Update selenium requirement from ~=4.31.0 to ~=4.41.0

Updates the requirements on [selenium](https://github.com/SeleniumHQ/Selenium) to permit the latest version. - [Release notes](https://github.com/SeleniumHQ/Selenium/releases) - [Commits](https://github.com/SeleniumHQ/Selenium/compare/selenium-4.31.0...selenium-4.41.0) --- updated-dependencies: - dependency-name: selenium dependency-version: 4.41.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
2026-03-02 09:59:57 +00:00 · 2026-02-27 00:23:21 +00:00
22 changed files with 60 additions and 3178 deletions
--- a/.github/workflows/pypi-release.yml
+++ b/.github/workflows/pypi-release.yml
@@ -21,7 +21,7 @@ jobs:
    - name: Build a binary wheel and a source tarball
      run: python3 -m build
    - name: Store the distribution packages
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@v6
      with:
        name: python-package-distributions
        path: dist/
@@ -34,7 +34,7 @@ jobs:
    - build
    steps:
    - name: Download all the dists
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@v7
      with:
        name: python-package-distributions
        path: dist/
@@ -93,7 +93,7 @@ jobs:

    steps:
    - name: Download all the dists
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@v7
      with:
        name: python-package-distributions
        path: dist/
--- a/.github/workflows/test-only.yml
+++ b/.github/workflows/test-only.yml
@@ -52,13 +52,4 @@ jobs:
    uses: ./.github/workflows/test-stack-reusable-workflow.yml
    with:
      python-version: '3.13'
-      skip-pypuppeteer: true
-
-
-  test-application-3-14:
-    #if: github.event_name == 'push' && github.ref == 'refs/heads/master'
-    needs: lint-code
-    uses: ./.github/workflows/test-stack-reusable-workflow.yml
-    with:
-      python-version: '3.14'
-      skip-pypuppeteer: false
+      skip-pypuppeteer: true
--- a/.github/workflows/test-stack-reusable-workflow.yml
+++ b/.github/workflows/test-stack-reusable-workflow.yml
@@ -71,7 +71,7 @@ jobs:
          docker save test-changedetectionio -o /tmp/test-changedetectionio.tar

      - name: Upload Docker image artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
        with:
          name: test-changedetectionio-${{ env.PYTHON_VERSION }}
          path: /tmp/test-changedetectionio.tar
@@ -88,7 +88,7 @@ jobs:
      - uses: actions/checkout@v6

      - name: Download Docker image artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
        with:
          name: test-changedetectionio-${{ env.PYTHON_VERSION }}
          path: /tmp
@@ -116,7 +116,7 @@ jobs:
      - uses: actions/checkout@v6

      - name: Download Docker image artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
        with:
          name: test-changedetectionio-${{ env.PYTHON_VERSION }}
          path: /tmp
@@ -165,14 +165,14 @@ jobs:

      - name: Store test artifacts
        if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
        with:
          name: test-cdio-basic-tests-output-py${{ env.PYTHON_VERSION }}
          path: output-logs

      - name: Store CLI test output
        if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
        with:
          name: test-cdio-cli-opts-output-py${{ env.PYTHON_VERSION }}
          path: cli-opts-output.txt
@@ -188,7 +188,7 @@ jobs:
      - uses: actions/checkout@v6

      - name: Download Docker image artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
        with:
          name: test-changedetectionio-${{ env.PYTHON_VERSION }}
          path: /tmp
@@ -230,7 +230,7 @@ jobs:
      - uses: actions/checkout@v6

      - name: Download Docker image artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
        with:
          name: test-changedetectionio-${{ env.PYTHON_VERSION }}
          path: /tmp
@@ -270,7 +270,7 @@ jobs:
      - uses: actions/checkout@v6

      - name: Download Docker image artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
        with:
          name: test-changedetectionio-${{ env.PYTHON_VERSION }}
          path: /tmp
@@ -306,7 +306,7 @@ jobs:
      - uses: actions/checkout@v6

      - name: Download Docker image artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
        with:
          name: test-changedetectionio-${{ env.PYTHON_VERSION }}
          path: /tmp
@@ -334,7 +334,7 @@ jobs:
      - uses: actions/checkout@v6

