feat(container): update image rommapp/romm to v4.4.1

[spicerabot]

This PR contains the following updates:

Package	Update	Change
rommapp/romm	minor	4.3.2 -> 4.4.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

rommapp/romm (rommapp/romm)

v4.4.1

Compare Source

[!CAUTION]
This release patches two high (CVE-2025-65027 and CVE-2025-65097) and one moderate (CVE-2025-65096) severity vulnerabilities. An attacker who already has an account (with any role) on the instance can, with a special crafted link, gain full administrative control, create a new admin account, or escalate their own privileges. All previous versions are affected, and all server owners should update to this version as soon as possible.

As a precaution, users may be kicked out of their logged-in session when first accessing the app, editing a game or running a scan, which will regenerate session and CSRF cookies. This should only happen once.

Private or single-user instances are not at risk. Server owners should treat any links to RomM from users as suspicious. Further details will be published in 14 days to give server owners time to upgrade.

Minor changes

• [ROMM-2650] Add FPKGi support for PS4/PS5 by @​gantoine in #​2663
• Use internal SHA1 hash if CHD file is v5 by @​sftwninja in #​2678
• Add French translations for Metadata Sources page by @​tvdu29 in #​2684
• Add translations for ROM management dialogs by @​tvdu29 in #​2686
• Add Czech locale by @​Slabak007 in #​2693

Fixes

• remove ge on tinfoil releaseDate and let field_validator fix it by @​gantoine in #​2630
• [ROMM-2628] Fix desirialize job func_name by @​gantoine in #​2637
• [HOTFIX] Fix importing media from gamelist.xml by @​gantoine in #​2636
• [ROMM-2639][ROMM-2627] Stop running scans during migration by @​gantoine in #​2644
• [ROMM-2645] Wrap items in feeds with double quotes by @​gantoine in #​2647
• [ROMM-2648] Encode filename of download URLs in feeds endpoints by @​gantoine in #​2649
• [ROMM-2654] Fix manually uploading manual by @​gantoine in #​2661
• [HOTFIX] Set all v-avatar to text to remove flat background color by @​gantoine in #​2662
• [ROMM-2657] Safe access env vars with defaults by @​gantoine in #​2664
• [HOTFIX] _mask_sensitive_values should check for null values by @​gantoine in #​2670
• [ROMM-2669] Reset url_cover and url_manual to rom value if unchanged by @​gantoine in #​2671
• [HOTFIX] Fix flashpoint match by UUID by @​gantoine in #​2681
• [ROMM-2679] Stop force to string url_manual by @​gantoine in #​2682
• Fix multipart strings by @​gantoine in #​2688
• Fix CSRF failure on first admin signup by @​gantoine in #​2691

Other changes

• Bump fastapi, starlette and fastapi-pagination by @​gantoine in #​2634
• Corrects the indentation level of the "media" list in config.example.yml by @​LouiseRipley in #​2643
• Bump js-yaml from 4.1.0 to 4.1.1 in /frontend by @​dependabot[bot] in #​2659
• Add github action to update HLTB API url by @​gantoine in #​2683
• Implement CSRF middleware directly in repo by @​gantoine in #​2687

New Contributors

• @​LouiseRipley made their first contribution in #​2643
• @​sftwninja made their first contribution in #​2678
• @​tvdu29 made their first contribution in #​2684
• @​Slabak007 made their first contribution in #​2693
• @​github-actions[bot] made their first contribution in #​2689

Full Changelog: rommapp/romm@4.4.0...4.4.1

v4.4.0

Compare Source

Highlights

[!WARNING]

• The Tinfoil feed endpoint has been updated from /tinfoil/feed to /feeds/tinfoil, update your Tinfoil config accordingly.
• A manual Scheduled LaunchBox metadata update must be run once before Launchbox can be used as a metadata source.

