/
Sunflower (R1 2025) Critical Service Patch #5 - Modules release deadline: Jan 20 | GA date: Feb 11

Sunflower (R1 2025) Critical Service Patch #5 - Modules release deadline: Jan 20 | GA date: Feb 11

mod release deadline jan 20

to be Released at FEb 11 Dashboard

Approval Log

key summary priority CSP Request Details CSP Approved
Refresh

Tickets list

key summary type assignee priority resolution reporter Development Team
Refresh

Tickets List Breakdown by Areas (expand each section to see list)

type key summary assignee reporter priority status resolution created updated due
Refresh

 

 

type key summary assignee reporter priority status resolution created updated due
Refresh

type key summary assignee reporter priority status resolution created updated due
Refresh

type key summary assignee reporter priority status resolution created updated due
Refresh

 

Modules list

Release tag

 

https://github.com/folio-org/platform-lsp/releases/tag/R1-2025-csp-5

https://github.com/folio-org/platform-complete/releases/tag/R1-2025-okapi-csp-5-1

Infrastructure

PostgreSQL

Bump the PostgreSQL minor version to fix security issues, for details see https://www.postgresql.org/support/security/ and/or https://docs.aws.amazon.com/AmazonRDS/latest/PostgreSQLReleaseNotes/postgresql-versions.html.

If using 16 upgrade to >= 16.11. FOLIO officially supports 16 only; however, there are no known incompatibilities with 17 and 18.

If using 17 upgrade to >= 17.7.

If using 18 upgrade to >= 18.1.

MinIO

If using MinIO upgrade to latest version to fix security vulnerabilities.

Upgrade to >= RELEASE.2025-10-15T17-29-55Z.

One container download option is https://hub.docker.com/r/cleanstart/minio.

Elasticsearch

If using Elasticseach upgrade to the latest patch version to fix security vulnerabilities, for details see https://www.elastic.co/blog/category/releases

Upgrade to >= 8.19.11.

OpenSearch

If using OpenSearch upgrade to the latest patch version to fix security vulnerabilities, for details see https://docs.opensearch.org/latest/version-history/

Upgrade to >= 2.19.4.

folio-kong

If using folio-kong upgrade folio-kong to latest version to fix security vulnerabilities: https://github.com/folio-org/folio-kong/releases

Upgrade to >= 3.9.2.

folio-keycloak

If using folio-keycloak upgrade folio-keycloak to latest version to fix security vulnerabilities: https://github.com/folio-org/folio-keycloak/releases

Upgrade to >= 26.5.1.

Okapi

If using Okapi upgrade Okapi to the latest patch version to fix security vulnerabilities, for details see https://github.com/folio-org/okapi/releases.

Upgrade to >= 7.0.2 (Trillium version, but also works with Sunflower), or >= 6.2.6 (Sunflower version).

Configuration

Functional Area

Change or Additions

Considerations

Action timing,
Action required

Comments

Contact person,
Related JIRAs

Functional Area

Change or Additions

Considerations

Action timing,
Action required

Comments

Contact person,
Related JIRAs

folio-module-sidecar

TOKEN_CACHE_REFRESH_PRIOR_EXPIRATION

New Environment Variable

 

Default value: 60

Specifies the amount of seconds for a cache entry invalidation prior to the token expiration.

 

MODSIDECAR-171: Sidecar: Authorization failed: io.quarkus.security.UnauthorizedException: UnauthorizedClosed

folio-module-sidecar

TOKEN_CACHE_RETRIEVAL_TIMEOUT

New Environment Variable

 

Default value: 30

Timeout in seconds for token retrieval operations from Keycloak during cache loading.

MODSIDECAR-171: Sidecar: Authorization failed: io.quarkus.security.UnauthorizedException: UnauthorizedClosed

mod-scheduler

Adjustments to the cache configuration were made in the module’s application.yml file which is baked into the docker image. These shouldn’t need to be adjusted or overridden. See MODSCHED-50: Sunflower SP#5 - Timers creation fails on Rancher environmentsClosed

 

 

image-20260114-215436.png

 

edge-patron (LoC only)

Update the edge-patron “KC_URL” environment variable to link it with the Locate Keycloak URL instead of the Folio cluster Keycloak URL. This change is necessary for the VIP patron flow in the secure tenant to successfully parse the JWT token for users stored in Locate Keycloak. For example, for the sebftls cluster, set the following value:
 {"name": "KC_URL","value": "https://keycloak-ltihls.int.locate.ebsco.com"}

 

 

 

 

mod-tlr (LoC)

Set ecsTlrFeatureEnabled to true in ALL tenants.
In the Central tenant this can be done via UI (Settings > Circulation > Consortium title level requests (TLR)). In member tenants, make this api API call:

URL:
PUT /tlr/settings

Body:
{"ecsTlrFeatureEnabled": true}

Ignore the error, but please check that the value has been updated: GET /tlr/settings.

Note: After ecsTlrFeatureEnabled is enabled, disabling via UI should be avoided because it'll only affect the Central tenant. If disabling is required, in addition to the UI change, ecsTlrFeatureEnabled setting needs to be reverted back to false in all member tenants.