FYI. I am slowly progressing - among other things - the 500 Error is fixed - now what is left are a few wrong responses https://github.com/apache/airflow/pull/51681. I also noticed a weird behaviour with Postgres about some database size mismatch. I am at the Reproducible Build Summit for the next 2 days - not sure if I will have time to push a fix or two - but if someone would like to take a look (maybe at the Postgres issue), it would be great.
It's actually very easy to test:

* checkout my PR
* uv tool install -e ./dev/breeze --force (reinstall breeze from v2 branch)
* breeze ci-image build
* breeze start-airflow

This branch has both FAB and Airflow 2.11.1 modifications so they can be changed and tested together.

Pushed fixups are most welcome :).

On Fri, Oct 17, 2025 at 8:00 PM Jens Scheffler <[email protected]> wrote:

> Happy to support testing as well as I was notified about a lot of alerts
> from MS Defender scanning of the current 2.11.0 Docker Image and this
> would relieve the pain! Would be great to get rid of the problems.
>
> On 17.10.25 14:20, Pierre Jeambrun wrote:
> > Same here, happy to review PRs and provide insights. That would be
> > super helpful!
> >
> > On Thu 16 Oct 2025 at 18:43, Vincent Beck <[email protected]> wrote:
> >
> >> +1 on this one. If someone is interested, that would be super helpful.
> >> Very happy to help and review PRs, you will not be alone :)
> >>
> >> On 2025/10/16 16:11:37 Jarek Potiuk wrote:
> >>> While I am working on updating Connexion to 2.15.0 in Airflow 2 +
> >>> FAB 1.5, I have another thing: We still use Connexion in FAB 2
> >>> provider (for airflow 3) to handle the (very few) API endpoints FAB.
> >>> Ideally we should get rid of Connexion completely - this will make
> >>> some of our dependencies "free" to upgrade as well.
> >>>
> >>> We discussed it with Vincent and Pierre and I would love someone
> >>> involved in Fast API development who has some experience in this
> >>> part could take it on and help.
> >>>
> >>> That would be a really invaluable help. I created an issue for that
> >>> https://github.com/apache/airflow/issues/56730 - and we have a
> >>> #fab-upgrade slack channel to discuss details. If one of the
> >>> community members could help with that - please let us know and we
> >>> will be happy to collaborate as well.
> >>>
> >>> J,
> >>>
> >>> On Sun, Jun 22, 2025 at 8:55 AM Jarek Potiuk <[email protected]> wrote:
> >>>
> >>>> Good news. As a result of our request, Connexion 2.15.0rc2 was
> >>>> released in PyPI this morning with Flask>3. I am running now tests
> >>>> with it https://github.com/apache/airflow/pull/51681 and we
> >>>> **finally** have non-conflicting dependencies in Airflow 2.11 with it.
> >>>>
> >>>> It still fails - i.e. we will have to fix things with session
> >>>> handling (we knew we will have to do it because of flask-session
> >>>> upgrade) but this is something we are now unblocked with :).
> >>>>
> >>>> Hopefully soon we will get rid of the Werkzeug drama.
> >>>>
> >>>> root@a20ed58d4f59:/opt/airflow# pip freeze | grep lask
> >>>> Flask==2.3.3
> >>>> Flask-AppBuilder==4.5.2
> >>>> Flask-Babel==2.0.0
> >>>> Flask-Bcrypt==1.0.1
> >>>> Flask-Caching==2.3.1
> >>>> Flask-JWT-Extended==4.7.1
> >>>> Flask-Limiter==3.11.0
> >>>> Flask-Login==0.6.3
> >>>> Flask-Session==0.8.0
> >>>> Flask-SQLAlchemy==2.5.1
> >>>> Flask-WTF==1.2.2
> >>>> root@a20ed58d4f59:/opt/airflow# pip freeze | grep erkzeug
> >>>> *Werkzeug==3.1.3*
> >>>> root@a20ed58d4f59:/opt/airflow#
> >>>>
> >>>> J.
> >>>>
> >>>> On Thu, Jun 19, 2025 at 7:44 AM Jarek Potiuk <[email protected]> wrote:
> >>>>
> >>>>> Dear Airflow community,
> >>>>>
> >>>>> Thank you. You are amazing. With all the upvotes and comments we
> >>>>> had the contributor of connexion working on bringing Flask 2.3.3+
> >>>>> back to the upcoming Connexion release
