• Milestone

This is a major release, just in time for the holidays 🎄

Selected new features ✨:

• New sorting and filtering by date of User modified, with corresponding search operator, e.g. userdate:PT1H for the past hour
• New sorting by article length
• New advanced search form
• New overview of dates with most unread articles
• New ability to share feed visibility through API (implemented by e.g. Capy Reader)
  • Bonus: Capy Reader is also the first open source Android app to support user labels
• Better transitions UI between groups of articles
• New links in UI for transitions between groups of articles, and jump to next transition
• Docker default image updated to Debian 13 Trixie with PHP 8.4.11
• And much more…

Improved performance 🏎️:

• Scaling of user statistics in Web UI and CLI, to help instances with 1k+ users
• Improve SQL speed for some critical requests for large databases
• API performance optimisation thanks to streaming of large responses

Selected bug fixes 🐛:

• Fix OpenID Connect with Debian 13
• Fix MySQL / MariaDB bug wrongly sorting new articles
• Fix SQLite bind bug when adding tag

Breaking changes 💥:

• Move unsafe autologin to an extension
• Potential breaking changes for some extensions (which have to rename some old functions)

This release has been made by @Alkarex, @Frenzie, @Inverle, @aledeg, @andris155, @horvi28, @math-GH, @minna-xD and newcomers @Darkentia, @FollowTheWizard, @GreyChame1eon, @McFev, @jocmp, @larsks, @martinhartmann, @matthew-neavling, @pudymody, @raspo, @scharmach, @scollovati, @stag-enterprises, @vandys, @xtmd, @yzx9.

Full changelog:

