imgproxy

v4.0.0 Breaking

This release includes 10 breaking changes for platform teams planning a safe upgrade.

Published 21d Media Servers

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

avif crop-image docker go image image-processing

+9 more

image-server jpeg jpeg-xl jxl libvips microservice png resize-images webp

ReleasePort's take

Moderate signal

editorial:auto 13d

imgproxy v4.0.0 removes several deprecated configuration options and CLI arguments; adopt the new settings before upgrading.

Why it matters: Patch immediately to replace IMGPROXY_CONCURRENCY with IMGPROXY_WORKERS, drop --keypath/--saltpath/--presets/--info-presets flags, and update timeout configs; failure causes runtime errors on upgrade.

Summary

AI summary

imgproxy v4.0.0 adds internal caching, raw format loading, object‑crop processing, HDR preservation config, telemetry propagation controls, bucket allow/deny lists, pretty error pages, and autoquality improvements.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Added bucket allowlist configs for S3, GCS, ABS, Swift Added bucket allowlist configs for S3, GCS, ABS, Swift Source: llm_adapter@2026-05-21 Confidence: high	—
Security	Medium	Added bucket denylist configs for S3, GCS, ABS, Swift Added bucket denylist configs for S3, GCS, ABS, Swift Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking
Breaking	Medium	Removed deprecated IMGPROXY_CONCURRENCY config, use IMGPROXY_WORKERS Removed deprecated IMGPROXY_CONCURRENCY config, use IMGPROXY_WORKERS Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	Removed deprecated --keypath and --saltpath CLI arguments Removed deprecated --keypath and --saltpath CLI arguments Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	Removed deprecated --presets CLI argument Removed deprecated --presets CLI argument Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	Removed deprecated --info-presets CLI argument (pro) Removed deprecated --info-presets CLI argument (pro) Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	Removed deprecated IMGPROXY_WRITE_TIMEOUT, use IMGPROXY_TIMEOUT Removed deprecated IMGPROXY_WRITE_TIMEOUT, use IMGPROXY_TIMEOUT Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	Removed deprecated IMGPROXY_READ_TIMEOUT config Removed deprecated IMGPROXY_READ_TIMEOUT config Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	Removed deprecated IMGPROXY_UNSHARPENING_* configs Removed deprecated IMGPROXY_UNSHARPENING_* configs Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	Removed Prometheus histograms for download and processing duration Removed Prometheus histograms for download and processing duration Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	IMGPROXY_USE_GCS no longer automatically set when key present IMGPROXY_USE_GCS no longer automatically set when key present Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	IMGPROXY_USE_ETAG and IMGPROXY_USE_LAST_MODIFIED enabled by default IMGPROXY_USE_ETAG and IMGPROXY_USE_LAST_MODIFIED enabled by default Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	SVG rendering DPI changed from 72 to 96 DPI SVG rendering DPI changed from 72 to 96 DPI Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	Etag generation now based on source Etag and buster only Etag generation now based on source Etag and buster only Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	Log format and naming changed to match documentation Log format and naming changed to match documentation Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	Custom New Relic metrics renamed from imgproxy.X to Custom/imgproxy/X Custom New Relic metrics renamed from imgproxy.X to Custom/imgproxy/X Source: llm_adapter@2026-05-21 Confidence: high	—
Breaking	Medium	Docker images now built on Ubuntu 22.04; minimum libc version required is 2.35 Docker images now built on Ubuntu 22.04; minimum libc version required is 2.35 Source: granite4.1:30b@2026-05-22-audit Confidence: high	—
Breaking	Medium	Removed deprecated OpenTelemetry environment variable configs Removed deprecated OpenTelemetry environment variable configs Source: llm_adapter@2026-05-21 Confidence: low	—
