings → User Limits:
  • Terminate on Limit Exceeded: automatically end an existing stream to make room when a user's limit is reached, rather than rejecting the new connection.
  • Terminate Oldest / Newest: choose which existing stream to free when a slot is needed.
  • Prioritize Single-Client Channels: prefer freeing streams on channels only that user is watching.
  • Ignore Same-Channel Connections: count multiple connections to the same live channel as one stream toward the limit.

Username Display on Stats Page

• The Stats page now shows the username of each connected user alongside their connection details. (Closes #766, Closes #586)
  • For live channel connections, a User column appears between IP Address and Connected.
  • For VOD connections, the username is shown inline next to the IP address.
• Live channel previews started from the web UI now appear on the Stats page with the correct username rather than as an unknown user.
• Webhook and script integrations receive the connected username in client_connect and client_disconnect system events.

TLS/mTLS Support for Redis & PostgreSQL (Modular Deployments)

• Modular deployments now support encrypted connections to Redis and PostgreSQL, including mutual TLS (mTLS) with client certificate authentication. (Closes #950) — Thanks @CodeBormen
• Configured via environment variables in the docker compose file. A read-only Connection Security panel is available in System Settings to view the current TLS configuration.
• Startup validation catches missing certificate paths and configuration conflicts before the application starts.

Status Filter for M3U Group & VOD Category Modals

• The M3U Group Filter and VOD Category Filter modals now include an All / Enabled / Disabled filter alongside the existing text search. (Closes #312)
• The "Select Visible" / "Deselect Visible" buttons respect the active filter, so bulk actions only apply to the currently visible subset.

Donate Button & Version Copy

• A donate button (heart icon) has been added to the sidebar footer, linking to the project's Open Collective page. Visible in both expanded and collapsed sidebar states; hovering shows a "Support Dispatcharr" tooltip.
• The version string in the sidebar footer is now clickable — click it to copy the version to your clipboard.

🔄 Changes & Improvements

M3U Profile URL Rewriting: Simple Mode

• The M3U Profile form for Xtream Codes accounts now offers a Simple / Advanced mode toggle for credential-based URL rewriting.
• In Simple mode, enter just a new username and password — the search and replace patterns are built automatically from the account's current credentials.
• Advanced mode continues to expose the full regex fields for custom patterns.
• Existing profiles are automatically detected as Simple if their search pattern matches the account's current credentials.

M3U Max Streams Column

• The Max Streams column in the M3U accounts table now shows the combined total across all active profiles for that account. (Closes #816)
• When multiple active profiles are present, the column displays their summed total (or ∞ if any profile is unlimited), with a hover tooltip listing each profile's individual limit by name.
• Toggling a profile's active state immediately updates the total without requiring a page reload.
• The Max Streams field in the M3U account form has been changed from a text input to a number input with increment/decrement controls.

Network Access Settings

• Leaving a Network Access settings field blank no longer shows a validation error. The default CIDR range is saved automatically and a "Defaults Restored" warning lists which fields were reset. (Closes #726)

XtreamCodes VOD Streaming

• XtreamCodes VOD requests (/movie/ and /series/) are now handled directly by the proxy rather than redirecting clients to a separate URL. The original XC path is preserved throughout the stream.

Dependency Updates

• requests 2.32.5 → 2.33.0 (security patch; see Security section)
• celery 5.6.2 → 5.6.3
• torch 2.10.0+cpu → 2.11.0+cpu
• sentence-transformers 5.2.3 → 5.3.0
• yt-dlp 2026.3.13 → 2026.3.17

Docker Base Image Cleanup

• Removed outdated system Python packages from the Docker base image that were pulling stale library versions into the system Python environment despite the application running entirely in its own managed virtual environment.

🐛 Bug Fixes

M3U Profile URL Rewriting

• Fixed URL rewrite patterns that matched correctly in the frontend live preview but failed silently on the backend. Patterns using JavaScript/PCRE-style named capture groups or variable-length lookbehinds now work correctly end-to-end. (Fixes #1005)
• Fixed a preview bug where a pattern error would display the search pattern itself as the preview output instead of the original URL.

Web UI Stream Preview

• Fixed stream previews in the web UI that were ignoring all player configuration, resulting in the logged-in user not being identified on the Stats page, latency settings having no effect, and worker offloading being disabled.
• Eliminated audible stuttering on live stream previews caused by unintended playback-rate adjustments.

