Miniflux - Package Updates

Package Updates

[1.5.2]

• Update v2 to 2.2.5
• Full Changelog
• tests(js): improve .jshintrc (strict comparison, etc...)
• test(sanitizer): add a fuzzer
• refactor(rewriter): use custom title case converter implementation instead of golang.org/x/text/cases.Title()
• refactor(readingtime): replace whatlanggo package with an ad-hoc implementation
• refactor(oauth2): no need to use io.WriteString when sha256 provides a way to obtain a sum in a single call
• refactor(js): simplify a bit keyboard_handler.js
• refactor(js): remove an outdated check for {passive: true}
• refactor(js): minor refactoring of touch_handler.js
• refactor(js): minor improvements in app.js
• refactor(database): add special handling for PostgreSQL-specific migrations
• fix(ui): reading preferences are reset if the form values are incorrect

Package Updates

[1.5.3]

• Update v2 to 2.2.6
• Full Changelog
• test(encoding): add unit tests for CharsetReader function
• refactor(xml): improve the performances of NewXMLDecoder
• refactor(ui): remove superfluous cast
• refactor(request): broaden an error condition when parsing cookies
• refactor(processor): remove superfluous parenthesis
• refactor(opml): don't define receivers on both values and pointer
• refactor(model): simplify a condition

Package Updates

[1.6.0]

• Update base image to 5.0.0

Package Updates

[1.6.1]

• Update v2 to 2.2.7
• Full Changelog
• refactor: combine feed icon handlers to use only externalIconID
• fix(ui): update share feature to correctly select the title element and handle empty titles
• fix(ui): update entry tags display logic to show links based on user authentication
• fix(ui): remove touch-action style to prevent horizontal scrolling issues
• fix(ui): log a warning for an empty client secret
• fix(ui): change labels from "Read / Unread" to "Mark as Read"
• fix(ui): avoid 500 errors and NaN when marking a deleted entry as read
• fix(subscription): add /rss/feed.xml to the list of known feed URLs

Package Updates

[1.6.2]

• Update v2 to 2.2.8
• Full Changelog
• fix(api): hide_globally categories field should be a boolean
• fix(ui): add missing await when calling navigator.share() method
• fix(ui): replace share link with a form button for better accessibility
• feat(telegrambot): replace "Go to website" button with "Go to Miniflux"
• feat(locale): update Polish translation
• feat(locale): update German translation
• feat(locale): update Chinese translation
• feat(config): add SCHEDULER_ROUND_ROBIN_MAX_INTERVAL option
• feat(cli): add -reset-feed-next-check-at argument
• feat(api): add update_content query parameter to /entries/{entryID}/fetch-content endpoint

Package Updates

[1.6.3]

• Update v2 to 2.2.9
• Full Changelog
• fix(webauthn): correct argument in debug log
• fix(sanitizer): MathML tags are not fully supported by golang.org/x/net/html
• fix(migrations): prevent failure at version 45 with long entry URLs
• fix(locale): localize Git commit label in about page
• fix(googlereader): return a 400 instead of 500 for invalid edit requests
• fix(googlereader): handle various item ID formats
• fix(googlereader): avoid panic for inexisting feed or category
• fix(googlereader): /items/contents should accept short form item IDs
• feat(webauthn): prefer creation of a client-side discoverable credential
• feat(urlcleaner): remove the ref parameter from url

Package Updates

[1.6.4]

• Update v2 to 2.2.10
• Full Changelog
• test(sanitizer): add unit test for 0x0 pixel tracker
• fix(readability): do not remove elements within code blocks
• fix(karakeep): correct method name and improve error handling in SaveURL
• fix(filter): skip invalid rules instead of exiting the loop
• feat(ui): display external link in single entry view because the URL was not visible on mobile (no mouse over)
• feat(ui): avoid showing an excessive number of tags
• feat(ui): add user setting to control target="_blank" on links
• feat(sanitizer): validate MathML XML namespace
• feat(sanitizer): consider images of size 0x0 as pixel trackers
• feat(sanitizer): add validation for empty width and height attributes in img tags

Package Updates

[1.6.5]

