AverageMarcus/cluster.fun
1
0
Fork 0
Code Issues 1 Pull Requests 3 Releases Activity

Update ghcr.io/miniflux/miniflux Docker tag to v2.3.0 #708

Merged
AverageMarcus merged 1 commits from renovate/ghcr.io-miniflux-miniflux-2.x into master 2026-05-16 04:43:57 +00:00
Conversation 0 Commits 1 Files Changed 1
+1 -1
renovate commented 2026-05-16 03:03:51 +00:00
Collaborator
Copy Link
Copy Source

This PR contains the following updates:

Package Update Change
ghcr.io/miniflux/miniflux (source) minor 2.2.192.3.0

Release Notes

miniflux/v2 (ghcr.io/miniflux/miniflux)

v2.3.0: Miniflux 2.3.0

Compare Source

Security
  • Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login.
  • Non-resident credentials can no longer be used for first-factor authentication to prevent username enumeration before password verification. They are intended for post-password MFA flows, which Miniflux does not currently support.
  • Persist WebAuthn backup eligibility/state and validated credential state after login.
  • Require POST requests for logout, feed refresh, and OAuth2 unlink actions.
  • Apply CSRF protection to all non-safe HTTP methods.
  • Add http.CrossOriginProtection middleware for the web UI.
  • Validate redirect URL schemes in HTMLRedirect to prevent unsafe redirects.
  • Restore URL scheme validation in templates for untrusted feed URLs.
  • Sanitize filenames in Content-Disposition headers to prevent header injection.
  • Reject empty OAuth2 state parameters when no authentication flow is in progress.
  • Allow configured private proxies while still enforcing private-network restrictions for direct requests and redirects.
  • Validate URI schemes case-insensitively according to RFC 3986.
  • Pin third-party GitHub Actions to immutable commit SHAs to reduce supply-chain risks.
  • Cap the maximum entry limit to 1000 across the UI, API, and storage layer.
Improvements
  • Add support for exporting and importing Miniflux-specific feed settings in OPML files, allowing full feed configuration backups and restores.
  • Add enclosure links rewrite rule to expose podcast/video enclosure URLs inside entry content for external RSS clients.
  • Add support for the shortcuts: iOS URL scheme in sanitized content.
  • Add Linux riscv64 builds.
  • Allow disabling local authentication without enabling automatic OAuth2/auth-proxy user creation.
  • Improve Chinese Traditional (zh-TW) translations.
  • Improve RSS parsing for feeds that reuse the same GUID across multiple entries.
  • Improve UI consistency for authentication settings and external-link behavior.
  • Automatically clean up orphaned feed icons from the database.
  • Detect Cloudflare bot challenge pages during feed refresh and return a dedicated error message.
  • Improve error handling and cleanup in WebAuthn login flows.
  • Simplify large feed and user deletions using ON DELETE CASCADE.
Performance
  • Improve sanitizer performance significantly and reduce allocations in multiple hot paths.
  • Optimize reading-time calculation to avoid unnecessary allocations.
  • Improve feed parsing performance by preallocating slices/maps and reducing string allocations.
  • Optimize ISO8601 duration parsing for YouTube and podcast feeds.
  • Reduce database queries for navigation metadata and storage operations.
  • Optimize template rendering for icons and CSP generation.
  • Avoid loading entry content from PostgreSQL when not needed.
  • Reuse a singleton HTML minifier instance instead of allocating one per request.
  • Optimize string handling in the reader and sanitizer packages.
Bug Fixes
  • Fix incorrect read/starred toggling in Google Reader API.
  • Prevent archived/deleted entries from reappearing as unread by using a tombstone table and removing the removed entry status.
  • Fix handling of slow HTTP headers.
  • Fix "open in new tab" behavior for redirected external entry links.
  • Fix Wallabag integration typo in error messages.
Dependency Updates
  • Update github.com/go-webauthn/webauthn to v0.17.3.
  • Update various golang.org/x/* packages.
  • Update github.com/coreos/go-oidc/v3 to v3.18.0.
  • Update github.com/tdewolff/minify/v2 to v2.24.13.

