Fixed an OAuth account binding vulnerability that could allow users to associate arbitrary OAuth identities with their account.
Fixed an open redirect vulnerability caused by backslashes in relative redirect URLs.
Fixed a potential SQL injection vulnerability in dynamically generated ORDER BY clauses.
Hardened metrics endpoint authentication by using constant-time credential comparisons.
Bug Fixes
Fixed an issue where the stdlib cross-origin protection middleware could block legitimate requests in certain self-hosted environments. The middleware has been reverted.
Improvements
Added Korean language support.
Improved HTML truncation performance and reduced memory allocations.
Optimized feed discovery, subscription detection, date parsing, and tag filtering.
Simplified and refactored several storage and query-building components for better maintainability.
Dependencies
Updated several dependencies, including:
github.com/go-webauthn/webauthn 0.17.4
golang.org/x/crypto 0.52.0
golang.org/x/image 0.41.0
golang.org/x/net 0.55.0
As always, thank you to all contributors who helped improve Miniflux in this release.
Configuration
📅Schedule: (UTC)
Branch creation
At any time (no schedule defined)
Automerge
At any time (no schedule defined)
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about this update again.
If you want to rebase/retry this PR, check this box
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [ghcr.io/miniflux/miniflux](https://miniflux.app) ([source](https://github.com/miniflux/v2)) | patch | `2.3.0` → `2.3.1` |
---
### Release Notes
<details>
<summary>miniflux/v2 (ghcr.io/miniflux/miniflux)</summary>
### [`v2.3.1`](https://github.com/miniflux/v2/releases/tag/2.3.1): Miniflux 2.3.1
[Compare Source](https://github.com/miniflux/v2/compare/v2.3.0...2.3.1)
##### Security
- Fixed an OAuth account binding vulnerability that could allow users to associate arbitrary OAuth identities with their account.
- Fixed an open redirect vulnerability caused by backslashes in relative redirect URLs.
- Fixed a potential SQL injection vulnerability in dynamically generated `ORDER BY` clauses.
- Hardened metrics endpoint authentication by using constant-time credential comparisons.
##### Bug Fixes
- Fixed an issue where the stdlib cross-origin protection middleware could block legitimate requests in certain self-hosted environments. The middleware has been reverted.
##### Improvements
- Added Korean language support.
- Improved HTML truncation performance and reduced memory allocations.
- Optimized feed discovery, subscription detection, date parsing, and tag filtering.
- Simplified and refactored several storage and query-building components for better maintainability.
##### Dependencies
Updated several dependencies, including:
- `github.com/go-webauthn/webauthn` 0.17.4
- `golang.org/x/crypto` 0.52.0
- `golang.org/x/image` 0.41.0
- `golang.org/x/net` 0.55.0
***
As always, thank you to all contributors who helped improve Miniflux in this release.
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIwNC4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
This PR contains the following updates:
2.3.0→2.3.1Release Notes
miniflux/v2 (ghcr.io/miniflux/miniflux)
v2.3.1: Miniflux 2.3.1Compare Source
Security
ORDER BYclauses.Bug Fixes
Improvements
Dependencies
Updated several dependencies, including:
github.com/go-webauthn/webauthn0.17.4golang.org/x/crypto0.52.0golang.org/x/image0.41.0golang.org/x/net0.55.0As always, thank you to all contributors who helped improve Miniflux in this release.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.