v3.4.2
Security
- Fixed two warnings from GitHub's automated security scanner about how the app checked image URL. The old check could theoretically be tricked by a cleverly crafted web address that just contained the right domain name somewhere in it, rather than actually being from that domain.
- Added protection against a malicious or unsafe image link being used to make Home Assistant contact internal network addresses or cloud infrastructure it shouldn't have access to.
- Tightened up how downloaded image file names are generated, closing a minor edge case where an unusual URL could produce an unexpected file name.
None of this changes how the integration looks or behaves for normal use; box art, hero images, and avatars still download and cache exactly as before. These are backend safety improvements only.