Update ghcr.io/miniflux/miniflux Docker tag to v2.3.0 #708

2026-05-16T03:03:51Z

renovate commented

2026-05-16 03:03:51 +00:00

This PR contains the following updates:

Package	Update	Change
ghcr.io/miniflux/miniflux (source)	minor	`2.2.19` → `2.3.0`

Release Notes

miniflux/v2 (ghcr.io/miniflux/miniflux)

`v2.3.0`: Miniflux 2.3.0

Compare Source

Security

Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login.
Non-resident credentials can no longer be used for first-factor authentication to prevent username enumeration before password verification. They are intended for post-password MFA flows, which Miniflux does not currently support.
Persist WebAuthn backup eligibility/state and validated credential state after login.
Require POST requests for logout, feed refresh, and OAuth2 unlink actions.
Apply CSRF protection to all non-safe HTTP methods.
Add http.CrossOriginProtection middleware for the web UI.
Validate redirect URL schemes in HTMLRedirect to prevent unsafe redirects.
Restore URL scheme validation in templates for untrusted feed URLs.
Sanitize filenames in Content-Disposition headers to prevent header injection.
Reject empty OAuth2 state parameters when no authentication flow is in progress.
Allow configured private proxies while still enforcing private-network restrictions for direct requests and redirects.
Validate URI schemes case-insensitively according to RFC 3986.
Pin third-party GitHub Actions to immutable commit SHAs to reduce supply-chain risks.
Cap the maximum entry limit to 1000 across the UI, API, and storage layer.

Improvements

Add support for exporting and importing Miniflux-specific feed settings in OPML files, allowing full feed configuration backups and restores.
Add enclosure links rewrite rule to expose podcast/video enclosure URLs inside entry content for external RSS clients.
Add support for the shortcuts: iOS URL scheme in sanitized content.
Add Linux riscv64 builds.
Allow disabling local authentication without enabling automatic OAuth2/auth-proxy user creation.
Improve Chinese Traditional (zh-TW) translations.
Improve RSS parsing for feeds that reuse the same GUID across multiple entries.
Improve UI consistency for authentication settings and external-link behavior.
Automatically clean up orphaned feed icons from the database.
Detect Cloudflare bot challenge pages during feed refresh and return a dedicated error message.
Improve error handling and cleanup in WebAuthn login flows.
Simplify large feed and user deletions using ON DELETE CASCADE.

Performance

Improve sanitizer performance significantly and reduce allocations in multiple hot paths.
Optimize reading-time calculation to avoid unnecessary allocations.
Improve feed parsing performance by preallocating slices/maps and reducing string allocations.
Optimize ISO8601 duration parsing for YouTube and podcast feeds.
Reduce database queries for navigation metadata and storage operations.
Optimize template rendering for icons and CSP generation.
Avoid loading entry content from PostgreSQL when not needed.
Reuse a singleton HTML minifier instance instead of allocating one per request.
Optimize string handling in the reader and sanitizer packages.

Bug Fixes

Fix incorrect read/starred toggling in Google Reader API.
Prevent archived/deleted entries from reappearing as unread by using a tombstone table and removing the removed entry status.
Fix handling of slow HTTP headers.
Fix "open in new tab" behavior for redirected external entry links.
Fix Wallabag integration typo in error messages.

Dependency Updates

Update github.com/go-webauthn/webauthn to v0.17.3.
Update various golang.org/x/* packages.
Update github.com/coreos/go-oidc/v3 to v3.18.0.
Update github.com/tdewolff/minify/v2 to v2.24.13.

As always, thank you to all contributors who helped improve Miniflux in this release.