EPG: HTML Named Entities Preserved

• Fixed EPG channel names, program titles, and metadata losing accented and special characters when loading from providers who use HTML named entities in their XMLTV files. Affected providers include many French and other European sources — characters were previously silently dropped (e.g. "Chaîne Télé" appeared as "Chane Tl"). (Closes #1095) — Thanks @CodeBormen for the research on this one!

Duplicate Recordings on EPG Refresh

• Fixed duplicate recordings being created for series rules whenever an EPG source refreshes. (Fixes #940) — Thanks @CodeBormen
  • Deduplication now uses stable program identifiers that survive EPG refreshes, rather than internal IDs that change on every refresh.
  • Pre/post recording offset settings no longer cause the duplicate guard to miss already-scheduled recordings.
  • Concurrent EPG refreshes for multiple sources are now serialized during series rule evaluation, preventing races that could schedule the same episode more than once.

EPG Refresh Interrupted on Large Sources

• Fixed EPG refresh tasks being killed partway through on large EPG sources, leaving the guide data in a partial state with no error logged. Large source refreshes now have a 4-hour ceiling rather than a stricter timeout that could be reached during normal operation.

🔒 Security

• Updated requests 2.32.5 → 2.33.0, resolving CVE-2026-25645 (moderate): insecure temp file reuse in a utility function.
• Updated frontend npm dependencies to resolve 4 audit vulnerabilities (2 moderate, 2 high):
  • brace-expansion 5.0.2 → 5.0.5 — resolves moderate zero-step sequence causing process hang and memory exhaustion (GHSA-f886-m6hf-6m8v)
  • flatted 3.4.1 → 3.4.2 — resolves high Prototype Pollution via parse() (GHSA-rf6f-7fwh-wjgh)
  • picomatch 4.0.3 → 4.0.4 — resolves high method injection in POSIX character classes (GHSA-3v7f-55p6-f55p) and a ReDoS vulnerability via extglob quantifiers (GHSA-c2c7-rcm5-vvqj)
  • yaml 1.10.2 → 1.10.3 — resolves moderate stack overflow via deeply nested YAML collections (GHSA-48c2-rrv3-qjmp)

🐛 Bug Fixes

Docker / Container

• Docker container initialization fixes for PUID/PGID handling — Thanks @CodeBormen:
  • Missing /data/backups directory: Backups were failing on existing installations because /data/backups was missing from the init script's ownership migration list, causing it to be skipped and left with incorrect permissions.
  • Crash on upgrade with external mounts: When data directories are hosted on NFS, SMB/CIFS, or FUSE mounts, a chown failure would abort container startup entirely under set -e, breaking setups that worked fine on the previous image with no configuration changes. The init script now tolerates these failures gracefully — affected directories are collected and reported in a single consolidated warning with remediation steps, and the container continues to start normally.
  • Upgrading users running as UID 102: The PUID/PGID auto-detect introduced in v0.21.0 read ownership from /data/db, which held UID 102 (the internal PostgreSQL system user) in pre-v0.21.0 images. This caused host-side file access (SSH, WinSCP, etc.) to break, existing data files to become unwritable, and comskip to fail on recordings created before the upgrade. PUID/PGID now default to 1000 — matching the UID Django ran as in all previous releases — when not explicitly set.

✨ New Features

TV Guide Program Enhancements

• TV Guide program cards now display richer metadata — Thanks @CodeBormen: (Closes #1065)
  • Season/episode badges (e.g. S12E06) on program cards
  • Episode subtitles shown below the program title; falls back to the short description when unavailable
  • Status badges: LIVE, NEW, PREMIERE, and FINALE on both cards and the detail modal
  • Program detail modal: Click any program to view full details — poster, season/episode, subtitle, duration, categories, cast/credits, content rating, ratings, air dates, video quality, and links to IMDb and TMDB
  • Real-time progress bars on currently-airing programs
  • Channel name tooltip when hovering the channel logo column

DVR Enhancements

• Major DVR improvements across recording management, reliability, and metadata — Thanks @CodeBormen:
  • Stop Recording: New Stop button ends a recording early while keeping the partial file for playback (distinct from Cancel). (Closes #454)
  • Extend Recording: Extend in-progress recordings by 15, 30, or 60 minutes without interrupting the stream.
  • Inline metadata editing: Edit title and description directly in the recording details modal.
  • Refresh artwork button: Manually re-fetch poster art from the recording card.
  • Multi-source poster resolution: Artwork now queries EPG, VOD, TMDB, OMDb, TVMaze, and iTunes.
  • Series rules for currently-airing episodes: Series rules now capture currently-airing episodes in addition to future ones. (Closes #473)
  • Search and filter controls added to the recordings list.
  • Automatic crash recovery: Recordings stuck in "recording" status are automatically recovered when the worker restarts.

