LoginSign Up
← Back to all sparks
C

Coolify

DEVOPS
Velocity2.5

Coolify is in a sustained security-hardening run while the v4 beta inches forward.

self-hosted-paassecurity-hardeningdocker-deploymentopen-sourcebeta-releasesmulti-tenancy
Current state
Coolify is releasing roughly weekly beta builds dominated by security and reliability work: mass-assignment protection, query scoping, input validation, encrypted webhook secrets, accidental-prune protection. Each release also slips in small bug fixes and the occasional new service template. The same release is published across two feeds, so duplicates are common in the changelog.
Where it's heading
The product is hardening for production self-hosted use rather than expanding feature surface. Several recent fixes — team-scoped queries, locked properties, encryption for secrets — are the kind of multi-tenant defenses that matter when self-hosted PaaS instances start hosting more than one team's workloads. The v4 beta is converging toward stable, but security debt is still being paid down before that happens.
Prediction
Expect a v4 GA cut once the security backlog drains and the new-template flow stabilizes, plus an explicit audit/security advisory listing the hardening work. New service templates will continue to drip in opportunistically.

Recent moves

  1. 2mo ago

    Beta 474: data-loss guard for pruned containers, encrypted webhook secrets

    v4.0.0-beta.474 prevents data loss when persistent containers are pruned, encrypts manual webhook secrets, and fixes S3 backup endpoints under the API. The persistent-container fix in particular addresses a long-standing footgun in self-hosted deployments.

  2. 2mo ago

    Beta 474 (duplicate publish)

    Cross-feed duplicate of beta.474 — same release published a few hours apart. No additional content.

    View source ↗
  3. 2mo ago

    Beta 473: upgrade modal + Git source cleanup fixes

    Beta.473 is a small fixup release: upgrade modal showing correct version, safe cleanup of team-owned Git app sources on user deletion. Cleanup work, not new capability.

  4. 2mo ago

    Beta 473 (duplicate publish)

    Cross-feed duplicate of beta.473 from the same day. No additional content.

    View source ↗
  5. 2mo ago

    Beta 472: Alpine/Alexandrie patches, quoted Docker args, new templates

    Beta.472 ships Alpine and Alexandrie image patches for an upstream advisory, plus quoted-args support in custom Docker run options and a few new service templates. Steady security maintenance with a small ergonomic win for Docker users.

  6. 2mo ago

    Beta 471: multi-issue security hardening sweep

    Beta.471 is a broad multi-issue security sweep: mass-assignment hardening, team-scoped queries, locked component properties, Docker network name validation, URL escaping. The volume of changes signals a coordinated audit pass rather than ad-hoc fixes.