2026-06-01

Security hardening and performance improvements

  • TL;DR - Actions on the site should feel MUCH faster.
  • Hardened podcast import URL handling to block unsafe feed, image, media, chapter, and transcript URLs, including local/private network targets and unsafe redirects.
  • Fixed several import edge cases around verification links, duplicate/concurrent imports, archived imports, bad episode dates, and imports with no queued media assets.
  • Optimized analytics queries and chart loading to improve performance, reduce duplicate requests, and make date/time buckets more reliable across timezones.
  • Fixed analytics date range handling so imported shows with older episode dates and default analytics views render correctly.
  • Reduced Docker image sizes by removing build dependencies from runtime images, trimming copied files, and using PHP-only images.
  • Fixed show overview lifetime download counts so archived, deleted, and hidden episodes are no longer included.
  • Fixed episode overview transcript status so completed transcripts with unidentified speakers no longer incorrectly show as fully done.
  • Fixed proof-of-work reliability issues around challenge refreshes, spoofable IP bypasses, subdomain detection, and test coverage.
  • Fixed build warnings for custom fonts by making font assets resolve correctly during the Vite build.
  • Fixed a bug where imported shows were not saving the owner email from the RSS feed’s tag.
  • Fixed a bug where Inertia JSON responses could sometimes be shown instead of the rendered page; dashboard and main website page variants are no longer cached.
  • Fixed inconsistent visibility filtering so attic/deleting episodes and shows are excluded from public websites, share/player pages, feeds, subscribers, analytics, and scheduled publishing.