• Features
  • New sorting and filtering by date of User modified #7886, #8090,
    #8105, #8118, #8130
    • Corresponding search operator, e.g. userdate:PT1H for the past hour #8093
    • Allows finding articles marked by the local user as read/unread or starred/unstarred at specific dates for e.g. undo action.
  • New sorting by article length #8119
  • New advanced search form #8103, #8122, #8226
  • Add compatibility with PCRE word boundary \b and \B for regex search using PostgreSQL #8141
  • More uniform SQL search and PHP search for accents and case-sensitivity (e.g. for automatically marking as read) #8329
  • New overview of dates with most unread articles #8089
  • Allow marking as read articles older than 1 or 7 days also when sorting by publication date #8163
  • New option to show user labels instead of tags in RSS share #8112
  • Add new feed visibility (priority) Show in its feed #7972
  • New ability to share feed visibility through API (implemented by e.g. Capy Reader) #7583, #8158
  • Configurable notification timeout #7942
  • OPML export/import of unicity criteria #8243
  • Ensure stable IDs (categories, feeds, labels) during export/import #7988
  • Add username and timestamp to SQLite export from Web UI #8169
  • Add option to apply filter actions to existing articles #7959, #8259
  • Support CSS selector ~ subsequent-sibling #8154
    • Upstream PR phpgt/CssXPath#231
  • Rework saving of configuration files for more reliability in case of e.g. full disk #8220
  • Web scraping support date format as milliseconds for Unix epoch #8266
  • Allow negative category sort numbers #8330
• Performance
  • Improve SQL speed for updating cached information #6957, #8207,
    #8255, #8254, #8255
  • Fix SQL performance issue with MySQL, using an index hint #8211
  • Scaling of user statistics in Web UI and CLI, to help instances with 1k+ users #8277
  • API streaming of large responses for reducing memory consumption and increasing speed #8041
• Security
  • 💥 Move unsafe autologin to an extension #7958
  • Fix some CSRFs #8035
  • Strengthen some crypto (login, tokens, nonces) #8061, #8320
  • Create separate HTTP Retry-After rules for proxies #8029, #8218
  • Add data: to CSP in subscription controller #8253
  • Improve anonymous authentication logic #8165
  • Enable GitHub release immutability #8205
• Bug fixing
  • Exclude local networks for domain-wide HTTP Retry-After #8195
  • Fix OpenID Connect with Debian 13 #8032
  • Fix MySQL / MariaDB bug wrongly sorting new articles #8223
  • Fix MySQL / MariaDB database size calculation #8282
  • Fix SQLite bind bug when adding tag #8101
  • Fix SQL auto-update of field f.kind to ease migrations from FreshRSS versions older than 1.20.0 #8148
  • Fix search encoding and quoting #8311, #8324, #8338
  • Fix handling of database unexpected null content (during migrations) #8319, #8321
  • Fix drag & drop of user query losing information #8113
  • Fix DOM error while filtering retrieved full content #8132, #8161
  • Fix config.custom.php during install #8033
  • Fix do not mark important feeds as read from category #8067
  • Fix regression of warnings in Web browser console due to lack of window.bcrypt object #8166
  • Fix chart resize regression due to chart.js v4 update #8298
  • Fix CLI user creation warning when language is not given #8283
  • Fix merging of custom HTTP headers #8251
  • Fix bug in the case of duplicated mark-as-read filters #8322
• SimplePie
  • Fix support of HTTP trailer headers #7983, simplepie#943
  • Apply HTTPS policy also on GUIDs and permalinks #8037, simplepie#951
    • Fix WordPress.com HTTP duplicates with WebSub Automattic/pushpress#16
  • Implement HTML whitelist for SimplePie sanitizer #7924, simplepie#947
  • Various upstream contributions simplepie#940, simplepie#944
• Deployment
  • Docker default image updated to Debian 13 Trixie with PHP 8.4.11 and Apache 2.4.65 #8032
  • Docker alternative image updated to Alpine 3.23 with PHP 8.4.15 and Apache 2.4.65 #8285
  • Fix Docker healthcheck cli/health.php compatibility with OpenID Connect #8040
  • Improve Docker for compatibility with other base images such as Arch Linux #8299
    • Improve cli/access-permissions.sh to detect the correct permission Web group such as www-data, apache, or http
  • Update PostgreSQL volume for Docker #8216, #8224
  • Catch lack of exec() function for git update #8228
  • Work around DOMDocument::saveHTML() scrambling charset encoding in some versions of libxml2 #8296
  • Improve configuration checks for PHP extensions (in Web UI and CLI), including recommending e.g. php-intl #8334
• UI
  • New button for toggling sidebar on desktop view #8201, #8286
  • Better transitions between groups of articles #8174
  • New links in transitions and jump to next transition #8294
  • More visible selected article #8230
  • Show the parsed search query instead of the original user input #8293,
    #8306, #8341
  • Show search query in the page title #8217
  • Scroll into filtered feed/category on page load in the sidebar #8281, #8307
  • Fix autocomplete issues in change password form #7812
  • Fix navigating between read feeds using shortcut shift+j/k #8057
  • Dark background in Web app manifest to avoid white flash when opening #8140
  • Increase button visibility in UI to change theme #8149
  • Replace arrow navigation in theme switcher with <select> #8190
  • Improve scroll of article after load of user labels #7962
  • Keep scroll state of page when closing the slider #8295, #8301
  • Scroll into filtered feed/category on page load #8281
  • Display sidebar dropdowns above if no space below #8335, #8336
  • Use native CSS instead of SCSS #8200, #8241
    • Using CSS nesting and relative colours.
  • Various UI and style improvements: #8171, #8185, #8196
  • JavaScript finalise migration from Promise to async/await: #8182
• API
  • API performance optimisation: streaming of large responses #8041
  • Fever API: Add with_ids parameter to mass-change read/unread/saved/unsaved on lists of articles #8312
  • Misc API: better REST error semantics #8232
• Extensions
  • Add support for extension priority #8038
  • Add support for extension compatibility #8081
  • Improve PHP code with hook enums #8036
  • New hook nav_entries #8054
  • Rename Extensions default branch from master to main #8194
• I18n
  • Translation status as text in README #7842
  • Add new translate CLI commands move #8214
  • Change some regional language codes to comply with RFC 5646 / IETF BCP 47 / ISO 3166 / ISO 639-1 #8065
  • Improve German #8028
  • Improve Greek #8146
  • Improve Finnish #8073, #8092
  • Improve Hungarian #8244
  • Improve Italian #8115, #8186
  • Improve Polish #8134, #8135
  • Improve Russian #8155, #8197
  • Improve Simplified Chinese #8308, #8313
• Misc.
  • Add code to modify a search expression #8293
  • Remove Pocket sharing service #8127, #8128
  • Update to PHPMailer 7.0.1 #8048, #8180, #8272
  • 💥 Housekeeping of lib_rss.php with potential breaking changes for some extensions #8193,
  • Use native PHP #[Deprecated] #8325
  • Improve PHP code #8156, #8203, #8284,
    #8292, #8297
  • GitHub Actions: --no-progress #8315
  • Update dev dependencies #8043, #8044,
    #8045, #8046, #8047,
    #8052, #8176, #8177,
    #8178, #8179, #8210,
    #8270, #8271, #8273,
    #8274, #8275, #8276

• Milestone

This is a security-fix and bug-fix release for FreshRSS 1.27.x.

