Not quite a Bug but it’s not clear what other category it should go in. It is problematic and isn’t a Feature. Possibly Support but I’m fairly sure I know what I’m doing here.
See also: a similar post from 3 years ago, "Dockerfile in official install instructions uses unsupported version of Nginx".
A routine pentest this week found that the version of NGINX that is in use was EOL. It wasn’t possible to exploit it, but it’s been flagged as needing fixing ASAP.
Trying to update Discourse via git pull still hasn’t fixed the issue, because although the Discourse Docker repo is updated, the templates pin the base image as the previous version (discourse/base:2.0.20260109-0020).
Some questions:
- Why was the pinned version of NGINX so old as to be EOL in the first place? Is there a rationale I’m not aware of?
- Why has the new version been chosen as 1.28.1, not 1.29.4 (latest as at 2026.01.27) - again is there a rationale?
Generally Discourse seems to be quite keen on keeping all users on a recent version (seems sensible), i.e. what was tests-passed.
How do I get NGINX updated (ideally without local hackarounds)?