Update lscr.io/linuxserver/radarr Docker tag to v6.2.1

[renovate]

This PR contains the following updates:

Package	Update	Change
lscr.io/linuxserver/radarr (source)	minor	6.1.1 → 6.2.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[anshulg-dep-review]

Triage: YELLOW -- possible breakage, reviewer requested

Quick summary

Minor Radarr version bump (6.1.1 → 6.2.1) with no breaking changes documented in the upstream changelog and confirmed multi-arch support. However, the provenance researcher failed to complete due to token limits, leaving the source correspondence and publisher identity unverified. Manual verification of the image source is required before merge.

Updates table

Package	Old	New	Breaking	Changelog	Provenance
lscr.io/linuxserver/radarr	6.1.1	6.2.1	safe	additive features, bug fixes	failed

Required actions

1. lscr.io/linuxserver/radarr -- the provenance researcher failed to complete (token limit exceeded). Before merge, manually verify that the new image digest sha256:4c490ccd is from the expected LinuxServer publisher and that the source correspondence is intact. (See provenance report.)

Update summary

lscr.io/linuxserver/radarr 6.1.1 → 6.2.1

• Minor Radarr application bump (6.1.1.10360 → 6.2.1.10461) with no breaking changes or database migrations.
• New features: Simkl Anime List integration, PostgreSQL connection string option, qBittorrent API key support.
• Multiple qBittorrent authentication fixes (basic auth, cookie reuse, credential handling).
• Runtime bumps: .NET 8.0.12 → 8.0.27, NLog 5.4.0 → 5.5.1, Npgsql 9.0.3 → 9.0.5, and 30+ other dotnet dependency refreshes.
• SQLite busy timeout increased from 100ms to 1000ms (conservative improvement, no config change required).
• LinuxServer container layer unchanged except for package_versions.txt (no Dockerfile structural changes, no env var renames, no port/path changes).
• Multi-arch support confirmed: both linux/amd64 and linux/arm64 images present in the new manifest index.

Provenance

Provenance researcher failed to complete. The researcher encountered a token limit error and could not verify the image source, publisher identity, or digest correspondence. This is a required signal for a GREEN verdict. Manual verification is needed: confirm that the new image digest sha256:4c490ccd for tag 6.2.1 is published by the LinuxServer project on Docker Hub and that the source repository (the LinuxServer docker-radarr project) matches the expected upstream.

---

Sub-agent reports -- lscr.io/linuxserver/radarr

Breaking-change impact

I now have all the information I need. Let me compile the full impact report.

The key findings from my research:

1. PR: Single-file change — rpi5/radarr/statefulset.yaml image tag 6.1.1@sha256:079e488 → 6.2.1@sha256:4c490ccd
2. Architecture: Docker Hub API confirms sha256:4c490ccd manifest index contains both linux/amd64 and linux/arm64 — cluster's rpi5 arm64 nodes are covered
3. Radarr 6.2.1 changelog: No breaking changes — all additions (Postgres connection string option, Simkl integration, qBittorrent improvements, .NET 8.0.27 bump, SQLite busy timeout bump). No env var renames, no config schema changes, no data migrations
4. linuxserver/docker-radarr: The 6.2.1 tag was published 2026-06-10 (same day as this PR). The master commit is purely package_versions.txt updates (dotnet dependency bumps). No Dockerfile structural changes, no USER changes, no path changes
5. Deployment fingerprint: PUID=2011, PGID=3002, TZ=America/Los_Angeles, port 7878, probes at /ping, PVC at /config, hostPath /data, fsGroup=3002, memory limit 1Gi, VPA-managed
6. Blast radius: Leaf app — radarr itself + backup CronJob + oauth-proxy sidecar. No transitive dependents on radarr's data

---

Impact verdict: lscr.io/linuxserver/radarr 6.1.1 → 6.2.1 (PR #3415)

Verdict

safe_to_merge

This is a minor Radarr application version bump (6.1.1.10360 → 6.2.1.10437) with no breaking changes in the upstream changelog, no structural changes to the linuxserver Docker image, and confirmed multi-arch support (amd64 + arm64) in the new manifest index. All changes are additive features and dependency refreshes. Nothing in the deployment fingerprint intersects any upstream change.

