Skip to content

fix(deps): update module github.com/mmcdole/gofeed to v1.4.0#128

Open
renovate[bot] wants to merge 1 commit into
developfrom
renovate/github.com-mmcdole-gofeed-1.x
Open

fix(deps): update module github.com/mmcdole/gofeed to v1.4.0#128
renovate[bot] wants to merge 1 commit into
developfrom
renovate/github.com-mmcdole-gofeed-1.x

Conversation

@renovate

@renovate renovate Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/mmcdole/gofeed v1.3.0v1.4.0 age confidence

Release Notes

mmcdole/gofeed (github.com/mmcdole/gofeed)

v1.4.0

Compare Source

This release focuses on bug fixes for malformed and off-spec feeds. Illegal XML control characters, unusual date formats, incorrectly typed JSON Feed fields, and unescaped ampersands in URLs could previously break a parse or silently drop content. The parser now handles these cases without failing the feed or losing the affected content.

It also fixes a lazy-initialization data race when a default-configured Parser is reused across goroutines (#​278). Three new options give callers more control over resource use: an HTTP response-size limit, optional retention of the original source feed, and a switch to disable RSS content-image scanning.

For RSS and Atom, the universal Parser.Parse method no longer holds two complete copies of the raw feed in memory during format detection. It examines the first 4 KiB, detects the format, and then parses directly from the reader. The returned Feed is still fully materialized, so this is not a streaming API. JSON Feed decoding still buffers the complete document.

Compatibility

  • Go 1.25 or newer is required. v1.4.0 updates golang.org/x/net from v0.4.0 to v0.56.0 to resolve 22 reachable vulnerabilities reported by govulncheck; that release and its golang.org/x/text dependency require Go 1.25.
  • ParseURL now applies a 30-second request timeout. ParseURLWithContext continues to use the caller's context.
  • Parse now examines only the first 4 KiB to detect the feed type. RSS and Atom roots must begin within that window. In v1.4.0, a JSON Feed whose complete document does not fit within the window is not detected by the universal Parser and returns ErrFeedTypeNotDetected.
  • The text returned by ErrFeedTypeNotDetected.Error() now begins with lowercase failed.
  • No exported v1 identifier was removed. Feed now has private storage for the original source feed, so external positional Feed{...} literals no longer compile; keyed literals are unaffected.

Added

  • Add Parser.MaxByteSize and ErrResponseTooLarge to limit response bodies fetched by ParseURL and ParseURLWithContext. (#​286)
  • Add Parser.KeepOriginalFeed and Feed.OriginalFeed() for access to the parsed *rss.Feed, *atom.Feed, or *json.Feed. (#​289)
  • Add DefaultRSSTranslator.DisableContentImageScan to skip the HTML image fallback on large feeds while preserving existing behavior by default. (#​330)

Parsing and translation fixes

  • Fix a data race when the same default-configured Parser is reused across goroutines. (#​278)
  • Limit universal-parser format detection to a 4 KiB lookahead, parse RSS and Atom directly from the reader without retaining two complete raw copies, and propagate reader I/O errors. (#​327)
  • Preserve parse errors when closing an HTTP response also returns an error.
  • Tolerate non-HTTP URI schemes and resolve RSS and Atom xml:base values without mutating sibling scope. (#​240, #​283, #​290)
  • Resolve every URI-bearing HTML attribute, including elements with multiple URI attributes. (#​323)
  • Preserve ordinary Atom content that merely looks like base64 and trim whitespace-prefixed Atom links. (#​238, #​283)
  • Promote embedded Atom author, date, content, summary, and category elements from RSS into universal fields. (#​292)
  • Correct RSS guid isPermaLink handling and replace the invalid itunes:subtitle feed-link fallback with atom:link. (#​283, #​322)
  • Handle illegal C0 XML controls, mixed CDATA content, namespace whitespace, <cloud> children, and non-content <encoded> elements without losing the feed. (#​284, #​295, #​317, #​318, #​325)
  • Continue entity decoding after bare ampersands without corrupting query parameters that resemble legacy HTML entities. (#​319, #​321)
  • Correct named timezone offsets and additional date layouts. (#​234, #​282, #​324)
  • Tolerate off-spec JSON Feed IDs, booleans, attachment sizes, and durations; use attachment byte size for Enclosure.Length; and reject out-of-range numeric sizes safely. (#​279, #​326)
  • Prevent sorting panics when items have nil parsed publication dates.

Dependencies and maintenance

  • Replace jsoniter with encoding/json. (#​280)
  • Migrate to github.com/mmcdole/goxpp/v2 v2.0.0. (#​329)
  • Replace goquery and cascadia with direct x/net/html traversal. (#​330)
  • Upgrade golang.org/x/net and golang.org/x/text for security, and upgrade testify and urfave/cli.
  • Expand regression fixtures and consolidate parser and translator control flow. (#​332, #​333)
  • Add contributor guidance and test-fixture conventions. (#​331)
  • Modernize GitHub Actions with stable/oldstable builds, race-enabled shuffled tests, Staticcheck, govulncheck, Codecov, and Dependabot; remove the defunct Travis configuration. (#​297, #​335)

Contributors

Contributions in this release came from @​mmcdole, @​TypicalAM, @​oprudkyi, and @​akfaew.

Full changelog: mmcdole/gofeed@v1.3.0...v1.4.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 4 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.19 -> 1.25.0
golang.org/x/crypto v0.16.0 -> v0.53.0
golang.org/x/net v0.19.0 -> v0.56.0
golang.org/x/sys v0.15.0 -> v0.46.0
golang.org/x/text v0.14.0 -> v0.38.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants