Skip to main content

Fire Arrow Server 1.7.0

· 2 min read
Till Gerken
Till Gerken
CTO

Fire Arrow Server 1.7.0 has been released.

  • (breaking) Task scheduling data now written to Task.restriction.period instead of Task.executionPeriod
  • (security) Update Next.js to 16.2.3 (CVE-2026-23869)

Task Scheduling Data in restriction.period

This release changes where the server persists planned scheduling data on materialized Tasks. Previously, the due date was written to executionPeriod.start and the deadline to executionPeriod.end. This overloaded fields that the FHIR R4 spec defines as actual execution times, and caused incorrect dependency propagation when ActivityCompletionService interpreted executionPeriod.end as the client-written completion time.

Starting with 1.7.0, server-managed scheduling data is written to Task.restriction.period:

  • restriction.period.start — the due date
  • restriction.period.end — the deadline

Task.executionPeriod is now exclusively client-written (actual start and end of execution). When resolving completion times for dependency propagation, the server uses a four-step fallback chain: executionPeriod.endrestriction.period.endexecutionPeriod.startrestriction.period.start.

The due-timestamp-field configuration toggle has been removed. Two new configuration options — auto-propagate-period-start and auto-propagate-period-end (both off by default) — allow headless clients that cannot write back execution periods to have the server propagate scheduling data automatically.

The fa-careplan-due-tasks SearchParameter has been updated to index Task.restriction.period.start (version bumped to 2.0.0, which triggers automatic reindexing on startup).

Breaking Change

Existing materialized Tasks still have due dates stored in executionPeriod. Affected deployments must regenerate their CarePlans after upgrading to ensure all Tasks use the new field mapping.

Security

Next.js updated to 16.2.3 (CVE-2026-23869)

The administration web UI's Next.js dependency has been updated from 16.2.1 to 16.2.3 to address CVE-2026-23869. A specially crafted HTTP request to an App Router Server Function endpoint could trigger excessive CPU usage, resulting in denial of service.