Closed
Description
The version of the Rust SDK in the most recent release includes a version of the zip crate affected by CVE-2025-29787.
While I don't suspect from an application-usage perspective that the temporal core sdk is extracting untrusted zip files, automated vulnerability scanning tools still pick up on the vulnerable version and prompt us to respond in some form.
Current master of this repository already has the core SDK bumped to a version that is not vulnerable; there just hasn't been a release uploaded to PyPI since it was patched. The zip patch was included with #802, I think, just as a side-effect of the other work done in that change.
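A scanner flags this kind of issue from the lockfile, not from how the crate is used, so the practical check is to read the pinned versions out of the `Cargo.lock` that ships with (or is vendored into) the release artifact. The following is an added example, not code from this repository or from the Temporal SDKs: it parses the `[[package]]` tables of a Cargo.lock and reports any `zip` entry older than the assumed first fixed release. The cut-off `2.3.0` is an assumption to confirm against the advisory for CVE-2025-29787, and the lockfile fragment is constructed for the example. Note that a lockfile can legitimately contain two versions of the same crate (one pulled in transitively), which is why the sample lists `zip` twice; a scanner fires if any of them is old.

```python
"""Report vulnerable `zip` crate versions pinned in a Cargo.lock (added example)."""
import re
from typing import Iterator

# ASSUMPTION: 2.3.0 is treated as the first zip release not affected by
# CVE-2025-29787. Confirm against the advisory before relying on this value.
FIXED_ZIP_VERSION = (2, 3, 0)

# Constructed sample Cargo.lock fragment; not taken from any real project.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "zip"
version = "2.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "flate2",
]

[[package]]
name = "zip"
version = "2.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Matches simple `key = "value"` lines inside a [[package]] table.
_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_packages(lock_text: str) -> Iterator[tuple[str, str]]:
    """Yield (name, version) for every [[package]] table in a Cargo.lock."""
    name = version = None
    in_package = False
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            # Flush the previous table before starting a new one.
            if in_package and name and version:
                yield name, version
            name = version = None
            in_package = True
            continue
        if not in_package:
            continue  # header lines such as `version = 3` belong to no package
        m = _KV.match(line)
        if m:
            key, val = m.groups()
            if key == "name":
                name = val
            elif key == "version":
                version = val
    if in_package and name and version:
        yield name, version


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.3.0-beta.1+build' into (2, 3, 0); pre-release and build tags are dropped."""
    core = v.split("+", 1)[0].split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def vulnerable_zip_versions(lock_text: str, fixed=FIXED_ZIP_VERSION) -> list[str]:
    """Return every pinned `zip` version older than the assumed fixed release."""
    return [
        ver
        for name, ver in parse_packages(lock_text)
        if name == "zip" and parse_version(ver) < fixed
    ]


if __name__ == "__main__":
    for ver in vulnerable_zip_versions(SAMPLE_LOCK):
        print(f"zip {ver} is older than {'.'.join(map(str, FIXED_ZIP_VERSION))}")
```

Run it against the real lockfile with `vulnerable_zip_versions(open("Cargo.lock").read())`; an empty list means the published artifact no longer carries the flagged version, which is the evidence a scanner ticket usually needs closed out.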