github vavallee/bindery v0.20.3

one month ago

Security

  • Trusted proxy configuration — BINDERY_TRUSTED_PROXY gates X-Forwarded-For rewriting to a configured proxy IP/CIDR. Without it, forwarded headers are ignored and the direct peer IP is used, preventing XFF spoofing in local-only auth mode (mirrors Sonarr CVE-2026-30975).
  • File download path validation — the file download endpoint now verifies book.FilePath falls within a configured library root before serving. Paths outside BINDERY_LIBRARY_DIR / BINDERY_AUDIOBOOK_DIR return 403.
  • CSRF header exemption for API key requests — the X-Requested-With CSRF check now correctly exempts API-key-authenticated requests; only cookie-session requests are required to supply the header.
  • All fixes from v0.20.1: SSRF validation on Prowlarr URLs, path traversal protection in file renamer, strict backup filename regex, image proxy redirect re-validation, Hardcover token moved to Authorization header, OPDS rate limiting, CI hardening.
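The first two fixes above are the kind that are easy to get subtly wrong: honouring X-Forwarded-For from any peer lets a remote client claim to be 127.0.0.1, and checking a library root with a bare string-prefix test lets /srv/library-old pass for /srv/library. The Go program below is an added example written for this page, not bindery's own code; the function names, the /srv/... roots, the documentation-range addresses and the assumption of exactly one trusted proxy hop are all illustrative. It resolves the client IP only through a configured trusted proxy (using the rightmost forwarded entry, the one that proxy appended) and confines a stored file path to one of the configured roots.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"path/filepath"
	"strings"
)

// ParseTrustedProxy accepts a single IP ("10.0.0.5") or a CIDR ("10.0.0.0/8"),
// the two forms the BINDERY_TRUSTED_PROXY note mentions. An empty value means
// no proxy is trusted and X-Forwarded-For is never consulted.
func ParseTrustedProxy(s string) (*net.IPNet, error) {
	s = strings.TrimSpace(s)
	if s == "" {
		return nil, nil
	}
	if _, n, err := net.ParseCIDR(s); err == nil {
		return n, nil
	}
	ip := net.ParseIP(s)
	if ip == nil {
		return nil, fmt.Errorf("invalid trusted proxy %q", s)
	}
	bits := 128
	if v4 := ip.To4(); v4 != nil {
		ip, bits = v4, 32
	}
	return &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)}, nil
}

// ClientIP returns the address a "local-only" auth decision should use.
// remoteAddr is http.Request.RemoteAddr ("host:port"); xff is the raw
// X-Forwarded-For header. The header is honoured only when the direct peer is
// the trusted proxy, and then only its rightmost entry is used: that is the
// hop the proxy appended, anything further left came from the client and can
// be forged. This assumes exactly one trusted hop in front of the app.
func ClientIP(remoteAddr, xff string, trusted *net.IPNet) (net.IP, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // bare host without a port
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return nil, fmt.Errorf("unparseable peer address %q", remoteAddr)
	}
	if trusted == nil || !trusted.Contains(peer) {
		return peer, nil // untrusted peer: a spoofed XFF is simply ignored
	}
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		if ip := net.ParseIP(strings.TrimSpace(parts[i])); ip != nil {
			return ip, nil
		}
	}
	return peer, nil // proxy sent no usable header; fall back to the proxy itself
}

// ErrOutsideLibrary is what a download handler would map to HTTP 403.
var ErrOutsideLibrary = errors.New("file path is outside the configured library roots")

// ResolveLibraryPath cleans a stored file path and verifies it sits under one
// of the configured roots. It rejects relative paths, ".." escapes and prefix
// look-alikes such as /srv/library-old when the root is /srv/library (a plain
// strings.HasPrefix check gets that wrong). Symlinks are not resolved here; on
// a real filesystem call filepath.EvalSymlinks on both sides before opening.
func ResolveLibraryPath(p string, roots ...string) (string, error) {
	if !filepath.IsAbs(p) {
		return "", ErrOutsideLibrary
	}
	clean := filepath.Clean(p)
	sep := string(filepath.Separator)
	for _, root := range roots {
		root = filepath.Clean(strings.TrimSpace(root))
		if root == "." {
			continue // unset root: never a valid container
		}
		rel, err := filepath.Rel(root, clean)
		if err != nil {
			continue
		}
		if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
			continue // the root directory itself, or something above it
		}
		return clean, nil
	}
	return "", ErrOutsideLibrary
}

func main() {
	trusted, _ := ParseTrustedProxy("10.0.0.0/8")
	for _, c := range [][2]string{
		{"203.0.113.7:5000", "127.0.0.1"},            // direct client spoofing loopback
		{"10.1.2.3:5000", "127.0.0.1, 198.51.100.9"}, // client behind the trusted proxy
	} {
		ip, _ := ClientIP(c[0], c[1], trusted)
		fmt.Printf("peer=%-18s xff=%-26q -> client %s\n", c[0], c[1], ip)
	}
	roots := []string{"/srv/library", "/srv/audiobooks"} // constructed sample roots
	for _, p := range []string{"/srv/library/a/book.epub", "/srv/library/../../etc/passwd", "/srv/library-old/x.epub"} {
		_, err := ResolveLibraryPath(p, roots...)
		fmt.Printf("%-32s -> allowed=%v\n", p, err == nil)
	}
}
```

Note that the untrusted-peer branch does not reject the request; it just uses the real peer address, so a client that forges X-Forwarded-For gains nothing. If the app is ever placed behind two proxies, the rightmost-entry rule has to become "walk right to left, skipping every trusted hop".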