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/miniflux/miniflux](https://miniflux.app) ([source](https://github.com/miniflux/v2)) | minor | `2.2.19` → `2.3.0` | --- ### Release Notes <details> <summary>miniflux/v2 (ghcr.io/miniflux/miniflux)</summary> ### [`v2.3.0`](https://github.com/miniflux/v2/releases/tag/2.3.0): Miniflux 2.3.0 [Compare Source](https://github.com/miniflux/v2/compare/2.2.19...v2.3.0) ##### Security - Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login. - Non-resident credentials can no longer be used for first-factor authentication to prevent username enumeration before password verification. They are intended for post-password MFA flows, which Miniflux does not currently support. - Persist WebAuthn backup eligibility/state and validated credential state after login. - Require `POST` requests for logout, feed refresh, and OAuth2 unlink actions. - Apply CSRF protection to all non-safe HTTP methods. - Add `http.CrossOriginProtection` middleware for the web UI. - Validate redirect URL schemes in `HTMLRedirect` to prevent unsafe redirects. - Restore URL scheme validation in templates for untrusted feed URLs. - Sanitize filenames in `Content-Disposition` headers to prevent header injection. - Reject empty OAuth2 state parameters when no authentication flow is in progress. - Allow configured private proxies while still enforcing private-network restrictions for direct requests and redirects. - Validate URI schemes case-insensitively according to RFC 3986. - Pin third-party GitHub Actions to immutable commit SHAs to reduce supply-chain risks. - Cap the maximum entry limit to 1000 across the UI, API, and storage layer. ##### Improvements - Add support for exporting and importing Miniflux-specific feed settings in OPML files, allowing full feed configuration backups and restores. - Add enclosure links rewrite rule to expose podcast/video enclosure URLs inside entry content for external RSS clients. - Add support for the `shortcuts:` iOS URL scheme in sanitized content. - Add Linux `riscv64` builds. - Allow disabling local authentication without enabling automatic OAuth2/auth-proxy user creation. - Improve Chinese Traditional (`zh-TW`) translations. - Improve RSS parsing for feeds that reuse the same GUID across multiple entries. - Improve UI consistency for authentication settings and external-link behavior. - Automatically clean up orphaned feed icons from the database. - Detect Cloudflare bot challenge pages during feed refresh and return a dedicated error message. - Improve error handling and cleanup in WebAuthn login flows. - Simplify large feed and user deletions using `ON DELETE CASCADE`. ##### Performance - Improve sanitizer performance significantly and reduce allocations in multiple hot paths. - Optimize reading-time calculation to avoid unnecessary allocations. - Improve feed parsing performance by preallocating slices/maps and reducing string allocations. - Optimize ISO8601 duration parsing for YouTube and podcast feeds. - Reduce database queries for navigation metadata and storage operations. - Optimize template rendering for icons and CSP generation. - Avoid loading entry content from PostgreSQL when not needed. - Reuse a singleton HTML minifier instance instead of allocating one per request. - Optimize string handling in the reader and sanitizer packages. ##### Bug Fixes - Fix incorrect read/starred toggling in Google Reader API. - Prevent archived/deleted entries from reappearing as unread by using a tombstone table and removing the `removed` entry status. - Fix handling of slow HTTP headers. - Fix "open in new tab" behavior for redirected external entry links. - Fix Wallabag integration typo in error messages. ##### Dependency Updates - Update `github.com/go-webauthn/webauthn` to `v0.17.3`. - Update various `golang.org/x/*` packages. - Update `github.com/coreos/go-oidc/v3` to `v3.18.0`. - Update `github.com/tdewolff/minify/v2` to `v2.24.13`. *** As always, thank you to all contributors who helped improve Miniflux in this release. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

renovate added 1 commit 2026-05-16 03:03:52 +00:00

Update ghcr.io/miniflux/miniflux Docker tag to v2.3.0 e3d2b0f65f

This pull request doesn't have enough required approvals yet. 0 of 1 official approvals granted.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/ghcr.io-miniflux-miniflux-2.x:renovate/ghcr.io-miniflux-miniflux-2.x

git checkout renovate/ghcr.io-miniflux-miniflux-2.x

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: AverageMarcus/cluster.fun#708