shahar1 commented on PR #66952:
URL: https://github.com/apache/airflow/pull/66952#issuecomment-4918945757

   > hi all, Beam committer here.
   > 
   > > 2. My [PR](https://github.com/apache/beam/pull/39213) in Apache beam has 
been merged, so we should be able to unsuspend it in version > 2.75.
   > >    Let's keep watching until it is shipped, and then we'll be able to 
unsuspend it.
   > 
   > @shahar1 thanks for doing that.
   > 
   > Regarding betterproto dependency:
   > 
   > * the functionality where envoy-data-plane is used is an opt-in 
functionality of Beam that doesn't have significant usage atm
   > * While Betterproto doesn't have any recent releases: 
https://pypi.org/project/betterproto/#history, is there any concern as to this 
dependency having a vulnerability? It seems like we flagged it primarily due to 
beta in the naming, and then noticed that the codebase is old. Even if a 
project has recent releases, it can have codepaths that haven't been touched 
for years. Do we have any reason to be concerned beside the name ?
   > * As mentioned, Beam will drop the dependency on the envoy-data-plane in 
the next release, but using older version of Beam in my opinion causes more 
inconvenience in this case to airflow users than pulling an old dependency .
   
   Thanks for your comment!
   
   I reevaluated this:
   
   - The original suspension blocker (Beam's grpcio<1.66 pin) is resolved as of 
Beam 2.72.
   - There are no known vulnerabilities in Beam 2.72–2.75, nor in 
`betterproto==2.0.0b6` or `envoy-data-plane==1.0.3`.
   - `envoy-data-plane==1.0.3` is part of an opt-in Beam feature with little 
usage.
   - The dependency is already removed upstream (apache/beam#39213) and ships 
in Beam 2.76, expected in ~1–2 months. 
   
   Given the risk is known, bounded, and time-limited, I think unsuspending now 
is reasonable rather than keeping users on a suspended provider for another 
release cycle. We already accept unmaintained transitive dependencies elsewhere 
in the tree on a case-by-case basis; this one at least has a concrete removal 
date. Of course, if there's a vunlerability found and 2.76 is yet to be 
released - we could resume the suspension.
   
   @potiuk @eladkal WDYT?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to