Blast radius

• Scope: leaf_app
• Direct usage: 1 manifest — rpi5/radarr/statefulset.yaml
• Transitive dependents: 1 app
  • radarr-backup CronJob (rpi5/radarr/backup.yaml) — reads Radarr's /config PVC and calls the Radarr HTTP API (http://radarr) to trigger backup export; depends on Radarr being up and the API being reachable, but does not depend on any specific Radarr version behavior
• User-facing exposure:
  • Public hostnames affected: none
  • Internal (oauth-gated) hostnames affected: radarr.local, radarr.internal, radarr (Tailscale) — all gated behind oauth-proxy (3-replica Deployment)
  • Cron / scheduled jobs affected: radarr-backup (daily at 22:13 PT) — failure would be delayed-detect
• Failure mode if upgrade goes wrong: hard_down — rolling update would stall if the new container fails readiness at /ping:7878; old replica would continue serving until evicted (StatefulSet with 1 replica means brief unavailability during pod replacement)
• Recovery: trivial_rollback — pin old image tag 6.1.1@sha256:079e488, redeploy; no data written by the new version that the old version cannot read (SQLite schema migrations in this range are backward-compatible minor additions)

Required actions before merge

None.

Findings

F1: Radarr 6.2.1 — no breaking changes in version range

• Severity: informational
• Category: other
• What changed: Radarr 6.2.1.10437 adds: Postgres connection string option, Simkl Anime List integration, qBittorrent API key support and auth cookie reuse, .NET 8.0.27 bump, SQLite busy timeout increased to 1000ms, NLog 5.5.1, Npgsql 9.0.5, and various dotnet dependency refreshes. All changes are additive.
• Why it affects this deployment: It does not. This deployment uses SQLite (no Postgres), does not use qBittorrent, and does not use Simkl. The SQLite busy timeout increase (100ms → 1000ms) is a conservative improvement that reduces lock contention — no impact on existing config.
• Affected dependents: none
• Required action: no action — informational
• Source: Radarr upstream release notes for v6.2.1.10437
• Confidence: documented
• Render-limited: no

F2: linuxserver/docker-radarr image structure — no changes

• Severity: informational
• Category: image_structure
• What changed: The linuxserver 6.2.1 image (sha256:4c490ccd) was published 2026-06-10. The only change in the linuxserver/docker-radarr master branch is package_versions.txt (dotnet dependency version bumps). No Dockerfile changes, no USER changes, no WORKDIR changes, no entrypoint changes, no base image swap.
• Why it affects this deployment: It does not. PUID=2011/PGID=3002/fsGroup=3002 remain valid; /config PVC ownership is unchanged; /ping probe path is unchanged; port 7878 is unchanged.
• Affected dependents: none
• Required action: no action — informational
• Source: LinuxServer docker-radarr repository master branch
• Confidence: documented
• Render-limited: no

F3: Architecture support confirmed for arm64

• Severity: informational
• Category: architecture
• What changed: New image digest sha256:4c490ccd44d31feb49dc4cc542f2148a420fc1ae0c1ba94e59b39ba4bf112716 is a multi-arch OCI index.
• Why it affects this deployment: It does not — both required architectures are present. Docker Hub API response for tag 6.2.1 confirms: linux/amd64 (sha256:d4d5308d…, 92.9 MB) and linux/arm64 (sha256:36a93ff8…, 91.3 MB), both status active, pushed 2026-06-10T07:31.
• Affected dependents: none
• Required action: no action — informational
• Source: Docker Hub registry API for linuxserver/radarr tag 6.2.1
• Confidence: documented
• Render-limited: no

F4: VPA memory cap at 1Gi — no new resource pressure

• Severity: informational
• Category: resources
• What changed: .NET runtime bumped from 8.0.17 → 8.0.27; NLog, Npgsql, and other dotnet deps refreshed.
• Why it affects this deployment: No evidence of increased baseline memory usage in this version range. The VPA (radarr-vpa) caps memory at maxAllowed: 1Gi matching the existing limits.memory: 1Gi. No new sidecars or init containers introduced.
• Affected dependents: none
• Required action: no action — informational
• Source: rpi5/radarr/vpa.yaml, rpi5/radarr/statefulset.yaml
• Confidence: inferred
• Render-limited: no

Deployment fingerprint (summary)

Surface	Value
Image	lscr.io/linuxserver/radarr:6.2.1@sha256:4c490ccd
Container env vars	PUID=2011, PGID=3002, TZ=America/Los_Angeles
Ports	7878/TCP (named http)
Liveness probe	GET :7878/ping, delay 30s, period 30s, timeout 5s, failure 3
Readiness probe	GET :7878/ping, period 10s, timeout 5s, failure 3
Volume mounts	/config (PVC config-radarr-0, RWO, 5Gi), /data (hostPath /data), /etc/ssl/certs/ca-certificates.crt (ConfigMap anshulg-ca)
Security context	fsGroup: 3002 (pod-level); no container-level securityContext
Resources	requests: 250m CPU / 500Mi mem; limits: 1Gi mem; VPA-managed (InPlaceOrRecreate)
Service	radarr:80 → 7878/http (ClusterIP)
Ingress	Traefik IngressRoute (radarr.local, radarr.internal) + Tailscale Ingress; both route to radarr-auth:443 (oauth-proxy)
Mesh	linkerd.io/inject: enabled on pod
Backup	CronJob radarr-backup daily 22:13 PT; reads PVC config-radarr-0, calls http://radarr API
Database	SQLite at /config/radarr.db (no Postgres)

