
2026-04-18
Security
v1.5.3

Status API path injection fix and credential hardening

This patch fixes a path injection vulnerability in the emergency audio API endpoints. It also removes insecure built-in credential defaults from the Status API and Analytics services.

Breaking changes

  • ICECAST_ADMIN_USER and ICECAST_ADMIN_PASSWORD are now required — The Status API and Analytics services no longer fall back to built-in default credentials. If these variables are not set in your .env file, Icecast admin endpoints will return an error. The installer already generates these values, so existing deployments created with install.sh are unaffected.

Security fixes

  • Emergency audio path injection — File list, upload, and delete operations for emergency audio now use canonicalized paths restricted to a fixed set of expected filenames (fallback.mp3, fallback.ogg, etc.). Previously, crafted filenames could reference files outside the emergency audio directory.
  • Removed built-in Icecast credential defaults — The Status API and Analytics tracker no longer default to admin / changeme for Icecast connections. Credentials must be explicitly configured via ICECAST_ADMIN_USER and ICECAST_ADMIN_PASSWORD.
  • Suppressed raw exception text in API responses — Error responses from the Status API container, command, and Icecast handlers no longer leak internal exception details to clients.
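The two hardening changes above (no built-in Icecast credential fallback, and error responses that do not echo exception text) as an added Python example; this is not the project's code, and the ConfigError class, the function names and the correlation-id scheme are assumptions made for the illustration.

```python
import logging
import os
import uuid
from typing import Mapping

log = logging.getLogger("status_api")


class ConfigError(RuntimeError):
    """Raised when a required setting is missing; the service fails closed."""


def icecast_admin_credentials(env: Mapping[str, str]) -> tuple[str, str]:
    """Return (user, password) from the environment with no built-in fallback.

    Before v1.5.3 the services silently fell back to admin / changeme when
    the variables were absent. This version treats a missing or empty value
    as a configuration error so the admin client never starts with a guessable
    credential.
    """
    user = env.get("ICECAST_ADMIN_USER", "").strip()
    password = env.get("ICECAST_ADMIN_PASSWORD", "")
    if not user or not password:
        raise ConfigError(
            "ICECAST_ADMIN_USER and ICECAST_ADMIN_PASSWORD must be set in .env"
        )
    return user, password


def error_payload(exc: Exception, status: int = 500) -> tuple[dict, int]:
    """Build a client-facing error body that omits the exception text.

    The full traceback is logged server-side under a short correlation id
    (assumed scheme), so an operator can find it while the client only ever
    sees a generic message and the id.
    """
    ref = uuid.uuid4().hex[:12]
    log.error("request failed ref=%s", ref, exc_info=exc)
    return {"error": "internal error", "ref": ref}, status


if __name__ == "__main__":
    try:
        icecast_admin_credentials(os.environ)
    except ConfigError as e:
        print(e)
```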

Updates

  • Added top-level permissions: contents: read to the lint and Docker build CI workflows for least-privilege enforcement.
Full changelog: v1.5.2…v1.5.3
2026-04-17
Release
v1.5.2

Optional status panel and installer reliability

The status dashboard is now fully optional. A new ENABLE_STATUS_PANEL environment variable controls whether the status API runs, making minimal deployments simpler and reducing resource usage when you don’t need the operator dashboard.

New features

  • Optional status panel — The status API and its nginx routes are now disabled by default. Set ENABLE_STATUS_PANEL=1 in your .env file to enable it. The installer prompts you during setup. See configuration for details.

Bug fixes

  • Fixed nginx startup on non-root containers — Resolved permission errors that could prevent nginx from starting by moving temporary file paths to writable locations.
  • Fixed Let’s Encrypt certificate name collisions — Certificate issuance now uses a dedicated bootstrap nginx configuration, preventing container name conflicts when requesting new certificates.
  • Improved installer container handling — The installer now detects and removes conflicting container names before starting services, preventing failures during updates.
Full changelog: v1.5.1…v1.5.2
2026-04-10
Security
v1.5.1

Security hardening and installer reliability

This update strengthens network security for operator-facing endpoints, tightens Appwrite authentication defaults, improves status API host binding, and fixes installer compatibility.

Breaking changes

  • APPWRITE_TEAM_ID is now required when APPWRITE_PROJECT_ID is set. The installer enforces this during setup. If you have an existing deployment with APPWRITE_PROJECT_ID but no APPWRITE_TEAM_ID, add the team ID to your .env file before upgrading.

Security fixes

  • HTTPS enforcement for operator endpoints — HTTP requests to /api/ and /icecast-admin/ are now redirected to HTTPS with a 308 Permanent Redirect. Public media endpoints (/hls/, /listen/) remain available on HTTP for player compatibility.
  • Alert ingestion restricted to internal networks — The /api/alert endpoint is now restricted at the reverse proxy level to private and loopback IP addresses only. External requests receive a 403 Forbidden response.
  • Safer status API bind host — The status API no longer binds to all interfaces (0.0.0.0). It defaults to 127.0.0.1 and auto-detects the container IP when running inside Docker. You can override this with the STATUS_PANEL_HOST environment variable. See configuration for details.
  • Path traversal protection — Emergency audio file deletion now validates file paths to prevent directory traversal attacks.
  • Dashboard CVE fix — Updated Next.js to 16.2.3 to address CVE-2026-23869.
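The check behind the "Path traversal protection" entry above and the v1.5.3 "Emergency audio path injection" fix (allowlist of expected filenames plus canonicalised-path containment), as an added Python example that is not the project's own code; the base directory, the exception class and an allowlist limited to fallback.mp3 and fallback.ogg are assumptions.

```python
import os
from pathlib import Path

# Fixed set of expected emergency-audio names. The page names fallback.mp3 and
# fallback.ogg; any further entries are an assumption and are left out here.
ALLOWED_EMERGENCY_FILES = frozenset({"fallback.mp3", "fallback.ogg"})


class InvalidEmergencyFile(ValueError):
    """Raised when a requested name is not one of the expected files."""


def resolve_emergency_file(base_dir: str, requested: str) -> Path:
    """Map a client-supplied name to a path inside base_dir, or raise.

    Two independent checks, in the order the changelog describes:
      1. the name must be in the fixed allowlist, which on its own rejects
         '../' segments, absolute paths, NUL bytes and unexpected extensions;
      2. the joined path is canonicalised with realpath() and must still sit
         directly under the canonical base directory, so a symlink planted
         under an expected name cannot redirect a delete or overwrite.
    """
    if requested not in ALLOWED_EMERGENCY_FILES:
        raise InvalidEmergencyFile(f"unexpected filename: {requested!r}")
    base = Path(os.path.realpath(base_dir))
    target = Path(os.path.realpath(base / requested))
    if target.parent != base:
        raise InvalidEmergencyFile("path escapes emergency audio directory")
    return target


def is_safe_emergency_name(base_dir: str, requested: str) -> bool:
    """Boolean form used by list/upload/delete handlers before touching disk."""
    try:
        resolve_emergency_file(base_dir, requested)
        return True
    except InvalidEmergencyFile:
        return False
```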

Bug fixes

  • Improved installer compatibility — The installer scripts now use portable shell syntax, fixing potential failures on systems with strict POSIX shells.

Updates

  • Replaced Codacy CI workflows with SonarQube Cloud automatic analysis.
2026-04-08
Release
v1.5.0

Security fixes, Codacy integration, and code quality improvements

This release hardens the dashboard and Status API against network-level vulnerabilities, introduces Codacy for continuous code analysis, and addresses multiple code quality findings across the stack.

Security fixes

  • Dashboard API endpoint allowlist — Dashboard API requests are now restricted to a typed list of approved endpoints, preventing server-side request forgery (SSRF) via free-form path manipulation.
  • Status API loopback binding — The local Flask development entrypoint now binds to 127.0.0.1 instead of 0.0.0.0, preventing unintended exposure on all network interfaces.

New features

  • Codacy coverage reporting — A new GitHub Actions workflow discovers coverage reports and uploads them to Codacy on pull requests and pushes to main. Token setup and supported report locations are documented in the repository README.

Code quality

  • Removed unused shell variables and cleaned up installer password generation paths.
  • Fixed analytics lint and security findings, including webhook server binding annotations and Icecast URL handling.
  • Improved dashboard accessibility with explicit button types, stable alert keys, and a decorative SVG fix.
  • Pinned third-party GitHub Actions to full commit SHAs for supply-chain security.
  • Removed obsolete CodeRabbit configuration in favor of Codacy.
  • Updated contributor guidance for GitHub Issues and added AI PR reviewer instructions.
Full changelog: v1.4.1…v1.5.0
2026-04-06
Release
v1.4.1

CI fixes and ARM64 support

Bug fixes

  • ARM64 support for Status API — The Status API service now builds and runs on linux/arm64, fixing "no matching manifest" errors on ARM-based servers.
  • Removed deprecated --no-parallel flag — Docker Compose pull commands no longer use the deprecated --no-parallel option, eliminating warnings on newer Docker Compose versions.
  • Improved Docker digest verification — Enhanced Docker manifest inspection with retries, better error handling, and normalized digest comparison across registries.
Full changelog: v1.4.0…v1.4.1
2026-04-06
Release
v1.4.0

Security hardening and dependency updates

This release focuses on supply-chain security, container hardening, and automated code review tooling.

New features

  • CodeRabbit automated code review — Pull requests targeting main now receive automated reviews from CodeRabbit with per-path review instructions tuned to each service’s tooling (Ruff for Python, ESLint for TypeScript, hadolint for Dockerfiles).
  • TruffleHog secret scanning — A CI workflow scans every push and pull request for accidentally committed secrets. See security for local usage instructions.
  • Non-root containers — The Status API, Nginx, Analytics, and Icecast containers now run as non-root users (UID 1000) by default, reducing the blast radius of container escapes.

Security updates

  • Upgraded Nginx base image from alpine to stable-alpine-slim (pinned)
  • Upgraded Liquidsoap base image to latest v2.4.x release
  • Patched libsndfile, libfreetype6, libpng, openssl-provider-legacy, and dpkg in the Liquidsoap image
  • Upgraded Werkzeug from 2.3.8 to 3.1.6, fixing debugger RCE and multipart DoS vulnerabilities
  • Upgraded requests from 2.32.2 to 2.33.0, fixing credential leakage via .netrc parsing
  • Upgraded gunicorn from 22.0.0 to 23.0.0, fixing HTTP request splitting
  • Removed docker-cli from the Status API image in favor of the Python Docker SDK, reducing the attack surface
Full changelog: v1.4.0
2026-04-06
Release
v1.3.0

Improved status page and installer reliability

New features

  • Expanded stream endpoint cards — The root status page now shows cards for all stream formats (MP3 320 kbps, AAC 128 kbps, and others) with SVG icons and improved descriptions.
  • Responsive status page layout — The endpoint grid uses a two-column layout on desktop and single-column on mobile.
  • SEO protection — The root status page now includes a noindex, nofollow meta tag to prevent search engine indexing.

Updates

  • The installer now pulls fresh Docker images without cache during updates, ensuring deployments always use the latest images.
Full changelog: v1.3.0
2026-04-06
Release
v1.2.1

TypeScript configuration update

Updates

  • Updated the TypeScript configuration to include additional type definitions for Next.js, improving type checking and editor support in the dashboard project.
Full changelog: v1.2.1
2026-04-06
Release
v1.2.0

Branded status page and dashboard improvements

This release adds a customizable status page and improves the operator dashboard.

New features

  • Branded root status page — The Nginx reverse proxy now serves a styled HTML page at the root URL (/) featuring your station name, stream endpoints, and admin contact. The page is generated at container startup from STATION_NAME and STATION_ADMIN_EMAIL environment variables. See configuration for details.
  • Dashboard branding — The operator dashboard now displays the Sonicverse brand with gradient text in the header, login form, and a new footer with copyright, license, and documentation links.

Updates

  • Dashboard layout uses flexbox for consistent vertical alignment across pages.
  • TypeScript configuration updated to jsx: react-jsx for React 18+ compatibility.
  • Docker build workflow now handles both legacy and new manifest fields when verifying runtime platforms.
Full changelog: v1.2.0
2026-04-06
Release
v1.1.1

Docker Hub as primary registry and Code of Conduct

New features

  • Docker Hub as primary registry — Pre-built container images are now published to Docker Hub as the primary registry (docker.io/sonicverse/...). GHCR remains available as a mirror. The installer and docker-compose.yml pull from Docker Hub by default, which provides faster downloads for most users. See container registries below for image names.
  • Code of Conduct — A Code of Conduct now governs community interactions. All contributors and participants are expected to follow these guidelines.
  • Blacksmith CI runners — GitHub Actions workflows now run on Blacksmith runners for faster builds, automatic Docker layer caching, and improved observability.

Updates

  • The docker-compose.yml now references Docker Hub image names (docker.io/sonicverse/audiostreaming-stack-*) instead of GHCR.
  • The CI pipeline validates that images published to Docker Hub and GHCR have matching digests across linux/amd64, linux/arm64, and linux/386 platforms. It uses per-platform digest comparison for more robust verification.
  • Contributing guidelines now reference the Code of Conduct.

Container registries

Registry     Image prefix                                   Role
Docker Hub   docker.io/sonicverse/audiostreaming-stack-*    Primary (default)
GHCR         ghcr.io/sonicverse-eu/audiostreaming-stack/*   Mirror

If you previously pinned images to GHCR, they continue to work. No action is required for existing deployments using the default configuration — docker compose pull fetches the latest images from Docker Hub automatically.
Full changelog: v1.1.1
2026-04-06
Release
v1.1.0

Easier installation and flexible deployment

This release focuses on making the stack faster to deploy and easier to manage.

New features

  • One-line remote install — You can now install the stack with a single curl | bash command; there is no need to clone the repository first. The installer detects remote execution and handles everything automatically.
  • Pre-built container images — Deploy using pre-built images from Docker Hub instead of building locally. This significantly reduces setup time on low-powered servers. See the quickstart for details.
  • Minimal deployment mode — The installer now supports a minimal mode that starts only the core streaming services. It skips optional components like analytics and the status API, making it ideal for quick testing or resource-constrained environments.
  • Development mode — A new local build mode for contributors who want to build and test container images on their own machine.
  • Root-level dependency installer — A single script installs all development dependencies from the project root. Contributors no longer need to enter each service directory individually.

Updates

  • The installer now displays clearer step-by-step output with dynamic step numbering. This makes it easier to follow progress during setup.
  • The .env.example file now includes better descriptions and clearer defaults, so you know exactly which variables a minimal deployment requires. See configuration for details.
  • The Status Panel service is now called Status API across the project for consistency. No action is needed if you use the default configuration.
  • A community Slack channel is now available for support and collaboration. Look for the invite link in the project README.
Full changelog: v1.1.0
2025-04-05
Release
v1.0.0

Initial release

First stable release of the Audio Streaming Stack, prepared for open-source release as Sonicverse.

Security updates

  • Upgraded Debian from bookworm-slim to 13.4-slim
  • Upgraded Python from 3.12-slim to 3.15-rc-alpine3.22
  • Upgraded urllib3 from 2.0.7 to 2.6.3
  • Upgraded Next.js from 15.5.14 to 16.1.5
  • Fixed 16 vulnerabilities via Snyk

Dependency updates

  • Bumped @types/node from 22.19.17 to 25.5.2
  • Bumped typescript from 5.9.3 to 6.0.2
  • Bumped appwrite from 15.0.0 to 24.1.1
  • Bumped docker/setup-buildx-action from 3 to 4
  • Bumped docker/build-push-action from 6 to 7
  • Bumped docker/metadata-action from 5 to 6
  • Bumped docker/setup-qemu-action from 3 to 4
  • Bumped astral-sh/ruff-action from 1 to 3
Full changelog: v1.0.0