
Bump dependencies to address CVEs (v1.5.x)#953

Merged
chaptersix merged 1 commit into temporalio:release/v1.5.x from chaptersix:security/v1.5.1
Feb 25, 2026

Conversation

@chaptersix
Contributor

@chaptersix chaptersix commented Feb 25, 2026

Summary

Bumps Go module dependencies to address known CVEs found via govulncheck on the v1.5.x release branch.

Bumped

| Module | Previous | Updated | CVEs Addressed |
| --- | --- | --- | --- |
| Go toolchain | 1.25.0 | 1.25.7 | GO-2026-4341 (net/url), GO-2026-4340 (crypto/tls), GO-2026-4337 (crypto/tls), GO-2025-4175 (crypto/x509), GO-2025-4155 (crypto/x509) |
| go.temporal.io/server | v1.29.1 | v1.29.2 | GO-2026-4273 (incorrect authorization), GO-2025-4272 (namespace policy bypass) |
| golang.org/x/crypto | v0.38.0 | v0.45.0 | Transitive (required by server v1.29.2) |
| golang.org/x/net | v0.40.0 | v0.47.0 | Transitive (required by server v1.29.2) |
| golang.org/x/sync | v0.14.0 | v0.18.0 | Transitive |
| golang.org/x/sys | v0.33.0 | v0.38.0 | Transitive |
| golang.org/x/term | v0.32.0 | v0.37.0 | Transitive |
| golang.org/x/text | v0.25.0 | v0.31.0 | Transitive |

Not bumped (with rationale)

| Module | CVE | Reason |
| --- | --- | --- |
| go.opentelemetry.io/otel/sdk v1.35.0 | GO-2026-4394 (PATH hijacking, CVSS 7.0 High) | Fix requires v1.40.0 which introduces breaking Prometheus behavioral changes. Same rationale as temporalio/temporal#9400. |

Test plan

  • govulncheck ./... shows only the intentionally skipped otel vuln
  • go build ./cmd/temporal succeeds
  • go test ./... passes

Bump Go toolchain to 1.25.7 and update module dependencies to fix
known vulnerabilities found via govulncheck:

- go.temporal.io/server v1.29.1 -> v1.29.2 (GO-2026-4273, GO-2025-4272)
- golang.org/x/crypto v0.38.0 -> v0.45.0
- golang.org/x/net v0.40.0 -> v0.47.0
- golang.org/x/sync v0.14.0 -> v0.18.0
- golang.org/x/sys v0.33.0 -> v0.38.0
- golang.org/x/term v0.32.0 -> v0.37.0
- golang.org/x/text v0.25.0 -> v0.31.0

otel/sdk (GO-2026-4394) intentionally not bumped; fix requires v1.40.0
with breaking Prometheus changes and the vuln is macOS-only requiring
local filesystem access.
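The test plan's first check ("govulncheck shows only the intentionally skipped otel vuln") is easy to eyeball once and hard to keep honest on a release branch. The gate below is an added example, not code from this PR or the Temporal project: it decodes the streaming output of `govulncheck -json` (message and field names assumed from that tool's JSON format), ignores everything but `finding` messages, and returns every OSV ID that is not on the accepted allowlist, so CI can fail on a non-empty result. The sample stream is constructed to resemble the branch before the server bump.

```go
package main

import (
	"encoding/json"
	"io"
	"sort"
)

// One message from the `govulncheck -json` stream; only "finding" messages
// carry a vulnerability (field name assumed from the tool's JSON format).
type message struct {
	Finding *struct {
		OSV string `json:"osv"`
	} `json:"finding"`
}

// UnexpectedVulns decodes a govulncheck -json stream and returns the sorted,
// deduplicated OSV IDs of findings that are not on the accepted allowlist.
func UnexpectedVulns(r io.Reader, allow map[string]bool) ([]string, error) {
	dec, seen := json.NewDecoder(r), map[string]bool{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Finding != nil && !allow[m.Finding.OSV] {
			seen[m.Finding.OSV] = true
		}
	}
	ids := make([]string, 0, len(seen))
	for id := range seen {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids, nil
}

// Accepted lists the PR's intentionally skipped vulnerability.
var Accepted = map[string]bool{"GO-2026-4394": true}

// SampleOutput is a constructed govulncheck -json excerpt: a non-finding message,
// the accepted otel finding (once per call site) and a server finding the bump removes.
const SampleOutput = `{"config":{"scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2026-4394","fixed_version":"v1.40.0","trace":[{"module":"go.opentelemetry.io/otel/sdk"}]}}
{"finding":{"osv":"GO-2026-4394","fixed_version":"v1.40.0","trace":[{"module":"go.opentelemetry.io/otel/sdk"}]}}
{"finding":{"osv":"GO-2026-4273","fixed_version":"v1.29.2","trace":[{"module":"go.temporal.io/server"}]}}
`
```

In a pipeline, pipe `govulncheck -json ./...` into `UnexpectedVulns` and exit non-zero when the slice is non-empty; keeping the allowlist in the repo makes the otel exception reviewable rather than implicit.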
@chaptersix
Contributor Author

Will open another PR with the patched server version so the admin tools get a version with as many patched CVEs as possible.

@chaptersix chaptersix marked this pull request as ready for review February 25, 2026 21:49
@chaptersix chaptersix requested review from a team as code owners February 25, 2026 21:49
@chaptersix chaptersix merged commit 22f258a into temporalio:release/v1.5.x Feb 25, 2026
6 of 7 checks passed