Same here, happy to review PRs and provide insights. That would be super
helpful!

On Thu 16 Oct 2025 at 18:43, Vincent Beck <[email protected]> wrote:

> +1 on this one. If someone is interested, that would be super helpful.
> Very happy to help and review PRs, you will not be alone :)
>
> On 2025/10/16 16:11:37 Jarek Potiuk wrote:
> > While I am working on updating Connexion to 2.15.0 in Airflow 2 + FAB 1.5,
> > I have another thing: We still use Connexion in the FAB 2 provider (for
> > Airflow 3) to handle the (very few) API endpoints of FAB. Ideally we should
> > get rid of Connexion completely - this will make some of our dependencies
> > "free" to upgrade as well.
> >
> > We discussed it with Vincent and Pierre and I would love it if someone
> > involved in FastAPI development who has some experience in this part could
> > take it on and help.
> >
> > That would be really invaluable help. I created an issue for that
> > https://github.com/apache/airflow/issues/56730 - and we have a #fab-upgrade
> > Slack channel to discuss details. If one of the community members could
> > help with that - please let us know and we will be happy to collaborate as
> > well.
> >
> > J.
> >
> >
> > On Sun, Jun 22, 2025 at 8:55 AM Jarek Potiuk <[email protected]> wrote:
> >
> > > Good news. As a result of our request, Connexion 2.15.0rc2 was released
> > > on PyPI this morning with Flask>3. I am running tests with it now
> > > https://github.com/apache/airflow/pull/51681 and we **finally** have
> > > non-conflicting dependencies in Airflow 2.11 with it.
> > >
> > > It still fails - i.e. we will have to fix things with session handling (we
> > > knew we would have to do it because of the flask-session upgrade) but this
> > > is something we are now unblocked with :).
> > >
> > > Hopefully soon we will get rid of the Werkzeug drama.
> > >
> > > root@a20ed58d4f59:/opt/airflow# pip freeze | grep lask
> > > Flask==2.3.3
> > > Flask-AppBuilder==4.5.2
> > > Flask-Babel==2.0.0
> > > Flask-Bcrypt==1.0.1
> > > Flask-Caching==2.3.1
> > > Flask-JWT-Extended==4.7.1
> > > Flask-Limiter==3.11.0
> > > Flask-Login==0.6.3
> > > Flask-Session==0.8.0
> > > Flask-SQLAlchemy==2.5.1
> > > Flask-WTF==1.2.2
> > > root@a20ed58d4f59:/opt/airflow# pip freeze | grep erkzeug
> > > *Werkzeug==3.1.3*
> > > root@a20ed58d4f59:/opt/airflow#
> > >
> > > J.
> > >
> > >
> > >
> > >
> > > On Thu, Jun 19, 2025 at 7:44 AM Jarek Potiuk <[email protected]> wrote:
> > >
> > >> Dear Airflow community,
> > >>
> > >> Thank you. You are amazing. With all the upvotes and comments we had
> > >> the contributor of connexion working on bringing Flask 2.3.3+ back to the
> > >> upcoming Connexion release
> > >> https://github.com/spec-first/connexion/pull/2058/
> > >>
> > >> Particularly Kamil - thanks for the thoughtful comments and the
> > >> diligent check on what Flask version we need. We are currently at 2.2 in
> > >> Airflow 2.11 but I checked that if Connexion sets their limit to >=2.3.3,
> > >> we should be able to update to that version in 2.11 (and it's good in
> > >> general as 2.3+ is now the only recommended branch still being "supported"
> > >> for Flask 2 for security issues, it seems). So we get the additional
> > >> benefit there that we will be less likely to hit similar issues until
> > >> Airflow 2 EOL.
> > >>
> > >> J.
> > >>
> > >>
> > >> On Wed, Jun 18, 2025 at 8:07 PM Jarek Potiuk <[email protected]> wrote:
> > >>
> > >>> Thank you Kamil - that's very thoughtful and nice to see your message
> > >>> back on the devlist :D
> > >>>
> > >>> On Wed, Jun 18, 2025 at 7:38 PM Kamil Breguła <[email protected]>
> > >>> wrote:
> > >>>
> > >>>> I proposed to split the new connexion release into two versions. First,
> > >>>> release one version that supports the new Werkzeug release, and then
> > >>>> release a new Connexion release that supports Flask 3 only. This is not
> > >>>> ideal, because Airflow 2 will still be on an unsupported version of
> > >>>> Connexion, but we will have at least one release that has the new
> > >>>> Werkzeug version and has a fix for the CVE bug. This might be easier to
> > >>>> do, as I understand that connexion might not want to support Flask 2 if
> > >>>> there is no specific end date for when other dependencies will support
> > >>>> Flask 3, but it may still turn out to be enough for us.
> > >>>>
> > >>>> On Wed, Jun 18, 2025 at 08:54 Jarek Potiuk <[email protected]> wrote:
> > >>>>
> > >>>> > I WOULD LIKE TO TAP INTO THE POWER OF OUR COMMUNITY... PLEASE HELP.
> > >>>> >
> > >>>> > We again had another issue with FAB where the root cause was our old
> > >>>> > Werkzeug version (that we could not upgrade until now) - old Werkzeug
> > >>>> > does not support the `scrypt` hashing algorithm and the latest FAB
> > >>>> > version defaulted password hashing to scrypt - we have a workaround
> > >>>> > but we will have to make a more complete fix with the FAB provider.
> > >>>> > And I am sure Airflow 2 users will have more and more problems as
> > >>>> > time passes.
> > >>>> >
> > >>>> > I think there is a **real** chance with the Connexion team working on
> > >>>> > 2.15.0 - https://pypi.org/project/connexion/2.15.0rc1/ - that we can
> > >>>> > finally get rid of it - in both Airflow 2 and Airflow 3. But we have
> > >>>> > one problem -> Connexion 2.15.0rc1 seems to require Flask 3 where we
> > >>>> > cannot upgrade to Flask 3 because of the FAB <3 limit. I started a
> > >>>> > discussion about it here:
> > >>>> > https://github.com/spec-first/connexion/pull/1992#issuecomment-2976706491
> > >>>> > and explained that it would be great if Connexion 2.15.0 still
> > >>>> > supported Flask 2.
> > >>>> >
> > >>>> > And it would be great if more people could support it and explain
> > >>>> > that this would be a major win for the Airflow community if they
> > >>>> > could relax this.
> > >>>> >
> > >>>> > I do not think this is a big problem for them - the explanation we
> > >>>> > had from them is "hey Flask 2 is really old" - but there is no "real"
> > >>>> > reason. On the other hand migrating FAB to Flask 3 would likely be a
> > >>>> > very complex and risky thing (and Daniel already struggles with just
> > >>>> > the SQLAlchemy upgrade and FAB 5 so it would be too much to put the
> > >>>> > pressure on him).
> > >>>> >
> > >>>> > Can you please help and upvote/comment on
> > >>>> > https://github.com/spec-first/connexion/pull/1992#issuecomment-2976706491
> > >>>> >
> > >>>> > I would (and the whole community) really, really appreciate it.
> > >>>> >
> > >>>> > J.
> > >>>> >
> > >>>> > On Fri, Jun 13, 2025 at 11:16 AM Jarek Potiuk <[email protected]> wrote:
> > >>>> >
> > >>>> > > Hello everyone,
> > >>>> > >
> > >>>> > > As you might know, Airflow 2 has a long-time issue with not being
> > >>>> > > able to upgrade the Werkzeug dependency to a non-vulnerable version
> > >>>> > > and that raises a lot of alarms for users who run CVE checks on
> > >>>> > > Airflow.
> > >>>> > >
> > >>>> > > We've been waiting for a long time for that - but it looks like
> > >>>> > > there is a light in the tunnel. We have two options that we can
> > >>>> > > attempt:
> > >>>> > >
> > >>>> > > 1) Connexion 2.15.0rc1
> > >>>> > > 2) Releasing a package that will patch Werkzeug 2.2.3 with
> > >>>> > > backported CVE fixes
> > >>>> > >
> > >>>> > > Recently the Google team attempted to back-port and test fixes to
> > >>>> > > an older version of Werkzeug and I helped to get through to the
> > >>>> > > maintainers - https://github.com/pallets/werkzeug/discussions/3034
> > >>>> > > - however they are not really willing to make that into a regular
> > >>>> > > release - reasoning explained in the discussion.
> > >>>> > >
> > >>>> > > However, after many months of discussions and at least 3 attempts
> > >>>> > > to bump dependencies for Connexion - we seem to have an RC candidate
> > >>>> > > (2.15.0rc1 https://pypi.org/project/connexion/2.15.0rc1/) that
> > >>>> > > lifts the limit for Werkzeug (released 4 days ago).
> > >>>> > >
> > >>>> > > There were some breaking changes in Werkzeug that made it so long
> > >>>> > > and difficult but I think we should be able to release a 2.11.1
> > >>>> > > version of Airflow with it.
> > >>>> > >
> > >>>> > > I made a first attempt to migrate - here:
> > >>>> > > https://github.com/apache/airflow/pull/51681 and while I was able
> > >>>> > > to work out non-conflicting dependencies and bump Werkzeug, there
> > >>>> > > are some things to be fixed with session handling and there is
> > >>>> > > still one outstanding problem - FAB requires Flask < 3 and
> > >>>> > > currently Connexion 2.15.0rc1 requires Flask >= 3 - which FAB (even
> > >>>> > > the upcoming FAB 5) does not support. And likely migrating to Flask
> > >>>> > > 3 is **not** an option for us anyway.
> > >>>> > >
> > >>>> > > I started a discussion here with those who worked on the Connexion
> > >>>> > > patch for Werkzeug to see if that is a "hard" limit:
> > >>>> > > https://github.com/spec-first/connexion/pull/1992#issuecomment-2969565640
> > >>>> > >
> > >>>> > > Alternative option - patch package:
> > >>>> > >
> > >>>> > > We also have a "last-resort" approach that we are looking at with
> > >>>> > > the Google team. We might want to release a "werkzeug-patch"
> > >>>> > > package that will apply the CVE patches to Werkzeug 2.2.3.
> > >>>> > >
> > >>>> > > Option 1) It is not clear yet whether it is possible due to Flask 3
> > >>>> > > / Flask 2 - and it would only work for 2.11.1 - we need to make
> > >>>> > > some fixes and change dependencies for Airflow to make it work.
> > >>>> > >
> > >>>> > > Option 2) Is hacky (I am asking the Werkzeug maintainers what they
> > >>>> > > think about it as we would likely need to have at least a comment
> > >>>> > > in the CVE advisory that this package fixes it as well). But it
> > >>>> > > has the benefit that it will **just work** by installing the patch
> > >>>> > > on basically all past Airflow versions.
> > >>>> > >
> > >>>> > > Just wanted to let everyone know this is happening and ask if you
> > >>>> > > have any opinions on those.
> > >>>> > >
> > >>>> > > J.
> > >>>> > >
> > >>>> >
> > >>>>
> > >>>
> >
>
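To make the dependency argument in the thread concrete, here is a small version-constraint checker added as an illustration; it is not code from Airflow, Connexion, FAB or any of the messages above. The specifiers it uses (Flask-AppBuilder: Flask<3; Connexion 2.15.0rc1: Flask>=3; Connexion 2.15.0rc2: Flask>=2.3.3) and the list of candidate Flask versions are assumptions modelled on what the thread says, not values read from PyPI or package metadata. It shows why no Flask release can satisfy FAB and the rc1 at the same time, and why relaxing the Connexion bound to >=2.3.3 leaves exactly one candidate below 3.

```python
"""Minimal version-constraint checker, written for this thread as an illustration.

It reproduces the situation the list discussed: Flask-AppBuilder caps Flask at <3,
Connexion 2.15.0rc1 required Flask >=3, and no Flask release can satisfy both.
The specifiers and the candidate Flask versions below are constructed for the
demo from what the thread says; they are NOT read from PyPI or package metadata.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# One clause of a PEP 440-style specifier: operator followed by a numeric version.
_CLAUSE_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)$")


def parse_version(text: str) -> Version:
    """Convert '2.3.3' into (2, 3, 3). Pre-release suffixes such as 'rc2' are
    ignored, which is enough for the release-line comparisons made here."""
    m = re.match(r"[0-9][0-9.]*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(0).rstrip(".").split("."))


def _compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1, treating missing trailing components as zero (2.3 == 2.3.0)."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def satisfies(version: str, specifier: str) -> bool:
    """True if `version` meets every comma-separated clause in `specifier`,
    e.g. satisfies('2.3.3', '>=2.3.3,<3') is True."""
    v = parse_version(version)
    for clause in (c.strip() for c in specifier.split(",") if c.strip()):
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        sign = _compare(v, bound)
        ok = {
            ">=": sign >= 0, "<=": sign <= 0, "==": sign == 0,
            "!=": sign != 0, ">": sign > 0, "<": sign < 0,
        }[op]
        if not ok:
            return False
    return True


def feasible_versions(candidates: List[str], requirements: Dict[str, str]) -> List[str]:
    """Candidate versions of one package that satisfy every requirer's specifier.
    `requirements` maps the requiring package to the specifier it imposes."""
    return [v for v in candidates
            if all(satisfies(v, spec) for spec in requirements.values())]


def conflicting_pairs(candidates: List[str], requirements: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of requirers whose two specifiers alone leave no candidate in common;
    this is the 'hard limit' question the thread raised with Connexion."""
    names = sorted(requirements)
    return [
        (x, y)
        for i, x in enumerate(names) for y in names[i + 1:]
        if not feasible_versions(candidates, {x: requirements[x], y: requirements[y]})
    ]


# Constructed candidate list: a few Flask release lines, not a live PyPI query.
FLASK_CANDIDATES = ["2.2.5", "2.3.3", "3.0.3", "3.1.1"]

# Constraints as described on the list (assumed here, not read from package metadata).
WITH_RC1 = {"Flask-AppBuilder": "<3", "connexion==2.15.0rc1": ">=3"}
WITH_RC2 = {"Flask-AppBuilder": "<3", "connexion==2.15.0rc2": ">=2.3.3"}


def main() -> None:
    for label, reqs in (("rc1", WITH_RC1), ("rc2", WITH_RC2)):
        ok = feasible_versions(FLASK_CANDIDATES, reqs)
        clashes = conflicting_pairs(FLASK_CANDIDATES, reqs)
        print(f"{label}: feasible Flask versions = {ok or 'none'}; "
              f"conflicting requirers = {clashes or 'none'}")


if __name__ == "__main__":
    main()
```

The checker deliberately drops pre-release tags and handles only the six comparison operators, so it is a reasoning aid rather than a replacement for pip's resolver; the point it makes is that a single `<3` / `>=3` pair is unsatisfiable regardless of which other releases exist, while `<3` / `>=2.3.3` is satisfiable only by the 2.3.x line, which is exactly the Flask 2.3.3 that appears in the `pip freeze` output earlier in the thread.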