      - name: Download Docker image artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
        with:
          name: test-changedetectionio-${{ env.PYTHON_VERSION }}
          path: /tmp
@@ -504,7 +504,7 @@ jobs:
      - uses: actions/checkout@v6

      - name: Download Docker image artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
        with:
          name: test-changedetectionio-${{ env.PYTHON_VERSION }}
          path: /tmp
@@ -544,7 +544,7 @@ jobs:
      - uses: actions/checkout@v6

      - name: Download Docker image artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
        with:
          name: test-changedetectionio-${{ env.PYTHON_VERSION }}
          path: /tmp
@@ -574,7 +574,7 @@ jobs:
      - uses: actions/checkout@v6

      - name: Download Docker image artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
        with:
          name: test-changedetectionio-${{ env.PYTHON_VERSION }}
          path: /tmp
@@ -598,7 +598,7 @@ jobs:
      - uses: actions/checkout@v6

      - name: Download Docker image artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
        with:
          name: test-changedetectionio-${{ env.PYTHON_VERSION }}
          path: /tmp
@@ -643,7 +643,7 @@ jobs:
      - uses: actions/checkout@v6

      - name: Download Docker image artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v7
        with:
          name: test-changedetectionio-${{ env.PYTHON_VERSION }}
          path: /tmp
@@ -820,7 +820,7 @@ jobs:

      - name: Upload upgrade test logs
        if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v6
        with:
          name: upgrade-test-logs-py${{ env.PYTHON_VERSION }}
          path: /tmp/upgrade-test.log
--- a/changedetectionio/init.py
+++ b/changedetectionio/init.py
@@ -2,7 +2,7 @@

 # Read more https://github.com/dgtlmoon/changedetection.io/wiki
 # Semver means never use .01, or 00. Should be .1.
-__version__ = '0.54.3'
+__version__ = '0.54.1'

 from changedetectionio.strtobool import strtobool
 from json.decoder import JSONDecodeError
--- a/changedetectionio/languages.py
+++ b/changedetectionio/languages.py
@@ -37,7 +37,6 @@ def get_timeago_locale(flask_locale):
        'no': 'nb_NO',      # Norwegian Bokmål
        'hi': 'in_HI',      # Hindi
        'cs': 'en',         # Czech not supported by timeago, fallback to English
-        'uk': 'uk',         # Ukrainian
        'en_GB': 'en',      # British English - timeago uses 'en'
        'en_US': 'en',      # American English - timeago uses 'en'
    }
@@ -68,7 +67,6 @@ LANGUAGE_DATA = {
    'tr': {'flag': 'fi fi-tr fis', 'name': 'Türkçe'},
    'ar': {'flag': 'fi fi-sa fis', 'name': 'العربية'},
    'hi': {'flag': 'fi fi-in fis', 'name': 'हिन्दी'},
-    'uk': {'flag': 'fi fi-ua fis', 'name': 'Українська'},
 }


--- a/changedetectionio/processors/base.py
+++ b/changedetectionio/processors/base.py
@@ -1,15 +1,12 @@
-import asyncio
 import re
 import hashlib

 from changedetectionio.browser_steps.browser_steps import browser_steps_get_valid_steps
 from changedetectionio.content_fetchers.base import Fetcher
 from changedetectionio.strtobool import strtobool
-from changedetectionio.validate_url import is_private_hostname
 from copy import deepcopy
 from abc import abstractmethod
 import os
-from urllib.parse import urlparse
 from loguru import logger

 SCREENSHOT_FORMAT_JPEG = 'JPEG'
@@ -98,23 +95,6 @@ class difference_detection_processor():
            self.last_raw_content_checksum = None


-    async def validate_iana_url(self):
-        """Pre-flight SSRF check — runs DNS lookup in executor to avoid blocking the event loop.
-        Covers all fetchers (requests, playwright, puppeteer, plugins) since every fetch goes
-        through call_browser().
-        """
-        if strtobool(os.getenv('ALLOW_IANA_RESTRICTED_ADDRESSES', 'false')):
-            return
-        parsed = urlparse(self.watch.link)
-        if not parsed.hostname:
-            return
-        loop = asyncio.get_running_loop()
-        if await loop.run_in_executor(None, is_private_hostname, parsed.hostname):
-            raise Exception(
-                f"Fetch blocked: '{self.watch.link}' resolves to a private/reserved IP address. "
-                f"Set ALLOW_IANA_RESTRICTED_ADDRESSES=true to allow."
-            )
-
    async def call_browser(self, preferred_proxy_id=None):

        from requests.structures import CaseInsensitiveDict
@@ -128,8 +108,6 @@ class difference_detection_processor():
                    "file:// type access is denied for security reasons."
                )