Account Expiration Tracking for M3U Profiles

• M3U account profiles now track and alert on subscription expiration dates:
  • New Expiration column in the M3U accounts table shows the nearest expiration date per account, color-coded: red = expired, orange = expiring soon, white = OK. Hover for per-profile details.
  • For Xtream Codes accounts, expiration dates are automatically synced from the provider. Non-XC accounts support manual date entry.
  • Notifications are raised when an account is expiring within 7 days or has already expired, and are automatically cleared when the date is updated or removed.

Configurable Sidebar Navigation

• The sidebar can now be customized per user — Thanks @jcasimir:
  • Reorder nav items via drag-and-drop in Settings → UI Settings → Navigation.
  • Hide individual nav items using the eye toggle.
  • A "Reset to Default" button restores the default order.
  • Changes take effect immediately without a page reload.

Floating Video Player Improvements

• Title display: The channel, stream, or VOD title is now shown in the player header bar.
• Persistent state: Size, position, volume, and mute state are saved across sessions and restored on next open.

New Client Buffer Setting

• New Client Buffer setting in Settings → Proxy: new clients joining an active channel are buffered a configurable number of seconds behind live. Defaults to 5 seconds. Set to 0 for no buffer.

Channel Table Has Stale Streams Filter

• New Has Stale Streams filter in the channel table highlights and filters channels containing stale streams (shown with an orange tint). — Thanks @JCBird1012

Next Highest Channel Numbering Mode

• A new Next Highest option is now available when creating channels from the Streams table (both bulk and single-stream). Selecting it assigns channel numbers starting one above the current highest existing channel number. (Closes #1000) — Thanks @JCBird1012

Column Sorting Enhancements

• Sort icons added to the Group and EPG columns in the Channels table, and the Group column in the Streams table. Click to cycle through ascending/descending/unsorted. (Closes #854) — Thanks @CodeBormen

🔄 Changes & Improvements

Dependency Updates

• Django upgraded from 5.2.11 → 6.0.3 (see Security section)
• django-celery-beat updated to ≥2.9.0

EPG

• The EPG source dropdown when assigning a channel now only lists enabled (active) EPGs, sorted alphabetically.
• EPG output no longer includes already-ended programs when no days parameter is specified.

Channels Page Layout

• Default Channels page splitter ratio changed from 50/50 to 60/40 (channels/streams) so all channel action buttons are visible without scrolling on 1080p displays.

Frontend Refactoring

• Various frontend components refactored for better maintainability and consistency. — Thanks @nick4810

🐛 Bug Fixes

DVR

• Fixed duplicate recordings being created for sessions scheduled more than one hour out. (Fixes #940, #641) — Thanks @CodeBormen
• Fixed recordings failing to resume after transient network drops; recordings now reconnect automatically.
• Fixed recordings stuck in "recording" status after a worker restart not being recovered. (Fixes #619, #624)
• Fixed output file collisions when multiple recordings targeted the same filename.
• Fixed deleting a completed recording incorrectly terminating an active stream on that channel.
• Fixed recording card logos not displaying.
• Fixed poster artwork lookup producing incorrect results for channels with special characters in their name.
• Fixed the series modal incorrectly showing "No upcoming episodes".
• Fixed series rule deletion leaving orphaned recordings and stale Guide indicators. (Fixes #1041)
• Fixed series rules dropping scheduled recordings for users in UTC-negative timezones after 4 pm local time. (Fixes #1042)
• Fixed the recording detail modal crashing on load in production builds.
• Fixed the description field losing focus immediately when opened in the recording detail modal.
• Fixed comskip causing post-processing to fail on recordings with no commercials.
• Fixed season/episode badges overlapping on recording cards.
• Fixed the series rule modal showing a blank state instead of a delete option when the parent rule no longer exists.
• Fixed series rule creation returning a 500 error when stored rule data was corrupted. (Fixes #1059) — Thanks @CodeBormen

