head 1.16; access; symbols pkgsrc-2026Q1:1.13.0.2 pkgsrc-2026Q1-base:1.13 pkgsrc-2025Q4:1.7.0.2 pkgsrc-2025Q4-base:1.7; locks; strict; comment @# @; 1.16 date 2026.05.07.18.50.11; author bsiegert; state Exp; branches; next 1.15; commitid MMrI2EXGAt3HJUEG; 1.15 date 2026.04.08.05.45.13; author bsiegert; state Exp; branches; next 1.14; commitid FFJx9trbRMg7k7BG; 1.14 date 2026.04.05.08.18.17; author wiz; state Exp; branches; next 1.13; commitid YqugA0NrgmLHgKAG; 1.13 date 2026.03.15.13.14.59; author wiz; state Exp; branches 1.13.2.1; next 1.12; commitid OSBIEbfXEHUqA4yG; 1.12 date 2026.03.06.21.08.07; author bsiegert; state Exp; branches; next 1.11; commitid AQtIeR1eh5qvuXwG; 1.11 date 2026.02.24.08.45.42; author bsiegert; state Exp; branches; next 1.10; commitid IrpU9bGVDwSIHBvG; 1.10 date 2026.02.16.12.15.55; author wiz; state Exp; branches; next 1.9; commitid oA6X1LyI7h008BuG; 1.9 date 2026.01.15.19.54.59; author bsiegert; state Exp; branches; next 1.8; commitid Zuo9UmMrkrU4HwqG; 1.8 date 2026.01.07.21.19.29; author wiz; state Exp; branches; next 1.7; commitid ud6xnJDhkmlbqvpG; 1.7 date 2025.12.12.20.52.51; author wiz; state Exp; branches; next 1.6; commitid hGxtmhYJJmYR6amG; 1.6 date 2025.12.02.19.25.25; author bsiegert; state Exp; branches; next 1.5; commitid 269raRGxaHJBWRkG; 1.5 date 2025.11.16.21.18.24; author wiz; state Exp; branches; next 1.4; commitid e7O6AnpS45Zr5PiG; 1.4 date 2025.10.16.18.00.05; author bsiegert; state Exp; branches; next 1.3; commitid RAGpkHmyeYCUYOeG; 1.3 date 2025.10.08.06.54.41; author bsiegert; state Exp; branches; next 1.2; commitid 5p46uH9RJXSFyJdG; 1.2 date 2025.10.05.20.41.43; author wiz; state Exp; branches; next 1.1; commitid SzBjp2XcFdSzeqdG; 1.1 date 2025.10.05.20.33.45; author wiz; state Exp; branches; next ; commitid qoUDqAN3yXPQbqdG; 1.13.2.1 date 2026.04.22.14.32.21; author maya; state Exp; branches; next ; commitid iDHLLUhOplH6NXCG; desc @@ 1.16 log @Revbump all Go packages after go126 security update @ text @# $NetBSD: Makefile,v 1.15 2026/04/08 05:45:13 bsiegert Exp $ DISTNAME= miniflux-2.2.19 PKGREVISION= 2 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_GITHUB:=miniflux/} GITHUB_PROJECT= v2 GITHUB_TAG= ${PKGVERSION_NOREV} MAINTAINER= pkgsrc-users@@NetBSD.org HOMEPAGE= https://github.com/miniflux/v2/ COMMENT= Minimalist and opinionated feed reader LICENSE= apache-2.0 USE_LANGUAGES= c INSTALLATION_DIRS+= ${PKGMANDIR}/man1 post-install: ${INSTALL_DATA} ${WRKSRC}/miniflux.1 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1 .include "go-modules.mk" .include "../../lang/go/go-module.mk" .include "../../mk/bsd.pkg.mk" @ 1.15 log @Revbump all Go packages after security update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.14 2026/04/05 08:18:17 wiz Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.14 log @miniflux: update to 2.2.19. Security Remove sensitive values (CSRF tokens, OAuth state, session cookies) from log messages. Improve OAuth2 security: Verify OIDC ID token signatures and claims. Prevent OAuth identity overwrite when already linked. Clear PKCE verifier and CSRF state after use. Validate HTTP status from Google userinfo endpoint. Use HMAC-SHA256 instead of SHA1 for Google Reader API authentication. Use constant-time comparison for token validation. Fix potential DoS when truncating large untrusted input in templates. Reject oversized favicons. Improvements Improve configuration validation with cross-field consistency checks. OAuth2: Explicit provider selection via OAUTH2_PROVIDER. Better separation between Google and OIDC providers. Updated Google OAuth endpoints to v2. UI: Add cache-busting for static assets (JS, CSS, icons). Add Cache-Control: immutable for static resources. Sanitizer: Allow iframes from framatube.org. Improve performance and parsing behavior. Metrics and workers: Graceful shutdown support for worker pool and metrics collector. Better error reporting for metrics. API / HTTP: Support weak ETag comparison. Improve response helpers and headers handling. Performance Reduce number of SQL queries for unread entries and UI pages. Optimize database queries and locking behavior: Use SKIP LOCKED in archive operations. Reduce unnecessary queries and