[1.27.0]
Update navidrome to 0.60.0
Full Changelog
This release introduces a major rewrite of the experimental Plugin System, now with multi-language PDK support, enabling developers to extend Navidrome's functionality using WebAssembly-based plugins written in Go, Rust, Python or JavaScript. Plugins run in a secure sandbox and can provide additional metadata sources, custom integrations, and server-side enhancements. Users can now easily configure plugins directly from the UI through a new JSONForms-based configuration interface.
Additionally, this version includes a pure-Go metadata extractor built on top of the new go-taglib library. This is a significant step toward removing the C++ TagLib dependency, which will simplify cross-platform builds and packaging in future releases. The new extractor is activated by default, but in case of any issues you can revert to the previous implementation by setting Scanner.Extractor="legacy-taglib" configuration option.
The Instant Mix feature generates a playlist of similar songs based on a selected track. By default, it retrieves similar songs from Last.fm (if configured with an API key) or falls back to Deezer. It can also be configured to use external plugins, like AudioMuse-AI for sonic analysis-based similarity recommendations.
Fix potential XSS vulnerability by sanitizing user-supplied data before rendering (GHSA-rh3r-8pxm-hg4w). (d7ec735 by @AlexGustafsson)
Fix potential DoS vulnerability in cover art upscaling by clamping requested square size to original dimensions (GHSA-hrr4-3wgr-68x3). (77367548 by @deluan). Thanks to @yunfachi
Add new WebAssembly-based plugin system with multi-language PDK support (Go, Rust, Python). (#4833 by @deluan)
Add JSONForms-based plugin configuration UI. (#4911 by @deluan)
Add similar songs retrieval functions to plugins API. (#4933 by @deluan)
Add pure-Go metadata extractor (go-taglib) as alternative to FFmpeg-based extraction. (#4902 by @deluan)