TS Proxy & Streaming

• Fixed clients getting stuck indefinitely when a stream fails to recover during failover. (Fixes #1103) — Thanks @cmcpherson274 & @CodeBormen
• Fixed ghost clients and channels stuck in the initializing state. (Fixes #695, #669) — Thanks @CodeBormen
• Fixed connection slot leaks that could cause stream limits to be exceeded. (Fixes #947) — Thanks @CodeBormen & @patchy8736
• Fixed streams dying after 30–200 seconds in multi-worker deployments. (Fixes #992, #980) — Thanks @PFalko
• Fixed audio sync issues on the client side when streams switch between sources. (Fixes #1102) — Thanks @cmcpherson274
• Fixed client lag recovery jumping clients too far forward in the buffer unnecessarily.

M3U & EPG

• Fixed memory leak during M3U/XC refresh causing 20–80 MB growth per refresh cycle. (Fixes #1012, #1053) — Thanks @CodeBormen
• Fixed a crash when providers send invalid values for adult content flags. (Fixes #1061) — Thanks @JCBird1012
• Fixed M3U attributes (e.g. tvg-logo) being silently dropped when values contained = characters. (Fixes #1055) — Thanks @JCBird1012
• Fixed XC stream refresh crashing when a provider returns streams with a null or empty name; affected streams are assigned a fallback name.
• Fixed 504 Gateway Timeout when saving M3U group settings on slower hardware (e.g. Synology NAS). (Fixes #745) — Thanks @nickgerrer
• Fixed EPG parsing dropping entire batches of programmes when a title exceeded 255 characters. (Fixes #1039)
• Fixed currently-airing programs missing from EPG output immediately after a refresh.
• Fixed table flickering and instability during M3U imports. — Thanks @marcinolek

Docker & System

• Fixed container startup failure when PUID/PGID is set due to database folder ownership conflicts. Existing installations are migrated automatically on first startup. (Fixes #1078) — Thanks @CodeBormen
• Fixed uWSGI segfaults on ARM64/Python 3.13 in dev and debug configurations. — Thanks @jcasimir
• Fixed spurious timezone-related warnings emitted during startup and record creation.
• Fixed several modular mode deployment issues — Thanks @CodeBormen:
  • DVR recordings failed when DISPATCHARR_PORT was set to a non-default value.
  • Environment variables (e.g. REDIS_HOST) were not available during the Redis readiness check.
  • Environment variable changes after a container restart could be silently ignored.
  • Celery worker could hang indefinitely on startup if the web container was slow to start.
  • db and redis containers now wait for actual health-check readiness before starting dependent services.
  • Added host.docker.internal resolution support for Linux hosts.
  • Modular mode Redis flush now preserves Celery queue data. (Fixes #1045)
• Fixed debian_install.sh failures in non-UTF8 environments (e.g. minimal...

🐛 Bug Fixes

Channel Table & UI

• Fixed EPG filter regression in channel table (introduced in v0.20.0 channel store refactor): The EPG filter dropdown was showing all EPG sources regardless of whether they had any channels assigned, and the "No EPG" option was never displayed. Only EPG sources with at least one channel assigned now appear as filter options, and "No EPG" correctly appears when at least one channel has no EPG assigned. (Fixes #1044)
• Fixed stale stream rows missing hover effect in both the main streams table and the channel-streams sub-table. Stale rows now display consistent hover behavior and background colors across all stream tables.
• Fixed channel table onboarding message incorrectly appearing when filters returned zero results instead of only when no channels exist at all. (Fixes #1031)

TV Guide

• Fixed TV Guide losing scroll position when a filter temporarily yields no results (e.g. switching between channel groups or typing a search query that matches nothing). The guide now preserves and restores the user's scroll position across filter transitions instead of resetting to the beginning. First load still scrolls to the current time as before.

