Skip to content
Deprecations

Deprecation Schedule

Deprecated and removed features in Drydock, with removal versions and migration guidance.

This page lists every deprecated feature, the version it will be removed in, and how to migrate. Until removal, deprecated features continue to work. Detection methods and warning behavior vary by feature; check the applicable Detection row and the detection summary.

Features listed under a removal version will stop working in that release. Migrate before upgrading.

Removal in v1.5.0

Legacy aggregate container stats endpoint

GET /api/v1/containers/stats was removed when fleet-level stats moved to the dedicated stats API. Current releases catch the old path and return 410 Gone with migration targets instead of treating stats as a container id.

Deprecated sincev1.5.0-rc.17
Removed sincev1.5.0-rc.17
Compatibility response sincev1.5.0-rc.34
MigrationUse GET /api/v1/stats/summary or GET /api/v1/stats/summary/stream for aggregate stats; use GET /api/v1/containers/:id/stats for one container

Implicit wildcard CORS origin

Older drydock releases allowed DD_SERVER_CORS_ENABLED=true without DD_SERVER_CORS_ORIGIN and treated it like * (all origins). Since v1.5.0-rc.9, drydock fails closed instead: startup throws an error and the server does not start.

Deprecated sincev1.4.0
Removed sincev1.5.0-rc.9
MigrationSet DD_SERVER_CORS_ORIGIN to your trusted origin(s), e.g. DD_SERVER_CORS_ORIGIN=https://drydock.example.com

v1.6.0 removals and deferrals

Unversioned API paths (/api/*)

The unversioned /api/* path was a backward-compatible alias for /api/v1/*. As of v1.6.0, /api/* requests return 410 Gone with a JSON body pointing at the /api/v1/ equivalent, except the four whitelisted wud-card compatibility endpoints — those keep working at /api/* when DD_COMPAT_WUDCARD=true, served by their own router rather than by falling through to the removed alias, so they're unaffected by this removal (three return WUD's bare-array response shape instead of drydock's envelope; the fourth passes through unmodified). Two standalone auth aliases are unaffected for the same reason, unconditionally: GET /api/auth/methods (registered directly on the app, removed on its own v1.7.0 timeline) and GET /api/auth/status (also registered directly on the app, a permanent compatibility alias for GET /api/v1/auth/status with no removal scheduled).

Deprecated sincev1.4.0
Removed sincev1.6.0
MigrationReplace /api/ with /api/v1/ in all integrations. If you depend on wud-card or Homepage's whatsupdocker widget and can't change their base path, set DD_COMPAT_WUDCARD=true

Legacy WUD_* environment variables

WUD_* prefixed environment variables are ignored as of v1.6.0. Only DD_* variables are loaded at runtime; the migration CLI still recognizes old names so it can rewrite existing files.

Deprecated sincev1.4.0
Removed sincev1.6.0
MigrationRename all WUD_* vars to DD_*. Run node dist/index.js config migrate --dry-run to preview changes

Legacy wud.* container labels

wud.* prefixed Docker labels are ignored as of v1.6.0. Only dd.* labels affect container discovery, display, grouping, hooks, rollback, webhooks, and trigger behavior.

Deprecated sincev1.4.0
Removed sincev1.6.0
MigrationRename all wud.* labels to dd.* in your compose files. Run node dist/index.js config migrate --file /path/to/compose.yml

Legacy template variable aliases

Simple template aliases (id, name, watcher, kind, semver, local, remote, link) and the batch alias count are no longer supplied to templates.

Deprecated sincev1.4.0
Removed sincev1.6.0
MigrationReplace with container.* equivalents: idcontainer.id, namecontainer.name, countcontainers.length, etc. See Trigger templates

PUT /api/settings

The PUT method on /api/settings is a compatibility alias for PATCH. Responses include Deprecation and Sunset HTTP headers.

Deprecated sincev1.4.0
RemovalDeferred to API v2 — /api/v1 is frozen, so the method cannot be dropped from the versioned surface; the Sunset header advertises the earliest retirement instant
DetectionLog warning on each PUT request; Deprecation and Sunset response headers
MigrationChange PUT /api/settings to PATCH /api/settings

HTTP OIDC discovery URLs

OIDC providers configured with http:// discovery URLs are rejected. Identity Providers must serve discovery over HTTPS.