Cluster fit

• Architectures required by cluster: amd64, arm64 (rpi5 nodes)
• Architectures supported by new version: linux/amd64 ✅, linux/arm64 ✅ — confirmed via Docker Hub manifest API for digest sha256:4c490ccd
• Kubernetes API versions used in manifest sources: apps/v1 (StatefulSet), v1 (Service, ConfigMap), batch/v1 (CronJob), networking.k8s.io/v1 (Ingress), traefik.io/v1alpha1 (IngressRoute, ServersTransport), autoscaling.k8s.io/v1 (VPA) — all current, none deprecated
• Minimum K8s version stated by dep: not stated (linuxserver image has no K8s version requirement)
• Peer dependency check: No chart dependencies. Linkerd mesh injection active — no known incompatibilities with this image version. cert-manager CSI driver used by oauth-proxy (not radarr itself) — unaffected.

Gaps

• CI test log for 6.2.1.10437 not accessible: The linuxserver CI test page timed out. However, the Docker Hub tag API confirms both amd64 and arm64 images were successfully pushed on 2026-06-10T07:31, which is consistent with CI passing (linuxserver only publishes to the registry after CI passes). Prior CI logs for 6.1.1 confirm the test harness validates container startup and /ping health check for both architectures.
• Radarr 6.2.1 is tagged as pre-release on GitHub: The upstream release is marked prerelease: true on GitHub. The linuxserver image tag 6.2.1 maps to this pre-release build. This is consistent with how Radarr's develop/master branch works — the 6.x.y tags in linuxserver track the develop branch. The prior 6.1.1 tag was also a pre-release in this sense. No additional risk identified, but noted for awareness.
• SQLite schema migration behavior: Cannot inspect the actual migration scripts run on first startup of 6.2.1 against an existing 6.1.1 database. Based on changelog review, no schema migrations are documented for this range. The SQLite busy timeout change is a runtime configuration, not a schema change. Rollback risk is assessed as trivial, but cannot be fully confirmed without inspecting migration source code.

Upstream changelog

I now have all the information needed to produce a comprehensive research output. Let me compile the findings.

---

lscr.io/linuxserver/radarr 6.1.1 → 6.2.1

Summary

• Artifact type: Container image (LinuxServer.io Docker image)
• Input format: SemVer-like version tags (floating, not digest-pinned)
• Resolved references:
  • Old: lscr.io/linuxserver/radarr:6.1.1 → LinuxServer release 6.1.1.10360-ls304 (published 2026-05-31), Radarr upstream v6.1.1.10360
  • New: lscr.io/linuxserver/radarr:6.2.1 → LinuxServer release 6.2.1.10461-ls305 (published 2026-06-10), Radarr upstream v6.2.1.10461
• Versions in range (stable LinuxServer releases):
  • 6.1.1.10360-ls304 (2026-05-31) — last 6.1.1 stable
  • 6.2.1.10461-ls305 (2026-06-10) — first 6.2.1 stable
  • (Intermediate pre-releases on develop/nightly branches: 6.2.0.10390, 6.2.1.10437, 6.2.1.10448, 6.2.1.10461 — all pre-release, not on the latest/stable tag)
• Source repos:
  • LinuxServer Docker wrapper: the linuxserver/docker-radarr project
  • Radarr upstream application: the Radarr/Radarr project
• Primary sources used:
  • LinuxServer GitHub Releases
  • Radarr upstream GitHub Releases for v6.2.1.10461
  • LinuxServer CI test report
  • package_versions.txt diff from the master branch
• Versioning scheme: LinuxServer uses {radarr_version}-ls{N} tags. The 6.1.1 and 6.2.1 floating tags track the latest stable ls build for that Radarr minor version. This is a minor version bump in Radarr's scheme (6.1.x → 6.2.x), not a major version boundary.
• Major version boundary crossed: No (both are Radarr v6.x)
• Confidence: high — full upstream release notes available for all versions in range; LinuxServer CI passes on both AMD64 and ARM64; package_versions.txt diff provides exact container-layer changes.

---

Breaking Changes

None found.

The Radarr upstream changelog for v6.2.0.10390 through v6.2.1.10461 explicitly states "no database migrations or breaking configuration changes." The LinuxServer wrapper changes are limited to package version bumps (no Dockerfile structural changes, no environment variable changes, no volume/port changes). The CI test report confirms clean startup with no migration errors on a fresh database.