-        await self.validate_iana_url()
-
        # Requests, playwright, other browser via wss:// etc, fetch_extra_something
        prefer_fetch_backend = self.watch.get('fetch_backend', 'system')

--- a/changedetectionio/tests/conftest.py
+++ b/changedetectionio/tests/conftest.py
@@ -2,7 +2,6 @@
 import psutil
 import time
 from threading import Thread
-import multiprocessing

 import pytest
 import arrow
@@ -192,34 +191,6 @@ def cleanup(datastore_path):
            if os.path.isfile(f):
                os.unlink(f)

-def pytest_configure(config):
-    """Configure pytest environment before tests run.
-
-    CRITICAL: Set multiprocessing start method to 'fork' for Python 3.14+ compatibility.
-
-    Python 3.14 changed the default start method from 'fork' to 'forkserver' on Linux.
-    The forkserver method requires all objects to be picklable, but pytest-flask's
-    LiveServer uses nested functions that can't be pickled.
-
-    Setting 'fork' explicitly:
-    - Maintains compatibility with Python 3.10-3.13 (where 'fork' was already default)
-    - Fixes Python 3.14 pickling errors
-    - Only affects Unix-like systems (Windows uses 'spawn' regardless)
-
-    See: https://github.com/python/cpython/issues/126831
-    See: https://docs.python.org/3/whatsnew/3.14.html
-    """
-    # Only set if not already set (respects existing configuration)
-    if multiprocessing.get_start_method(allow_none=True) is None:
-        try:
-            # 'fork' is available on Unix-like systems (Linux, macOS)
-            # On Windows, this will have no effect as 'spawn' is the only option
-            multiprocessing.set_start_method('fork', force=False)
-            logger.debug("Set multiprocessing start method to 'fork' for Python 3.14+ compatibility")
-        except (ValueError, RuntimeError):
-            # Already set, not available on this platform, or context already created
-            pass
-
 def pytest_addoption(parser):
    """Add custom command-line options for pytest.

--- a/changedetectionio/tests/test_security.py
+++ b/changedetectionio/tests/test_security.py
@@ -34,7 +34,6 @@ def test_favicon(client, live_server, measure_memory_usage, datastore_path):
                                                                            favicon_base_64=SVG_BASE64
                                                                            )

-
    res = client.get(url_for('static_content', group='favicon', filename=uuid))
    assert res.status_code == 200
    assert len(res.data) > 10
@@ -584,16 +583,13 @@ def test_static_directory_traversal(client, live_server, measure_memory_usage, d

 def test_ssrf_private_ip_blocked(client, live_server, monkeypatch, measure_memory_usage, datastore_path):
    """
-    SSRF protection: IANA-reserved/private IP addresses are blocked at fetch-time, not add-time.
-
-    Watches targeting private/reserved IPs can be *added* freely; the block happens when the
-    fetcher actually tries to reach the URL (via validate_iana_url() in call_browser()).
+    SSRF protection: IANA-reserved/private IP addresses must be blocked by default.

    Covers:
    1. is_private_hostname() correctly classifies all reserved ranges
-    2. is_safe_valid_url() ALLOWS private-IP URLs at add-time (IANA check moved to fetch-time)
-    3. ALLOW_IANA_RESTRICTED_ADDRESSES has no effect on add-time; it only controls fetch-time
-    4. UI form accepts private-IP URLs at add-time without error
+    2. is_safe_valid_url() rejects private-IP URLs at add-time (env var off)
+    3. is_safe_valid_url() allows private-IP URLs when ALLOW_IANA_RESTRICTED_ADDRESSES=true
+    4. UI form rejects private-IP URLs and shows the standard error message
    5. Requests fetcher blocks fetch-time DNS rebinding (fresh check on every fetch)
    6. Requests fetcher blocks redirects that lead to a private IP (open-redirect bypass)