Installation & Setup

• Fixed several debian_install.sh regressions after the uv migration on clean/minimal Debian installs. - Thanks @marcinolek

🔒 Security

• Updated frontend npm dependencies to resolve 2 high-severity vulnerabilities:
  • High: Updated minimatch to ≥10.2.3, resolving ReDoS via combinatorial backtracking with multiple non-adjacent GLOBSTAR segments (GHSA-7r86-cg39-jmmj)
  • High: Updated rollup to ≥4.58.1, resolving Arbitrary File Write via Path Traversal (GHSA-mw96-cpmx-2vgc)

🐛 Bug Fixes

Authentication & Login

• Fixed a regression introduced in v0.20.0 where the login button was permanently rendered as disabled ("Logging you in...") immediately on page load after a session expired, preventing users from logging back in; LoginForm checked if (user) to detect an already-authenticated reload, but the Zustand auth store initializes user as a truthy empty object ({ username: '', email: '', user_level: '' }), so the loading state was set on every mount before any credentials were entered (Fixes #1029)

✨ New Features

API Key Authentication

• Added support for API key-based authentication as an alternative to JWT tokens
• Users can generate and revoke their own personal API key from their profile page, enabling programmatic access for scripts, automations, and third-party integrations without exposing account credentials
• Keys authenticate via the Authorization: ApiKey <key> header or the X-API-Key: <key> header
• Admin users can additionally generate and revoke keys on behalf of any user

Event-Driven Integrations (Webhooks & Scripts)

• Added new Integrations feature that enables event-driven execution of custom scripts and webhooks in response to system events (Closes #203)
• Features include:
  • Supported event types: channel lifecycle (start, stop, reconnect, error, failover), stream operations (switch), recording events (start, end), data refreshes (EPG, M3U), and client activity (connect, disconnect)
  • Event data delivery: available as environment variables in scripts (prefixed with DISPATCHARR_), POST payloads for webhooks, and plugin execution payloads
  • Plugin support: plugins can subscribe to events by specifying an events array in their action definitions
  • Connection testing: test endpoint with dummy payloads for validation before going live
  • Custom HTTP headers: webhook connections support configurable key/value header pairs
  • Per-event Jinja2 payload templates: each enabled event can have its own template rendered with the full event payload as context; rendered output is sent as JSON (with Content-Type: application/json set automatically) if valid, or as a raw string body otherwise
  • Tabbed connection form: Settings, Event Triggers, and Payload Templates organized into separate tabs for clarity

Cron Scheduling for M3U and EPG Refreshes

• Added interactive cron expression builder with preset buttons and custom field editors for M3U and EPG refresh scheduling (Closes #165)
• Info popover with common cron examples for easy reference
• Refactored backup scheduling to use shared ScheduleInput component for consistency across all scheduling interfaces

Channel Numbering Modes for Auto Channel Sync

• Added three channel numbering modes when auto-syncing channels from M3U groups (Closes #956, #433):
  • Fixed Start Number (default): Start at a specified number and increment sequentially
  • Use Provider Number: Use channel numbers from the M3U source (tvg-chno), with configurable fallback if provider number is missing
  • Next Available: Auto-assign starting from 1, skipping all used channel numbers
• Each mode includes its own configuration options accessible via the "Channel Numbering Mode" dropdown in auto sync settings

Custom Dummy EPG Subtitle Templates

• Added optional subtitle template field to custom dummy EPG configuration (Closes #942)
• Users can now define subtitle patterns using extracted regex groups and time/date placeholders (e.g., {starttime} - {endtime})

Streamer Account Login Notification

• Streamer accounts attempting to log into the web UI now receive a clear notification explaining they cannot access the UI but their stream URLs still work
• Previously the login button would silently stop with no feedback

Legacy NumPy Support for Modular Docker

• Added entrypoint detection and automatic installation for the Celery container (USE_LEGACY_NUMPY) to support older CPUs - Thanks @patrickjmcd

🔄 Changes & Improvements

TV Guide Performance

• Optimized the TV Guide with horizontal culling for off-screen program rows, rendering only visible programs
• Throttled now-line position updates and improved scroll performance
• Reduces unnecessary DOM work and improves responsiveness with large EPG datasets

Channel Store Optimization

• Refactored frontend channel loading to only fetch channel IDs on initial login (matching the streams store pattern), instead of loading full channel objects upfront
• Full channel data is now fetched lazily as needed
• Dramatically reduces login time and initial page load when large channel libraries are present

Stream Profile Form Rework

• Replaced the plain command text field with a dropdown listing built-in tools (FFmpeg, Streamlink, VLC, yt-dlp) plus a Custom option that reveals a free-text input
• Each built-in now shows its default parameter string as a live example in the Parameters field description, updating as the command selection changes
• Added descriptive help text to all fields to improve clarity