• Update v2 to 2.2.11
• Full Changelog
• TLS support for Unix sockets: Miniflux can now serve TLS over Unix domain sockets using CERT_FILE and KEY_FILE (#fcf86e3).
• RSS fallback: If a feed entry has no URL, Miniflux now uses the enclosure URL as a fallback (#d9de9d1).
• Bearer token for Linkwarden: The Linkwarden integration now uses Bearer token authorization instead of cookies (#1d11623).
• Cookie policy improvement: SameSiteStrictMode is enforced for cookies when OAuth2/OIDC is not used (#135ce1d).
• Readability engine: Avoid removing elements with the content class during readability parsing (#66b269e).
• Fixed an issue with feeds having excessive leading whitespace causing parser buffer issues (#54abd0a).
• Properly preserve UTF-8 when truncating strings for full-text search (#703f113).
• Fixed logic error in enclosure type detection (#50d5cb9).
• Fixed incorrect filter rule parsing of Windows-style newlines (#dc81725).
• Fixed a panic in startAutoCertTLSServer function when using Let's Encrypt automatic certificates (#f7a6b02)

Package Updates

[1.6.6]

• Update v2 to 2.2.12
• Full Changelog
• Keep only metadata of removed entries to reduce database size.
• Removed entry status is now immutable and cannot be changed back to unread or read status.
• SVG favicons are now minified before storing them in the database.
• Added support for resizing WebP images.
• Main menu now includes icons.
• Added Progressive Web App (PWA) shortcuts for quick access to common actions.
• Added direct link to the Apache 2.0 license on the About page.
• Feed-level webhook URLs now take priority when saving entries.
• New option: POLLING_LIMIT_PER_HOST to limit concurrent requests per host.
• Added a rewrite rule to remove useless heading images on Phoronix articles.

Package Updates

[1.6.7]

• Update v2 to 2.2.13
• Full Changelog
• UI: Added a "Back to top" link for easier navigation.
• Integrations: Added support for Wallabag tags.
• Added support for LinkTaco service to save articles.
• API: Fixed issue where removed entries could still be returned. It was generating an error when fetching entries.
• Icons: Improved handling of relative icon URLs within subfolders.
• Timezone: Ensured only current IANA time zones are used. This avoids issues with Debian Trixie where deprecated time zones have been removed.

Package Updates

[1.6.8]

• Update v2 to 2.2.14
• Full Changelog
• Go Client: Allow passing a custom http.Client and add context support to API methods.
• UI: Redirect users back to the original page after logging in.
• Template: Improved Content Security Policy: extracted CSP generation into a function, added systematic nonces, and changed default-src to 'none' for stronger security.
• Integrations: Added tags option for the Karakeep integration.
• Integrations: Added new Archive.org integration.
• Rewrite Rules: Added remove_img_blur_params rule.
• Rewrite Rules: Added add_image_title rule for explainxkcd.com.
• Fixed CSS layout overflow when external links are too long.
• Fixed JSON Feed parser to fallback to external_url when url is missing.
• Updated scraper rule for Dark Reading.

Package Updates

[1.6.9]

• Update v2 to 2.2.15
• Full Changelog
• New configuration option to disable the Miniflux API
• Added option to save entries to a specific Linkwarden collection
• YouTube subscription improvements:
• Allow feed entries with <i> and <small> tags
• URL Cleaner: Remove additional trackers from URLs
• YouTube embeds: Avoid Error 153 (video player configuration error) in various scenarios
• API: fetchContent endpoint now properly rewrites media URLs when using the media proxy
• Security: Only relative paths are now allowed for the redirectURL parameter

Package Updates

[1.6.10]

• Update v2 to 2.2.16
• Full Changelog
• Disallow the media proxy from fetching resources on private networks to mitigate potential SSRF issues. This behavior is configurable at the instance level.
• Disallow fetching feed icons from private networks to reduce the SSRF attack surface. This is also configurable at the instance level.
• Add the TRUSTED_REVERSE_PROXY_NETWORKS configuration option to prevent spoofing of HTTP headers such as X-Forwarded-For, X-Forwarded-Proto, and X-Real-Ip. This option must be configured when AUTH_PROXY_HEADER is enabled.
• Stop logging generated Google Reader API tokens, even when debug mode is enabled.
• Remove the CORS handler from the Google Reader API, as it is not intended to be used by web clients, reducing the overall attack surface.
• Avoid indexing the content of removed entries, significantly reducing database index size after cleanup.
• Add a new API endpoint to import entries into an existing feed.
• Execute the content sanitizer when updating or importing entries through the API to ensure consistent sanitization.
• Improve Google Reader API compatibility by removing unnecessary output parameter checks and aligning behavior with other open-source RSS readers.
• Add smooth page transitions for a more polished navigation experience.