v2
Dashboards & Home PagesA minimalist, privacy‑focused feed reader that’s simple, fast and easy to install.
Features
- Supports Atom, RSS and JSON Feed formats with OPML import/export
- Privacy features: strips trackers, sanitizes content, blocks external scripts, provides a media proxy
- Extensive integrations (Discord, Slack, Matrix, Notion, etc.) and REST API with Go/Python clients
Recent releases
View all 6 releases →
2.2.19
Security relevant
Sensitive data was stripped from logs, OAuth2 flows were hardened, token validation switched to constant-time HMAC-SHA256, DoS risks in template truncation were mitigated, and large favicons were rejected, improving overall security posture.
2.2.18
Breaking risk
Breaking changes
- Private network access blocked by default—requires FETCHER_ALLOW_PRIVATE_NETWORKS=1 and INTEGRATION_ALLOW_PRIVATE_NETWORKS=1 environment variables
Security fixes
- SSRF protection for private networks
- DNS-rebinding TOCTOU mitigation
- RFC 6598 shared address space protection
Notable features
- SSRF protection for fetcher and integrations
- Entry blocking rules applied pre/post scraping
- ignore_entry_updates feed option
2.2.17
Security relevant
Security fixes
- Version hiding on unauthenticated endpoints
- Improved HTML sanitizer to prevent injection issues
- Blocked resource enforcement on srcset URLs
Notable features
- HTML sanitizer using golang.org/x/net/html parser
- srcset parser following HTML specifications
- Blocked resource enforcement on srcset URLs
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