Breaking	Medium	Minimum libc version requirement changed to 2.35 Minimum libc version requirement changed to 2.35 Source: llm_adapter@2026-05-21 Confidence: low	—
Breaking	Medium	Removed deprecated OpenTelemetry configuration options (endpoint, protocol, GRPC_INSECURE, propagators, connection timeout); use corresponding OTEL_* variables Removed deprecated OpenTelemetry configuration options (endpoint, protocol, GRPC_INSECURE, propagators, connection timeout); use corresponding OTEL_* variables Source: granite4.1:30b@2026-05-22-audit Confidence: low	—
Feature
Feature	Medium	Source image colorspace preserved when possible Source image colorspace preserved when possible Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Internal cache added for processed images (pro) Internal cache added for processed images (pro) Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Digital camera raw format support added (pro) Digital camera raw format support added (pro) Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	crop_objects processing option for object detection (pro) crop_objects processing option for object detection (pro) Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Autoquality feature enhanced with weighted DSSIM calculation and new ML models for JPEG, WebP, AVIF, JPEG XL (pro) Autoquality feature enhanced with weighted DSSIM calculation and new ML models for JPEG, WebP, AVIF, JPEG XL (pro) Source: granite4.1:30b@2026-05-22-audit Confidence: high	—
Feature	Medium	Autoquality improved with weighted DSSIM calculation (pro) Autoquality improved with weighted DSSIM calculation (pro) Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	IMGPROXY_PRESERVE_HDR config added for HDR preservation IMGPROXY_PRESERVE_HDR config added for HDR preservation Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	preserve_hdr processing option added to override config preserve_hdr processing option added to override config Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	thumb_hash info option calculates ThumbHash of image thumb_hash info option calculates ThumbHash of image Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Low	IMGPROXY_PRESERVE_HDR configuration added to attempt preserving image bits per pixel when possible IMGPROXY_PRESERVE_HDR configuration added to attempt preserving image bits per pixel when possible Source: granite4.1:30b@2026-05-22-audit Confidence: high	—
Feature	Low	phash info option calculates perceptual hash of the source image (pro) phash info option calculates perceptual hash of the source image (pro) Source: granite4.1:30b@2026-05-22-audit Confidence: high	—
Feature	Low	classify info option classifies objects in the source image using a model (pro) classify info option classifies objects in the source image using a model (pro) Source: granite4.1:30b@2026-05-22-audit Confidence: high	—
Feature	Low	IMGPROXY_LAST_MODIFIED_BUSTER config controls passing through If‑Modified‑Since header to source (pro) IMGPROXY_LAST_MODIFIED_BUSTER config controls passing through If‑Modified‑Since header to source (pro) Source: granite4.1:30b@2026-05-22-audit Confidence: low	—
Performance
Performance	Medium	Implemented asynchronous downloading and processing of images to improve performance with slow sources or heavy processing Implemented asynchronous downloading and processing of images to improve performance with slow sources or heavy processing Source: granite4.1:30b@2026-05-22-audit Confidence: high	—
Performance	Medium	SVG minification improved; faster and more efficient SVG minification improved; faster and more efficient Source: granite4.1:30b@2026-05-22-audit Confidence: high	—
Performance	Medium	Asynchronous image downloading and processing implemented Asynchronous image downloading and processing implemented Source: llm_adapter@2026-05-21 Confidence: low	—
Performance	Medium	SVG minification performance and efficiency improved SVG minification performance and efficiency improved Source: llm_adapter@2026-05-21 Confidence: low	—
Refactor	Low	Most of the code base refactored for improved maintainability and extensibility Most of the code base refactored for improved maintainability and extensibility Source: granite4.1:30b@2026-05-22-audit Confidence: low	—

