GitHub user potiuk edited a comment on the discussion: CVE-2024-49767
Airflow 3 is moving away from Flask and Werkzeug (and Connexion 2, which is blocking us from upgrading to a later version of Werkzeug). That's the plan. And as explained before several times - you can still do a lot of stuff on your own and invest your money and time and energy (yes, also yours @lewijw and your company) to do something about it. Airflow is generally upgrading to the latest versions of dependencies with every new release - unless it's blocked by something - as is the case here. Also, Airflow is run by volunteers and delivers its software under the umbrella of the Apache Software Foundation (Open Source Steward) for free without any guarantees (please read the ASF 2 licence). And even according to the planned regulations that are coming - CRA - it's the commercial users of Airflow (those who put the software on the market) who are responsible for checking and verifying whether the software they release is bug free. We are a good steward - we are following pretty much absolutely the best practices for security out there. We are following very well established and governed processes to make Airflow non-vulnerable and we make reasonable efforts there, but there are certain situations where others should take action. Especially if they want to make sure that the "scans" of all the dependencies they have do not contain any vulnerabilities. This is very clearly stated in our [Security Policy](https://github.com/apache/airflow/security/policy#what-should-be-and-should-not-be-reported-) - please read the policy. You (not us - we already made our decision to get rid of the dependencies that are problematic - i.e. Connexion 2 - in Airflow 3) can do a number of things there, if you - commercial users of Airflow - believe that Airflow is vulnerable (we don't think so) - you have several options where you can spend your time and energy (and eventually possibly help other commercial users of Airflow and have better certainty about this particular issue).
1) You can spend your efforts, time, energy and money to try to reproduce the issue, show how it impacts Airflow and report it privately following our security policy.

2) You can also pay some security researchers to produce an in-depth analysis on why Airflow is not vulnerable and publish the results here. That would be a nice way how you can make others more certain that they can "tick off" that report and say "not vulnerable".

3) You can raise a similar issue to Connexion. Connexion 2 is the one that is blocking us from upgrading Werkzeug. We attempted to migrate to Connexion 3 (https://github.com/apache/airflow/pull/39055) - but this has proven to be very problematic and not sustainable, so for Airflow 3 we are getting rid of the whole set of dependencies that are the main reason for these problems (we are replacing Connexion with FastAPI, which is much better maintained and future-proof). This is the course of action we can take as maintainers.

So you are absolutely not blocked here: you can do 1), 2) or 3) - depending on where you want to spend your time, energy and money to get that question answered. @lewijw as you are the one who created the issue, I guess you are really vested in knowing the answer, so in the spirit of community, giving back and contributing back, I think it might be a good idea that you take the lead on that. Also @Uditmittal -> if you would like to take on any of those tasks, feel free.

GitHub link: https://github.com/apache/airflow/discussions/44865#discussioncomment-11656354