shahar1 opened a new pull request, #69706:
URL: https://github.com/apache/airflow/pull/69706

   ## Summary
   
   Upgrades Flask-AppBuilder from `5.2.1` to `5.2.2` (latest on PyPI, released 
2026-06-23). Follows the same shape as #66841.
   
   ## What 5.2.2 changes and how it maps to Airflow
   
   FAB 5.2.2 carries four security-relevant fixes to the security manager 
(parts of which Airflow vendors in `override.py`) plus a dependency-cap change:
   
   | FAB 5.2.2 change | Airflow impact |
   |---|---|
   | **#2465** — raise Flask-Limiter upper bound `<4` → `<5` | Unblocks 
Flask-Limiter 4.x. Airflow's own pin stays `>3`; `uv lock` keeps the resolved 
version at **3.12** (minimal resolution), so this PR does not actually move 
Flask-Limiter. See compatibility note below. |
   | **#2469** — escape LDAP filter metacharacters in `_search_ldap` | 
**Already present** in `override.py` (Airflow was ahead — it also validates 
balanced parentheses). No change. |
   | **#2435** — `add_register_user` uses `uuid4` instead of `uuid1` | 
**Already present** in `override.py`. No change. |
   | **#2470** — anchor OAuth email-whitelist regex to end of string | Lives in 
FAB's `AuthOAuthView.oauth_authorized`, which Airflow's `CustomAuthOAuthView` 
calls via `super()`. **Inherited automatically.** No change. |
   | **#2468** — warn when Azure OAuth JWT signature verification is disabled | 
See follow-up below. |
   
   No new **public** FAB security-manager methods were added, so 
`test_fab_alignment.py` passes with only the `EXPECTED_FAB_VERSION` bump.
   
   ## Flask-Limiter compatibility note
   
   FAB lifting its cap merely *unblocks* Flask-Limiter 4.x; `uv lock` keeps 
3.12. To be safe I verified Airflow's vendored Flask-Limiter usage in 
`providers/fab/src/airflow/providers/fab/www/security_manager.py` against 
Flask-Limiter **4.1.1**:
   
   - `from flask_limiter import Limiter` and `from flask_limiter.util import 
get_remote_address` — both still valid (4.0 prefixed *internal* submodules with 
`_`, but `util` remains public).
   - `Limiter(key_func=...)`, `limiter.init_app(...)`, and `limiter.limit(...)` 
with all the kwargs Airflow passes (`per_method`, `methods`, `error_message`, 
`exempt_when`, `override_defaults`, `deduct_when`, `on_breach`, `cost`) — all 
present in 4.1.1.
   
   So even if a future resolution picks Flask-Limiter 4.x, no vendored-code 
change is required.
   
   ## Changes
   
   - `providers/fab/pyproject.toml` — `flask-appbuilder==5.2.1` → `==5.2.2`
   - 
`providers/fab/tests/unit/fab/auth_manager/security_manager/test_fab_alignment.py`
 — `EXPECTED_FAB_VERSION` → `"5.2.2"`
   - `uv.lock` — re-resolved (flask-appbuilder only; Flask-Limiter stays 3.12)
   - `generated/provider_dependencies.json` (+ `.sha256sum`), 
`providers/fab/README.rst`, `providers/fab/docs/index.rst` — regenerated by 
prek (the docs-index regeneration also dropped a stale release-time-only tail 
block that had drifted on `main`)
   
   ## Validation
   
   - `test_fab_alignment.py` — all 7 alignment tests pass with 
`flask-appbuilder==5.2.2` installed.
   - `providers/fab/tests/unit/fab/auth_manager/security_manager/` — all 40 
unit tests pass.
   - `override.py` and the vendored `www` security manager import cleanly under 
FAB 5.2.2.
   - Full `pre-commit` prek stage green.
   
   ## Follow-up (not in this PR)
   
   FAB #2468 adds a `log.warning` when Azure OAuth JWT signature verification 
is disabled. Airflow's `_decode_and_validate_azure_jwt` deliberately deviates 
from FAB (manual base64 payload decode; `verify_signature` defaults to 
`False`), and FAB's warning text references FAB's own roadmap ("a future major 
release will change the default to `True`"), which doesn't fit Airflow's 
deviation. Whether Airflow should emit its own equivalent warning — arguably 
more important here since verification is off by default — is a behavioral 
security change that belongs in a focused change, not this dependency bump.
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [X] Yes — Claude Code (Opus 4.8)
   
   Generated-by: Claude Code (Opus 4.8) following [the 
guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to