@@ -605,6 +601,8 @@ def test_ssrf_private_ip_blocked(client, live_server, monkeypatch, measure_memor
    from changedetectionio.validate_url import is_safe_valid_url, is_private_hostname

    monkeypatch.setenv('ALLOW_IANA_RESTRICTED_ADDRESSES', 'false')
+    # Clear any URL results cached while the env var was 'true'
+    is_safe_valid_url.cache_clear()

    # ------------------------------------------------------------------
    # 1. is_private_hostname() — unit tests across all reserved ranges
@@ -626,10 +624,9 @@ def test_ssrf_private_ip_blocked(client, live_server, monkeypatch, measure_memor
        assert not is_private_hostname(host), f"{host} should be identified as public"

    # ------------------------------------------------------------------
-    # 2. is_safe_valid_url() ALLOWS private-IP URLs at add-time
-    #    IANA check is no longer done here — it moved to fetch-time validate_iana_url()
+    # 2. is_safe_valid_url() blocks private-IP URLs (env var off)
    # ------------------------------------------------------------------
-    private_ip_urls = [
+    blocked_urls = [
        'http://127.0.0.1/',
        'http://10.0.0.1/',
        'http://172.16.0.1/',
@@ -640,24 +637,23 @@ def test_ssrf_private_ip_blocked(client, live_server, monkeypatch, measure_memor
        'http://[fc00::1]/',
        'http://[fe80::1]/',
    ]
-    for url in private_ip_urls:
-        assert is_safe_valid_url(url), f"{url} should be allowed by is_safe_valid_url (IANA check is at fetch-time)"
+    for url in blocked_urls:
+        assert not is_safe_valid_url(url), f"{url} should be blocked by is_safe_valid_url"

    # ------------------------------------------------------------------
-    # 3. ALLOW_IANA_RESTRICTED_ADDRESSES does not affect add-time validation
-    #    It only controls fetch-time blocking inside validate_iana_url()
+    # 3. ALLOW_IANA_RESTRICTED_ADDRESSES=true bypasses the block
    # ------------------------------------------------------------------
    monkeypatch.setenv('ALLOW_IANA_RESTRICTED_ADDRESSES', 'true')
+    is_safe_valid_url.cache_clear()
    assert is_safe_valid_url('http://127.0.0.1/'), \
-        "Private IP should be allowed at add-time regardless of ALLOW_IANA_RESTRICTED_ADDRESSES"
+        "Private IP should be allowed when ALLOW_IANA_RESTRICTED_ADDRESSES=true"

+    # Restore the block for the remaining assertions
    monkeypatch.setenv('ALLOW_IANA_RESTRICTED_ADDRESSES', 'false')
-    assert is_safe_valid_url('http://127.0.0.1/'), \
-        "Private IP should be allowed at add-time regardless of ALLOW_IANA_RESTRICTED_ADDRESSES"
+    is_safe_valid_url.cache_clear()

    # ------------------------------------------------------------------
-    # 4. UI form accepts private-IP URLs at add-time
-    #    The watch is created; the SSRF block fires later at fetch-time
+    # 4. UI form rejects private-IP URLs
    # ------------------------------------------------------------------
    for url in ['http://127.0.0.1/', 'http://169.254.169.254/latest/meta-data/']:
        res = client.post(
@@ -665,8 +661,8 @@ def test_ssrf_private_ip_blocked(client, live_server, monkeypatch, measure_memor
            data={'url': url, 'tags': ''},
            follow_redirects=True
        )
-        assert b'Watch protocol is not permitted or invalid URL format' not in res.data, \
-            f"UI should accept {url} at add-time (SSRF is blocked at fetch-time)"
+        assert b'Watch protocol is not permitted or invalid URL format' in res.data, \
+            f"UI should reject {url}"