A few highlights ✨:

• Keep sort and order criteria after marking as read
• Automatic database recovery: skip broken entries during CLI export/import
• Add possibility of Docker healthcheck
• Add security option for CSP frame-ancestors
• Several security fixes
• Several bug fixes
• New translation to Ukrainian
• Improvements of some themes
• And much more…

This release has been made by @Alkarex, @Frenzie, @Inverle, @aledeg, @math-GH and newcomers @beerisgood, @nykula, @horvi28, @nhirokinet, @rnkln, @scmaybee.

Full changelog:

• Features
  • Automatic database recovery: skip broken entries during CLI export/import #7949
  • Add security option for CSP frame-ancestors #7857, #8021
  • Lazy-load <track src> #7997
• Security
  • Regenerate session ID on login #7829
  • Disallow setting non-existent language #7878, #7934
  • Safer calling of install.php #7971
  • Prevent log CR/LF injection #7883
  • Restrict allowed cURL parameters #7979, #8009
  • Fix reauthentication while updating #7989
  • Fix some CSRFs #8000
• Bug fixing
  • Include port number for HTTP Retry-After #7875
  • Fix logic for searching labels #7863
  • Fix cURL response parsing for HTTP redirections #7866
  • Fix fetching OPML URL with special characters #7843
  • Fix validation when creating a new user label #7890
  • Fix bug in user self-deletion #7877
  • Fix displaying of current date in main statistics #7892
  • Fix default values on stat processing #7891
  • Fix UI JavaScript error when navigating to last article with keyboard #7957
  • Fix some links in anonymous mode #8011, #8012
  • Fixes for no-cache.txt #7907
  • Fix Docker Traefik .yml and SERVER_DNS example #7858
• SimplePie
  • Upstream contribution: Normalize encoding uppercase simplepie#936, #7967
  • Sync upstream, including bump to 1.9.0 with better PHP 8.5+ support #7955
• Deployment
  • Docker improve CMD compatibility #7861
  • Add possibility of Docker healthcheck #7945
• UI
  • Keep sort and order after marking as read #7974
  • Improve leave validation #7830
  • Improve Origine theme visibility of toggle buttons #7956
  • Improve Dark pink theme #8020
  • Improve Mapco and Ansum themes: read all button in mobile view #7873
  • Improve Swage theme #7608
  • Use standard CSS overflow-wrap instead of word-wrap #7898
  • Various UI and style improvements: #7868, #7872,
    #7882, #7893, #7904,
    #7952
• I18n
  • Clarify the concepts of visibility hidden vs. archived in feeds settings #7970
  • Translate the API information page #7922
  • Add a default language constant #7933
  • Label config delete label #7871
  • Add Ukrainian #7961
  • Improve Dutch #7940
  • Improve German #7833
  • Improve Hungarian #7986
  • Improve Japanese #7903, #7918
  • Improve Polish #7963
  • Improve Simplified Chinese #7943, #7944
  • Minor improvements #7881
  • Add CLI command to add i18n file #7917
  • Add make target to generate the translation progress #7905
• Extensions
  • Add entry_before_update and entry_before_add hooks for extensions #7977
• Misc.
  • Improve make #7901
  • Improve PHP code #7906, #7916, #7939,
    #7941, #7960, #7991
  • Upgrade to PHP_CodeSniffer 4 #7993
  • Update dev dependencies #7902, #7895, #7896,
    #7899, #7966, #7969

• Milestone

A few highlights ✨:

• Implement support for HTTP 429 Too Many Requests and 503 Service Unavailable, obey Retry-After
• Add sort by category title, or by feed title
• Add search operator c: for categories like c:23,34 or !c:45,56
• Custom feed favicons
• Several security improvements, such as:
  • Implement reauthentication (sudo mode)
  • Add Content-Security-Policy: frame-ancestors
  • Ensure CSP everywhere
  • Fix access rights when creating a new user
• Several bug fixes, such as:
  • Fix redirections when scraping from HTML
  • Fix feed redirection when coming from WebSub
  • Fix support for XML feeds with HTML entities, or encoded in UTF-16LE
• Docker alternative image updated to Alpine 3.22 with PHP 8.4 (PHP 8.4 for default Debian image coming soon)
• Start supporting PHP 8.5+
• And much more…