connections. Improve UI performance: Cache keymaps instead of recomputing on each keypress. Batch DOM updates when marking entries as read. Optimize sanitizer, media proxy, routing, and template rendering. Reduce allocations in various hot paths. Bug Fixes Fix category update validation rendering. Fix redirect after marking a feed as read from category view. Fix timezone comparison logic. Fix Arabic pluralization rules (ar_SA). Fix validator behavior when clearing user filters. Fix CLI behavior for --info and --version. Fix CORS preflight responses (return 204). Ensure 204 responses do not include Content-Type. Ignore unsupported media proxy targets and handle MIME types correctly. Refactoring Remove dependency on gorilla/mux across the codebase. Improve code structure and naming consistency (API, OAuth2, config, validators). Simplify timezone and server setup logic. Improve testability and documentation (GoDoc updates). @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.13 2026/03/15 13:14:59 wiz Exp $ d4 1 @ 1.13 log @miniflux: update to 2.2.18. Security Block outbound requests to private networks made by the fetcher by default. Add SSRF protection for integration HTTP clients by blocking connections to private network addresses at connect time. Fix a possible SSRF TOCTOU / DNS-rebinding issue in the fetcher private network check. Ensure private network protections also apply to redirect targets. Treat RFC 6598 shared address space (100.64.0.0/10) as non-public. Breaking Changes To prevent potential SSRF, Miniflux now blocks access to services hosted on private networks by default. FETCHER_ALLOW_PRIVATE_NETWORKS=1 must now be enabled to access feeds hosted on a local network. INTEGRATION_ALLOW_PRIVATE_NETWORKS=1 must now be enabled to access third-party integration services hosted on a local network. Improvements Apply entry blocking rules both before and after scraping to avoid unnecessary requests and allow matching on fetched content. Add ignore_entry_updates feed option to skip updating existing entries during scheduled polling. Add Arabic (ar_SA) translation. Add Galician (gl_ES) translation. Update Polish translation. Various performance improvements across multiple components (fetcher, parser, sanitizer, readability, URL cleaner, feed discovery, and Google Reader API). Simplify parts of the Google Reader code and reduce allocations in several hot paths. Reduce fetcher request size slightly to improve packet efficiency. Bug Fixes Fix multiple bugs and inconsistencies across integration sub-packages (error handling, logging, status checks, and naming). Fix potential panic in the Omnivore integration when handling empty error arrays. Correct error prefixes and typos in several integrations. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.12 2026/03/06 21:08:07 bsiegert Exp $ d3 1 a3 1 DISTNAME= miniflux-2.2.18 @ 1.13.2.1 log @Revbump all Go packages after go126 security fix @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.13 2026/03/15 13:14:59 wiz Exp $ a3 1 PKGREVISION= 1 @ 1.12 log @Revbump all Go packages after go126 update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.11 2026/02/24 08:45:42 bsiegert Exp $ d3 1 a3 2 DISTNAME= miniflux-2.2.17 PKGREVISION= 2 @ 1.11 log @Revbump all Go packages after default version bump @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.10 2026/02/16 12:15:55 wiz Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.10 log @miniflux: update to 2.2.17. Security Do not expose the Miniflux version on unauthenticated endpoints (deprecated since version 2.0.49). Improve HTML sanitizer by switching from the tokenizer to the golang.org/x/net/html parser to better match browser behavior and reduce the risk of injection issues. Enforce blocked resource checks on srcset URLs. Improve blocked resource handling (including updates to blocked URL substrings). Add validation for TRUSTED_REVERSE_PROXY_NETWORKS configuration to prevent silent misconfiguration. Prevent possible deadlock when cleaning removed entries. Ensure HTTP response bodies are always closed, even on client errors. Improvements Rewrite srcset parser to follow HTML specifications (WebKit-style parsing) and handle