Alternative boxart

Spice up your collection with 3D, physical, and mixed media boxart, courtesy of Screenscraper! Start by configuring which media assets to download in your config.yml file:

scan:
  media:
    - box2d
    - box3d
    - physical
    - miximage
    - screenshot
    - manual
    - bezel

Available media types:

• box2d - Normal cover art (always enabled)
• box3d - 3D box art
• miximage - Mixed image of multiple media
• physical - Disc, cartridge, etc.
• screenshot - Screenshot (enabled by default)
• title_screen - Title screen
• marquee - Custom marquee
• logo - Transparent logo
• fanart - User uploaded artwork
• bezel - Bezel displayed around the EmulatorJS window
• manual - Manual in PDF format (enabled by default)
• video - Gameplay video (warning: large file size)

Restart the container.
Now on the scan page, select Screenscraper as the metadata source, Update metadata as the scan type, and click the Scan button. The media assets will be downloaded and stored alongside existing resources for covers and screenshots. Then under User Interface (/user-interface), change the Boxart style to 3D, Physical, or Mix Image as desired.

2D Box
3D Box
Physical
Mix Image

#​2598

ES-DE gamelist.xml

EmulationStation, and it's modern successor ES-DE, use a custom XML format to store game metadata. RomM can parse this format and import the assets as cover art and screenshots. You'll need to store the gamelist.xml file and any related assets under the platform folder, and select ES-DE in the "Metadata sources" dropdown on the scan page:

library/
  └─ roms/
    └─ gba/
      ├─ game_1.gba
      ├─ game_2.gba
      ├─ gamelist.xml
      ├─ 3dboxes/
      │  ├─ game_1.png
      │  └─ game_2.png
      ├─ covers/
      ├─ screenshots/
      └─ etc...

Here's an example of the content in a typical gamelist.xml file, though the parser supports more fields not listed:

<?xml version="1.0"?>
<gameList>
	<game>
		<path>./Advance Wars (J) (Rev 1).zip</path>
		<name>Advance Wars</name>
		<desc>The battle lines have been drawn, and an elite group of sly strategists is massing troops at your borders. You'll have to command ground, air and naval forces if you hope to survive the coming wars, and it won't be easy. With 114 maps to battle on and both the Single-Pak and Multi-Pak link modes, Advance Wars brings turn-based strategy to a depth never before seen on a handheld!</desc>
		<rating>0.8</rating>
		<releasedate>20020111T000000</releasedate>
		<developer>Intelligent Games</developer>
		<publisher>Nintendo</publisher>
		<genre>Strategy</genre>
		<players>1-4</players>
		<video>./videos/Advance Wars (J) (Rev 1).mp4</video>
		<box3d>./3dboxes/Advance Wars (J) (Rev 1).png</box3d>
		<backcover>./backcovers/Advance Wars (J) (Rev 1).png</backcover>
		<cover>./covers/Advance Wars (J) (Rev 1).png</cover>
		<fanart>./fanart/Advance Wars (J) (Rev 1).jpg</fanart>
		<manual>./manuals/Advance Wars (J) (Rev 1).pdf</manual>
		<marquee>./marquees/Advance Wars (J) (Rev 1).png</marquee>
		<miximage>./miximages/Advance Wars (J) (Rev 1).png</miximage>
		<physicalmedia>./physicalmedia/Advance Wars (J) (Rev 1).png</physicalmedia>
		<screenshot>./screenshots/Advance Wars (J) (Rev 1).png</screenshot>
		<title_screen>./titlescreens/Advance Wars (J) (Rev 1).png</title_screen>
		<thumbnail>./covers/Advance Wars (J) (Rev 1).png</thumbnail>
	</game>
</gameList>

#​2563

Task status page

We've added a new section on the /administration page for monitoring background tasks. This section displays real-time task status, execution statistics for successful tasks, and error messages for failed tasks. #​2502

Multi-threaded library scanning

Multiple games under the same platform can now be scanned in parallel, significantly reducing the time required to scan large libraries. Simply increase the SCAN_WORKERS environment variable to the number of games to scan in parallel. Note that parallel scanning is limited by the power of your CPU and the maximum permitted connections to selected metadata providers. #​2566

Manually edit metadata

The game's edit window now allows you to directly edit metadata IDs and JSON values. Changing a metadata ID will prompt the server to refresh metadata from that specific source, using the new ID. The JSON values can also be edited directly, and will be saved as raw metadata; for example, you can update youtube_video_id to use gameplay videos instead of trailers. Note: an UPDATE or COMPLETE scan of a game will override any manual changes made to metadata IDs or JSON values. #​2578