    # ------------------------------------------------------------------
    # 5. Fetch-time DNS-rebinding check in the requests fetcher
@@ -712,35 +708,3 @@ def test_ssrf_private_ip_blocked(client, live_server, monkeypatch, measure_memor
                    request_body=None,
                    request_method='GET',
                )
-
-
-def test_unresolvable_hostname_is_allowed(client, live_server, monkeypatch):
-    """
-    Unresolvable hostnames must NOT be blocked at add-time when ALLOW_IANA_RESTRICTED_ADDRESSES=false.
-
-    DNS failure (gaierror) at add-time does not mean the URL resolves to a private IP —
-    the domain may simply be offline or not yet live. Blocking it would be a false positive.
-    The real DNS-rebinding protection happens at fetch-time in call_browser().
-    """
-    from changedetectionio.validate_url import is_safe_valid_url
-
-    monkeypatch.setenv('ALLOW_IANA_RESTRICTED_ADDRESSES', 'false')
-
-    url = 'http://this-host-does-not-exist-xyz987.invalid/some/path'
-
-    # Should pass URL validation despite being unresolvable
-    assert is_safe_valid_url(url), \
-        "Unresolvable hostname should pass is_safe_valid_url — DNS failure is not a private-IP signal"
-
-    # Should be accepted via the UI form and appear in the watch list
-    res = client.post(
-        url_for('ui.ui_views.form_quick_watch_add'),
-        data={'url': url, 'tags': ''},
-        follow_redirects=True
-    )
-    assert b'Watch protocol is not permitted or invalid URL format' not in res.data, \
-        "UI should not reject a URL just because its hostname is unresolvable"
-
-    res = client.get(url_for('watchlist.index'))
-    assert b'this-host-does-not-exist-xyz987.invalid' in res.data, \
-        "Unresolvable hostname watch should appear in the watch overview list"
--- a/changedetectionio/translations/cs/LC_MESSAGES/messages.mo
+++ b/changedetectionio/translations/cs/LC_MESSAGES/messages.mo
--- a/changedetectionio/translations/de/LC_MESSAGES/messages.mo
+++ b/changedetectionio/translations/de/LC_MESSAGES/messages.mo
--- a/changedetectionio/translations/en_GB/LC_MESSAGES/messages.mo
+++ b/changedetectionio/translations/en_GB/LC_MESSAGES/messages.mo
--- a/changedetectionio/translations/en_US/LC_MESSAGES/messages.mo
+++ b/changedetectionio/translations/en_US/LC_MESSAGES/messages.mo
--- a/changedetectionio/translations/fr/LC_MESSAGES/messages.mo
+++ b/changedetectionio/translations/fr/LC_MESSAGES/messages.mo
--- a/changedetectionio/translations/fr/LC_MESSAGES/messages.po
+++ b/changedetectionio/translations/fr/LC_MESSAGES/messages.po
@@ -1978,7 +1978,7 @@ msgstr "Format d'heure invalide. Utilisez HH:MM."

 #: changedetectionio/forms.py
 msgid "Not a valid timezone name"
-msgstr "Nom de fuseau horaire invalide"
+msgstr "Ce n'est pas un nom de fuseau horaire valide"

 #: changedetectionio/forms.py
 msgid "not set"
@@ -2054,7 +2054,9 @@ msgstr "secondes"

 #: changedetectionio/forms.py
 msgid "Notification Body and Title is required when a Notification URL is used"
-msgstr "Le corps et le titre de la notification sont requis lorsqu'une URL de notification est utilisée"
+msgstr ""
+"Le corps et le titre de la notification sont requis lorsqu'une URL de notification est utiliséeLe corps et le titre "
+"de la notification sont requis lorsqu'une URL de notification est utilisée"

 #: changedetectionio/forms.py
 #, python-format
@@ -2183,11 +2185,11 @@ msgstr "Utilisez les paramètres globaux pour le temps entre la vérification et

 #: changedetectionio/forms.py
 msgid "CSS/JSONPath/JQ/XPath Filters"
-msgstr "Filtre CSS/JSONPath/JQ/XPath"
+msgstr "Filtre CSS/xPath"

 #: changedetectionio/forms.py
 msgid "Remove elements"
-msgstr "Supprimer par élément"
+msgstr "Sélectionner par élément"

 #: changedetectionio/forms.py
 msgid "Extract text"
@@ -2335,7 +2337,7 @@ msgstr "URL du proxy"

 #: changedetectionio/forms.py
 msgid "Proxy URLs must start with http://, https:// or socks5://"
-msgstr "Les URL proxy doivent commencer par http://, https:// ou socks5://"
+msgstr "Les URL proxy doivent commencer par http://, https:// ou chaussettes5://"

