Release history

v2 releases

Minimalist and opinionated feed reader


Upgrade now
2.3.1 Security relevant
Auth RCE / SSRF

Security fixes

Review required
2.3.0 Breaking risk
Auth RBAC

WebAuthn credential restriction

2.2.19 Security relevant

Sensitive data was stripped from logs, OAuth2 flows were hardened, token validation switched to constant-time HMAC-SHA256, DoS risks in template truncation were mitigated, and large favicons were rejected, improving overall security posture.

2.2.18 Breaking risk
Breaking changes
  • Private network access is blocked by default; allowing it requires setting the FETCHER_ALLOW_PRIVATE_NETWORKS=1 and INTEGRATION_ALLOW_PRIVATE_NETWORKS=1 environment variables
Security fixes
  • SSRF protection for private networks
  • DNS-rebinding TOCTOU mitigation
  • RFC 6598 shared address space protection
Notable features
  • SSRF protection for fetcher and integrations
  • Entry blocking rules applied pre/post scraping
  • ignore_entry_updates feed option
2.2.17 Security relevant
Security fixes
  • Version hiding on unauthenticated endpoints
  • Improved HTML sanitizer to prevent injection issues
  • Blocked resource enforcement on srcset URLs
Notable features
  • HTML sanitizer using golang.org/x/net/html parser
  • srcset parser following HTML specifications
  • Blocked resource enforcement on srcset URLs
2.2.16 Security relevant patches GO-2026-4287
Security fixes
  • SSRF mitigation for media proxy
  • SSRF mitigation for feed icon fetching
  • Google Reader API CORS removal
Notable features
  • SSRF mitigation for media proxy and feed icons
  • TRUSTED_REVERSE_PROXY_NETWORKS validation
  • New API endpoint for importing entries into feeds
