Miniflux - Package Updates

Package Updates

[1.6.7]

• Update v2 to 2.2.13
• Full Changelog
• UI: Added a "Back to top" link for easier navigation.
• Integrations: Added support for Wallabag tags.
• Added support for LinkTaco service to save articles.
• API: Fixed issue where removed entries could still be returned. It was generating an error when fetching entries.
• Icons: Improved handling of relative icon URLs within subfolders.
• Timezone: Ensured only current IANA time zones are used. This avoids issues with Debian Trixie where deprecated time zones have been removed.

Package Updates

[1.6.8]

• Update v2 to 2.2.14
• Full Changelog
• Go Client: Allow passing a custom http.Client and add context support to API methods.
• UI: Redirect users back to the original page after logging in.
• Template: Improved Content Security Policy: extracted CSP generation into a function, added systematic nonces, and changed default-src to 'none' for stronger security.
• Integrations: Added tags option for the Karakeep integration.
• Integrations: Added new Archive.org integration.
• Rewrite Rules: Added remove_img_blur_params rule.
• Rewrite Rules: Added add_image_title rule for explainxkcd.com.
• Fixed CSS layout overflow when external links are too long.
• Fixed JSON Feed parser to fallback to external_url when url is missing.
• Updated scraper rule for Dark Reading.

Package Updates

[1.6.9]

• Update v2 to 2.2.15
• Full Changelog
• New configuration option to disable the Miniflux API
• Added option to save entries to a specific Linkwarden collection
• YouTube subscription improvements:
• Allow feed entries with <i> and <small> tags
• URL Cleaner: Remove additional trackers from URLs
• YouTube embeds: Avoid Error 153 (video player configuration error) in various scenarios
• API: fetchContent endpoint now properly rewrites media URLs when using the media proxy
• Security: Only relative paths are now allowed for the redirectURL parameter

Package Updates

[1.6.10]

• Update v2 to 2.2.16
• Full Changelog
• Disallow the media proxy from fetching resources on private networks to mitigate potential SSRF issues. This behavior is configurable at the instance level.
• Disallow fetching feed icons from private networks to reduce the SSRF attack surface. This is also configurable at the instance level.
• Add the TRUSTED_REVERSE_PROXY_NETWORKS configuration option to prevent spoofing of HTTP headers such as X-Forwarded-For, X-Forwarded-Proto, and X-Real-Ip. This option must be configured when AUTH_PROXY_HEADER is enabled.
• Stop logging generated Google Reader API tokens, even when debug mode is enabled.
• Remove the CORS handler from the Google Reader API, as it is not intended to be used by web clients, reducing the overall attack surface.
• Avoid indexing the content of removed entries, significantly reducing database index size after cleanup.
• Add a new API endpoint to import entries into an existing feed.
• Execute the content sanitizer when updating or importing entries through the API to ensure consistent sanitization.
• Improve Google Reader API compatibility by removing unnecessary output parameter checks and aligning behavior with other open-source RSS readers.
• Add smooth page transitions for a more polished navigation experience.

Package Updates

[1.6.12]

• Update v2 to 2.2.18
• Full Changelog
• To prevent potential SSRF, Miniflux now blocks access to services hosted on private networks by default.
• FETCHER_ALLOW_PRIVATE_NETWORKS=1 must now be enabled to access feeds hosted on a local network.
• INTEGRATION_ALLOW_PRIVATE_NETWORKS=1 must now be enabled to access third-party integration services hosted on a local network.
• Apply entry blocking rules both before and after scraping to avoid unnecessary requests and allow matching on fetched content.
• Add ignore_entry_updates feed option to skip updating existing entries during scheduled polling.
• Add Arabic (ar_SA) translation.
• Add Galician (gl_ES) translation.
• Update Polish translation.
• Various performance improvements across multiple components (fetcher, parser, sanitizer, readability, URL cleaner, feed discovery, and Google Reader API).
• Simplify parts of the Google Reader code and reduce allocations in several hot paths.

Package Updates

[1.6.13]

• Update v2 to 2.2.19
• Full Changelog
• Remove sensitive values (CSRF tokens, OAuth state, session cookies) from log messages.
• Verify OIDC ID token signatures and claims.
• Prevent OAuth identity overwrite when already linked.
• Clear PKCE verifier and CSRF state after use.
• Validate HTTP status from Google userinfo endpoint.
• Use HMAC-SHA256 instead of SHA1 for Google Reader API authentication.
• Use constant-time comparison for token validation.
• Fix potential DoS when truncating large untrusted input in templates.
• Reject oversized favicons.