What's new in v0.5.4
- SSRF DNS rebinding fix — `safe_fetch` now patches `socket.getaddrinfo` for the entire duration of each HTTP request so a DNS rebinding attack cannot swap a public IP (returned during validation) for a private one during the actual connection. DNS lookup failures now also raise an error instead of silently skipping the IP check.
- yt-dlp SSRF bypass fix — `download_audio` now runs `validate_url` before handing the URL to yt-dlp, blocking private IPs and disallowed schemes on the video/audio ingest path.
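
One way a request-scoped `socket.getaddrinfo` patch like the one in the first item can work, shown as an added example and not the project's own code. The names `guarded_dns`, `BlockedAddress`, `is_public` and `rebinding_resolver` are hypothetical, and the hostname and addresses are constructed sample values.

```python
import contextlib
import ipaddress
import socket


class BlockedAddress(OSError):
    """A lookup made during the request returned a non-public address."""


def is_public(ip):
    # Strip any IPv6 zone id, then require a globally routable address.
    return ipaddress.ip_address(ip.split("%")[0]).is_global


@contextlib.contextmanager
def guarded_dns(resolver=None):
    """Check every getaddrinfo answer for as long as the block is active."""
    original = socket.getaddrinfo
    resolve = resolver or original

    def guarded(host, port, *args, **kwargs):
        infos = resolve(host, port, *args, **kwargs)  # lookup errors propagate
        blocked = [info[4][0] for info in infos if not is_public(info[4][0])]
        if blocked or not infos:
            raise BlockedAddress(f"{host} resolved to {blocked or 'nothing'}")
        return infos

    socket.getaddrinfo = guarded
    try:
        yield
    finally:
        socket.getaddrinfo = original  # always restore the real resolver


def rebinding_resolver():
    """Constructed stand-in for DNS: public answer first, loopback afterwards."""
    answers = iter(["93.184.216.34", "127.0.0.1"])

    def resolve(host, port, *args, **kwargs):
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (next(answers), port))]

    return resolve


def demo():
    """First lookup models validation, second models the actual connection."""
    seen = []
    with guarded_dns(rebinding_resolver()):
        for _ in range(2):
            try:
                seen.append(socket.getaddrinfo("rebind.example", 443)[0][4][0])
            except BlockedAddress:
                seen.append("blocked")
    return seen
```

Replacing `socket.getaddrinfo` is process-wide, so lookups made by other threads while the block is active pass through the same check.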