This release has been made by @Alkarex, @Inverle, @the7thNightmare and newcomers @Deioces120, @Fraetor, @Tarow, @dotsam, @hilariousperson, @pR0Ps, @triatic, @tryallthethings

Full changelog:

• Features
  • Implement support for HTTP 429 Too Many Requests and 503 Service Unavailable, obey Retry-After #7760
  • Add sort by category title, or by feed title #7702
  • Add search operator c: for categories like c:23,34 or !c:45,56 #7696
  • Custom feed favicons #7646, #7704, #7717,
    #7792
  • Rework fetch favicons for fewer HTTP requests #7767
  • Add more unicity criteria based on title and/or content #7789
  • Automatically restore user configuration from backup #7682
  • API add support for states in s parameter of streamId #7695
  • Improve sharing via Print #7728
  • Redirect to the login page from bookmarklet instead of 403 #7782
  • Clean local cache more often, when refreshing feeds #7827
• Security
  • Implement reauthentication (sudo mode) #7753
  • Add Content-Security-Policy: frame-ancestors #7677
  • Ensure CSP everywhere #7810
  • Show warning when unsafe CSP policy is in use #7804
  • Fix access rights when creating a new user #7783
  • Improve security of form for user details #7771, #7786
  • Disallow setting non-existent theme #7722
  • Regenerate cookie ID after logging out #7762
  • Require current password when setting new password #7763
  • Add missing access checks for feed-related actions #7768
  • Strip more unsafe attributes such as referrerpolicy, ping #7770
  • Remove unneeded execution permissions #7802
• Bug fixing
  • Fix redirections when scraping from HTML #7654, #7741
  • Fix multiple authentication HTTP headers #7703
  • Fix HTML queries with a single feed #7730
  • WebSub: only perform a redirection when coming from WebSub #7738
  • Include enclosures in entries’ hash #7719
    • Negative side-effect: users of the option to automatically mark updated articles as unread will once have some articles with enclosures re-appear as unread
  • Fix cancellation of slider exit UI #7705
  • Honor disable update on update page #7733
  • Fix no registration limit setting #7751
  • Fix XML encoding of sharing functions #7822
• SimplePie
  • Fix propagation of HTTP error codes #7670
  • Fix support for XML feeds with HTML entities #7689, simplepie#915
  • Fix feeds encoded in UTF-16LE #7691, simplepie#916
  • Various upstream contributions simplepie#917, simplepie#924,
    simplepie#926, simplepie#932, simplepie#933
  • Sync upstream #7706, FreshRSS/simplepie#45, #7775,
    FreshRSS/simplepie#50, #7824, #7825,
  • Fix regex Backtrack limit was exhausted in clean_hash() #7813, FreshRSS/simplepie#48
• Deployment
  • Docker default image (Debian 12 Bookworm) updated to PHP 8.2.29 #7805
  • Docker alternative image updated to Alpine 3.22 with PHP 8.4.11 and Apache 2.4.65 #7740, #7740,
    #7803
  • Start supporting PHP 8.5+ #7787, #7826
    • Docker Alpine dev image :newest updated to PHP 8.5-alpha and Apache 2.4.65 #7773
  • Docker: interpolate FRESHRSS_INSTALL and FRESHRSS_USER variables #7725
  • Docker: Reduce how much data needs to be chown/chmod’ed on container startup #7793
  • Test for database PDO typing support during install (relevant for MySQL / MariaDB with obsolete driver) #7651
• Extensions
  • Add API endpoint for extensions #7576
  • Expose the reading modes for extensions #7668, #7688
  • New extension hook before_login_btn #7761
• UI
  • Improve mark as read request showing popup due to onbeforeunload #7554
  • Fix lazy-loading for <video poster="..."> and <image> #7636
  • Avoid styling <code> inside of <pre> #7797
  • Improve confirmation logic with data-auto-leave-validation #7785
  • Update chart.js to 4.5.0 #7752, #7816
  • Various UI and style improvements: #7616, #7811
• I18n
  • Show translation status in README #7715
  • Improve Indonesian #7654, #7721
  • Improve Persian #7795
• Misc.
  • Improve PHP code #7642, #7665, #7761,
    #7781, #7794
  • Update dev dependencies #7708, #7709, #7710,
    #7711, #7776, #7777