Custom Dummy EPG Form UI Improvements

• Reorganized the form into collapsible accordion sections (Pattern Configuration, Output Templates, Upcoming/Ended Templates, Fallback Templates, EPG Settings) for better organization
• Field descriptions now appear in info icon popovers instead of taking up vertical space, making the form more compact and easier to navigate while keeping help text accessible

XC API Compatibility Improvements

• M3U generation for Xtream Codes API endpoints now uses proper XC-style stream URLs (/live/username/password/channel_id) instead of UUID-based stream endpoints, ensuring full compatibility with XC clients (Fixes #839)
• get_series now includes tmdb_id and imdb_id fields, matching get_vod_streams; clients that use TMDB enrichment (e.g. Chillio) can now resolve clean series titles and poster images - Thanks @firestaerter3

Lightweight Channel Summary API

• Added new /api/channels/summary/ endpoint returning only minimal channel data (id, name, logo) needed for TV Guide and DVR scheduling
• Avoids the overhead of serializing full channel objects for high-frequency UI operations

DVR Scheduling UX

• Channel selector now displays the channel number alongside the channel name when scheduling a recording

Dependency Updates

• Django 5.2.9 → 5.2.11 (security patch; see Security section)
• celery 5.6.0 → 5.6.2
• psutil 7.1.3 → 7.2.2
• torch 2.9.1+cpu → 2.10.0+cpu
• sentence-transformers 5.2.0 → 5.2.3
• ajv 6.12.6 → 6.14.0 (security patch; see Security section)
• minimatch enforced ≥10.2.2 via npm overrides (security patch; see Security section)
• react / react-dom 19.2.3 → 19.2.4
• react-router-dom / react-router 7.12.0 → 7.13.0
• react-hook-form 7.70.0 → 7.71.2
• react-draggable 4.4.6 → 4.5.0
• @tanstack/react-table 8.21.2 → 8.21.3
• video.js 8.23.4 → 8.23.7
• vite 7.3.0 → 7.3.1
• zustand 5.0.9 → 5.0.11
• allotment 1.20.4 → 1.20.5
• prettier 3.7.4 → 3.8.1

🐛 Bug Fixes

Admin & Permissions

• Fixed admin permission checks inconsistently using is_superuser/is_staff instead of user_level>=10, causing API-created admin accounts to intermittently see the setup page, lose access to backup endpoints, and miss admin-only notifications; manage.py createsuperuser now also correctly sets user_level=10 (Fixes #954) - Thanks @CodeBormen

DVR & Scheduling

• Fixed a bug where scheduling a one-time recording for a future program caused the recording to start immediately instead of at the scheduled time
• Fixed auto channel sync creating duplicate channel numbers across groups; used channel number tracking now persists across all groups in a single sync operation, ensuring globally unique assignments

XtreamCodes API

• Fixed get_live_streams and get_vod_info returning the added field as an integer instead of a string (e.g., "1708300800"), fixing compatibility with XC clients that have strict JSON serializers such as Jellyfin's Xtream Library plugin (Closes #978)
• Fixed credential extraction in get_transformed_credentials() to use negative indices anchored to the known tail structure instead of hardcoded indices that broke when server URLs contained sub-paths (e.g., http://server.com/portal/a/) (Fixes #945) - Thanks @CodeBormen
• Fixed EPG URL construction in M3U forms to normalize server URL to origin before appending xmltv.php endpoint, preventing double slashes and incorrect path placement when server URLs include sub-paths or trailing slashes (Fixes #800) - Thanks @CodeBormen

VOD & Proxy

• Fixed connection counter leak in the VOD proxy where counters were not properly decremented on client disconnect, causing the connection pool to lose track of available connections (Fixes #962, #971, #451, #533) - Thanks @CodeBormen
• Fixed VOD episode UUID regeneration on every refresh: a pre-emptive Episode.objects.delete() ran before batch_process_episodes, defeating update-in-place logic and forcing all episodes to be recreated with new UUIDs; clients with cached episode paths received 500 errors until a full library rescan (Fixes #785, #985, #820) - Thanks @znake-oil
• Fixed VOD stale episode stream cleanup being scoped incorrectly across providers; cleanup is now scoped to the specific M3USeriesRelation that was queried, preventing deletion of episode relations belonging to a different provider version of the same series

Stream Profile Form

• Fixed the User-Agent field not correctly loading from an existing profile when opening the edit modal (Fixes #650)

Channels Table

• Fixed the group dropdown in the channel table now being sorted alphabetically

Modular Docker Deployment

• Fixed modular mode PostgreSQL/Redis connection checks: replaced raw Python socket checks with native tools (pg_isready for PostgreSQL and socket.create_connection for Redis) to prevent indefinite hangs in Docker environments with non-standard networking or DNS configurations; properly supports IPv4 and IPv6 (Fixes #952) - Thanks [@code...

