Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login.
Non-resident credentials can no longer be used for first-factor authentication to prevent username enumeration before password verification. They are intended for post-password MFA flows, which Miniflux does not currently support.
Persist WebAuthn backup eligibility/state and validated credential state after login.
Require POST requests for logout, feed refresh, and OAuth2 unlink actions.
Apply CSRF protection to all non-safe HTTP methods.
Add http.CrossOriginProtection middleware for the web UI.
Validate redirect URL schemes in HTMLRedirect to prevent unsafe redirects.
Restore URL scheme validation in templates for untrusted feed URLs.
Sanitize filenames in Content-Disposition headers to prevent header injection.
Reject empty OAuth2 state parameters when no authentication flow is in progress.
Allow configured private proxies while still enforcing private-network restrictions for direct requests and redirects.
Validate URI schemes case-insensitively according to RFC 3986.
Pin third-party GitHub Actions to immutable commit SHAs to reduce supply-chain risks.
Cap the maximum entry limit to 1000 across the UI, API, and storage layer.
Improvements
Add support for exporting and importing Miniflux-specific feed settings in OPML files, allowing full feed configuration backups and restores.
Add enclosure links rewrite rule to expose podcast/video enclosure URLs inside entry content for external RSS clients.
Add support for the shortcuts: iOS URL scheme in sanitized content.
Add Linux riscv64 builds.
Allow disabling local authentication without enabling automatic OAuth2/auth-proxy user creation.
Improve Chinese Traditional (zh-TW) translations.
Improve RSS parsing for feeds that reuse the same GUID across multiple entries.
Improve UI consistency for authentication settings and external-link behavior.
Automatically clean up orphaned feed icons from the database.
Detect Cloudflare bot challenge pages during feed refresh and return a dedicated error message.
Improve error handling and cleanup in WebAuthn login flows.
Simplify large feed and user deletions using ON DELETE CASCADE.
Performance
Improve sanitizer performance significantly and reduce allocations in multiple hot paths.
Optimize reading-time calculation to avoid unnecessary allocations.
Improve feed parsing performance by preallocating slices/maps and reducing string allocations.
Optimize ISO8601 duration parsing for YouTube and podcast feeds.
Reduce database queries for navigation metadata and storage operations.
Optimize template rendering for icons and CSP generation.
Avoid loading entry content from PostgreSQL when not needed.
Reuse a singleton HTML minifier instance instead of allocating one per request.
Optimize string handling in the reader and sanitizer packages.
Bug Fixes
Fix incorrect read/starred toggling in Google Reader API.
Prevent archived/deleted entries from reappearing as unread by using a tombstone table and removing the removed entry status.
Fix handling of slow HTTP headers.
Fix "open in new tab" behavior for redirected external entry links.
Fix Wallabag integration typo in error messages.
Dependency Updates
Update github.com/go-webauthn/webauthn to v0.17.3.
Update various golang.org/x/* packages.
Update github.com/coreos/go-oidc/v3 to v3.18.0.
Update github.com/tdewolff/minify/v2 to v2.24.13.
As always, thank you to all contributors who helped improve Miniflux in this release.
Configuration
📅Schedule: (UTC)
Branch creation
At any time (no schedule defined)
Automerge
At any time (no schedule defined)
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about this update again.
If you want to rebase/retry this PR, check this box
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [ghcr.io/miniflux/miniflux](https://miniflux.app) ([source](https://github.com/miniflux/v2)) | minor | `2.2.19` → `2.3.0` |
---
### Release Notes
<details>
<summary>miniflux/v2 (ghcr.io/miniflux/miniflux)</summary>
### [`v2.3.0`](https://github.com/miniflux/v2/releases/tag/2.3.0): Miniflux 2.3.0
[Compare Source](https://github.com/miniflux/v2/compare/2.2.19...v2.3.0)
##### Security
- Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login.
- Non-resident credentials can no longer be used for first-factor authentication to prevent username enumeration before password verification. They are intended for post-password MFA flows, which Miniflux does not currently support.
- Persist WebAuthn backup eligibility/state and validated credential state after login.