---

Other Notable Changes

Radarr Upstream Application (6.1.1.10360 → 6.2.1.10461)

New features:

• Simkl Anime List integration — new import list source.
• PostgreSQL Connection String option — allows specifying a full Postgres connection string instead of individual fields.
• qBittorrent API key support — supports API key authentication in addition to username/password.

Bug fixes:

• Fixed: Basic auth for qBittorrent
• Fixed: Login with credentials on qBittorrent 5.2
• Fixed: Testing qBittorrent after credentials change would always pass tests
• Reuse authentication cookies for qBittorrent calls
• Fixed: Reduce data transfer when reading video stream from files
• Fixed: Include quality modifier when augmenting quality from media info
• Fixed: Downloading backups when path contains a trailing slash
• Prevent overflow exception for big numbers in SizeSuffix and Fluent.Round

Runtime/dependency bumps:

• .NET runtime: 8.0.12 → 8.0.27
• MailKit/MimeKit: 4.15.1 → 4.16.0
• NLog: 5.4.0 → 5.5.1; NLog.Extensions.Logging: 5.4.0 → 5.5.0; NLog.Layouts.ClefJsonLayout: 1.0.3 → 1.0.5
• Npgsql: 9.0.3 → 9.0.5
• Newtonsoft.Json: 13.0.3 → 13.0.4
• Polly/Polly.Core: 8.6.0 → 8.6.6
• Azure.Core: 1.47.1 → 1.50.0; Azure.Identity: 1.14.2 → 1.17.1
• Microsoft.Identity.Client: 4.73.1 → 4.80.0; Microsoft.IdentityModel.Abstractions: 7.7.1 → 8.14.0
• System.Data.SQLite: 2.0.2 → 2.0.3; SourceGear.sqlite3: 3.50.4.2 → 3.50.4.5
• System.Diagnostics.DiagnosticSource: 6.0.1 → 8.0.1
• System.Text.Json: 8.0.5 → 8.0.6
• Dapper: 2.1.66 → 2.1.79
• Microsoft.Data.SqlClient: 6.1.1 → 6.1.5
• SQLite BusyTimeout bumped to 1000ms

Source: package_versions.txt diff from the LinuxServer docker-radarr master branch

LinuxServer Container Layer

• Only change between 6.1.1.10360-ls304 and 6.2.1.10461-ls305 is the package_versions.txt update (37 additions, 39 deletions) — all dotnet package version bumps listed above. No Alpine OS package changes, no Dockerfile structural changes.
• Alpine base remains 3.23.4-r0; libxml2 is 2.13.9-r1 (same as prior 6.1.1 builds).
• CI: AMD64 PASS, ARM64 PASS.

---

Deprecations Introduced

None found. No deprecation notices in the upstream release notes for this range.

---

Gaps and Caveats

• Floating tag behavior: The 6.1.1 and 6.2.1 tags are floating. The "old" 6.1.1 tag currently resolves to 6.1.1.10360-ls304; this research assumes that is the last stable build under that tag at the time of the update. If the deployment was pinned to an earlier ls build (e.g., ls303 or earlier), the diff would be the same at the Radarr application level but may differ slightly in container packages.
• No UPGRADING.md or migration guide: Radarr does not publish a formal migration guide for minor version bumps. The upstream release notes are the authoritative source and were used directly.
• 6.2.0 was pre-release only: Radarr 6.2.0.10390 was never promoted to the stable (master) branch — it shipped only on develop. The stable tag jumped directly from 6.1.1.10360 to 6.2.1.10461. Users on the stable/latest LinuxServer tag never ran 6.2.0.
• qBittorrent auth changes: Multiple fixes to qBittorrent authentication could affect users with qBittorrent 5.2+ configured. These are fixes/additions, not removals, but users should verify their qBittorrent connection after upgrade if using credential-based auth.

Provenance

RESEARCH_FAILED: provenance researcher could not complete.

Reason: Prompt error: CompletionError: ProviderError: {"error":{"message":"{\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"prompt is too long: 212404 tokens > 200000 maximum\"},\"request_id\":\"req_011CbubPS8c7huF7ey5Udpub\"}. Received Model Group=claude-haiku-4-5\nAvailable Model Group Fallbacks=['claude-haiku-4-5-fallback']\nError doing the fallback: {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"prompt is too long: 212259 tokens > 200000 maximum\"},\"request_id\":\"req_011CbubPV6xC71d7fwTuqbjc\"}","type":"None","param":"None","code":"400"}}\n\nThe categorizer must treat this as an unverified signal and downgrade the verdict accordingly (do not assume safety).