Skip to content

Release history

NPMplus releases

a fork of nginx-proxy-manager

Back to tool Latest release

All releases

19 shown

2026-04-21-r2 Breaking risk
⚠ Upgrade required
  • CERTBOT_RUN_INTERVAL now limited to 500 hours maximum
  • If experiencing issues with Apple clients, try disabling http2 in upstreams
Breaking changes
  • AUTH_REQUEST_TINYAUTH_DOMAIN env var removed
  • tinyauth v5.0.7+ now required (minimum version bump)
  • Cookie names changed due to stricter cookie handling
Security fixes
  • CSP fix for notifications
Notable features
  • Support for voidauth
  • Backend can now send all Upgrade headers
  • Origin-Agent-Cluster: ?1 header always sent
Full changelog

What's Changed since last release

  • fix CSP (fix notifications)
  • dep updates

What Changed in the last releases

  • support voidauth
  • remove AUTH_REQUEST_TINYAUTH_DOMAIN env, tinyauth v5.0.7+ is now required
  • allow the backend to send all Upgrade headers again, if you have issues with apple clients try to instead disable http2 in your upstreams
  • cookies are more strict now, the cookie name has changed because of this
  • always send "Origin-Agent-Cluster: ?1" header
  • hsts buttons are now better labeled
  • CERTBOT_RUN_INTERVAL is now limited to 500 hours
  • inbuilt php has been fixed
  • the error log written to disk now uses error level info
  • rename the advanced tab from a cogwheel symbol to advanced
  • show a star if a custom config is set for locations
  • dep and doc updates

Image tags:

  • docker.io/zoeyvid/npmplus:2026-04-21-r2 (fixed to this release)
  • ghcr.io/zoeyvid/npmplus:2026-04-21-r2 (fixed to this release)
  • docker.io/zoeyvid/npmplus:latest (latest stable)
  • ghcr.io/zoeyvid/npmplus:latest (latest stable)
  • docker.io/zoeyvid/npmplus:beta (latest beta/stable)
  • ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-04-21-r1...2026-04-21-r2

View release on GitHub
2026-04-21-r1 Breaking risk
⚠ Upgrade required
  • If experiencing issues with Apple clients after upgrade, disable http2 in upstream configuration
Breaking changes
  • Removed AUTH_REQUEST_TINYAUTH_DOMAIN environment variable; tinyauth v5.0.7+ is now required
  • Cookie name has changed due to stricter cookie handling
Security fixes
  • Always send Origin-Agent-Cluster: ?1 header for security hardening
  • Cookies are now stricter, improving security posture
Notable features
  • Added support for voidauth
  • Fixed cookie deletion and logout button
  • Backend now sends all Upgrade headers
Full changelog

What's Changed since last release

  • fix cookie deletion and with this the logout button
  • dep updates

What Changed in the last releases

  • support voidauth
  • remove AUTH_REQUEST_TINYAUTH_DOMAIN env, tinyauth v5.0.7+ is now required
  • allow the backend to send all Upgrade headers again, if you have issues with apple clients try to instead disable http2 in your upstreams
  • cookies are more strict now, the cookie name has changed because of this
  • always send "Origin-Agent-Cluster: ?1" header
  • hsts buttons are now better labeled
  • CERTBOT_RUN_INTERVAL is now limited to 500 hours
  • inbuilt php has been fixed
  • the error log written to disk now uses error level info
  • rename the advanced tab from a cogwheel symbol to advanced
  • show a star if a custom config is set for locations
  • dep and doc updates

Image tags:

  • docker.io/zoeyvid/npmplus:2026-04-21-r1 (fixed to this release)
  • ghcr.io/zoeyvid/npmplus:2026-04-21-r1 (fixed to this release)
  • docker.io/zoeyvid/npmplus:latest (latest stable)
  • ghcr.io/zoeyvid/npmplus:latest (latest stable)
  • docker.io/zoeyvid/npmplus:beta (latest beta/stable)
  • ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-04-20-r1...2026-04-21-r1

View release on GitHub
2026-04-20-r1 Breaking risk
⚠ Upgrade required
  • If experiencing issues with Apple clients, disable http2 in upstreams to work around Upgrade header behavior changes
  • Error logs written to disk now use info level
Breaking changes
  • AUTH_REQUEST_TINYAUTH_DOMAIN environment variable removed
  • tinyauth v5.0.7+ is now required
  • Cookie name changed due to stricter cookie handling
Security fixes
  • Stricter cookie handling with changed cookie names
  • Always send Origin-Agent-Cluster: ?1 header
Notable features
  • Support for voidauth authentication method
  • Backend can now send all Upgrade headers again
  • UI improvements: advanced tab redesigned (cogwheel → 'advanced'), HSTS buttons relabeled, custom location configs indicated with star
Full changelog

