What's Changed since last release
- fix #2795 by patching openappsec attachment to use zlib-ng
What's Changed in last release
- This fixes a security issue related to TOTP (upstream is no affected): In release 2026-02-19-r1 (and all betas after this release) a logged-in user with a valid session can disable TOTP or regenerate Backup codes for themselves without reentering a valid TOTP code or a backup code, if the entered token was not 6 or 8 chars long, this is only possible by directly talking to the API, the frontend blocks this
- Make sure to create a backup first
- Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
- Disable Request/Response Buffering: This was split in two buttons
- Send noindex header and block some user agents
- Enable fancyindex/compression by upstream: This was split in two buttons
- HTTP/3 Support
- (this also effects the undocumented API)
- This release will regenerate all your hosts
- The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
- remove support for setting the database config using a config file
- Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
- The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
- Custom locations can now be turned on and off in the UI without deleting them
- the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
- the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
- A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
- Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
- basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
- setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
- streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
- the referrer-policy sent by and upstream will not be overridden anymore
- use zlib-ng instead of zlib
- use quickjs-ng-dev instead of the njs inbuilt engine
- fix #2704
- fix #2652, this does not apply to existing custom certs
- fix upload of custom certificates
- contrast of selected text in the WebUI in dark mode has been improved
- merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
- dep updates and pin more deps (github actions)
- the NGINX_WORKER_CONNECTIONS env was re-added
- https is now forced for the npmplus and goaccess ui in the full chain
- fix: #2698, plex is now working on samsung tizen TVs (change ssl_ciphers)
- set client_max_body_size to 1mb for npmplus itself and goaccess, same of fileuploads in express
- the download button is now hidden for custom certs since it was never supported
- use strict cookies if possible
- add rate-limiting to token and oidc endpoints
- improve "upload-object" validation of custom certs
Image tags:
docker.io/zoeyvid/npmplus:2026-02-19-r2(fixed to this release)ghcr.io/zoeyvid/npmplus:2026-02-19-r2(fixed to this release)docker.io/zoeyvid/npmplus:latest(latest stable)ghcr.io/zoeyvid/npmplus:latest(latest stable)docker.io/zoeyvid/npmplus:beta(latest beta/stable)ghcr.io/zoeyvid/npmplus:beta(latest beta/stable)
Full Changelog: 2026-02-19-r1...2026-02-19-r2