As always, thank you to all contributors who helped improve Miniflux in this release.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/miniflux/miniflux](https://miniflux.app) ([source](https://github.com/miniflux/v2)) | minor | `2.2.19` → `2.3.0` | --- ### Release Notes <details> <summary>miniflux/v2 (ghcr.io/miniflux/miniflux)</summary> ### [`v2.3.0`](https://github.com/miniflux/v2/releases/tag/2.3.0): Miniflux 2.3.0 [Compare Source](https://github.com/miniflux/v2/compare/2.2.19...v2.3.0) ##### Security - Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login. - Non-resident credentials can no longer be used for first-factor authentication to prevent username enumeration before password verification. They are intended for post-password MFA flows, which Miniflux does not currently support. - Persist WebAuthn backup eligibility/state and validated credential state after login. - Require `POST` requests for logout, feed refresh, and OAuth2 unlink actions. - Apply CSRF protection to all non-safe HTTP methods. - Add `http.CrossOriginProtection` middleware for the web UI. - Validate redirect URL schemes in `HTMLRedirect` to prevent unsafe redirects. - Restore URL scheme validation in templates for untrusted feed URLs. - Sanitize filenames in `Content-Disposition` headers to prevent header injection. - Reject empty OAuth2 state parameters when no authentication flow is in progress. - Allow configured private proxies while still enforcing private-network restrictions for direct requests and redirects. - Validate URI schemes case-insensitively according to RFC 3986. - Pin third-party GitHub Actions to immutable commit SHAs to reduce supply-chain risks. - Cap the maximum entry limit to 1000 across the UI, API, and storage layer. ##### Improvements - Add support for exporting and importing Miniflux-specific feed settings in OPML files, allowing full feed configuration backups and restores. - Add enclosure links rewrite rule to expose podcast/video enclosure URLs inside entry content for external RSS clients. - Add support for the `shortcuts:` iOS URL scheme in sanitized content. - Add Linux `riscv64` builds. - Allow disabling local authentication without enabling automatic OAuth2/auth-proxy user creation. - Improve Chinese Traditional (`zh-TW`) translations. - Improve RSS parsing for feeds that reuse the same GUID across multiple entries. - Improve UI consistency for authentication settings and external-link behavior. - Automatically clean up orphaned feed icons from the database. - Detect Cloudflare bot challenge pages during feed refresh and return a dedicated error message. - Improve error handling and cleanup in WebAuthn login flows. - Simplify large feed and user deletions using `ON DELETE CASCADE`. ##### Performance - Improve sanitizer performance significantly and reduce allocations in multiple hot paths. - Optimize reading-time calculation to avoid unnecessary allocations. - Improve feed parsing performance by preallocating slices/maps and reducing string allocations. - Optimize ISO8601 duration parsing for YouTube and podcast feeds. - Reduce database queries for navigation metadata and storage operations. - Optimize template rendering for icons and CSP generation. - Avoid loading entry content from PostgreSQL when not needed. - Reuse a singleton HTML minifier instance instead of allocating one per request. - Optimize string handling in the reader and sanitizer packages. ##### Bug Fixes - Fix incorrect read/starred toggling in Google Reader API. - Prevent archived/deleted entries from reappearing as unread by using a tombstone table and removing the `removed` entry status. - Fix handling of slow HTTP headers. - Fix "open in new tab" behavior for redirected external entry links. - Fix Wallabag integration typo in error messages. ##### Dependency Updates - Update `github.com/go-webauthn/webauthn` to `v0.17.3`. - Update various `golang.org/x/*` packages. - Update `github.com/coreos/go-oidc/v3` to `v3.18.0`. - Update `github.com/tdewolff/minify/v2` to `v2.24.13`. *** As always, thank you to all contributors who helped improve Miniflux in this release. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODAuMyIsInVwZGF0ZWRJblZlciI6IjQzLjE4MC4zIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->
renovate added 1 commit 2026-05-16 03:03:52 +00:00
Update ghcr.io/miniflux/miniflux Docker tag to v2.3.0 e3d2b0f65f
AverageMarcus merged commit a1baddb427 into master 2026-05-16 04:43:57 +00:00
AverageMarcus deleted branch renovate/ghcr.io-miniflux-miniflux-2.x 2026-05-16 04:44:01 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Assignees
Clear assignees
renovate (Renovate Bot) AverageMarcus (Marcus Noble)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: AverageMarcus/cluster.fun#708
Delete Branch "renovate/ghcr.io-miniflux-miniflux-2.x"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?