What's Changed since last release

  • support voidauth
  • remove AUTH_REQUEST_TINYAUTH_DOMAIN env, tinyauth v5.0.7+ is now required
  • allow the backend to send all Upgrade headers again, if you have issues with apple clients try to instead disable http2 in your upstreams
  • cookies are more strict now, the cookie name has changed because of this
  • always send "Origin-Agent-Cluster: ?1" header
  • hsts buttons are now better labeled
  • CERTBOT_RUN_INTERVAL is now limited to 500 hours
  • inbuilt php has been fixed
  • the error log written to disk now uses error level info
  • rename the advanced tab from a cogwheel symbol to advanced
  • show a star if a custom config is set for locations
  • dep and doc updates

Image tags:

  • docker.io/zoeyvid/npmplus:2026-04-20-r1 (fixed to this release)
  • ghcr.io/zoeyvid/npmplus:2026-04-20-r1 (fixed to this release)
  • docker.io/zoeyvid/npmplus:latest (latest stable)
  • ghcr.io/zoeyvid/npmplus:latest (latest stable)
  • docker.io/zoeyvid/npmplus:beta (latest beta/stable)
  • ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-04-12-r1...2026-04-20-r1

View release on GitHub
2026-04-12-r1 Breaking risk
Breaking changes
  • tls, access, npmplus and nginx/logs folders now restricted to owner (PUID)
  • creating location / as custom location or in advanced tab will crash nginx
Security fixes
  • Fix for issue allowing non-admin users to become admin (upstream still vulnerable)
Notable features
  • nginx built with aws-lc instead of openssl
  • Certificate compression using zlib-ng and brotli support
  • mTLS support (on, off, optional)
View release on GitHub
2026-04-10-r2 Mixed
Breaking changes
  • tls, access, npmplus and nginx/logs folders now restricted to owner (PUID)
  • Creating location / as custom location or in advanced tab will crash nginx, use details tab instead
Security fixes
  • Non-admin user privilege escalation (nginx-proxy-manager #5441)
Notable features
  • Nginx built with aws-lc instead of OpenSSL with certificate compression support
  • mTLS support with on/off/optional modes
  • OAuth2proxy as auth_request provider
View release on GitHub
2026-04-10-r1 Breaking risk
Breaking changes
  • tls, access, npmplus, nginx/logs folders restricted to owner (PUID)
  • Creating location / as custom location will crash nginx
  • Removed Authentik domain level auth mode
Security fixes
  • Fixed non-admin privilege escalation vulnerability
Notable features
  • nginx built with aws-lc (certificate compression support)
  • IPv4/IPv6 certificate support
  • Cookie encryption
View release on GitHub
2026-02-19-r3 Security relevant
Security fixes
  • TOTP vulnerability: logged-in users could disable TOTP without reentering valid token if length wasn't 6 or 8 characters
View release on GitHub
2026-02-19-r2 Breaking risk
Breaking changes
  • Multiple button values reset (buffering split, noindex/bots split, fancyindex split, HTTP/3)
  • X_FRAME_OPTIONS env removed
  • Database config file support removed
Security fixes
  • TOTP vulnerability: logged-in users could disable TOTP without reentering valid token
View release on GitHub
2026-02-19-r1 Breaking risk
Breaking changes
  • Multiple button values reset
  • X_FRAME_OPTIONS env removed
  • Database config file support removed
Security fixes
  • Critical TOTP vulnerability: logged-in users could disable TOTP or regenerate backup codes without reentering valid token
Notable features
  • Auth provider integration (anubis, tinyauth, authelia, authentik)
  • Toggle custom locations on/off without deletion
View release on GitHub
2026-02-06-r1 Bug fix

Fixed broken TOTP functionality to restore two-factor authentication capability.

View release on GitHub
2026-02-04-r1 Security relevant
Breaking changes
  • Stream button names changed to start with npmplus_ (API breaking change)
Security fixes
  • CVE-2026-1642 nginx vulnerability
View release on GitHub
2026-01-22-r1 Bug fix

Fixed broken setup initialization and logout functionality to restore account and configuration management.

View release on GitHub
2026-01-20-r2 Bug fix
Breaking changes
  • PowerDNS certificates require full recreation (not renewal)
Notable features
  • Stream TLS upstream option
  • Bot blocking with noindex header
  • OIDC fallback redirect
View release on GitHub
2026-01-17-r2 Bug fix

Fixed bulk host generation to execute sequentially instead of in parallel.

View release on GitHub
2026-01-17-r1 Bug fix

Fixed TOTP authentication and reduced error verbosity in response buffering with dependency updates and documentation improvements.

View release on GitHub
2026-01-16-r2 Bug fix

Updated template version to ensure proper host regeneration when upgrading from previous beta releases.

View release on GitHub
2026-01-16-r1 Breaking risk
Breaking changes
  • License changed to AGPLv3
  • All hosts will be regenerated
  • Let's Encrypt limited to 25 domains per certificate
Notable features
  • OIDC authentication with secure httponly cookies
  • Let's Encrypt short-lived certificates with ACME profile support
  • Local gravatar caching, custom certificate editing, zstd compression
View release on GitHub

Beta — feedback welcome: [email protected]