2026-05-25-b1

What's Changed since last beta

• dep updates (including the openappsec attachment module)

What else Changed since last release

• feat: Support for Multiple Access Control Lists and Location Specific Access Control Lists by @shopsD in #3101
• nginx: set http3_stream_buffer_size to 1m to improve http3 speed on non perfect connections
• nginx: disable SHA1 and RSA_PKCS1 sigalgs, RSA-PKCS1 cna be reenabled using NGINX_TRUST_RSA_PKCS1
• nginx: hide more "useless" upstream headers
• nginx: update openappsec attachment and crowdsec
• nginx: update nginx to fix recent CVEs, see: #3285
• startup: reduce time for 'chown' process when PUID/PGID != 0 by @invario in #3144
• startup: fix disabling ech without container recreation and too early nginx reload
• startup: fix blocked startup if acme server is down
• startup: disable oepnappsec attachment during host regeneration
• UI: diffrent CSPs for NPMplus-UI and swaggerUI
• UI: add Permission Policy
• UI: improve sorting of online/offline/disabled column
• UI: fix button switching in custom location when clicking on the label
• Build: pin git clone steps against commit shas instead of tags and branches
• Build: verify downloaded patches against a shasum
• merge upstream (mainly lang updates)
• dep and doc updates

Image tags:

• docker.io/zoeyvid/npmplus:2026-05-25-b1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-05-25-b1 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

What's Changed

New Contributors

• @shopsD made their first contribution in #3101
• @invario made their first contribution in #3144

Full Changelog: 2026-05-22-b1...2026-05-25-b1

2026-05-22-b1

What's Changed since last beta

• update nginx to fix a new CVE, I've added it to #3285, nearly all NPMplus installation should NOT be effected

What else Changed since last release

• feat: Support for Multiple Access Control Lists and Location Specific Access Control Lists by @shopsD in #3101
• nginx: set http3_stream_buffer_size to 1m to improve http3 speed on non perfect connections
• nginx: disable SHA1 and RSA_PKCS1 sigalgs, RSA-PKCS1 cna be reenabled using NGINX_TRUST_RSA_PKCS1
• nginx: hide more "useless" upstream headers
• nginx: update openappsec attachment and crowdsec
• nginx: update nginx to fix recent CVEs, see: #3285
• startup: reduce time for 'chown' process when PUID/PGID != 0 by @invario in #3144
• startup: fix disabling ech without container recreation and too early nginx reload
• startup: fix blocked startup if acme server is down
• startup: disable oepnappsec attachment during host regeneration
• UI: diffrent CSPs for NPMplus-UI and swaggerUI
• UI: add Permission Policy
• UI: improve sorting of online/offline/disabled column
• UI: fix button switching in custom location when clicking on the label
• Build: pin git clone steps against commit shas instead of tags and branches
• Build: verify downloaded patches against a shasum
• merge upstream (mainly lang updates)
• dep and doc updates

Image tags:

• docker.io/zoeyvid/npmplus:2026-05-22-b1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-05-22-b1 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

What's Changed

New Contributors

• @shopsD made their first contribution in #3101
• @invario made their first contribution in #3144

Full Changelog: 2026-05-21-b3...2026-05-22-b1

2026-05-21-b3

What's Changed since last beta

• fix #3353 (comment)

What else Changed since last release

• feat: Support for Multiple Access Control Lists and Location Specific Access Control Lists by @shopsD in #3101
• nginx: set http3_stream_buffer_size to 1m to improve http3 speed on non perfect connections
• nginx: disable SHA1 and RSA_PKCS1 sigalgs, RSA-PKCS1 cna be reenabled using NGINX_TRUST_RSA_PKCS1
• nginx: hide more "useless" upstream headers
• nginx: update openappsec attachment and crowdsec
• nginx: update nginx to fix recent CVEs, see: #3285
• startup: reduce time for 'chown' process when PUID/PGID != 0 by @invario in #3144
• startup: fix disabling ech without container recreation and too early nginx reload
• startup: fix blocked startup if acme server is down
• startup: disable oepnappsec attachment during host regeneration
• UI: diffrent CSPs for NPMplus-UI and swaggerUI
• UI: add Permission Policy
• UI: improve sorting of online/offline/disabled column
• UI: fix button switching in custom location when clicking on the label
• Build: pin git clone steps against commit shas instead of tags and branches
• Build: verify downloaded patches against a shasum
• merge upstream (mainly lang updates)
• dep and doc updates

Image tags:

• docker.io/zoeyvid/npmplus:2026-05-21-b3 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-05-21-b3 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

What's Changed

New Contributors

• @shopsD made their first contribution in #3101
• @invario made their first contribution in #3144

Full Changelog: 2026-05-21-b2...2026-05-21-b3

2026-05-21-b2

What's Changed since last beta

• startup: reduce time for 'chown' process when PUID/PGID != 0 by @invario in #3144

