diff --git a/Dockerfile b/Dockerfile
index 6d68b526b8..c9db2e8894 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-FROM ghcr.io/linuxserver/baseimage-alpine:3.20
+FROM ghcr.io/linuxserver/baseimage-alpine:3.21
 
 # set version label
 ARG BUILD_DATE
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index 190e3908d9..8d684a3461 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.20
+FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.21
 
 # set version label
 ARG BUILD_DATE
diff --git a/README.md b/README.md
index d8ca3a5872..e281c66ee7 100644
--- a/README.md
+++ b/README.md
@@ -68,7 +68,15 @@ This image can be run with a read-only container filesystem. For details please
 
 ### Caveats
 
-`AUTO_UPDATE` will not be available.
+* `AUTO_UPDATE` will not be available.
+
+## Non-Root Operation
+
+This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/).
+
+### Caveats
+
+* `AUTO_UPDATE` will not be available.
 
 ## Usage
 
@@ -131,6 +139,7 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-v /config` | Where Jackett should store its config file. |
 | `-v /downloads` | Path to torrent blackhole. |
 | `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
+| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). |
 
 ## Environment variables from files (Docker secrets)
 
@@ -294,6 +303,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **12.01.25:** - Rebase to Alpine 3.21.
 * **31.05.24:** - Rebase to Alpine 3.20.
 * **11.03.24:** - Rebase to Alpine 3.19. Deprecate development tag as upstream is publishing nightly stable releases.
 * **11.07.23:** - Rebase to Alpine 3.18.
diff --git a/readme-vars.yml b/readme-vars.yml
index c084f63fa2..0e93ef619f 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -23,11 +23,14 @@ param_ports:
 # optional container parameters
 opt_param_usage_include_env: true
 opt_param_env_vars:
-  - {env_var: "AUTO_UPDATE", env_value: "true", desc: "Allow Jackett to update inside of the container (currently recommended by Jackett and enabled by default)"}
+  - {env_var: "AUTO_UPDATE", env_value: "true", desc: "Allow Jackett to update inside of the container."}
   - {env_var: "RUN_OPTS", env_value: "", desc: "Optionally specify additional arguments to be passed."}
 readonly_supported: true
 readonly_message: |
-  `AUTO_UPDATE` will not be available.
+  * `AUTO_UPDATE` will not be available.
+nonroot_supported: true
+nonroot_message: |
+  * `AUTO_UPDATE` will not be available.
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
@@ -78,6 +81,7 @@ init_diagram: |
   "jackett:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "12.01.25:", desc: "Rebase to Alpine 3.21."}
   - {date: "31.05.24:", desc: "Rebase to Alpine 3.20."}
   - {date: "11.03.24:", desc: "Rebase to Alpine 3.19. Deprecate development tag as upstream is publishing nightly stable releases."}
   - {date: "11.07.23:", desc: "Rebase to Alpine 3.18."}
diff --git a/root/etc/s6-overlay/s6-rc.d/init-jackett-config/run b/root/etc/s6-overlay/s6-rc.d/init-jackett-config/run
index 0084a6a4e6..c342df0b1f 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-jackett-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-jackett-config/run
@@ -1,14 +1,16 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 
-if [[ "${AUTO_UPDATE}" == "true" ]]; then
-    lsiown -R abc:abc \
-        /app/Jackett
-fi
-
 mkdir -p /run/jackett-temp
 
-# permissions
-lsiown -R abc:abc \
-    /config \
-    /run/jackett-temp
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+    if [[ "${AUTO_UPDATE,,}" == "true" ]]; then
+        lsiown -R abc:abc \
+            /app/Jackett
+    fi
+
+    # permissions
+    lsiown -R abc:abc \
+        /config \
+        /run/jackett-temp
+fi
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-jackett/run b/root/etc/s6-overlay/s6-rc.d/svc-jackett/run
index f7fbc1e2b7..a175a3ae3e 100755
--- a/root/etc/s6-overlay/s6-rc.d/svc-jackett/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-jackett/run
@@ -1,12 +1,19 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 
-if [[ "${AUTO_UPDATE}" == "true" ]]; then
+if [[ "${AUTO_UPDATE,,}" == "true" ]] && [[ -z ${LSIO_NON_ROOT_USER} ]]; then
     COMMAND="/app/Jackett/jackett_launcher.sh"
 else
     COMMAND="/app/Jackett/jackett --NoUpdates"
 fi
 
-exec \
-    s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 9117" \
-        s6-setuidgid abc ${COMMAND} ${RUN_OPTS}
+
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 9117" \
+            s6-setuidgid abc ${COMMAND} ${RUN_OPTS}
+else
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 9117" \
+            ${COMMAND} ${RUN_OPTS}
+fi