# Upstream sources — cryptpad

| service | image | source repo | releases / changelog |
|---------|-------|-------------|----------------------|
| app     | cryptpad/cryptpad | https://github.com/cryptpad/cryptpad | https://github.com/cryptpad/cryptpad/releases |
| web     | nginx             | https://github.com/nginx/nginx       | https://nginx.org/en/CHANGES |

## Standing notes
- `abra recipe upgrade` cannot parse the `version-YYYY.M.D` tag format of the cryptpad/cryptpad image,
  so the app image is bumped by hand; the nginx sidecar is what `abra recipe upgrade` actually moves.
- nginx is HTTP/1.1-only here (sidecar on :8083, `proxy_http_version 1.1`), so HTTP/2/3 CVE changes in
  nginx releases generally don't affect this recipe — but still note them.