github miniflux/v2 2.3.0
Miniflux 2.3.0

3 hours ago

Security

  • Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login.
  • Non-resident credentials can no longer be used for first-factor authentication to prevent username enumeration before password verification. They are intended for post-password MFA flows, which Miniflux does not currently support.
  • Persist WebAuthn backup eligibility/state and validated credential state after login.
  • Require POST requests for logout, feed refresh, and OAuth2 unlink actions.
  • Apply CSRF protection to all non-safe HTTP methods.
  • Add http.CrossOriginProtection middleware for the web UI.
  • Validate redirect URL schemes in HTMLRedirect to prevent unsafe redirects.
  • Restore URL scheme validation in templates for untrusted feed URLs.
  • Sanitize filenames in Content-Disposition headers to prevent header injection.
  • Reject empty OAuth2 state parameters when no authentication flow is in progress.
  • Allow configured private proxies while still enforcing private-network restrictions for direct requests and redirects.
  • Validate URI schemes case-insensitively according to RFC 3986.
  • Pin third-party GitHub Actions to immutable commit SHAs to reduce supply-chain risks.
  • Cap the maximum entry limit to 1000 across the UI, API, and storage layer.
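
The scheme checks listed above (redirect URLs, untrusted feed URLs, case-insensitive matching per RFC 3986) can be sketched as follows. This is an added example, not Miniflux's code; the function names and the allowlist are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedSchemes is a constructed allowlist for this example, not Miniflux's own.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// schemeOf extracts the scheme as defined in RFC 3986 section 3.1:
// scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), terminated by ":".
// Schemes are case-insensitive, so the result is lowercased before comparison.
func schemeOf(raw string) (string, bool) {
	for i := 0; i < len(raw); i++ {
		c := raw[i]
		switch {
		case c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z':
			// letters are valid at any position
		case c >= '0' && c <= '9' || c == '+' || c == '-' || c == '.':
			if i == 0 {
				return "", false // a scheme must start with a letter
			}
		case c == ':':
			return strings.ToLower(raw[:i]), i > 0
		default:
			return "", false // "/", "?", "#", space, control byte: no scheme
		}
	}
	return "", false
}

// naiveIsSafe is the weak form: a case-sensitive denylist prefix check.
func naiveIsSafe(raw string) bool {
	return !strings.HasPrefix(raw, "javascript:") && !strings.HasPrefix(raw, "data:")
}

// isAllowedURL is the hardened form: parse the scheme, normalize case, and
// compare against an allowlist. Input without a scheme (relative references,
// leading whitespace) fails closed and must be handled separately by the caller.
func isAllowedURL(raw string) bool {
	scheme, ok := schemeOf(raw)
	return ok && allowedSchemes[scheme]
}

func main() {
	// Constructed sample inputs.
	for _, u := range []string{"HTTPS://example.org/feed.xml", "JavaScript:alert(1)", "/entries/1"} {
		fmt.Printf("%-30q naive=%-5v allowlist=%v\n", u, naiveIsSafe(u), isAllowedURL(u))
	}
}
```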

Improvements

  • Add support for exporting and importing Miniflux-specific feed settings in OPML files, allowing full feed configuration backups and restores.
  • Add enclosure links rewrite rule to expose podcast/video enclosure URLs inside entry content for external RSS clients.
  • Add support for the shortcuts: iOS URL scheme in sanitized content.
  • Add Linux riscv64 builds.
  • Allow disabling local authentication without enabling automatic OAuth2/auth-proxy user creation.
  • Improve Traditional Chinese (zh-TW) translations.
  • Improve RSS parsing for feeds that reuse the same GUID across multiple entries.
  • Improve UI consistency for authentication settings and external-link behavior.
  • Automatically clean up orphaned feed icons from the database.
  • Detect Cloudflare bot challenge pages during feed refresh and return a dedicated error message.
  • Improve error handling and cleanup in WebAuthn login flows.
  • Simplify large feed and user deletions using ON DELETE CASCADE.

Performance

  • Improve sanitizer performance significantly and reduce allocations in multiple hot paths.
  • Optimize reading-time calculation to avoid unnecessary allocations.
  • Improve feed parsing performance by preallocating slices/maps and reducing string allocations.
  • Optimize ISO8601 duration parsing for YouTube and podcast feeds.
  • Reduce database queries for navigation metadata and storage operations.
  • Optimize template rendering for icons and CSP generation.
  • Avoid loading entry content from PostgreSQL when not needed.
  • Reuse a singleton HTML minifier instance instead of allocating one per request.
  • Optimize string handling in the reader and sanitizer packages.

Bug Fixes

  • Fix incorrect read/starred toggling in Google Reader API.
  • Prevent archived/deleted entries from reappearing as unread by using a tombstone table and removing the "removed" entry status.
  • Fix handling of slow HTTP headers.
  • Fix "open in new tab" behavior for redirected external entry links.
  • Fix Wallabag integration typo in error messages.

Dependency Updates

  • Update github.com/go-webauthn/webauthn to v0.17.3.
  • Update various golang.org/x/* packages.
  • Update github.com/coreos/go-oidc/v3 to v3.18.0.
  • Update github.com/tdewolff/minify/v2 to v2.24.13.

As always, thank you to all contributors who helped improve Miniflux in this release.