✨ New Features

System Notifications and Update Checks

• Added real-time notifications for system events and alerts with centralized notification center UI component
• Per-user notification management and dismissal capabilities for personalized notification handling
• Automatic update checking on startup and every 24 hours to notify users of available new versions
• Automatic cleanup of expired notifications to maintain system performance

Streams Table Enhancements

• Added column visibility and TVG-ID enhancements - Thanks @CodeBormen:
  • Column visibility toggle menu allowing users to show/hide optional columns (TVG-ID, Stats) with optional columns hidden by default for cleaner default view
  • TVG-ID column with search filtering and sort capability for better stream organization (Closes #866)
• Frontend now automatically refreshes streams and channels after a stream rehash completes, ensuring the UI is always up-to-date following backend merge operations

Frontend Testing Framework

• Added comprehensive unit tests for React hooks and Zustand stores with code refactoring - Thanks @nick4810:
  • useLocalStorage hook tests with localStorage mocking and error handling
  • useSmartLogos hook tests for logo loading and management
  • useTablePreferences hook tests for table settings persistence
  • useAuthStore tests for authentication flow and token management
  • useChannelsStore tests for channel data management
  • useUserAgentsStore tests for user agent CRUD operations
  • useUsersStore tests for user management functionality
  • useVODLogosStore tests for VOD logo operations
  • useVideoStore tests for video player state management
  • useWarningsStore tests for warning suppression functionality
  • Code refactoring for improved readability and maintainability

EPG Auto-Matching Advanced Options

• Added advanced options to strip prefixes, suffixes, and custom text from channel names to assist EPG matching
• Default matching behavior and settings remain unchanged for backward compatibility (Closes #771) - Thanks @CodeBormen

Redis Authentication Support

• Added support for authentication when connecting to external Redis instances for modular deployments (Closes #937) - Thanks @CodeBormen:
  • Supports both password-only authentication (Redis <6) and username + password authentication (Redis 6+ ACL)
  • Configured via REDIS_PASSWORD and REDIS_USER environment variables with URL encoding for special characters

Plugin System Enhancements

• Plugin logos: If a plugin ZIP includes logo.png, it is surfaced in the Plugins UI and shown next to the plugin name
• Plugin manifests (plugin.json) for safe metadata discovery, with legacy warnings and folder-name fallbacks when a manifest is missing
• Plugin stop hooks: Dispatcharr now calls a plugin's optional stop() method (or run("stop") action) when disabling, deleting, or reloading plugins to allow graceful shutdown
• Plugin action buttons can define button_label, button_variant, and button_color (e.g., Stop in red), falling back to "Run" for older plugins
• Plugin card metadata: Plugins can specify author and help_url in plugin.json to show author and documentation link in the UI
• Plugin cards can now be expanded/collapsed by clicking the header or chevron to hide settings and actions

Network Access Reset Button

• Added a "Reset to Defaults" button to the Network Access settings form, matching the functionality in Proxy Settings
• Users can now quickly restore recommended network access settings with one click

🔄 Changes & Improvements

XtreamCodes Performance Optimization

• Reduced API calls during XC refresh by 50% by eliminating redundant authentication step
• Should significantly help reduce rate-limiting errors from XtreamCodes providers

Application Initialization Efficiency

• Refactored app initialization to prevent redundant execution across multiple worker processes
• Created dispatcharr.app_initialization utility module with should_skip_initialization() function that prevents custom initialization tasks (backup scheduler sync, developer notifications sync) from running during management commands, in worker processes, or in development servers
• Significantly reduces startup overhead in multi-worker deployments (e.g., uWSGI with 10 workers now syncs the scheduler once instead of 10 times)
• Applied to both CoreConfig and BackupsConfig apps

