Skip to content

chore(deps): bump github.com/mmcdole/gofeed from 1.3.0 to 1.4.0#2102

Open
dependabot[bot] wants to merge 1 commit into
trunkfrom
dependabot/go_modules/github.com/mmcdole/gofeed-1.4.0
Open

chore(deps): bump github.com/mmcdole/gofeed from 1.3.0 to 1.4.0#2102
dependabot[bot] wants to merge 1 commit into
trunkfrom
dependabot/go_modules/github.com/mmcdole/gofeed-1.4.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 15, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/mmcdole/gofeed from 1.3.0 to 1.4.0.

Release notes

Sourced from github.com/mmcdole/gofeed's releases.

v1.4.0

This release focuses on bug fixes for malformed and off-spec feeds. Illegal XML control characters, unusual date formats, incorrectly typed JSON Feed fields, and unescaped ampersands in URLs could previously break a parse or silently drop content. The parser now handles these cases without failing the feed or losing the affected content.

It also fixes a lazy-initialization data race when a default-configured Parser is reused across goroutines (#278). Three new options give callers more control over resource use: an HTTP response-size limit, optional retention of the original source feed, and a switch to disable RSS content-image scanning.

For RSS and Atom, the universal Parser.Parse method no longer holds two complete copies of the raw feed in memory during format detection. It examines the first 4 KiB, detects the format, and then parses directly from the reader. The returned Feed is still fully materialized, so this is not a streaming API. JSON Feed decoding still buffers the complete document.

Compatibility

  • Go 1.25 or newer is required. v1.4.0 updates golang.org/x/net from v0.4.0 to v0.56.0 to resolve 22 reachable vulnerabilities reported by govulncheck; that release and its golang.org/x/text dependency require Go 1.25.
  • ParseURL now applies a 30-second request timeout. ParseURLWithContext continues to use the caller's context.
  • Parse now examines only the first 4 KiB to detect the feed type. RSS and Atom roots must begin within that window. In v1.4.0, a JSON Feed whose complete document does not fit within the window is not detected by the universal Parser and returns ErrFeedTypeNotDetected.
  • The text returned by ErrFeedTypeNotDetected.Error() now begins with lowercase failed.
  • No exported v1 identifier was removed. Feed now has private storage for the original source feed, so external positional Feed{...} literals no longer compile; keyed literals are unaffected.

Added

  • Add Parser.MaxByteSize and ErrResponseTooLarge to limit response bodies fetched by ParseURL and ParseURLWithContext. (#286)
  • Add Parser.KeepOriginalFeed and Feed.OriginalFeed() for access to the parsed *rss.Feed, *atom.Feed, or *json.Feed. (#289)
  • Add DefaultRSSTranslator.DisableContentImageScan to skip the HTML image fallback on large feeds while preserving existing behavior by default. (#330)

Parsing and translation fixes

  • Fix a data race when the same default-configured Parser is reused across goroutines. (#278)
  • Limit universal-parser format detection to a 4 KiB lookahead, parse RSS and Atom directly from the reader without retaining two complete raw copies, and propagate reader I/O errors. (#327)
  • Preserve parse errors when closing an HTTP response also returns an error.
  • Tolerate non-HTTP URI schemes and resolve RSS and Atom xml:base values without mutating sibling scope. (#240, #283, #290)
  • Resolve every URI-bearing HTML attribute, including elements with multiple URI attributes. (#323)
  • Preserve ordinary Atom content that merely looks like base64 and trim whitespace-prefixed Atom links. (#238, #283)
  • Promote embedded Atom author, date, content, summary, and category elements from RSS into universal fields. (#292)
  • Correct RSS guid isPermaLink handling and replace the invalid itunes:subtitle feed-link fallback with atom:link. (#283, #322)
  • Handle illegal C0 XML controls, mixed CDATA content, namespace whitespace, <cloud> children, and non-content <encoded> elements without losing the feed. (#284, #295, #317, #318, #325)
  • Continue entity decoding after bare ampersands without corrupting query parameters that resemble legacy HTML entities. (#319, #321)
  • Correct named timezone offsets and additional date layouts. (#234, #282, #324)
  • Tolerate off-spec JSON Feed IDs, booleans, attachment sizes, and durations; use attachment byte size for Enclosure.Length; and reject out-of-range numeric sizes safely. (#279, #326)
  • Prevent sorting panics when items have nil parsed publication dates.

Dependencies and maintenance

  • Replace jsoniter with encoding/json. (#280)
  • Migrate to github.com/mmcdole/goxpp/v2 v2.0.0. (#329)
  • Replace goquery and cascadia with direct x/net/html traversal. (#330)
  • Upgrade golang.org/x/net and golang.org/x/text for security, and upgrade testify and urfave/cli.
  • Expand regression fixtures and consolidate parser and translator control flow. (#332, #333)
  • Add contributor guidance and test-fixture conventions. (#331)
  • Modernize GitHub Actions with stable/oldstable builds, race-enabled shuffled tests, Staticcheck, govulncheck, Codecov, and Dependabot; remove the defunct Travis configuration. (#297, #335)

Contributors

Contributions in this release came from @​mmcdole, @​TypicalAM, @​oprudkyi, and @​akfaew.

... (truncated)

Commits
  • ec8fd42 Remove defunct Travis CI configuration (#335)
  • 16bfe36 Route the parser element loops through one shared helper (#333)
  • d9ae564 Flatten the translator micro-methods (#332)
  • 33df57e Add CONTRIBUTING.md (#331)
  • f8a5f28 Add DisableContentImageScan and drop the goquery dependency (#330)
  • 8727c27 Migrate to goxpp v2 (#329)
  • 8cd10be Bump goxpp to v1.3.0 (#328)
  • 6011645 Stream XML feeds through Parse; surface reader I/O errors (#327)
  • 18a93c2 Coerce out-of-range float sizes to 0 instead of overflow garbage (#326)
  • f66719a Trim namespace URIs once, inside PrefixForNamespace (#325)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/mmcdole/gofeed](https://github.com/mmcdole/gofeed) from 1.3.0 to 1.4.0.
- [Release notes](https://github.com/mmcdole/gofeed/releases)
- [Commits](mmcdole/gofeed@v1.3.0...v1.4.0)

---
updated-dependencies:
- dependency-name: github.com/mmcdole/gofeed
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Development

Successfully merging this pull request may close these issues.

1 participant