- Require `POST` requests for logout, feed refresh, and OAuth2 unlink actions.
- Apply CSRF protection to all non-safe HTTP methods.
- Add `http.CrossOriginProtection` middleware for the web UI.
- Validate redirect URL schemes in `HTMLRedirect` to prevent unsafe redirects.
- Restore URL scheme validation in templates for untrusted feed URLs.
- Sanitize filenames in `Content-Disposition` headers to prevent header injection.
- Reject empty OAuth2 state parameters when no authentication flow is in progress.
- Allow configured private proxies while still enforcing private-network restrictions for direct requests and redirects.
- Validate URI schemes case-insensitively according to RFC 3986.
- Pin third-party GitHub Actions to immutable commit SHAs to reduce supply-chain risks.
- Cap the maximum entry limit to 1000 across the UI, API, and storage layer.
##### Improvements
- Add support for exporting and importing Miniflux-specific feed settings in OPML files, allowing full feed configuration backups and restores.
- Add enclosure links rewrite rule to expose podcast/video enclosure URLs inside entry content for external RSS clients.
- Add support for the `shortcuts:` iOS URL scheme in sanitized content.
- Add Linux `riscv64` builds.
- Allow disabling local authentication without enabling automatic OAuth2/auth-proxy user creation.
- Improve Chinese Traditional (`zh-TW`) translations.
- Improve RSS parsing for feeds that reuse the same GUID across multiple entries.
- Improve UI consistency for authentication settings and external-link behavior.
- Automatically clean up orphaned feed icons from the database.
- Detect Cloudflare bot challenge pages during feed refresh and return a dedicated error message.
- Improve error handling and cleanup in WebAuthn login flows.
- Simplify large feed and user deletions using `ON DELETE CASCADE`.
##### Performance
- Improve sanitizer performance significantly and reduce allocations in multiple hot paths.
- Optimize reading-time calculation to avoid unnecessary allocations.
- Improve feed parsing performance by preallocating slices/maps and reducing string allocations.
- Optimize ISO8601 duration parsing for YouTube and podcast feeds.
- Reduce database queries for navigation metadata and storage operations.
- Optimize template rendering for icons and CSP generation.
- Avoid loading entry content from PostgreSQL when not needed.
- Reuse a singleton HTML minifier instance instead of allocating one per request.
- Optimize string handling in the reader and sanitizer packages.
##### Bug Fixes
- Fix incorrect read/starred toggling in Google Reader API.
- Prevent archived/deleted entries from reappearing as unread by using a tombstone table and removing the `removed` entry status.
- Fix handling of slow HTTP headers.
- Fix "open in new tab" behavior for redirected external entry links.
- Fix Wallabag integration typo in error messages.
##### Dependency Updates
- Update `github.com/go-webauthn/webauthn` to `v0.17.3`.
- Update various `golang.org/x/*` packages.
- Update `github.com/coreos/go-oidc/v3` to `v3.18.0`.
- Update `github.com/tdewolff/minify/v2` to `v2.24.13`.
***
As always, thank you to all contributors who helped improve Miniflux in this release.
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODAuMyIsInVwZGF0ZWRJblZlciI6IjQzLjE4MC4zIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
This PR contains the following updates:
2.2.19→2.3.0Release Notes
miniflux/v2 (ghcr.io/miniflux/miniflux)
v2.3.0: Miniflux 2.3.0Compare Source
Security
POSTrequests for logout, feed refresh, and OAuth2 unlink actions.http.CrossOriginProtectionmiddleware for the web UI.HTMLRedirectto prevent unsafe redirects.Content-Dispositionheaders to prevent header injection.Improvements
shortcuts:iOS URL scheme in sanitized content.riscv64builds.zh-TW) translations.ON DELETE CASCADE.Performance
Bug Fixes
removedentry status.Dependency Updates
github.com/go-webauthn/webauthntov0.17.3.golang.org/x/*packages.github.com/coreos/go-oidc/v3tov3.18.0.github.com/tdewolff/minify/v2tov2.24.13.As always, thank you to all contributors who helped improve Miniflux in this release.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.