diff --git a/config/docker/gitea/docker-compose.yml b/config/docker/gitea/docker-compose.yml
index 6d1f27f..8d74784 100644
--- a/config/docker/gitea/docker-compose.yml
+++ b/config/docker/gitea/docker-compose.yml
@@ -14,7 +14,7 @@ networks:
 
 services:
   server:
-    image: gitea/gitea:latest
+    image: gitea/gitea:1.24
     container_name: gitea
     environment:
       - USER_UID=1000
diff --git a/config/docker/jellyfin/docker-compose.yml b/config/docker/jellyfin/docker-compose.yml
index 4ef803c..8457a31 100644
--- a/config/docker/jellyfin/docker-compose.yml
+++ b/config/docker/jellyfin/docker-compose.yml
@@ -11,7 +11,7 @@
 
 services:
   jellyfin:
-    image: jellyfin/jellyfin:latest
+    image: jellyfin/jellyfin:10.11.6
     container_name: jellyfin
     restart: unless-stopped
 
diff --git a/config/docker/nextcloud/docker-compose.yml b/config/docker/nextcloud/docker-compose.yml
index edb32be..8eb946d 100644
--- a/config/docker/nextcloud/docker-compose.yml
+++ b/config/docker/nextcloud/docker-compose.yml
@@ -31,7 +31,7 @@ services:
       - nextcloud
 
   nextcloud-app:
-    image: nextcloud:29
+    image: nextcloud:32
     restart: unless-stopped
     container_name: nextcloud-app
     ports:
diff --git a/config/docker/portainer/docker-compose.yml b/config/docker/portainer/docker-compose.yml
index 84cb923..9e0c172 100644
--- a/config/docker/portainer/docker-compose.yml
+++ b/config/docker/portainer/docker-compose.yml
@@ -9,7 +9,7 @@
 
 services:
   portainer:
-    image: portainer/portainer-ce:latest
+    image: portainer/portainer-ce:2.39.0
     container_name: portainer
     restart: unless-stopped
 
@@ -38,13 +38,7 @@ services:
           cpus: '0.1'
           memory: 128M
 
-    # Health check
-    healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:9000/api/status"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 30s
+    # No healthcheck — Portainer is distroless (no shell available)
 
 volumes:
   portainer_data:
diff --git a/config/docker/qbittorrent/docker-compose.yml b/config/docker/qbittorrent/docker-compose.yml
index 022d176..ca57012 100644
--- a/config/docker/qbittorrent/docker-compose.yml
+++ b/config/docker/qbittorrent/docker-compose.yml
@@ -11,7 +11,7 @@
 
 services:
   qbittorrent:
-    image: linuxserver/qbittorrent:latest
+    image: linuxserver/qbittorrent:5.1.4
     container_name: qbittorrent
     restart: unless-stopped
 
@@ -23,7 +23,7 @@ services:
       - WEBUI_PORT=8080
 
     # Security hardening
-    user: "1000:1000"
+    # NOTE: No user: directive — linuxserver uses s6-overlay (starts as root, drops to PUID/PGID)
     read_only: false  # qBittorrent needs write access for downloads
     tmpfs:
       - /tmp:noexec,nosuid,size=100m