M3U/EPG Network Access Security Defaults

• Updated default network access settings for M3U and EPG endpoints to only allow local/private networks by default (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, ::1/128, fc00::/7, fe80::/10)
• Improves security by preventing public internet access to these endpoints unless explicitly configured
• Other endpoints (Streams, XC API, UI) remain open by default for compatibility

Modular Deployment Improvements

• Bumped modular Postgres image to version 17 for improved performance and features
• Added compatibility checks (PostgreSQL version and UTF-8 database encoding) when using external databases to prevent migration and encoding issues

Stream Identity Stability

• Added stream_id (provider stream identifier) and stream_chno (provider channel number) fields to Stream model
• For XC accounts, the stream hash now uses the stable stream_id instead of the URL when hashing, ensuring XC streams maintain their identity and channel associations even when account credentials or server URLs change
• Supports both XC num and M3U tvg-chno/channel-number attributes

Swagger/OpenAPI Migration

• Migrated from drf-yasg (OpenAPI 2.0) to drf-spectacular (OpenAPI 3.0) for API documentation
• Provides native Bearer token authentication support in Swagger UI - users can now enter just the JWT token and the "Bearer " prefix is automatically added
• Modern OpenAPI 3.0 specification compliance with better auto-generation of request/response schemas
• Improved documentation accuracy with serializer introspection

Package Management Migration

• Switched to uv for package management (Astral's fast Python package installer) for improved dependency resolution speed and reliability
• Updates to Docker build processes, installation scripts (debian_install.sh), and project configuration (pyproject.toml) to leverage uv's features like virtual environment management and lockfile generation - Thanks @tobimichael96 for getting it started!

Copy to Clipboard Refactoring

• Refactored copyToClipboard utility function to include notification handling internally, eliminating duplicate notification code across the frontend
• Function now accepts optional parameters for customizing success/failure messages while providing consistent behavior across all copy operations

🐛 Bug Fixes

XtreamCodes EPG Logic

• Fixed EPG filtering issues where short EPG requests had no time-based filtering (returning expired programs) and regular EPG requests used start_time__gte (missing the currently playing program)
• Both now correctly use end_time__gt to show programs that haven't ended yet, with short EPG additionally limiting results (Fixes #915)

Automatic Backups Initialization

• Fixed automatic backups not being enabled by default on new installations
• Added backups app to INSTALLED_APPS and implemented automatic scheduler initialization in BackupsConfig.ready()
• Backup scheduler now properly syncs the periodic task on startup, ensuring automatic daily backups are enabled and scheduled immediately on fresh database creation without requiring manual user intervention

Modular Docker Deployment

• Fixed modular Docker Compose deployment and entrypoint/init scripts to properly support DISPATCHARR_ENV=modular, now correctly using external PostgreSQL/Redis services with proper port, version, and encoding validation (Closes #324, Fixes #61, #445, #731) - Thanks @CodeBormen

Stream Rehash and Merge Logic

• Stream rehash/merge logic now guarantees unique stream_hash and always preserves the stream with the best channel ordering and relationships
• Prevents duplicate key errors and ensures the correct stream is retained when merging (Fixes #892)

Admin URL Conflict Resolution

• Updated nginx configuration to only redirect exact /admin and /admin/ paths to login in production
• Prevents interference with stream URLs that use "admin" as a username (e.g., /admin/password/stream_id now properly routes to stream handling instead of being redirected)

EPG Channel ID XML Escaping

• Fixed XML parsing errors in EPG output when channel IDs contain special characters (&, <, >, ") by properly escaping them in XML attributes (Fixes #765) - Thanks @CodeBormen

NumPy Baseline Detection

• Fixed NumPy baseline detection in Docker entrypoint
• Now properly detects when NumPy crashes on import due to CPU baseline incompatibility and installs legacy NumPy version
• Previously, if NumPy failed to import, the script would skip legacy installation assuming it was already compatible

Backup Scheduler Testing

• Fixed test to correctly validate that automatic backups are enabled by default with a retention count of 3, matching the actual scheduler defaults - Thanks @jcasimir

Plugin System Security and Stability

• Hardened plugin loading to avoid executing plugin code unless the plugin is enabled
• Prevented plugin package names from shadowing standard library or installed modules by namespacing plugin imports with safe aliases
• A...

Fixed

• Series Rules API Swagger Documentation: Fixed drf_yasg validation error where TYPE_ARRAY schemas were missing required items parameter, causing module import failure