What Changed since the last release
- breaking: always remove Strict-Transport-Security header if not enabled in NPMplus
- nginx: update to 1.31.3 to fix new CVEs
- UI: add host grouping to all host types (via advanced tab) #3519
- UI: merge NginxProxyManager#5681
- UI: allow final "allow all" access rules
- initial startup: change default of APPSEC_DROP_UNREADABLE_BODY in initial crowdsec config file to false since it break DELETE requests with an empty body
- update list of hidden headers (https://raw.githubusercontent.com/OWASP/www-project-secure-headers/refs/heads/master/ci/headers_remove.json)
- dep updates
Image tags:
docker.io/zoeyvid/npmplus:2026-07-15-r1(fixed to this release)ghcr.io/zoeyvid/npmplus:2026-07-15-r1(fixed to this release)docker.io/zoeyvid/npmplus:latest(latest stable)ghcr.io/zoeyvid/npmplus:latest(latest stable)docker.io/zoeyvid/npmplus:beta(latest beta/stable)ghcr.io/zoeyvid/npmplus:beta(latest beta/stable)
Full Changelog: 2026-06-25-r1...2026-07-15-r1