Track and upgrade APISIX runtime to OpenResty / nginx 1.31.x to address open nginx security advisories

### Summary

APISIX currently bundles a runtime built on nginx 1.27.1, which is affected by multiple open nginx CVEs — several of which touch subsystems APISIX exercises heavily (rewrite, resolver, HTTP/2 proxy). This issue tracks upgrading the bundled runtime to nginx 1.31.x (via a new OpenResty 1.31-based `apisix-runtime` release).

### Current state

- `apache/apisix` master pins `APISIX_RUNTIME=1.3.5` (see `.requirements`).
- [`apisix-build-tools` `apisix-runtime/1.3.5`](https://github.com/api7/apisix-build-tools/blob/apisix-runtime/1.3.5/build-apisix-runtime.sh) sets `OPENRESTY_VERSION="1.27.1.2"`.
- OpenResty 1.27.1.2 is based on **nginx 1.27.1**.

### Upstream readiness signal

OpenResty's `lua-nginx-module` has just landed nginx 1.31.0 in its CI test matrix:

- Commit: [openresty/lua-nginx-module@02ec8a5](https://github.com/openresty/lua-nginx-module/commit/02ec8a56c41d62ae978ac669756d6bedc6aefd1d) — *"tests: update nginx to 1.31.0."* (2026-05-14)

This indicates the OpenResty ecosystem is moving toward nginx 1.31 compatibility. OpenResty itself has not yet shipped a 1.31-based bundled release (latest tag is `v1.27.1.2`).

### Proposal

1. **Track** OpenResty's 1.31-based release in `api7/apisix-build-tools`.
2. When available, cut a new `apisix-runtime` tag that:
   - Bumps `OPENRESTY_VERSION` to the OpenResty 1.31.x release.
   - Re-verifies `apisix-nginx-module`, `wasm-nginx-module`, and `lua-var-nginx-module` patches still apply cleanly on the 1.31 source tree.
3. Bump `APISIX_RUNTIME` in `apache/apisix` `.requirements` to that new tag and run the full CI matrix.
4. (Optional, interim) If the OpenResty 1.31 bundle is delayed, evaluate cherry-picking the upstream nginx patches (especially for `ngx_http_rewrite_module` and the resolver) into the current `apisix-runtime` patch set.

### Acceptance criteria

- [ ] `apisix-runtime` released with nginx ≥ 1.31.0.
- [ ] `apache/apisix` master upgraded to the new runtime, CI green.
- [ ] Open nginx CVEs no longer reported by image scanners against APISIX official images.

### References

- nginx security advisories: https://nginx.org/en/security_advisories.html
- lua-nginx-module nginx 1.31.0 CI update: https://github.com/openresty/lua-nginx-module/commit/02ec8a56c41d62ae978ac669756d6bedc6aefd1d
- Current pin: [`apache/apisix` `.requirements`](https://github.com/apache/apisix/blob/master/.requirements)
- Current OpenResty version: [`apisix-build-tools` `build-apisix-runtime.sh`](https://github.com/api7/apisix-build-tools/blob/apisix-runtime/1.3.5/build-apisix-runtime.sh)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Track and upgrade APISIX runtime to OpenResty / nginx 1.31.x to address open nginx security advisories #13374

Summary

Current state

Upstream readiness signal

Proposal

Acceptance criteria

References

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Track and upgrade APISIX runtime to OpenResty / nginx 1.31.x to address open nginx security advisories #13374

Description

Summary

Current state

Upstream readiness signal

Proposal

Acceptance criteria

References

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions