For installation and more information, visit the README.
What's Changed
Security
- Path traversal prevention – Static file, font, and image endpoints now validate and sanitize requested file paths to block directory traversal attacks ( etc.).
- Enhanced traversal hardening – Refactored static file serving to use os.path.basename, further simplifying and strengthening the protection layer.
Bug Fixes
- Stale album artwork – The server now tracks the active artwork file on disk and forces client-side cache invalidation via a timestamp query parameter, preventing old artwork from persisting across track changes.
- Build script – Fixed build.sh to explicitly invoke the virtual environment's Python interpreter (.venv/bin/python) so py2app builds work correctly without a globally installed python alias.