Deprecated sincev1.4.0
Removed sincev1.6.0
MigrationUpdate your IdP discovery URL to use https://. If your IdP uses a self-signed certificate, set DD_AUTH_OIDC_{name}_INSECURE=true

Legacy password hash formats

SHA-1, APR1/MD5 (Apache), crypt, and plain-text password hashes are rejected. Basic authentication accepts only the documented argon2id hash format.

Deprecated sincev1.4.0
Removed sincev1.6.0
MigrationRegenerate your password hash with argon2id. See Basic authentication

Kafka clientId configuration key

The camelCase clientId key is rejected by Kafka trigger validation.

Deprecated sincev1.4.5
Removed sincev1.6.0
MigrationRename clientId to clientid (lowercase) in your Kafka trigger configuration

DD_WATCHER_*_WATCHDIGEST environment variable

Per-watcher digest watching via environment variable has been removed.

Deprecated sincev1.4.0
Removed sincev1.6.0
MigrationUse the dd.watch.digest=true label on individual containers instead

DD_WATCHER_*_WATCHATSTART environment variable

Watching at startup is always scheduled. WATCHATSTART is no longer part of watcher configuration, including the former false suppression behavior.

Deprecated sincev1.4.0
Removed sincev1.6.0
MigrationRemove the variable from your configuration. If you need to delay the first scan, use DD_WATCHER_{name}_CRON to control the schedule instead

Token-only Hub/DHI PUBLIC_TOKEN configuration

Hub/DHI public instances that provide PUBLIC_TOKEN without the matching PUBLIC_LOGIN are rejected instead of silently falling back to anonymous access. The TOKEN key itself remains supported as part of a complete LOGIN+TOKEN pair.

Deprecated sincev1.4.0
Removed sincev1.6.0
MigrationAdd the matching login and use LOGIN+TOKEN, use LOGIN+PASSWORD, use AUTH, or remove credentials for intentional anonymous access

Removal in v1.7.0

curl in Docker image

The official Docker image keeps curl available in v1.5.x and v1.6.x for backward compatibility with custom healthcheck overrides. The default built-in HEALTHCHECK uses the lightweight static binary (/bin/healthcheck) instead.

Deprecated sincev1.5.0
DetectionUI deprecation banner when Drydock can inspect its own container via the local Docker socket; otherwise manual config review
MigrationCustom curl-based healthcheck overrides remain supported in v1.5.x. v1.6.0 is the final warning release. Removal is scheduled for v1.7.0. Prefer the built-in image healthcheck, or switch custom intervals to test: /bin/healthcheck ${DD_SERVER_PORT:-3000}. See Monitoring

DD_TRIGGER_* environment variable prefix

The DD_TRIGGER_* prefix is being replaced by semantic prefixes that distinguish action triggers from notification triggers.

Deprecated sincev1.5.0
DetectionError-level startup log for every legacy key; Prometheus counter dd_legacy_input_total; UI deprecation banner
MigrationRename DD_TRIGGER_* to DD_ACTION_* (for Docker/Compose/Command triggers) or DD_NOTIFICATION_* (for Slack/email/Pushover/etc.). Run node dist/index.js config migrate --source trigger to auto-rewrite. See Triggers

dd.trigger.include / dd.trigger.exclude container labels

These labels are being replaced by semantic equivalents.

Deprecated sincev1.5.0
DetectionError-level log during container initialization
MigrationReplace dd.trigger.include with dd.action.include or dd.notification.include. Replace dd.trigger.exclude with dd.action.exclude or dd.notification.exclude

A legacy label applies to both trigger categories, but only as a fallback: for a given category it is consulted only when that category's own scoped label is absent from the container. It is never merged with a scoped label that is present. So dd.action.include=docker plus dd.trigger.include=slack filters action triggers by docker and notification triggers by slack.

