diff --git a/CHANGELOG.md b/CHANGELOG.md index bd88e48..1d610ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -54,3 +54,10 @@ date: 29 June 2021 source: **mainline/alpine/** --- +## mainline/alpine 1.21.5 + +date: 13 January 2022 + +source: **mainline/alpine/** + +--- diff --git a/pipeline/pipe-resource.yaml b/pipeline/pipe-resource.yaml index 7bb36ad..9a86f1b 100644 --- a/pipeline/pipe-resource.yaml +++ b/pipeline/pipe-resource.yaml @@ -7,7 +7,7 @@ spec: type: image params: - name: url - value: termas.librecloud.online/termas_librecloud/nginx:1.21.0 + value: termas.librecloud.online/termas_librecloud/nginx:1.21.5 --- apiVersion: tekton.dev/v1alpha1 kind: PipelineResource diff --git a/repo-config.yaml b/repo-config.yaml index f4e425a..ffe93f7 100644 --- a/repo-config.yaml +++ b/repo-config.yaml @@ -1,4 +1,3 @@ - Active: true # Active: false # to not follow up webhook workflow @@ -8,7 +7,7 @@ Source: docker-nginx/mainline/alpine # Name - Version, etc Name: nginx -Version: 1.21.0 +Version: 1.21.5 # To get latest IMAGE_NAME: nginx diff --git a/src/Dockerfile b/src/Dockerfile index 437942a..0016c13 100644 --- a/src/Dockerfile +++ b/src/Dockerfile @@ -3,20 +3,18 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -FROM alpine:3.13 +FROM alpine:3.15 LABEL maintainer="NGINX Docker Maintainers " -ENV NGINX_VERSION 1.21.0 -ENV NJS_VERSION 0.5.3 +ENV NGINX_VERSION 1.21.5 +ENV NJS_VERSION 0.7.1 ENV PKG_RELEASE 1 RUN set -x \ # create nginx user/group first, to be consistent throughout docker variants && addgroup -g 101 -S nginx \ && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \ - && addgroup -g 82 -S www-data \ - && adduser -S -D -H -u 82 -h /var/cache/nginx -s /sbin/nologin -G www-data -g www-data www-data \ && apkArch="$(cat /etc/apk/arch)" \ && nginxPackages=" \ nginx=${NGINX_VERSION}-r${PKG_RELEASE} \ 
@@ -25,11 +23,14 @@ RUN set -x \
 nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \
 nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \
 " \
+# install prerequisites for public key and pkg-oss checks
+ && apk add --no-cache --virtual .checksum-deps \
+ openssl \
 && case "$apkArch" in \
 x86_64|aarch64) \
 # arches officially built by upstream
 set -x \
- && KEY_SHA512="e7fa8303923d9b95db37a77ad46c68fd4755ff935d0a534d26eba83de193c76166c68bfe7f65471bf8881004ef4aa6df3e34689c305662750c0172fca5d8552a *stdin" \
+ && KEY_SHA512="e7fa8303923d9b95db37a77ad46c68fd4755ff935d0a534d26eba83de193c76166c68bfe7f65471bf8881004ef4aa6df3e34689c305662750c0172fca5d8552a *stdin" \
 && apk add --no-cache --virtual .cert-deps \
 openssl \
 && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
@@ -62,16 +63,22 @@ RUN set -x \
 geoip-dev \
 perl-dev \
 libedit-dev \
- mercurial \
 bash \
 alpine-sdk \
 findutils \
 && su nobody -s /bin/sh -c " \
 export HOME=${tempDir} \
 && cd ${tempDir} \
- && hg clone https://hg.nginx.org/pkg-oss \
- && cd pkg-oss \
- && hg up ${NGINX_VERSION}-${PKG_RELEASE} \
+ && curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
+ && PKGOSSCHECKSUM=\"b0ed109a820a2e8921f313d653032b8e70d3020138d634039ebb9194dc3968493f6eb4d85bdbf18d2aea7229deddb98ca0f1d9825defcc5af45f68ee37845232 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
+ && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
+ echo \"pkg-oss tarball checksum verification succeeded!\"; \
+ else \
+ echo \"pkg-oss tarball checksum verification failed!\"; \
+ exit 1; \
+ fi \
+ && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
+ && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
 && cd alpine \
 && make all \
 && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
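Review bot: The new `.checksum-deps` virtual package installs `openssl` ahead of the `case`, yet the `x86_64|aarch64` branch a few lines below still installs `openssl` again as `.cert-deps`, so the same tool is now tracked under two virtual names. Since the added comment says this package covers both the public key and the pkg-oss checks, the `.cert-deps` install (and its matching removal, which is presumably outside this hunk) could be dropped so that one place decides when the hashing tool leaves the image. The added comment could also say where the package goes away, e.g. `# openssl is needed on both arch paths for the SHA-512 checks; removed after esac`. The enclosing `RUN` starts and ends outside the hunk.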
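Review bot: The `PKGOSSCHECKSUM` literal is tied to `NGINX_VERSION` and `PKG_RELEASE`, which are set in `ENV` lines at the top of the file, and nothing next to it says so. A version bump that forgets the hash fails closed, which is the right outcome, but the cause will not be obvious from the build log. A comment above the `curl` line such as `# SHA-512 of pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz; regenerate on every version bump` would help, added in the generator template since the file header asks not to edit this file directly. `curl` is also absent from the visible part of the build-dependency list, so it appears to arrive transitively; naming it explicitly would keep the download step from depending on another package's dependency set. The `su nobody -s /bin/sh -c` block and the enclosing `RUN` continue outside the hunk.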
@@ -82,6 +89,8 @@ RUN set -x \
 && apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages \
 ;; \
 esac \
+# remove checksum deps
+ && apk del .checksum-deps \
 # if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
 && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
 && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \