Block outbound requests to private networks made by the fetcher by default.
Add SSRF protection for integration HTTP clients by blocking connections to private network addresses at connect time.
Fix a possible SSRF TOCTOU / DNS-rebinding issue in the fetcher private network check.
Ensure private network protections also apply to redirect targets.
Treat RFC 6598 shared address space (100.64.0.0/10) as non-public.
Breaking Changes
To prevent potential SSRF, Miniflux now blocks access to services hosted on private networks by default.
FETCHER_ALLOW_PRIVATE_NETWORKS=1 must now be enabled to access feeds hosted on a local network.
INTEGRATION_ALLOW_PRIVATE_NETWORKS=1 must now be enabled to access third-party integration services hosted on a local network.
Improvements
Apply entry blocking rules both before and after scraping to avoid unnecessary requests and allow matching on fetched content.
Add ignore_entry_updates feed option to skip updating existing entries during scheduled polling.
Add Arabic (ar_SA) translation.
Add Galician (gl_ES) translation.
Update Polish translation.
Various performance improvements across multiple components (fetcher, parser, sanitizer, readability, URL cleaner, feed discovery, and Google Reader API).
Simplify parts of the Google Reader code and reduce allocations in several hot paths.
Reduce fetcher request size slightly to improve packet efficiency.
Bug Fixes
Fix multiple bugs and inconsistencies across integration sub-packages (error handling, logging, status checks, and naming).
Fix potential panic in the Omnivore integration when handling empty error arrays.
Correct error prefixes and typos in several integrations.
Dependencies
Update golang.org/x/net to 0.52.0.
Update golang.org/x/crypto to 0.49.0.
Update golang.org/x/image to 0.37.0.
Update golang.org/x/oauth2 to 0.36.0.
Update github.com/go-webauthn/webauthn to 0.16.1.
Update github.com/tdewolff/minify/v2 to 2.24.10.
Other Changes
Upgrade to Go 1.26.
Add go:fix directive for deprecated client.New() to ease migration to NewClient().
Add KOI8-R encoding tests with a sample XML feed.
Add additional tests for CharsetReader.
Update several GitHub Actions used for CI and container builds.
Avoid building Debian packages bi-weekly on forks.
As always, thank you to all contributors who helped improve Miniflux in this release.
Configuration
📅Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about this update again.
If you want to rebase/retry this PR, check this box
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [ghcr.io/miniflux/miniflux](https://miniflux.app) ([source](https://github.com/miniflux/v2)) | patch | `2.2.17` → `2.2.18` |
---
### Release Notes
<details>
<summary>miniflux/v2 (ghcr.io/miniflux/miniflux)</summary>
### [`v2.2.18`](https://github.com/miniflux/v2/releases/tag/2.2.18): Miniflux 2.2.18
[Compare Source](https://github.com/miniflux/v2/compare/2.2.17...2.2.18)
##### Security
- Block outbound requests to private networks made by the fetcher by default.
- Add SSRF protection for integration HTTP clients by blocking connections to private network addresses at connect time.
- Fix a possible SSRF TOCTOU / DNS-rebinding issue in the fetcher private network check.
- Ensure private network protections also apply to redirect targets.
- Treat RFC 6598 shared address space (`100.64.0.0/10`) as non-public.
##### Breaking Changes
To prevent potential SSRF, Miniflux now blocks access to services hosted on private networks by default.
- `FETCHER_ALLOW_PRIVATE_NETWORKS=1` must now be enabled to access feeds hosted on a local network.
- `INTEGRATION_ALLOW_PRIVATE_NETWORKS=1` must now be enabled to access third-party integration services hosted on a local network.
##### Improvements
- Apply entry blocking rules both before and after scraping to avoid unnecessary requests and allow matching on fetched content.
- Add `ignore_entry_updates` feed option to skip updating existing entries during scheduled polling.
- Add Arabic (`ar_SA`) translation.
- Add Galician (`gl_ES`) translation.
- Update Polish translation.
- Various performance improvements across multiple components (fetcher, parser, sanitizer, readability, URL cleaner, feed discovery, and Google Reader API).
- Simplify parts of the Google Reader code and reduce allocations in several hot paths.
- Reduce fetcher request size slightly to improve packet efficiency.
##### Bug Fixes
- Fix multiple bugs and inconsistencies across integration sub-packages (error handling, logging, status checks, and naming).
- Fix potential panic in the Omnivore integration when handling empty error arrays.
- Correct error prefixes and typos in several integrations.
##### Dependencies
- Update `golang.org/x/net` to 0.52.0.
- Update `golang.org/x/crypto` to 0.49.0.
- Update `golang.org/x/image` to 0.37.0.
- Update `golang.org/x/oauth2` to 0.36.0.
- Update `github.com/go-webauthn/webauthn` to 0.16.1.
- Update `github.com/tdewolff/minify/v2` to 2.24.10.
##### Other Changes
- Upgrade to Go 1.26.
- Add `go:fix` directive for deprecated `client.New()` to ease migration to `NewClient()`.
- Add KOI8-R encoding tests with a sample XML feed.
- Add additional tests for `CharsetReader`.
- Update several GitHub Actions used for CI and container builds.
- Avoid building Debian packages bi-weekly on forks.
***
As always, thank you to all contributors who helped improve Miniflux in this release.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My43NS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNzUuMCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119-->
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
This PR contains the following updates:
2.2.17→2.2.18Release Notes
miniflux/v2 (ghcr.io/miniflux/miniflux)
v2.2.18: Miniflux 2.2.18Compare Source
Security
100.64.0.0/10) as non-public.Breaking Changes
To prevent potential SSRF, Miniflux now blocks access to services hosted on private networks by default.
FETCHER_ALLOW_PRIVATE_NETWORKS=1must now be enabled to access feeds hosted on a local network.INTEGRATION_ALLOW_PRIVATE_NETWORKS=1must now be enabled to access third-party integration services hosted on a local network.Improvements
ignore_entry_updatesfeed option to skip updating existing entries during scheduled polling.ar_SA) translation.gl_ES) translation.Bug Fixes
Dependencies
golang.org/x/netto 0.52.0.golang.org/x/cryptoto 0.49.0.golang.org/x/imageto 0.37.0.golang.org/x/oauth2to 0.36.0.github.com/go-webauthn/webauthnto 0.16.1.github.com/tdewolff/minify/v2to 2.24.10.Other Changes
go:fixdirective for deprecatedclient.New()to ease migration toNewClient().CharsetReader.As always, thank you to all contributors who helped improve Miniflux in this release.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.