# Upstream sources — custom-html

| service | image | source repo | releases / changelog |
|---------|-------|-------------|----------------------|
| app | nginx | https://github.com/nginx/nginx | https://nginx.org/en/CHANGES |
| git | alpine/git | https://github.com/alpine-docker/git | https://hub.docker.com/r/alpine/git/tags |

## Standing notes
- nginx even-numbered minor versions (1.28.x, 1.30.x) are mainline; odd (1.27.x, 1.29.x) are stable. The recipe tracks mainline.
- compose.git-pull.yml is an optional overlay for git-pull functionality; alpine/git version lives there.
- compose.sftp.yml and compose.sso.yml are other optional overlays; linuxserver/openssh-server uses `latest` tag and is not version-pinned.
- Breaking change in nginx 1.31.0: HTTP/2 and HTTP/3 requests with Connection/Proxy-Connection/Keep-Alive/Transfer-Encoding/Upgrade/TE headers are now rejected.
- Breaking change in nginx 1.29.7: keepalive in upstream block is enabled by default; proxy_http_version changed to 1.1; Connection proxy header no longer sent by default.
- nginx 1.31.2 (17 Jun 2026) is a security patch release: CVE-2026-42530 (HTTP/3 QUIC use-after-free), CVE-2026-42055 (heap buffer overflow with ignore_invalid_headers off + large_client_header_buffers + HTTP/2/gRPC backend), CVE-2026-48142 (charset_map UTF-8 heap overread). No breaking changes for static-file-serving use case.
- alpine/git is a thin Docker wrapper around git (no formal release notes; version tracks bundled git). Source repo: alpine-docker/git (NOT alpine-git/alpine-git).