 #: changedetectionio/forms.py
 msgid "Browser connection URL"
--- a/changedetectionio/translations/it/LC_MESSAGES/messages.mo
+++ b/changedetectionio/translations/it/LC_MESSAGES/messages.mo
--- a/changedetectionio/translations/ko/LC_MESSAGES/messages.mo
+++ b/changedetectionio/translations/ko/LC_MESSAGES/messages.mo
--- a/changedetectionio/translations/uk/LC_MESSAGES/messages.mo
+++ b/changedetectionio/translations/uk/LC_MESSAGES/messages.mo
--- a/changedetectionio/translations/uk/LC_MESSAGES/messages.po
+++ b/changedetectionio/translations/uk/LC_MESSAGES/messages.po
--- a/changedetectionio/translations/zh/LC_MESSAGES/messages.mo
+++ b/changedetectionio/translations/zh/LC_MESSAGES/messages.mo
--- a/changedetectionio/translations/zh_Hant_TW/LC_MESSAGES/messages.mo
+++ b/changedetectionio/translations/zh_Hant_TW/LC_MESSAGES/messages.mo
--- a/changedetectionio/validate_url.py
+++ b/changedetectionio/validate_url.py
@@ -61,9 +61,7 @@ def normalize_url_encoding(url):
 def is_private_hostname(hostname):
    """Return True if hostname resolves to an IANA-restricted (private/reserved) IP address.

-    Unresolvable hostnames return False (allow them) — DNS may be temporarily unavailable
-    or the domain not yet live. The actual DNS rebinding attack is mitigated by fetch-time
-    re-validation in requests.py, not by blocking unresolvable domains at add-time.
+    Fails closed: unresolvable hostnames return True (block them).
    Never cached — callers that need fresh DNS resolution (e.g. at fetch time) can call
    this directly without going through the lru_cached is_safe_valid_url().
    """
@@ -71,15 +69,13 @@ def is_private_hostname(hostname):
        for info in socket.getaddrinfo(hostname, None):
            ip = ipaddress.ip_address(info[4][0])
            if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
-                logger.warning(f"Hostname '{hostname} - {ip} - ip.is_private = {ip.is_private}, ip.is_loopback = {ip.is_loopback}, ip.is_link_local = {ip.is_link_local}, ip.is_reserved = {ip.is_reserved}")
                return True
-    except socket.gaierror as e:
-        logger.warning(f"{hostname} error checking {str(e)}")
-        return False
-    logger.info(f"Hostname '{hostname}' is NOT private/IANA restricted.")
+    except socket.gaierror:
+        return True
    return False


+@lru_cache(maxsize=10000)
 def is_safe_valid_url(test_url):
    from changedetectionio import strtobool
    from changedetectionio.jinja2_custom import render as jinja_render
@@ -142,4 +138,12 @@ def is_safe_valid_url(test_url):
        logger.warning(f'URL f"{test_url}" failed validation, aborting.')
        return False

+    # Block IANA-restricted (private/reserved) IP addresses unless explicitly allowed.
+    # This is an add-time check; fetch-time re-validation in requests.py handles DNS rebinding.
+    if not strtobool(os.getenv('ALLOW_IANA_RESTRICTED_ADDRESSES', 'false')):
+        parsed = urlparse(test_url)
+        if parsed.hostname and is_private_hostname(parsed.hostname):
+            logger.warning(f'URL "{test_url}" resolves to a private/reserved IP address, aborting.')
+            return False
+
    return True
--- a/requirements.txt
+++ b/requirements.txt
@@ -28,7 +28,7 @@ requests-file
 chardet>2.3.0

 wtforms~=3.2
-jsonpath-ng~=1.8.0
+jsonpath-ng~=1.7.0

 # Fast JSON serialization for better performance
 orjson~=3.11
@@ -76,7 +76,7 @@ elementpath==5.1.1
 # - Pixelmatch is used as fallback when OpenCV is unavailable
 # - To install manually: pip install opencv-python-headless>=4.8.0.76

-selenium~=4.31.0
+selenium~=4.41.0

 # Templating, so far just in the URLs but in the future can be for the notifications also
 jinja2~=3.1