Conversation
Clears 6 CVEs flagged on the ui-server Docker image: Go toolchain (1.26.3): - CVE-2026-39836 (net: panic on NUL byte) - CVE-2026-33814 (net/http2: infinite loop on SETTINGS_MAX_FRAME_SIZE=0) - CVE-2026-33811 (net: double-free in LookupCNAME with cgo resolver) golang.org/x/net v0.54.0 (≥ v0.53.0): - CVE-2026-33814 at the library level curl removed from final runtime stage (kept in builder): - CVE-2026-3805 (SMB use-after-free) - CVE-2026-6276 (cookie leak via stale Host header) - CVE-2026-5773 (SMB connection reuse)
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Alex-Tideman
approved these changes
May 20, 2026
laurakwhit
added a commit
that referenced
this pull request
May 21, 2026
Auto-generated version bump from 2.49.1 to 2.50.0 Bump type: minor Changes included: - [`29832bec`](29832be) Use initiatedEvent for startChildFailed event grouping (#3342) - [`91a01560`](91a0156) rm slash (#3343) - [`2e7b88d0`](2e7b88d) feat: Set Current Version action for worker deployment versions (#3319) - [`b2685f3b`](b2685f3) Add relative path prefix support to routeFor utilities (#3292) - [`9c888c0c`](9c888c0) fix: validate connection modal status, retry button, and copy nits (#3347) - [`38989c48`](38989c4) revert: restore original create worker deployment copy (#3348) - [`90e1fe58`](90e1fe5) Common Errors for Event History (#3306) - [`f479e4e2`](f479e4e) Show current duration for pending timeline events (#3346) - [`65a7ff0d`](65a7ff0) Add refresh button to workers list view (#3349) - [`219cfee4`](219cfee) Fix null conditionals in search attribute filter (#3351) - [`08bd2f01`](08bd2f0) Add support for adding caller Namespace even if it's not in list of allowed Namespace options for Nexus endpoint (#3167) - [`d424a78a`](d424a78) refactor(DT-3906): Add knip (#3350) - [`e828b14f`](e828b14) Remove icon (#3357) - [`252a755c`](252a755) Add Java to list of support versions for worker heartbeats (#3362) - [`0f446c7a`](0f446c7) refactor(DT-3906): Simple Svelte 5 migrations (#3359) - [`63db5b72`](63db5b7) feat(DT-3657): Support shift click for bulk selection in workflow table (#3344) - [`389d57bf`](389d57b) Enable Svelte 5 runes on files not using legacy features (#3363) - [`f4b87e1d`](f4b87e1) Update components/workflow to Svelte 5 syntax (#3361) - [`3e2cce43`](3e2cce4) refactor(DT-3906): More Svelte 5 Migrations (trivial ones) (#3364) - [`15adcd73`](15adcd7) refactor(DT-3906): UI svelte 5 migrate components/events (#3365) - [`031fb867`](031fb86) refactor(DT-3906): Migrate stories to Svelte 5 syntax (#3366) - [`4eac9d2a`](4eac9d2) Scope group hover to tooltip component only (#3379) - [`eeace5c3`](eeace5c) chore: upgrade TypeScript to v6.0.3 (#3371) - [`cb80efdd`](cb80efd) refactor(DT-3906): More trivial migrations (#3367) - [`6cc395bf`](6cc395b) refactor(DT-3906): migrate holocene primitives + layout components to Svelte 5 runes (#3377) - [`40a029ea`](40a029e) refactor(DT-3906): UI Svelte 5 Migrations medium (#3368) - [`7dc29ba6`](7dc29ba) refactor(DT-3906): Delete unused Svelte 4 scaffolding (carved from #3370 - Part 1) (#3372) - [`34a8547e`](34a8547) refactor(DT-3906): Migrate workflow client-action modals to runes (carved from #3370 - Part 4) (#3375) - [`61090d7e`](61090d7) refactor(DT-3906): Migrate schedule view components to runes (carved from #3370 - Part 2) (#3373) - [`988e0479`](988e047) refactor(DT-3906): Migrate filter and input components to runes (carved from #3370 - Part 3) (#3374) - [`d8b78496`](d8b7849) refactor(DT-3906): Migrate workflows-summary table + relationships to runes (carved from #3370 - Part 5) (#3376) - [`ff86c004`](ff86c00) fix(DT-3968): Make