moonming opened a new issue, #13374: URL: https://github.com/apache/apisix/issues/13374
### Summary

APISIX currently bundles a runtime built on nginx 1.27.1, which is affected by multiple open nginx CVEs — several of which touch subsystems APISIX exercises heavily (rewrite, resolver, HTTP/2 proxy). This issue tracks upgrading the bundled runtime to nginx 1.31.x (via a new OpenResty 1.31-based `apisix-runtime` release).

### Current state

- `apache/apisix` master pins `APISIX_RUNTIME=1.3.5` (see `.requirements`).
- [`apisix-build-tools` `apisix-runtime/1.3.5`](https://github.com/api7/apisix-build-tools/blob/apisix-runtime/1.3.5/build-apisix-runtime.sh) sets `OPENRESTY_VERSION="1.27.1.2"`.
- OpenResty 1.27.1.2 is based on **nginx 1.27.1**.

### Upstream readiness signal

OpenResty's `lua-nginx-module` has just landed nginx 1.31.0 in its CI test matrix:

- Commit: [openresty/lua-nginx-module@02ec8a5](https://github.com/openresty/lua-nginx-module/commit/02ec8a56c41d62ae978ac669756d6bedc6aefd1d) — *"tests: update nginx to 1.31.0."* (2026-05-14)

This indicates the OpenResty ecosystem is moving toward nginx 1.31 compatibility. OpenResty itself has not yet shipped a 1.31-based bundled release (latest tag is `v1.27.1.2`).

### Proposal

1. **Track** OpenResty's 1.31-based release in `api7/apisix-build-tools`.
2. When available, cut a new `apisix-runtime` tag that:
   - Bumps `OPENRESTY_VERSION` to the OpenResty 1.31.x release.
   - Re-verifies `apisix-nginx-module`, `wasm-nginx-module`, and `lua-var-nginx-module` patches still apply cleanly on the 1.31 source tree.
3. Bump `APISIX_RUNTIME` in `apache/apisix` `.requirements` to that new tag and run the full CI matrix.
4. (Optional, interim) If the OpenResty 1.31 bundle is delayed, evaluate cherry-picking the upstream nginx patches (especially for `ngx_http_rewrite_module` and the resolver) into the current `apisix-runtime` patch set.

### Acceptance criteria

- [ ] `apisix-runtime` released with nginx ≥ 1.31.0.
- [ ] `apache/apisix` master upgraded to the new runtime, CI green.
- [ ] Open nginx CVEs no longer reported by image scanners against APISIX official images.

### References

- nginx security advisories: https://nginx.org/en/security_advisories.html
- lua-nginx-module nginx 1.31.0 CI update: https://github.com/openresty/lua-nginx-module/commit/02ec8a56c41d62ae978ac669756d6bedc6aefd1d
- Current pin: [`apache/apisix` `.requirements`](https://github.com/apache/apisix/blob/master/.requirements)
- Current OpenResty version: [`apisix-build-tools` `build-apisix-runtime.sh`](https://github.com/api7/apisix-build-tools/blob/apisix-runtime/1.3.5/build-apisix-runtime.sh)
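
A small gate for the first acceptance criterion, added here as an example and not taken from APISIX or `apisix-build-tools`: it reads the `OPENRESTY_VERSION` pin, derives the nginx core version from its first three components, and compares it against the 1.31.0 floor. The function names and the inline sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample inputs mirroring the two pins quoted in the issue.
REQUIREMENTS_SAMPLE='APISIX_RUNTIME=1.3.5'
BUILD_SCRIPT_SAMPLE='OPENRESTY_VERSION="1.27.1.2"'

pin_value() {
    # $1 = key, $2 = file contents; prints the first KEY=value with quotes stripped
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'[:space:]]*\).*/\1/p" |
        head -n 1
}

nginx_core_of() {
    # OpenResty versions are <nginx core>.<OpenResty release>: 1.27.1.2 -> 1.27.1
    printf '%s\n' "$1" | awk -F. '
        NF >= 3 && $1$2$3 ~ /^[0-9]+$/ { print $1 "." $2 "." $3; ok = 1 }
        END { exit !ok }'
}

version_ge() {
    # Succeeds when dotted version $1 >= $2, compared numerically per component
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

check_nginx_floor() {
    # $1 = build script contents, $2 = minimum nginx version
    # Returns 0 = floor met, 1 = below floor, 2 = pin missing or unparseable
    orv=$(pin_value OPENRESTY_VERSION "$1")
    [ -n "$orv" ] || { echo "no OPENRESTY_VERSION pin found"; return 2; }
    core=$(nginx_core_of "$orv") || { echo "unparseable version: $orv"; return 2; }
    if version_ge "$core" "$2"; then
        echo "PASS nginx $core >= $2 (OpenResty $orv)"
    else
        echo "FAIL nginx $core < $2 (OpenResty $orv)"; return 1
    fi
}

echo "runtime tag: $(pin_value APISIX_RUNTIME "$REQUIREMENTS_SAMPLE")"
check_nginx_floor "$BUILD_SCRIPT_SAMPLE" 1.31.0 || true
```

In CI the two sample strings would be replaced by the contents of `.requirements` and of the build script at the pinned `apisix-runtime` tag.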