PS3/PSVita/PSP PKGi and Kekatsu DS feeds

Added support for PKGi and Kekatsu feed formats, enabling direct integration with popular game download tools:

• PKGi PS3 (/feeds/pkgi/ps3/{content_type}): Supports games, DLC, demos, updates, patches, mods, translations, and prototypes
  • PKGi PSP (/feeds/pkgi/psp/{content_type}): Supporting the same content types
  • PKGi PS Vita (/feeds/pkgi/psvita/{content_type}): Supporting the same content types
• Kekatsu DS (/feeds/kekatsu/{platform_slug}): Supporting Nintendo DS, GBA, and other compatible platforms with box art metadata

#​2572

ScummVM metadata

Metadata for ScummVM games stored under a scummvm folder can now be fetched exclusively from IGDB, using a special keyword search. #​2576

Screenscraper hash matching

The scanner will attempt to match games against Screenscraper's hash database, using the pre-calculated hashes for the largest, top-level ROM file. If no match is found, it will fall back to the existing file name matching logic. #​2616

#​2616

Minor changes

• [ROMM-2546] Suborder consoles by generation by @​gantoine in #​2571
• [ROMM-2531] Allow scanning without metadata providers by @​gantoine in #​2573
• [ROMM-2491] Add shuffle button in navbar by @​gantoine in #​2574
• [ROMM-2289] Display smart collection filter rules in sidebar by @​gantoine in #​2584
• [ROMM-2159] Remember game sort order on reload by @​gantoine in #​2585
• [ROMM-2147] Clarify language around scan types by @​gantoine in #​2586

[!NOTE]
New environment variables

• SCAN_WORKERS: Number of parallel worker processes for scanning games
• TASK_RESULT_TTL: How long to keep task results in Valkey (in seconds)
• SEVEN_ZIP_TIMEOUT: imeout for 7-Zip operations (in seconds)

Fixes

• [ROMM-2555] Validate release date for tinfoil feed by @​gantoine in #​2557
• [ROMM-2554] Remove htlb from manual search by @​gantoine in #​2558
• [ROMM-2551] Fix error message on rom delete by @​gantoine in #​2559
• [ROMM-2552] Rom hashes should only include top-level nested files by @​gantoine in #​2567
• [ROMM-2548] Fix text readablility of new version alert by @​gantoine in #​2568
• [ROMM-2547] Flashpoint scrape by flashpoint-XXX tag by @​gantoine in #​2569
• [ROMM-2338] Consistent pending job fetch in watcher by @​gantoine in #​2582
• [ROMM-2146] Open rows in new tab with right click by @​gantoine in #​2587
• [HOTFIX] Fix fetching saves/states for rom or platform by @​gantoine in #​2594
• Fix type error when role claim is null by @​Tarow in #​2570
• Separate checks for readable/writable config.yml by @​gantoine in #​2588
• Multi-threaded scan fixes by @​gantoine in #​2583
• Keep next param on redirect to login by @​gantoine in #​2611
• Improve scan page performance on large lists by @​gantoine in #​2610
• Fix hash scanning multi-file roms by @​gantoine in #​2618

Behind-the-scenes

• [ROMM-2414] Refactor data loading in console mode by @​gantoine in #​2581
• Explicit favorites collection in model by @​gantoine in #​2564
• Update community apps in readme by @​gantoine in #​2575
• Bump dockerfile baselayer image tags by @​gantoine in #​2577
• Bump vite from 6.3.6 to 6.4.1 in /frontend by @​dependabot[bot] in #​2580

[!NOTE]
API changes:

• The /config endpoint now distinguishes between CONFIG_FILE_MOUNTED and CONFIG_FILE_WRITABLE
• The favourite filter for roms has been renamed to favorite
• MetadataSource.LB was renamed to MetadataSource.LAUNCHBOX
• New fields: CollectionSchema.is_favorite, RomSchema.gamelist_id, RomSchema.gamelist_id, TaskInfo.type
• Removed fields: SearchRomSchema.hltb_id, SearchRomSchema.hltb_url_cover

New Contributors

• @​Tarow made their first contribution in #​2570

Full Changelog: rommapp/romm@4.3.2...4.4.0

Bonus

Here's a little treat for reading all of the release notes 🍬

Nov-09-2025.22-13-441.mp4

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.