Happy to support testing as well as I was notified about a lot of alerts from MS Defender scanning of the current 2.11.0 Docker Image and this would relieve the pain! Would be great to get rid of the problems.

On 17.10.25 14:20, Pierre Jeambrun wrote:
Same here, happy to review PRs and provide insights. That would be super helpful!

On Thu 16 Oct 2025 at 18:43, Vincent Beck <[email protected]> wrote:

+1 on this one. If someone is interested, that would be super helpful.
Very happy to help and review PRs, you will not be alone :)

On 2025/10/16 16:11:37 Jarek Potiuk wrote:
While I am working on updating Connexion to 2.15.0 in Airflow 2 + FAB 1.5, I have another thing: we still use Connexion in the FAB 2 provider (for Airflow 3) to handle the (very few) API endpoints of FAB. Ideally we should get rid of Connexion completely - this will make some of our dependencies "free" to upgrade as well.

We discussed it with Vincent and Pierre and I would love it if someone involved in FastAPI development who has some experience in this part could take it on and help.

That would be a really invaluable help. I created an issue for that, https://github.com/apache/airflow/issues/56730 - and we have a #fab-upgrade slack channel to discuss details. If one of the community members could help with that - please let us know and we will be happy to collaborate as well.

J,


On Sun, Jun 22, 2025 at 8:55 AM Jarek Potiuk <[email protected]> wrote:

Good news. As a result of our request, Connexion 2.15.0rc2 was released in PyPI this morning with Flask>3. I am running tests with it now, https://github.com/apache/airflow/pull/51681, and we **finally** have non-conflicting dependencies in Airflow 2.11 with it.

It still fails - i.e. we will have to fix things with session handling (we knew we would have to do it because of the flask-session upgrade) but this is something we are now unblocked with :).

Hopefully soon we will get rid of the Werkzeug drama.

root@a20ed58d4f59:/opt/airflow# pip freeze | grep lask
Flask==2.3.3
Flask-AppBuilder==4.5.2
Flask-Babel==2.0.0
Flask-Bcrypt==1.0.1
Flask-Caching==2.3.1
Flask-JWT-Extended==4.7.1
Flask-Limiter==3.11.0
Flask-Login==0.6.3
Flask-Session==0.8.0
Flask-SQLAlchemy==2.5.1
Flask-WTF==1.2.2
root@a20ed58d4f59:/opt/airflow# pip freeze | grep erkzeug
*Werkzeug==3.1.3*
root@a20ed58d4f59:/opt/airflow#

J.
On Thu, Jun 19, 2025 at 7:44 AM Jarek Potiuk <[email protected]> wrote:

Dear Airflow community,

Thank you. You are amazing. With all the upvotes and comments we had the contributor of Connexion working on bringing Flask 2.3.3+ back to the upcoming Connexion release https://github.com/spec-first/connexion/pull/2058/

Particularly Kamil - thanks for the thoughtful comments and the diligent check on what Flask version we need. We are currently at 2.2 in Airflow 2.11 but I checked that if Connexion sets their limit to =2.3.3, we should be able to update to that version in 2.11 (and it's good in general as 2.3+ is now the only recommended branch still being "supported" for Flask 2 for security issues, it seems). So we get an additional benefit there, that we will be less likely to hit similar issues until Airflow 2 EOL.

J.


On Wed, Jun 18, 2025 at 8:07 PM Jarek Potiuk <[email protected]> wrote:

Thank you Kamil - that's very thoughtful and nice to see your message back on the devlist :D

On Wed, Jun 18, 2025 at 7:38 PM Kamil Breguła <[email protected]> wrote:

I proposed to split the new Connexion release into two versions. First, release one that supports the new Werkzeug release, and then release a new Connexion release that supports Flask 3 only. This is not ideal, because Airflow 2 will still be on an unsupported version of Connexion, but we will have at least one release that has the new Werkzeug version and has a fix for the CVE bug. This might be easier to do, as I understand that Connexion might not want to support Flask 2 if there is no specific end date for when other dependencies will support Flask 3, but it may still turn out to be enough for us.

On Wed, 18 Jun 2025 at 08:54 Jarek Potiuk <[email protected]> wrote:
I WOULD LIKE TO TAP INTO THE POWER OF OUR COMMUNITY... PLEASE HELP.

We again had another issue with FAB where the root cause was our old Werkzeug version (that we cannot upgrade until now) - old Werkzeug does not support the `scrypt` hashing algorithm and the latest FAB version defaulted password hashing to scrypt - we have a workaround but we will have to make a more complete fix with the FAB provider. And I am sure Airflow 2 users will have more and more problems as time passes.

I think there is a **real** chance with the Connexion team working on 2.15.0 - https://pypi.org/project/connexion/2.15.0rc1/ - that we can finally get rid of it - in both Airflow 2 and Airflow 3. But we have one problem -> Connexion 2.15.0rc1 seems to require Flask 3, where we cannot upgrade to Flask 3 because of the FAB <3 limit. I started a discussion about it here: https://github.com/spec-first/connexion/pull/1992#issuecomment-2976706491 and explained that it would be great if Connexion 2.15.0 still supported Flask 2.

And it would be great if more people could support it and explain that this would be a major win for the Airflow community if they could relax this. I do not think this is a big problem for them - the explanation we had from them is "hey Flask 2 is really old" - but there is no "real" reason. On the other hand, migrating FAB to Flask 3 would likely be a very complex and risky thing (and Daniel already struggles with just the SQLAlchemy upgrade and FAB 5, so it would be too much to put the pressure on him).

Can you please help and upvote/comment on https://github.com/spec-first/connexion/pull/1992#issuecomment-2976706491

I would (and the whole community) really, really appreciate it.

J.
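The scrypt verification gap described above, as an added example that is not Airflow's, FAB's or Werkzeug's own code: it assumes Werkzeug's stored-hash layout `method$salt$hexdigest`, with `scrypt:N:r:p` as the method field the way Werkzeug 2.3+ writes it, and uses only hashlib so an admin can inventory which stored user hashes a pre-2.3 Werkzeug would fail to verify. The hash strings and salts are constructed samples.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Werkzeug < 2.3 has no scrypt branch in its password helpers, so any stored hash
# whose method field starts with "scrypt" cannot be checked by those versions.
SCRYPT_MIN_WERKZEUG = (2, 3)


def hash_method(stored):
    """Return the base method name of a Werkzeug-style hash, e.g. 'scrypt' or 'pbkdf2'."""
    method, _salt, _digest = stored.split("$", 2)
    return method.split(":")[0]


def make_scrypt_hash(password, salt="", n=32768, r=8, p=1):
    """Produce a hash in the format Werkzeug >= 2.3 writes for method='scrypt' (assumed layout)."""
    salt = salt or secrets.token_hex(8)  # constructed salt; Werkzeug generates its own
    digest = hashlib.scrypt(password.encode(), salt=salt.encode(),
                            n=n, r=r, p=p, maxmem=132 * n * r * p)
    return f"scrypt:{n}:{r}:{p}${salt}${digest.hex()}"


def verify_scrypt_hash(stored, password):
    """Verify a scrypt hash with hashlib only, independent of the installed Werkzeug."""
    method, salt, digest = stored.split("$", 2)
    name, *params = method.split(":")
    if name != "scrypt":
        raise ValueError(f"not a scrypt hash: {name}")
    n, r, p = (int(x) for x in params) if params else (32768, 8, 1)
    candidate = hashlib.scrypt(password.encode(), salt=salt.encode(),
                               n=n, r=r, p=p, maxmem=132 * n * r * p)
    # Constant-time comparison, as Werkzeug's check_password_hash does.
    return hmac.compare_digest(candidate.hex(), digest)


def inventory(hashes, werkzeug_version):
    """Count hash methods and report how many entries the given Werkzeug version cannot verify."""
    counts = Counter(hash_method(h) for h in hashes)
    too_old = werkzeug_version < SCRYPT_MIN_WERKZEUG
    unverifiable = sum(1 for h in hashes if too_old and hash_method(h) == "scrypt")
    return {"counts": dict(counts), "unverifiable": unverifiable}


if __name__ == "__main__":
    # Constructed sample: one scrypt hash (as new FAB would write) and one pbkdf2 hash.
    sample = [make_scrypt_hash("s3cret", salt="constructedsalt"),
              "pbkdf2:sha256:600000$constructedsalt$00"]
    print(inventory(sample, (2, 2)))  # Werkzeug 2.2.3 as pinned in Airflow 2
```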
On Fri, Jun 13, 2025 at 11:16 AM Jarek Potiuk <[email protected]> wrote:

Hello everyone,

As you might know, Airflow 2 has a long-time issue with not being able to upgrade the Werkzeug dependency to a non-vulnerable version, and that raises a lot of alarms for users who run CVE checks on Airflow.

We've been waiting for a long time for that - but it looks like there is a light in a tunnel. We have two options that we can attempt:

1) Connexion 2.15.0.rc1
2) Releasing a package that will patch Werkzeug 2.2.3 with backported CVE fixes

Recently the Google team attempted to back-port and test fixes to an older version of Werkzeug and I helped to get through to the maintainers - https://github.com/pallets/werkzeug/discussions/3034 - however they are not really willing to make that into a regular release - reasoning explained in the discussion.

However, after many months of discussions and at least 3 attempts to bump dependencies for Connexion - we seem to have an RC candidate (2.15.0rc1 https://pypi.org/project/connexion/2.15.0rc1/) that lifts the limit for Werkzeug (released 4 days ago).

There were some breaking changes in Werkzeug that made it so long and difficult, but I think we should be able to release a 2.11.1 version of Airflow with it.

I made a first attempt to migrate - here: https://github.com/apache/airflow/pull/51681 - and while I was able to work out non-conflicting dependencies and bump Werkzeug, there are some things to be fixed with session handling and there is still one outstanding problem - FAB requires Flask < 3 and currently Connexion 2.0.15rc1 requires flask >= 3 - which FAB (even the upcoming FAB 5) does not support. And likely migrating to Flask 3 is **not** an option for us anyway.

I started a discussion here with those who worked on the Connexion patch for Werkzeug to see if that is a "hard" limit..:

https://github.com/spec-first/connexion/pull/1992#issuecomment-2969565640

Alternative option - patch package:

We also have a "last-resort" approach that we are looking at with the Google team. We might want to release a "werkzeug-patch" package that will apply the CVE patches to Werkzeug 2.2.3.

Option 1) It is not clear yet if it is possible due to Flask 3 / Flask 2 - and it would only work for 2.11.1 - we need to make some fixes and change dependencies for Airflow to make it work.

Option 2) is hacky (I am talking to the Werkzeug maintainers about what they think about it, as we would likely need to have at least a comment in the CVE advisory that this package fixes it as well). But it has the benefit that it will **just work** by installing the patch on basically all past Airflow versions.

Just wanted to let everyone know it happens and ask if you have any opinions on those.

J.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]