What else Changed since last release

• feat: Support for Multiple Access Control Lists and Location Specific Access Control Lists by @shopsD in #3101
• nginx: set http3_stream_buffer_size to 1m to improve http3 speed on non perfect connections
• nginx: disable SHA1 and RSA_PKCS1 sigalgs, RSA-PKCS1 cna be reenabled using NGINX_TRUST_RSA_PKCS1
• nginx: hide more "useless" upstream headers
• nginx: update openappsec attachment and crowdsec
• nginx: update nginx to fix recent CVEs, see: #3285
• startup: fix disabling ech without container recreation and too early nginx reload
• startup: fix blocked startup if acme server is down
• startup: disable oepnappsec attachment during host regeneration
• UI: diffrent CSPs for NPMplus-UI and swaggerUI
• UI: add Permission Policy
• UI: improve sorting of online/offline/disabled column
• UI: fix button switching in custom location when clicking on the label
• Build: pin git clone steps against commit shas instead of tags and branches
• Build: verify downloaded patches against a shasum
• merge upstream (mainly lang updates)
• dep and doc updates

Image tags:

• docker.io/zoeyvid/npmplus:2026-05-21-b2 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-05-21-b2 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

What's Changed

New Contributors

• @shopsD made their first contribution in #3101
• @invario made their first contribution in #3144

Full Changelog: 2026-05-21-b1...2026-05-21-b2

2026-05-21-b1

What's Changed since last release

• Support for Multiple Access Control Lists and Location Specific Access Control Lists by @shopsD in #3101
• set http3_stream_buffer_size to 1m to improve http3 speed on non perfect connections
• nginx: disable SHA1 and RSA_PKCS1 sigalgs, RSA-PKCS1 cna be reenabled using NGINX_TRUST_RSA_PKCS1
• nginx: hide more "useless" upstream headers
• nginx: update openappsec attachment and crowdsec
• nginx: update nginx to fix recent CVEs, see: #3285
• startup: fix disabling ech without container recreation and too early nginx reload
• startup: fix blocked startup if acme server is down
• startup: disable oepnappsec attachment during host regeneration
• UI: diffrent CSPs for NPMplus-UI and swaggerUI
• UI: add Permission Policy
• UI: improve sorting of online/offline/disabled column
• UI: fix button switching in custom location when clicking on the label
• Build: pin git clone steps against commit shas instead of tags and branches
• Build: verify downloaded patches against a shasum
• merge upstream (mainly lang updates)
• dep and doc updates

Image tags:

• docker.io/zoeyvid/npmplus:2026-05-21-b1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-05-21-b1 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

New Contributors

• @shopsD made their first contribution in #3101

Full Changelog: 2026-04-21-r2...2026-05-21-b1

2026-04-21-r2

What's Changed since last release

• fix CSP (fix notifications)
• dep updates

What Changed in the last releases

• support voidauth
• remove AUTH_REQUEST_TINYAUTH_DOMAIN env, tinyauth v5.0.7+ is now required
• allow the backend to send all Upgrade headers again, if you have issues with apple clients try to instead disable http2 in your upstreams
• cookies are more strict now, the cookie name has changed because of this
• always send "Origin-Agent-Cluster: ?1" header
• hsts buttons are now better labeled
• CERTBOT_RUN_INTERVAL is now limited to 500 hours
• inbuilt php has been fixed
• the error log written to disk now uses error level info
• rename the advanced tab from a cogwheel symbol to advanced
• show a star if a custom config is set for locations
• dep and doc updates

Image tags:

• docker.io/zoeyvid/npmplus:2026-04-21-r2 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-04-21-r2 (fixed to this release)
• docker.io/zoeyvid/npmplus:latest (latest stable)
• ghcr.io/zoeyvid/npmplus:latest (latest stable)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-04-21-r1...2026-04-21-r2

2026-04-21-r1

What's Changed since last release

• fix cookie deletion and with this the logout button
• dep updates

What Changed in the last releases

• support voidauth
• remove AUTH_REQUEST_TINYAUTH_DOMAIN env, tinyauth v5.0.7+ is now required
• allow the backend to send all Upgrade headers again, if you have issues with apple clients try to instead disable http2 in your upstreams
• cookies are more strict now, the cookie name has changed because of this
• always send "Origin-Agent-Cluster: ?1" header
• hsts buttons are now better labeled
• CERTBOT_RUN_INTERVAL is now limited to 500 hours
• inbuilt php has been fixed
• the error log written to disk now uses error level info
• rename the advanced tab from a cogwheel symbol to advanced
• show a star if a custom config is set for locations
• dep and doc updates

Image tags:

• docker.io/zoeyvid/npmplus:2026-04-21-r1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-04-21-r1 (fixed to this release)
• docker.io/zoeyvid/npmplus:latest (latest stable)
• ghcr.io/zoeyvid/npmplus:latest (latest stable)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-04-20-r1...2026-04-21-r1

2026-04-20-r1

What's Changed since last release

• support voidauth
• remove AUTH_REQUEST_TINYAUTH_DOMAIN env, tinyauth v5.0.7+ is now required
• allow the backend to send all Upgrade headers again, if you have issues with apple clients try to instead disable http2 in your upstreams
• cookies are more strict now, the cookie name has changed because of this
• always send "Origin-Agent-Cluster: ?1" header
• hsts buttons are now better labeled
• CERTBOT_RUN_INTERVAL is now limited to 500 hours
• inbuilt php has been fixed
• the error log written to disk now uses error level info
• rename the advanced tab from a cogwheel symbol to advanced
• show a star if a custom config is set for locations
• dep and doc updates

