Skip to content

NPMplus

v2026-04-21-r2 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 1mo Reverse Proxies & Load Balancers
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

nginx nginx-php nginx-proxy nginx-proxy-manager nginx-reverse-proxy npmplus

Summary

AI summary

Removed AUTH_REQUEST_TINYAUTH_DOMAIN env var; tinyauth v5.0.7+ now required; cookie names changed.

Full changelog

What's Changed since last release

  • fix CSP (fix notifications)
  • dep updates

What Changed in the last releases

  • support voidauth
  • remove AUTH_REQUEST_TINYAUTH_DOMAIN env, tinyauth v5.0.7+ is now required
  • allow the backend to send all Upgrade headers again, if you have issues with apple clients try to instead disable http2 in your upstreams
  • cookies are more strict now, the cookie name has changed because of this
  • always send "Origin-Agent-Cluster: ?1" header
  • hsts buttons are now better labeled
  • CERTBOT_RUN_INTERVAL is now limited to 500 hours
  • inbuilt php has been fixed
  • the error log written to disk now uses error level info
  • rename the advanced tab from a cogwheel symbol to advanced
  • show a star if a custom config is set for locations
  • dep and doc updates

Image tags:

  • docker.io/zoeyvid/npmplus:2026-04-21-r2 (fixed to this release)
  • ghcr.io/zoeyvid/npmplus:2026-04-21-r2 (fixed to this release)
  • docker.io/zoeyvid/npmplus:latest (latest stable)
  • ghcr.io/zoeyvid/npmplus:latest (latest stable)
  • docker.io/zoeyvid/npmplus:beta (latest beta/stable)
  • ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-04-21-r1...2026-04-21-r2

Breaking Changes

  • AUTH_REQUEST_TINYAUTH_DOMAIN env var removed
  • tinyauth v5.0.7+ now required (minimum version bump)
  • Cookie names changed due to stricter cookie handling

Security Fixes

  • CSP fix for notifications
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track NPMplus

Get notified when new releases ship.

Sign up free

About NPMplus

a fork of nginx-proxy-manager

All releases →

Related context

Beta — feedback welcome: [email protected]