edge cases more correctly. Improve sanitizer performance (various optimizations, including reduced allocations and better attribute handling). Handle deeply nested HTML more robustly in the sanitizer. Add scraper and rewrite rules for: bleepingcomputer.com vnexpress.net Improve JSON Feed support: Support malformed feeds with author objects in the authors array. Avoid panic when parsing null feeds. Improve title fallback logic. Include external_url in JSON entry hash fallback. Ignore WordPress wp-json API endpoint during JSON feed discovery. Add unread status filter to search results. Improve timezone handling internals and performance. Improve API payload structures and Godoc comments. Improve JavaScript code readability and keyboard shortcut handling. Restore cmd/ctrl/shift-click behavior on main navigation. Fix Safari PWA behavior for the v shortcut to open links in the main browser. Bug Fixes Do not keep old enclosures when an updated entry has none. Handle sql.ErrNoRows properly in IconByFeedID. Change FindRemoteIP to fall back to 127.0.0.1. Configuration Changes Removed FILTER_ENTRY_MAX_AGE_DAYS. This option can be replaced with a filter rule such as max-age:. Global environment variables should be reserved for process-level configuration. Dependencies Update github.com/lib/pq to 1.11.2. Update: golang.org/x/net to 0.50.0 golang.org/x/crypto to 0.48.0 golang.org/x/image to 0.36.0 golang.org/x/oauth2 to 0.35.0 golang.org/x/term to 0.40.0 Update Debian packager Docker image to Trixie. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.9 2026/01/15 19:54:59 bsiegert Exp $ d4 1 @ 1.9 log @Revbump all Go packages after go125 update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.8 2026/01/07 21:19:29 wiz Exp $ d3 1 a3 2 DISTNAME= miniflux-2.2.16 PKGREVISION= 1 @ 1.8 log @miniflux: update to 2.2.16. Security Disallow the media proxy from fetching resources on private networks to mitigate potential SSRF issues. This behavior is configurable at the instance level. Disallow fetching feed icons from private networks to reduce the SSRF attack surface. This is also configurable at the instance level. Add the TRUSTED_REVERSE_PROXY_NETWORKS configuration option to prevent spoofing of HTTP headers such as X-Forwarded-For, X-Forwarded-Proto, and X-Real-Ip. This option must be configured when AUTH_PROXY_HEADER is enabled. Stop logging generated Google Reader API tokens, even when debug mode is enabled. Remove the CORS handler from the Google Reader API, as it is not intended to be used by web clients, reducing the overall attack surface. Performance and Storage Avoid indexing the content of removed entries, significantly reducing database index size after cleanup. Minor storage and database refactoring to simplify code paths and reduce unnecessary formatting overhead. API and Integrations Add a new API endpoint to import entries into an existing feed. Execute the content sanitizer when updating or importing entries through the API to ensure consistent sanitization. Improve Google Reader API compatibility by removing unnecessary output parameter checks and aligning behavior with other open-source RSS readers. Add an auto-push option to the Readeck integration. User Interface Add smooth page transitions for a more polished navigation experience. Add a route to view individual starred entries directly from a category’s starred list. Add a link to the GitHub contributors page in templates. Update all translations. Documentation and Tooling Improve consistency and fix typos in the miniflux(1) manual page. Remove the obsolete version key from Docker Compose examples. Update the Go devcontainer image to go:1-trixie. Update the Distroless container base image to Debian 13. Update GitHub Actions dependencies. