github miniflux/v2 2.2.18
Miniflux 2.2.18
on GitHub

6 hours ago

Security

  • Block outbound requests to private networks made by the fetcher by default.
  • Add SSRF protection for integration HTTP clients by blocking connections to private network addresses at connect time.
  • Fix a possible SSRF TOCTOU / DNS-rebinding issue in the fetcher private network check.
  • Ensure private network protections also apply to redirect targets.
  • Treat RFC 6598 shared address space (100.64.0.0/10) as non-public.

Breaking Changes

To prevent potential SSRF, Miniflux now blocks access to services hosted on private networks by default.

  • FETCHER_ALLOW_PRIVATE_NETWORKS=1 must now be enabled to access feeds hosted on a local network.
  • INTEGRATION_ALLOW_PRIVATE_NETWORKS=1 must now be enabled to access third-party integration services hosted on a local network.

Improvements

  • Apply entry blocking rules both before and after scraping to avoid unnecessary requests and allow matching on fetched content.
  • Add ignore_entry_updates feed option to skip updating existing entries during scheduled polling.
  • Add Arabic (ar_SA) translation.
  • Add Galician (gl_ES) translation.
  • Update Polish translation.
  • Various performance improvements across multiple components (fetcher, parser, sanitizer, readability, URL cleaner, feed discovery, and Google Reader API).
  • Simplify parts of the Google Reader code and reduce allocations in several hot paths.
  • Reduce fetcher request size slightly to improve packet efficiency.

Bug Fixes

  • Fix multiple bugs and inconsistencies across integration sub-packages (error handling, logging, status checks, and naming).
  • Fix potential panic in the Omnivore integration when handling empty error arrays.
  • Correct error prefixes and typos in several integrations.

Dependencies

  • Update golang.org/x/net to 0.52.0.
  • Update golang.org/x/crypto to 0.49.0.
  • Update golang.org/x/image to 0.37.0.
  • Update golang.org/x/oauth2 to 0.36.0.
  • Update github.com/go-webauthn/webauthn to 0.16.1.
  • Update github.com/tdewolff/minify/v2 to 2.24.10.

Other Changes

  • Upgrade to Go 1.26.
  • Add go:fix directive for deprecated client.New() to ease migration to NewClient().
  • Add KOI8-R encoding tests with a sample XML feed.
  • Add additional tests for CharsetReader.
  • Update several GitHub Actions used for CI and container builds.
  • Avoid building Debian packages bi-weekly on forks.

As always, thank you to all contributors who helped improve Miniflux in this release.

Check out latest releases or
releases around miniflux/v2 2.2.18

Don't miss a new v2 release

NewReleases is sending notifications on new releases.

Get notifications