Image tags:

• docker.io/zoeyvid/npmplus:2026-04-20-r1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-04-20-r1 (fixed to this release)
• docker.io/zoeyvid/npmplus:latest (latest stable)
• ghcr.io/zoeyvid/npmplus:latest (latest stable)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-04-12-r1...2026-04-20-r1

2026-04-19-b1

What's Changed since last release

• support voidauth
• remove AUTH_REQUEST_TINYAUTH_DOMAIN env, tinyauth v5.0.7+ is now required
• allow the backend to send all Upgrade headers again, if you have issues with apple clients try to instead disable http2 in your upstreams
• cookies are more strict now
• always send "Origin-Agent-Cluster: ?1" header
• hsts buttons are now better labeled
• CERTBOT_RUN_INTERVAL is now limited to 500 hours
• inbuilt php has been fixed
• the error log written to disk now uses error level info
• rename the advanced tab from a cogwheel symbol to advanced
• show a star if a custom config is set for locations
• dep and doc updates

Image tags:

• docker.io/zoeyvid/npmplus:2026-04-19-b1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-04-19-b1 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-04-12-r1...2026-04-19-b1

2026-04-12-r1

What Changed since last release

• fix streams and custom locations
• use nginx default of add_header_inherit/add_trailer_inherit

What Changed in the last release

• security: fix NginxProxyManager#5441, this allowed any non-admin user to make themself an admin, please note that upstream nginx-proxy-manager is still vulnerable to this.
• breaking: the tls, access, npmplus and nginx/logs folder are now restricted to the owner (PUID)
• breaking: creating a location / as custom location or in the advanced tab will now crash nginx
• you can now insert configs in the location / directly in the details tab
• nginx is now built with aws-lc instead of openssl
• certificate compression using zlib-ng and brotli is now supported (disabled when OCSP is enabled) by patching nginx (patch created by myself)
• make email addresses lowercase in more places
• build aws-lc from source
• fix bpf by merging nginx/nginx#1219
• add nginx patch based on nginx/nginx#973 to support encrypted client hello with aws-lc (see readme)
• fix $request_port / $is_request_port being empty if auth_request is used (fixed #3034)
• support ip certificates
• use a upstream block in nginx to support keepalive
• add a small start next to the tab title if there is any advaced config set or custom locations exist
• add nginx patch to use the listing IP as SNI if the client doesn't send one, this is required to improve ip certificate support since the RFC forbids clients (browsers) to send the SNI for IP targets, this required network_mode host
• support easier changing the images used by anubis (see readme)
• drop authentik domain level mode (drop AUTH_REQUEST_AUTHENTIK_DOMAIN env), single application mode is still supported
• add oauth2proxy ass auth_request provider (untested by be)
• allow upstreams to only trigger websocket upgrades, this should prevent issues with apple clients when the backend (apache2) tries to upgrade the connection to http2 between itself and nginx (which then causes a chain of issues if nginx already talks http2 to the client but nginx blindly forwards the upstreams upgrade request to the client which rejects it since it is already using http2 to nginx)
• encrypt cookies, the secret will be generated on container restart, so sessions are invalidated after restart (set the COOKIE_SECRET to keep them valid)
• improve CSRF protection in the backend a bit
• make the CSP more restrictive
• block enabling appsec and disabling request buffering at the same time
• add ENABLE_MPTCP env to enable multipathtcp in nginx, defaults to false, only works when using network_mode host
• merge NginxProxyManager#5421
• make more async in the backend
• disable stream tls tab if udp forwarding is enabled
• add advanced config tab to streams, since ssl_preread is now off by default
• merge #2783
• use node:crypto instead of the openssl command to read certificate meta data
• rename the CRT env to CERTBOT_RUN_INTERVAL
• switch from moment to dayjs
• add mTLS support (on, off, optional)
• add certid to tables
• add indicator for active sorted columns
• add searchbar to auditlog
• fix directadmin dns provider by @NoroNetwork
• add swagger docs ui under /api/docs
• LISTEN_PROXY_PROTOCOL can now also be set independently using LISTEN_PROXY_PROTOCOL_HTTP and LISTEN_PROXY_PROTOCOL_HTTPS
• add ACME_KEY_SIZE env
• invert default of NGINX_TRUST_SECPR1 env
• fix anubis under some conditions
• spoof host header for auth_request targets
• not required caps are now dropped in the compose.yaml
• Update docs by @gingemonster in #2790
• doc and dep updates
• merge upstream (no real changes)

Image tags:

• docker.io/zoeyvid/npmplus:2026-04-12-r1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-04-12-r1 (fixed to this release)
• docker.io/zoeyvid/npmplus:latest (latest stable)
• ghcr.io/zoeyvid/npmplus:latest (latest stable)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-04-10-r2...2026-04-12-r1