chore(deps): update miniflux/miniflux docker tag to v2.2.17 #544

Closed
renovate-bot wants to merge 1 commit from renovate/miniflux-miniflux-2.x into main

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| miniflux/miniflux (source) | patch | 2.2.13 → 2.2.17 |

⚠️ Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

miniflux/v2 (miniflux/miniflux)

v2.2.17: Miniflux 2.2.17

Compare Source

Security
  • Do not expose the Miniflux version on unauthenticated endpoints (deprecated since version 2.0.49).
  • Improve HTML sanitizer by switching from the tokenizer to the golang.org/x/net/html parser to better match browser behavior and reduce the risk of injection issues.
  • Enforce blocked resource checks on srcset URLs.
  • Improve blocked resource handling (including updates to blocked URL substrings).
  • Add validation for TRUSTED_REVERSE_PROXY_NETWORKS configuration to prevent silent misconfiguration.
  • Prevent possible deadlock when cleaning removed entries.
  • Ensure HTTP response bodies are always closed, even on client errors.
Improvements
  • Rewrite srcset parser to follow HTML specifications (WebKit-style parsing) and handle edge cases more correctly.

  • Improve sanitizer performance (various optimizations, including reduced allocations and better attribute handling).

  • Handle deeply nested HTML more robustly in the sanitizer.

  • Add scraper and rewrite rules for:

    • bleepingcomputer.com
    • vnexpress.net
  • Improve JSON Feed support:

    • Support malformed feeds with author objects in the authors array.
    • Avoid panic when parsing null feeds.
    • Improve title fallback logic.
    • Include external_url in JSON entry hash fallback.
  • Ignore WordPress wp-json API endpoint during JSON feed discovery.

  • Add unread status filter to search results.

  • Improve timezone handling internals and performance.

  • Improve API payload structures and Godoc comments.

  • Improve JavaScript code readability and keyboard shortcut handling.

  • Restore cmd/ctrl/shift-click behavior on main navigation.

  • Fix Safari PWA behavior for the v shortcut to open links in the main browser.

Bug Fixes
  • Do not keep old enclosures when an updated entry has none.
  • Handle sql.ErrNoRows properly in IconByFeedID.
  • Change FindRemoteIP to fall back to 127.0.0.1.
Configuration Changes
  • Removed FILTER_ENTRY_MAX_AGE_DAYS.
    This option can be replaced with a filter rule such as max-age:<duration>.
    Global environment variables should be reserved for process-level configuration.
Dependencies
  • Update github.com/lib/pq to 1.11.2.

  • Update:

    • golang.org/x/net to 0.50.0
    • golang.org/x/crypto to 0.48.0
    • golang.org/x/image to 0.36.0
    • golang.org/x/oauth2 to 0.35.0
    • golang.org/x/term to 0.40.0
  • Update Debian packager Docker image to Trixie.


As always, thank you to all contributors who helped improve Miniflux in this release.

v2.2.16: Miniflux 2.2.16

Compare Source

Security
  • Disallow the media proxy from fetching resources on private networks to mitigate potential SSRF issues. This behavior is configurable at the instance level.
  • Disallow fetching feed icons from private networks to reduce the SSRF attack surface. This is also configurable at the instance level.
  • Add the TRUSTED_REVERSE_PROXY_NETWORKS configuration option to prevent spoofing of HTTP headers such as X-Forwarded-For, X-Forwarded-Proto, and X-Real-Ip. This option must be configured when AUTH_PROXY_HEADER is enabled.
  • Stop logging generated Google Reader API tokens, even when debug mode is enabled.
  • Remove the CORS handler from the Google Reader API, as it is not intended to be used by web clients, reducing the overall attack surface.
Performance and Storage
  • Avoid indexing the content of removed entries, significantly reducing database index size after cleanup.
  • Minor storage and database refactoring to simplify code paths and reduce unnecessary formatting overhead.
API and Integrations
  • Add a new API endpoint to import entries into an existing feed.
  • Execute the content sanitizer when updating or importing entries through the API to ensure consistent sanitization.
  • Improve Google Reader API compatibility by removing unnecessary output parameter checks and aligning behavior with other open-source RSS readers.
  • Add an auto-push option to the Readeck integration.
User Interface
  • Add smooth page transitions for a more polished navigation experience.
  • Add a route to view individual starred entries directly from a category’s starred list.
  • Add a link to the GitHub contributors page in templates.
  • Update all translations.
Documentation and Tooling
  • Improve consistency and fix typos in the miniflux(1) manual page.
  • Remove the obsolete version key from Docker Compose examples.
  • Update the Go devcontainer image to go:1-trixie.
  • Update the Distroless container base image to Debian 13.
  • Update GitHub Actions dependencies.

As always, thank you to all contributors who helped improve Miniflux in this release.

v2.2.15: Miniflux 2.2.15

Compare Source

New Features
  • New configuration option to disable the Miniflux API
  • Added option to save entries to a specific Linkwarden collection
  • YouTube subscription improvements:
    • Provide multiple feeds for YouTube content: Channel, videos only, short videos, live streams
    • Better canonical URL detection (now has its own dedicated step)
    • Improved YouTube channel parsing, including default playlists
  • Allow feed entries with <i> and <small> tags
  • URL Cleaner: Remove additional trackers from URLs
🐛 Bug Fixes
  • YouTube embeds: Avoid Error 153 (video player configuration error) in various scenarios
  • API: fetchContent endpoint now properly rewrites media URLs when using the media proxy
  • Security: Only relative paths are now allowed for the redirectURL parameter
  • CI fixes:
    • Improved CodeQL workflow (language matrix + dynamic analysis)
    • Fixed missing GitHub Actions permissions
    • Fixed RPM package versioning for scheduled and pull_request triggers
🧹 Refactoring & Maintenance
  • JavaScript optimizations: use replace instead of remove/add, minor regex cleanup
  • Performance improvement: removed string concatenation in loops
  • Updated Polish translation
  • Updated Postgres volume path in Docker Compose examples
  • Added new CI workflow to mirror the Git repo to Codeberg
📦 Dependency Updates

This release includes updates to several dependencies:

  • golang.org/x/* modules (net, oauth2, image, crypto)
  • github.com/tdewolff/minify/v2
  • github.com/coreos/go-oidc/v3
  • github.com/go-webauthn/webauthn
  • github.com/PuerkitoBio/goquery
  • Docker base image updates (Alpine 3.23)
  • GitHub Actions:
    • actions/checkout v6
    • actions/upload-artifact v5
    • golangci/golangci-lint-action v9

For more details, look at the Git commit history.

v2.2.14: Miniflux 2.2.14

Compare Source

New Features
  • Go Client: Allow passing a custom http.Client and add context support to API methods.
  • UI: Redirect users back to the original page after logging in.
  • Template: Improved Content Security Policy: extracted CSP generation into a function, added systematic nonces, and changed default-src to 'none' for stronger security.
  • Integrations:
    • Added tags option for the Karakeep integration.
    • Added new Archive.org integration.
  • Rewrite Rules:
    • Added remove_img_blur_params rule.
    • Added add_image_title rule for explainxkcd.com.
🧰 Improvements & Refactoring
  • Replaced custom modal with native <dialog> element for simpler, more accessible UI.
  • Simplified date parsing in the reader and XML encoding logic.
  • Optimized sanitizer functions (hasRequiredAttributes, hasValidURIScheme, isBlockedResource).
  • Replaced fmt.Errorf with errors.New where applicable.
  • Removed dependency on hstore in the database layer and relaxed implicit NOT NULL for serial types.
  • Simplified Fever API slice sizing and various internal cleanups.
  • Preallocated slices and optimized string/number conversions for better performance.
🧪 Tests
  • Added test cases for XML encoding behavior.
🐛 Bug Fixes
  • Fixed CSS layout overflow when external links are too long.
  • Fixed JSON Feed parser to fall back to external_url when url is missing.
  • Updated scraper rule for Dark Reading.
📚 Documentation
  • Clarified the POLLING_FREQUENCY environment variable in the documentation.
🏗️ Build & CI
  • Updated dependencies:

    • github.com/tdewolff/minify/v2 → 2.24.4
    • golang.org/x/net → 0.46.0
    • golang.org/x/image → 0.32.0
    • golang.org/x/oauth2 → 0.32.0
    • github.com/coreos/go-oidc/v3 → 3.16.0
    • github/codeql-action → 4
  • Updated make lint and enabled additional Go linters (perfsprint, goheader).

📝 Additional Notes

If you are seeing this Postgres error: Error: pq: must be owner of extension hstore, you can fix it by running the following SQL command as a superuser for the Miniflux database:

DROP EXTENSION hstore;

This error means you initially created the hstore extension as a different database user than the one you are currently using for Miniflux.

For more details, look at the Git commit history.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
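
The 2.2.16 and 2.2.17 notes above describe three related controls: `TRUSTED_REVERSE_PROXY_NETWORKS` to stop spoofing of headers such as `X-Forwarded-For`, validation of that setting, and a `127.0.0.1` fallback when no remote IP can be determined. The sketch below is an added example for reviewers of this upgrade, not Miniflux's code: the function names are hypothetical, the addresses are constructed, only `X-Forwarded-For` is handled, and walking the header right to left is an assumption of this example rather than something the release notes state.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// parseTrustedNetworks rejects the whole list on one bad CIDR, so a typo fails at startup.
func parseTrustedNetworks(value string) ([]netip.Prefix, error) {
	var nets []netip.Prefix
	for _, item := range strings.Split(value, ",") {
		if item = strings.TrimSpace(item); item == "" {
			continue
		}
		p, err := netip.ParsePrefix(item)
		if err != nil {
			return nil, fmt.Errorf("invalid trusted network %q: %w", item, err)
		}
		nets = append(nets, p.Masked())
	}
	return nets, nil
}

func isTrusted(addr netip.Addr, nets []netip.Prefix) bool {
	for _, p := range nets {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// resolveClientIP reads X-Forwarded-For only when the TCP peer is a trusted proxy.
func resolveClientIP(remoteAddr, forwardedFor string, nets []netip.Prefix) string {
	host, _, _ := net.SplitHostPort(remoteAddr)
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return "127.0.0.1" // no usable peer address (e.g. Unix socket)
	}
	if peer = peer.Unmap(); !isTrusted(peer, nets) {
		return peer.String() // header is client-controlled here: ignore it
	}
	hops := strings.Split(forwardedFor, ",")
	for i := len(hops) - 1; i >= 0; i-- { // right to left: first untrusted hop is the client
		hop, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed chain: do not trust entries further left
		}
		if hop = hop.Unmap(); !isTrusted(hop, nets) {
			return hop.String()
		}
	}
	return peer.String()
}

func main() {
	nets, err := parseTrustedNetworks("10.0.0.0/8") // constructed sample value
	if err != nil {
		panic(err)
	}
	fmt.Println(resolveClientIP("10.0.0.5:4711", "198.51.100.7, 203.0.113.9", nets))
}
```

When `AUTH_PROXY_HEADER` is enabled, the same peer check is what decides whether the identity header came from the proxy or from an arbitrary client, which is why the 2.2.16 notes make the trusted-network setting mandatory in that mode.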

chore(deps): update miniflux/miniflux docker tag to v2.2.15
Some checks are pending
checks / pre-commit (push) Waiting to run
checks / k8s (push) Waiting to run
checks / tflint (push) Waiting to run
61580d0bcf
renovate-bot changed title from chore(deps): update miniflux/miniflux docker tag to v2.2.15 to chore(deps): update miniflux/miniflux docker tag to v2.2.16 2026-01-07 03:00:17 +00:00
renovate-bot force-pushed renovate/miniflux-miniflux-2.x from 61580d0bcf
Some checks are pending
checks / pre-commit (push) Waiting to run
checks / k8s (push) Waiting to run
checks / tflint (push) Waiting to run
to fc0270daa2
Some checks failed
checks / pre-commit (push) Has been cancelled
checks / k8s (push) Has been cancelled
checks / tflint (push) Has been cancelled
2026-01-07 03:00:22 +00:00
Compare
renovate-bot force-pushed renovate/miniflux-miniflux-2.x from fc0270daa2
Some checks failed
checks / pre-commit (push) Has been cancelled
checks / k8s (push) Has been cancelled
checks / tflint (push) Has been cancelled
to 89515b7744
Some checks failed
checks / k8s (push) Has been cancelled
checks / pre-commit (push) Has been cancelled
checks / tflint (push) Has been cancelled
2026-02-15 23:43:02 +00:00
Compare
renovate-bot changed title from chore(deps): update miniflux/miniflux docker tag to v2.2.16 to chore(deps): update miniflux/miniflux docker tag to v2.2.17 2026-02-15 23:43:15 +00:00
catalin closed this pull request 2026-03-11 09:26:27 +00:00
Some checks failed
checks / k8s (push) Has been cancelled
checks / pre-commit (push) Has been cancelled
checks / tflint (push) Has been cancelled

Pull request closed

Reference
catalin/fukuops!544