miniflux/v2 2.2.19

Miniflux 2.2.19

on GitHub

Security

• Remove sensitive values (CSRF tokens, OAuth state, session cookies) from log messages.
• Improve OAuth2 security:
  • Verify OIDC ID token signatures and claims.
  • Prevent OAuth identity overwrite when already linked.
  • Clear PKCE verifier and CSRF state after use.
  • Validate HTTP status from Google userinfo endpoint.
• Use HMAC-SHA256 instead of SHA1 for Google Reader API authentication.
• Use constant-time comparison for token validation.
• Fix potential DoS when truncating large untrusted input in templates.
• Reject oversized favicons.

Improvements

• Improve configuration validation with cross-field consistency checks.
• OAuth2:
  • Explicit provider selection via OAUTH2_PROVIDER.
  • Better separation between Google and OIDC providers.
  • Updated Google OAuth endpoints to v2.
• UI:
  • Add cache-busting for static assets (JS, CSS, icons).
  • Add Cache-Control: immutable for static resources.
• Sanitizer:
  • Allow iframes from framatube.org.
  • Improve performance and parsing behavior.
• Metrics and workers:
  • Graceful shutdown support for worker pool and metrics collector.
  • Better error reporting for metrics.
• API / HTTP:
  • Support weak ETag comparison.
  • Improve response helpers and headers handling.

Performance

• Reduce number of SQL queries for unread entries and UI pages.
• Optimize database queries and locking behavior:
  • Use SKIP LOCKED in archive operations.
  • Reduce unnecessary queries and connections.
• Improve UI performance:
  • Cache keymaps instead of recomputing on each keypress.
  • Batch DOM updates when marking entries as read.
• Optimize sanitizer, media proxy, routing, and template rendering.
• Reduce allocations in various hot paths.

Bug Fixes

• Fix category update validation rendering.
• Fix redirect after marking a feed as read from category view.
• Fix timezone comparison logic.
• Fix Arabic pluralization rules (ar_SA).
• Fix validator behavior when clearing user filters.
• Fix CLI behavior for --info and --version.
• Fix CORS preflight responses (return 204).
• Ensure 204 responses do not include Content-Type.
• Ignore unsupported media proxy targets and handle MIME types correctly.

Refactoring

• Remove dependency on gorilla/mux across the codebase.
• Improve code structure and naming consistency (API, OAuth2, config, validators).
• Simplify timezone and server setup logic.
• Improve testability and documentation (GoDoc updates).

Dependencies

• Update multiple dependencies, including:

  • github.com/lib/pq
  • github.com/go-jose/go-jose/v4
  • github.com/go-webauthn/webauthn
  • github.com/andybalholm/brotli
  • github.com/tdewolff/minify/v2
  • golang.org/x/image
  • github.com/PuerkitoBio/goquery