Manual updates bypass dd.action.include / dd.action.exclude

In v1.5.x, the trigger-not-included and trigger-excluded eligibility reasons are soft blockers: the UI shows a Trigger filtered / Trigger excluded pill, but clicking the per-row Update button still queues the update after a confirmation step. In v1.7.0 these reasons become hard blockers and the Update button is locked when the labels filter out the action trigger.

Deprecated sincev1.5.0
DetectionUI eligibility pill on container row; confirmation modal warning
MigrationIf you rely on manual updates bypassing an action trigger's include/exclude filter, either (a) remove the dd.action.exclude / dd.trigger.exclude label, (b) add the trigger to the container's dd.action.include / dd.trigger.include list, or (c) configure a separate action trigger that the labels permit. The eligibility pill on the row identifies the exact trigger / label combination in conflict

Unversioned GET /api/auth/methods alias

GET /api/auth/methods is a legacy, unversioned auth-discovery alias kept unauthenticated so the login screen can render before a session exists. It's registered directly on the app, ahead of the /api mounts, so it survived the /api/* path removal in v1.6.0 and keeps working on its own separate v1.7.0 timeline.

Deprecated sincev1.6.0
DetectionLog warning on each request plus RFC 9745 Deprecation and RFC 8594 Sunset response headers
MigrationReplace GET /api/auth/methods with GET /api/v1/auth/status

Agent-less Home Assistant MQTT topic layout (multi-agent)

The current Home Assistant MQTT topic layout (<topic>/<watcher>/<container> and the watcher-level sensor topics) has no agent segment. In a multi-agent deployment where the controller and one or more agents all use the default watcher name local, two containers with the same name on different agents publish to — and overwrite — the same MQTT topic, and watcher-level sensor counts sum across all agents.

Deprecated sincev1.5.0
Default flips inv1.7.0
DetectionManual — affects multi-agent Home Assistant MQTT deployments where more than one node uses the default watcher name local
MigrationSet DD_NOTIFICATION_MQTT_<name>_HASS_AGENTTOPICSEGMENT=true and re-point any affected Home Assistant references before v1.7.0 makes it the default. See MQTT trigger

Removal in v1.8.0

Legacy auth strategies response shape

GET /auth/strategies returns the older { strategies, warnings } response shape. The canonical replacement, GET /api/v1/auth/status (also available at /api/auth/status and /auth/status), returns { providers, errors } — the same provider list plus structured startup registration errors. Its unversioned alias, GET /api/auth/methods, is removed outright in v1.7.0 (see above), ahead of this response-shape migration deadline.

Deprecated sincev1.6.0
DetectionLog warning on each request plus RFC 9745 Deprecation and RFC 8594 Sunset response headers
MigrationRead providers/errors from GET /api/v1/auth/status instead of strategies/warnings from GET /auth/strategies

Enforced security changes (no deprecation window)

These behaviors were removed immediately rather than going through a grace period, because the deprecated behavior was itself the vulnerability. They're listed here for upgrade visibility, not because they're still active.

Implicit reverse-proxy header trust for CSRF origin checks

Removed sincev1.5.0-rc.30
MigrationSet DD_SERVER_TRUSTPROXY to the number of proxy hops in front of Drydock (e.g. 1) if you terminate TLS at a reverse proxy. See the FAQ

Command trigger process-environment inheritance

Removed sincev1.5.0-rc.35
MigrationScripts that need additional variables from the drydock process name them explicitly with DD_ACTION_COMMAND_{name}_ENV (comma-separated). See Command trigger

HTTP trigger requests to cloud metadata endpoints

Removed sincev1.5.0-rc.35
MigrationA deployment that genuinely needs a link-local target sets DD_NOTIFICATION_HTTP_{name}_ALLOWMETADATA=true on that trigger. See HTTP trigger

Detection summary

Drydock provides multiple channels for discovering deprecated feature usage:

ChannelCovers
Startup log warningsAll runtime-detectable deprecations
UI deprecation bannersActive v1.7 trigger-prefix inputs
Prometheus countersdd_legacy_input_total{source,key} for active trigger-prefix inputs, API tombstones, and historical observations
HTTP response headersDeprecation and Sunset on PUT /api/settings, GET /api/auth/methods, and GET /auth/strategies
Migration CLInode dist/index.js config migrate --dry-run previews all env var and label renames