imgproxy

v4.0.2 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 13d Media Servers

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

avif crop-image docker go image image-processing

+9 more

image-server jpeg jpeg-xl jxl libvips microservice png resize-images webp

ReleasePort's take

Moderate signal

editorial:auto 13d

Version v4.0.2 of imgproxy fixes a rare deadlock in the image downloading component and normalizes URL path parsing for option‑less paths, while removing the deprecated 'expires' processing option from cache keys.

Why it matters: Patch to v4.0.2 immediately if you experience deadlocks during downloads; migrate code that relied on the removed expires option before next deployment.

Summary

AI summary

Fixed a rare deadlock during image downloading.

Changes in this release

Type	Severity	Summary	CVE
Deprecation	Medium	Processing option expires removed from cache key. Processing option expires removed from cache key. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Resolved rare deadlock during image downloading. Resolved rare deadlock during image downloading. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Corrected normalized URL path parsing for option-less paths. Corrected normalized URL path parsing for option-less paths. Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

Changed

(pro) expires processing option is removed from the cache key.

Fixed

Fixed a rare deadlock during image downloading.
Fix normalized URL path parsing when it doesn't contain any options.

Breaking Changes

Removed `expires` processing option from the cache key

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track imgproxy

Get notified when new releases ship.

About imgproxy

Fast and secure standalone server for resizing and converting remote images.

All releases →

Related context

Related tools

Earlier breaking changes

v4.0.0 Removed deprecated OpenTelemetry configuration options (endpoint, protocol, GRPC_INSECURE, propagators, connection timeout); use corresponding OTEL_* variables
v4.0.0 Docker images now built on Ubuntu 22.04; minimum libc version required is 2.35
v4.0.0 Minimum libc version requirement changed to 2.35
v4.0.0 Custom New Relic metrics renamed from imgproxy.X to Custom/imgproxy/X
v4.0.0 Log format and naming changed to match documentation