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.7 2025/12/12 20:52:51 wiz Exp $ d4 1 @ 1.7 log @miniflux: update to 2.2.15. ✨ New Features New configuration option to disable the Miniflux API Added option to save entries to a specific Linkwarden collection YouTube subscription improvements: Provide multiple feeds for YouTube content: Channel, videos only, short videos, live streams Better canonical URL detection (now has its own dedicated step) Improved YouTube channel parsing, including default playlists Allow feed entries with and tags URL Cleaner: Remove additional trackers from URLs πŸ› Bug Fixes YouTube embeds: Avoid Error 153 (video player configuration error) in various scenarios API: fetchContent endpoint now properly rewrites media URLs when using the media proxy Security: Only relative paths are now allowed for the redirectURL parameter CI fixes: Improved CodeQL workflow (language matrix + dynamic analysis) Fixed missing GitHub Actions permissions Fixed RPM package versioning for scheduled and pull_request triggers 🧹 Refactoring & Maintenance JavaScript optimizations: use replace instead of remove/add, minor regex cleanup Performance improvement: removed string concatenation in loops Updated Polish translation Updated Postgres volume path in Docker Compose examples Added new CI workflow to mirror the Git repo to Codeberg @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.6 2025/12/02 19:25:25 bsiegert Exp $ d3 1 a3 1 DISTNAME= miniflux-2.2.15 @ 1.6 log @Revbump all Go packages after go125 update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.5 2025/11/16 21:18:24 wiz Exp $ d3 1 a3 2 DISTNAME= miniflux-2.2.14 PKGREVISION= 1 @ 1.5 log @miniflux: update to 2.2.14. ✨ New Features Go Client: Allow passing a custom http.Client and add context support to API methods. UI: Redirect users back to the original page after logging in. Template: Improved Content Security Policy: extracted CSP generation into a function, added systematic nonces, and changed default-src to 'none' for stronger security. Integrations: Added tags option for the Karakeep integration. Added new Archive.org integration. Rewrite Rules: Added remove_img_blur_params rule. Added add_image_title rule for explainxkcd.com. 🧰 Improvements & Refactoring Replaced custom modal with native element for simpler, more accessible UI. Simplified date parsing in the reader and XML encoding logic. Optimized sanitizer functions (hasRequiredAttributes, hasValidURIScheme, isBlockedResource). Replaced fmt.Errorf with errors.New where applicable. Removed dependency on hstore in the database layer and relaxed implicit NOT NULL for serial types. Simplified Fever API slice sizing and various internal cleanups. Preallocated slices and optimized string/number conversions for better performance. πŸ§ͺ Tests Added test cases for XML encoding behavior. πŸ› Bug Fixes Fixed CSS layout overflow when external links are too long. Fixed JSON Feed parser to fallback to external_url when url is missing. Updated scraper rule for Dark Reading. πŸ“š Documentation Clarified the POLLING_FREQUENCY environment variable in the documentation. πŸ—οΈ Build & CI Updated dependencies: github.com/tdewolff/minify/v2 β†’ 2.24.4 golang.org/x/net β†’ 0.46.0 golang.org/x/image β†’ 0.32.0 golang.org/x/oauth2 β†’ 0.32.0 github.com/coreos/go-oidc/v3 β†’ 3.16.0 github/codeql-action β†’ 4 Updated make lint and enabled additional Go linters (perfsprint, goheader). πŸ“ Additional Notes If you are seeing this Postgres error: Error: pq: must be owner of extension hstore, you can fix it by running the following SQL command as a superuser for the Miniflux database: DROP EXTENSION hstore; This error means you initially created the hstore extension as a different database user than the one you are currently using for Miniflux. For more details, look at the Git commit history. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4 2025/10/16 18:00:05 bsiegert Exp $ d4 1 @ 1.4 log @Revbump all Go packages after go125 update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.3 2025/10/08 06:54:41 bsiegert Exp $ d3 1 a3 2 DISTNAME= miniflux-2.2.13 PKGREVISION= 2 @ 1.3 log @Revbump all Go packages after go125 update @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.2 2025/10/05 20:41:43 wiz Exp $ d4 1 a4 1 PKGREVISION= 1 @ 1.2 log @miniflux: install man page. Ride import. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.1 2025/10/05 20:33:45 wiz Exp $ d4 1 @ 1.1 log @www/miniflux: import miniflux-2.2.13 Miniflux is a minimalist and opinionated feed reader. It's simple, fast, lightweight and super easy to install. @ text @d1 1 a1 1 # $NetBSD$ d16 5 @