Workflow Table Tooltips render in portal (#3383) - [`5e02642a`](5e02642) fix(DT-3967): Visibly toggle the view children button even with a parent has 0 (#3382) - [`1f2b1031`](1f2b103) Remove capability guard from Set Current Version menu item (#3386) - [`0d54dcb4`](0d54dcb) fix: portal maximizable to body to escape stacking context (#3385) - [`abf45438`](abf4543) chore(security): patch Dependabot alerts for axios, protobufjs, fast-uri, uuid, postcss, gomarkdown (#3388) - [`4500f5ea`](4500f5e) Upgrade GitHub actions (#3389) - [`4a8c0c5b`](4a8c0c5) fix(timeline): stabilize child workflow timeline width with scrollbar-gutter (#3329) - [`ead14c61`](ead14c6) Move Create Schedule button to header row (#3390) - [`e8638a2b`](e8638a2) Add top margin (#3392) - [`ef03dfce`](ef03dfc) refactor: replace PayloadDecoder and MetadataDecoder with unified Payload component (#3299) - [`89b9eafa`](89b9eaf) add loading state to payload code block (#3397) - [`ee3ae138`](ee3ae13) Update Schedules search attributes filter (#3396) - [`41fd4f1f`](41fd4f1) DT-3751 - download external payloads (#3345) - [`e4fee0b6`](e4fee0b) Fix codec server request URL (#3400) - [`966b3d0a`](966b3d0) Make input from schedule result actually a string and update tests (#3403) - [`48a014db`](48a014d) feat(history): show Nexus operation name in compact view (#3394) - [`9127c768`](9127c76) Refactor status counts and refresh button (#3402) - [`747ec109`](747ec10) Fix double loader button (#3407) - [`6ae961fc`](6ae961f) Payload rendering and error optimizations (#3401) - [`32c74a48`](32c74a4) add codec server error banner back to workflow layout (#3408) - [`f73c7ec9`](f73c7ec) Nxs operation/kt (#3406) - [`672bb04a`](672bb04) Bump Go 1.26.2→1.26.3, x/net v0.54.0, remove curl from runtime image (#3409) - [`1ee09fe3`](1ee09fe) chore(deps-dev): bump svelte from 5.55.1 to 5.55.7 (#3395) - [`565bb071`](565bb07) VLN-1352: remediate missing-dependency-cooldown (#3398) - [`25794ed8`](25794ed) Bump devalue to 5.8.1 (#3410) - [`b18d0060`](b18d006) Set color-scheme explicitly (#3358) - [`e7995b81`](e7995b8) chore: ensure the empty app.html respects the user's ligh/dark settings (#3353) - [`01d64038`](01d6403) fix: enable external payload download button with namespace level codec endpoint (#3420) - [`4cc44311`](4cc4431) Fix publicPath URL duplication when prefix appears as substring (#3393) Co-authored-by: laurakwhit <15069288+laurakwhit@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What was changed
Bumps Go toolchain and dependencies. Removed
curlfrom final stage.Why?
To clear 6 CVEs flagged against the
temporalio/ui-serverDocker image. None are exploitable in Temporal deployments, but they need to be fixed to avoid vulnerability scanner noise.Go toolchain (1.26.3):
NULbyte)net/http2: infinite loop onSETTINGS_MAX_FRAME_SIZE=0)LookupCNAMEwithcgoresolver)golang.org/x/netv0.54.0 (≥ v0.53.0):curlremoved from final runtime stage (kept in builder):Warning
Customers with custom Kubernetes manifests using
exec-based probes that shell out tocurlinside theui-servercontainer would break. This is not a pattern we document, and the official helm chart uses native Kubernetes probe types. But, it's possible someone does it. These users would need to switch tohttpGet/tcpSocketprobes, or addcurlback via a custom image layer.Additionally, with Alpine 3.23, it only ships
curl8.19.0, so upgradingcurlwithin the current Alpine release was not an option. Removal was the only way to clear the findings without bumping the Alpine major version, and gives us the benefit of reducing future vulnerability scanner noise.