
Bump go.temporal.io/server to v1.31.1 (security patch via OSS server)#1088

Merged: fretz12 merged 1 commit into release/1.7.x from fredtzeng/cli-1.7.2-server-1.31.1 on Jun 10, 2026

Conversation

fretz12 commented Jun 10, 2026


What changed?

Bumps go.temporal.io/server v1.31.0 → v1.31.1.

Transitively picks up the OSS server v1.31.1 security fixes:

  • apache/thrift v0.21.0 → v0.23.0 (CVE-2026-41602 / GHSA-wf45-q9ch-q8gh)
  • golang.org/x/crypto v0.46.0 → v0.52.0 (GO-2026-5005, -5006, -5013, -5017, -5018, -5019, -5020, -5021, -5023 CRITICAL/HIGH)
  • golang.org/x/net v0.48.0 → v0.55.0 (GO-2026-5026 CRITICAL idna + others)
  • Go toolchain 1.26.3 → 1.26.4 (CVE-2026-42504, -42507, -27145, GO-2026-5037/5038/5039 stdlib HIGH)
  • golang.org/x/sys, x/term, x/text, x/sync, x/mod, x/tools bumped transitively to satisfy the above

@fretz12 fretz12 marked this pull request as ready for review June 10, 2026 15:00
@fretz12 fretz12 requested a review from a team as a code owner June 10, 2026 15:00
@fretz12 fretz12 requested a review from chaptersix June 10, 2026 15:00
@fretz12 fretz12 merged commit b89f8f8 into release/1.7.x Jun 10, 2026
14 of 15 checks passed
@fretz12 fretz12 deleted the fredtzeng/cli-1.7.2-server-1.31.1 branch June 10, 2026 15:04
fretz12 added a commit to temporalio/temporal that referenced this pull request on Jun 10, 2026:

## What changed?
Bumps `defaultCliVersion` from `"1.7.1"` to `"1.7.2"` in
`.github/actions/build-docker-images/scripts/main.go`.
This is the version of the `temporal` CLI binary downloaded and bundled
into the admin-tools Docker image at build time.

## Why?
Final step of the OSS server v1.31.1 patch. CLI v1.7.2 was just released
([temporalio/cli#1088](temporalio/cli#1088)) and
bumps `go.temporal.io/server v1.31.0 → v1.31.1`, picking up the v1.31.1
security fixes transitively:

  - `apache/thrift v0.21.0 → v0.23.0` (CVE-2026-41602)
  - `golang.org/x/crypto v0.46.0 → v0.52.0` (GO-2026-5005..5023)
  - `golang.org/x/net v0.48.0 → v0.55.0` (GO-2026-5026, etc.)
  - Go toolchain `1.26.3 → 1.26.4` (stdlib HIGH CVEs)

These findings show up in grype scans of
`temporaliotest/admin-tools:sha-<latest>` because the bundled CLI binary
at v1.7.1 was built before our v1.31.1 cherry-picks. Bumping to v1.7.2
clears them.
## How did you test it?
- [X] built
- [ ] run locally and tested manually
- [X] covered by existing tests
- [ ] added new unit test(s)
- [ ] added new functional test(s)
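The commit message above explains why grype keeps flagging the admin-tools image: the bundled `temporal` CLI at v1.7.1 was built before the v1.31.1 cherry-picks, so the vulnerable module versions are still baked into that binary. The following is an added example, not code from the Temporal project or from either PR: a Go program that reads the build info a Go binary embeds (`debug/buildinfo`, the same data `go version -m` prints and scanners read) and checks the toolchain and the modules named in this PR against their patched minimums. The module paths and minimum versions are taken from the PR text; `github.com/apache/thrift` is assumed to be the module path behind "apache/thrift"; the sample build info is constructed; and the small version comparator is the example's own stand-in for golang.org/x/mod/semver, not a project API.

```go
// Added example, not Temporal project code: read the build info a Go binary
// embeds (what `go version -m` prints) and check it against the PR's fixed versions.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// PatchedMinimums: module path ("go" = toolchain) -> first version with the fix.
var PatchedMinimums = map[string]string{
	"go":                       "go1.26.4",
	"go.temporal.io/server":    "v1.31.1",
	"github.com/apache/thrift": "v0.23.0", // assumed module path for apache/thrift
	"golang.org/x/crypto":      "v0.52.0",
	"golang.org/x/net":         "v0.55.0",
}

// parseVersion reduces "v1.31.1", "go1.26.4" or a pseudo-version such as
// "v0.0.0-20240101000000-abcdef" to major.minor.patch plus a prerelease flag.
func parseVersion(v string) (parts [3]int, prerelease bool, err error) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	core, suffix, _ := strings.Cut(v, "-")
	for i, f := range strings.SplitN(core, ".", 3) {
		if parts[i], err = strconv.Atoi(f); err != nil {
			return parts, false, fmt.Errorf("bad version %q", v)
		}
	}
	return parts, suffix != "", nil
}

// AtLeast reports whether have satisfies want; a prerelease or pseudo-version
// sorts below the release with the same numbers ("v1.31.1-rc1" < "v1.31.1").
func AtLeast(have, want string) (bool, error) {
	h, hp, err1 := parseVersion(have)
	w, wp, err2 := parseVersion(want)
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("cannot compare %q with %q", have, want)
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return !hp || wp, nil
}

// CheckBuildInfo compares toolchain, main module and deps recorded in bi against
// mins; returns path -> recorded version for every module that falls short.
// Modules not linked in are skipped; unparseable versions are reported.
func CheckBuildInfo(bi *debug.BuildInfo, mins map[string]string) map[string]string {
	have := map[string]string{"go": bi.GoVersion, bi.Main.Path: bi.Main.Version}
	for _, d := range bi.Deps {
		if have[d.Path] = d.Version; d.Replace != nil {
			have[d.Path] = d.Replace.Version // a replace directive wins
		}
	}
	short := map[string]string{}
	for mod, want := range mins {
		if v, ok := have[mod]; ok {
			if good, err := AtLeast(v, want); err != nil || !good {
				short[mod] = v
			}
		}
	}
	return short
}

// NewBuildInfo builds a BuildInfo in memory (deps: path -> version).
func NewBuildInfo(goVersion string, deps map[string]string) *debug.BuildInfo {
	bi := &debug.BuildInfo{GoVersion: goVersion}
	for p, v := range deps {
		bi.Deps = append(bi.Deps, &debug.Module{Path: p, Version: v})
	}
	return bi
}

func main() {
	bi := NewBuildInfo("go1.26.3", map[string]string{ // constructed pre-patch sample
		"go.temporal.io/server": "v1.31.0", "github.com/apache/thrift": "v0.21.0",
		"golang.org/x/crypto": "v0.46.0", "golang.org/x/net": "v0.48.0"})
	if len(os.Args) > 1 { // or check a real binary, e.g. the bundled temporal CLI
		var err error
		if bi, err = buildinfo.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	short := CheckBuildInfo(bi, PatchedMinimums)
	for mod, have := range short {
		fmt.Printf("%s: have %s, need >= %s\n", mod, have, PatchedMinimums[mod])
	}
	if len(short) > 0 {
		os.Exit(1) // CI gate: any unpatched module fails the check
	}
}
```

With no argument it checks the constructed pre-patch sample (the versions in the "from" column of the PR) and exits 1; pointed at the `temporal` binary extracted from an admin-tools image it reports only the modules still below the fixed versions, which is the check a build pipeline can run before pushing the image rather than waiting for the next grype scan to fail.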