Full changelog

Added

(pro) Add internal cache for processed images.
(pro) Add digital camera raw formats support (loading only).
(pro) Add crop_objects processing option to crop the image to detected objects.
(pro) Add thumb_hash info option to calculate ThumbHash of the source image.
(pro) Add phash info option to calculate perceptual hash of the source image.
(pro) Add classify info option to classify objects in the source image using a classification model.
Add IMGPROXY_PRESERVE_HDR config. When set to true, imgproxy will try to keep the image's bits per pixel when possible.
Add preserve_hdr processing option to override the IMGPROXY_PRESERVE_HDR config on a per-request basis.
Add IMGPROXY_OPEN_TELEMETRY_ENABLE_LOGS config to control whether to send logs to OpenTelemetry.
Add IMGPROXY_NEW_RELIC_PROPAGATE_EXTERNAL, IMGPROXY_DATADOG_PROPAGATE_EXTERNAL, and IMGPROXY_OPEN_TELEMETRY_PROPAGATE_EXTERNAL configs to control propagation of tracing headers to external requests.
Add IMGPROXY_S3_ALLOWED_BUCKETS, IMGPROXY_GCS_ALLOWED_BUCKETS, IMGPROXY_ABS_ALLOWED_BUCKETS, and IMGPROXY_SWIFT_ALLOWED_BUCKETS configs to allowlist buckets/containers that imgproxy can read source images from.
Add IMGPROXY_S3_DENIED_BUCKETS, IMGPROXY_GCS_DENIED_BUCKETS, IMGPROXY_ABS_DENIED_BUCKETS, and IMGPROXY_SWIFT_DENIED_BUCKETS configs to denylist buckets/containers that imgproxy can read source images from.
Add pretty error pages when IMGPROXY_DEVELOPMENT_ERRORS_MODE is enabled.
Add documentation links to errors. They will be visible in logs and error reports.
Add IMGPROXY_LAST_MODIFIED_BUSTER config to control whether to pass through the If-Modified-Since header to the image source.

Changed

Most of the code base is refactored to improve maintainability and extensibility.
Implemented asynchronous downloading and processing of images. This improves performance when the source image is slow to download or when processing is slow.
Source image colorspace is now preserved when possible.
(pro) Improved SVG minification. It is now much faster and more efficient.
(pro) Improved autoquality. Implemented weighted DSSIM calculation and trained new ML models for JPEG, WebP, AVIF, and JPEG XL.
IMGPROXY_USE_ETAG and IMGPROXY_USE_LAST_MODIFIED are now enabled by default.
Etag generation is now based only on Etag received from the image source and IMGPROXY_ETAG_BUSTER config.
IMGPROXY_USE_GCS is not automatically set if the GCS key is present anymore. It should be set explicitly to enable loading images from Google Cloud Storage.
SVG rendering DPI is changed from 72 to 96 to match W3C recommendations.
(pro) Improved behavior of IMGPROXY_OBJECT_DETECTION_GRAVITY_MODE=one_best_centermost.
Custom New Relic metrics are now reported as timescales. Metric names have been changed from imgproxy.X to Custom/imgproxy/X.
Changed log formats. Option and argument names now match those in the documentation.
(docker) imgproxy and its dependencies are now built on Ubuntu 22.04. Linux packages exported from Docker images now require a minimum libc version of 2.35.

