Mopidy 2.2 released

Mopidy 2.2.0, a feature release, is out. It is a quite small release, featuring mostly minor fixes and improvements.

Most notably, this release introduces CSRF protection for both the HTTP and WebSocket RPC interfaces, and improves the file path checking in the M3U backend. The CSRF protection should stop attacks against local Mopidy servers from malicious websites, like what was demonstrated by Josef Gajdusek in #1659.

Since the release of 2.1.0, we’ve closed approximately 21 issues and pull requests through 133 commits by 22 authors.

You can read the full changelog at

The release is already available from Git, PyPI, Homebrew and It has been uploaded to Debian, and will be available in unstable and testing shortly. The package has been marked as outdated in Arch Linux, and will hopefully be updated soon.

Please go upgrade! If you need help, ask here in the forum. If you find any bugs, file them at