Removed

Removed deprecated IMGPROXY_CONCURRENCY config. Use IMGPROXY_WORKERS instead.
Removed deprecated --keypath and --saltpath CLI arguments. Use IMGPROXY_KEY and IMGPROXY_SALT environment variables instead.
Removed deprecated --presets CLI argument. Use IMGPROXY_PRESETS_PATH environment variable instead.
(pro) Removed deprecated --info-presets CLI argument. Use IMGPROXY_INFO_PRESETS_PATH environment variable instead.
Removed gif_options processing option, as it does nothing since v3.
Removed deprecated IMGPROXY_WRITE_TIMEOUT config. Use IMGPROXY_TIMEOUT instead.
Removed deprecated IMGPROXY_READ_TIMEOUT config. Use IMGPROXY_READ_REQUEST_TIMEOUT instead.
Removed obsolete IMGPROXY_MAX_SVG_CHECK_BYTES config.
Removed deprecated IMGPROXY_OPEN_TELEMETRY_ENDPOINT config. Use OTEL_EXPORTER_OTLP_ENDPOINT instead. Unlike IMGPROXY_OPEN_TELEMETRY_ENDPOINT, OTEL_EXPORTER_OTLP_ENDPOINT should contain a URL scheme (http:// or https://).
Removed deprecated IMGPROXY_OPEN_TELEMETRY_PROTOCOL config. Use OTEL_EXPORTER_OTLP_PROTOCOL instead.
Removed deprecated IMGPROXY_OPEN_TELEMETRY_GRPC_INSECURE config. Use OTEL_EXPORTER_OTLP_ENDPOINT with http:// scheme instead.
Removed deprecated IMGPROXY_OPEN_TELEMETRY_SERVICE_NAME config. Use OTEL_SERVICE_NAME instead.
Removed deprecated IMGPROXY_OPEN_TELEMETRY_PROPAGATORS config. Use OTEL_PROPAGATORS instead.
Removed deprecated IMGPROXY_OPEN_TELEMETRY_CONNECTION_TIMEOUT config. Use OTEL_EXPORTER_OTLP_TIMEOUT instead.
Removed deprecated IMGPROXY_UNSHARPENING_MODE, IMGPROXY_UNSHARPENING_WEIGHT, IMGPROXY_UNSHARPENING_DIVIDER configs. Use IMGPROXY_UNSHARP_MASKING_MODE, IMGPROXY_UNSHARP_MASKING_WEIGHT, IMGPROXY_UNSHARP_MASKING_DIVIDER instead.
Removed deprecated download_duration_seconds and processing_duration_seconds histograms from Prometheus metrics. Use request_span_duration_seconds histogram with span label instead.
Removed obsolete IMGPROXY_DOWNLOAD_BUFFER_SIZE and IMGPROXY_BUFFER_POOL_CALIBRATION_THRESHOLD configs.

Breaking Changes

Removed deprecated `IMGPROXY_CONCURRENCY` config; use `IMGPROXY_WORKERS` instead
Removed deprecated CLI arguments `--keypath`, `--saltpath`, `--presets`; use corresponding environment variables (`IMGPROXY_KEY`, `IMGPROXY_SALT`, `IMGPROXY_PRESETS_PATH`) instead
Removed deprecated CLI argument `--info-presets`; use `IMGPROXY_INFO_PRESETS_PATH` environment variable instead
Removed processing option `gif_options` (no‑op since v3)
Removed deprecated configs `IMGPROXY_WRITE_TIMEOUT`, `IMGPROXY_READ_TIMEOUT`; use `IMGPROXY_TIMEOUT` and `IMGPROXY_READ_REQUEST_TIMEOUT` respectively
Removed obsolete config `IMGPROXY_MAX_SVG_CHECK_BYTES`
Removed deprecated OpenTelemetry configs (`IMGPROXY_OPEN_TELEMETRY_ENDPOINT`, `IMGPROXY_OPEN_TELEMETRY_PROTOCOL`, `IMGPROXY_OPEN_TELEMETRY_GRPC_INSECURE`, `IMGPROXY_OPEN_TELEMETRY_SERVICE_NAME`, `IMGPROXY_OPEN_TELEMETRY_PROPAGATORS`, `IMGPROXY_OPEN_TELEMETRY_CONNECTION_TIMEOUT`); use corresponding OTEL_* environment variables
Removed deprecated unsharpening configs (`IMGPROXY_UNSHARPENING_MODE`, `IMGPROXY_UNSHARPENING_WEIGHT`, `IMGPROXY_UNSHARPENING_DIVIDER`); use `IMGPROXY_UNSHARP_MASKING_*` instead
Removed Prometheus histograms `download_duration_seconds`, `processing_duration_seconds`; use `request_span_duration_seconds` with `span` label
Removed obsolete configs `IMGPROXY_DOWNLOAD_BUFFER_SIZE`, `IMGPROXY_BUFFER_POOL_CALIBRATION_THRESHOLD`

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track imgproxy

Get notified when new releases ship.

About imgproxy

Fast and secure standalone server for resizing and converting remote images.

All releases →