> >>>>> https://github.com/spec-first/connexion/pull/2058/
> >>>>>
> >>>>> Particularly Kamil - thanks for the thoughtful comments and the
> >>>>> diligent check on what Flask version we need.
> >>>>> We are currently at 2.2 in Airflow 2.11 but I checked that if
> >>>>> Connexion sets their limit to >=2.3.3, we should be able to update
> >>>>> to that version in 2.11 (and it's good in general as 2.3+ is now
> >>>>> the only recommended branch still being "supported" for Flask 2
> >>>>> for security issues it seems). So we get additional benefit there
> >>>>> that we will be less likely to hit similar issues until Airflow 2
> >>>>> EOL.
> >>>>>
> >>>>> J.
> >>>>>
> >>>>> On Wed, Jun 18, 2025 at 8:07 PM Jarek Potiuk <[email protected]> wrote:
> >>>>>> Thank you Kamil - that's very thoughtful and nice to see your
> >>>>>> message back on the devlist :D
> >>>>>>
> >>>>>> On Wed, Jun 18, 2025 at 7:38 PM Kamil Breguła <[email protected]> wrote:
> >>>>>>
> >>>>>>> I proposed to split the new connexion release into two versions.
> >>>>>>> First release one release that supports the new Werkzeug release,
> >>>>>>> and then release a new Connexion release that supports Flask 3
> >>>>>>> only. This is not ideal, because Airflow 2 will still be on an
> >>>>>>> unsupported version of Connexion, but we will have at least one
> >>>>>>> release that has the new Werkzeug version and has a fix for the
> >>>>>>> CVE bug. This might be easier to do, as I understand that
> >>>>>>> connexion might not want to support Flask 2 if there is no
> >>>>>>> specific end date for when other dependencies will support
> >>>>>>> Flask 3, but it may still turn out to be enough for us.
> >>>>>>>
> >>>>>>> On Wed, 18 Jun 2025 at 08:54 Jarek Potiuk <[email protected]> wrote:
> >>>>>>>> I WOULD LIKE TO TAP INTO POWER OF OUR COMMUNITY... PLEASE HELP.
> >>>>>>>>
> >>>>>>>> We again had another issue with FAB where the root cause was our
> >>>>>>>> old Werkzeug version (that we cannot upgrade until now) - old
> >>>>>>>> Werkzeug does not support `scrypt` hashing algorithm and latest
> >>>>>>>> FAB version defaulted password hashing to scrypt - we have a
> >>>>>>>> workaround but we will have to make a more complete fix with FAB
> >>>>>>>> provider. And I am sure Airflow 2 users will have more and more
> >>>>>>>> problems as the time passes.
> >>>>>>>>
> >>>>>>>> I think there is a **real** chance with the Connexion team
> >>>>>>>> working on 2.15.0 - https://pypi.org/project/connexion/2.15.0rc1/
> >>>>>>>> that we can finally get rid of it - in both Airflow 2 and
> >>>>>>>> Airflow 3. But we have one problem -> Connexion 2.15.0rc1 seems
> >>>>>>>> to require Flask 3 where we cannot upgrade to Flask 3 because of
> >>>>>>>> the FAB <3 limit. I started a discussion about it here:
> >>>>>>>> https://github.com/spec-first/connexion/pull/1992#issuecomment-2976706491
> >>>>>>>> and explained that it would be great if Connexion 2.15.0 still
> >>>>>>>> supported Flask 2.
> >>>>>>>>
> >>>>>>>> And it would be great if more people could support it and explain
> >>>>>>>> that this would be a major win for the Airflow community if they
> >>>>>>>> could relax this. I do not think this is a big problem for them -
> >>>>>>>> the explanation we had from them is "hey Flask 2 is really old" -
> >>>>>>>> but there is no "real" reason.
> >>>>>>>> On the other hand migrating FAB to Flask 3 would likely be a very
> >>>>>>>> complex and risky thing (and Daniel already struggles with just
> >>>>>>>> SQLAlchemy upgrade and FAB 5 so it would be too much to put the
> >>>>>>>> pressure on him).
> >>>>>>>>
> >>>>>>>> Can you please help and upvote/comment on
> >>>>>>>> https://github.com/spec-first/connexion/pull/1992#issuecomment-2976706491
> >>>>>>>> I would (and the whole community) really, really appreciate it.
> >>>>>>>>
> >>>>>>>> J.
> >>>>>>>>
> >>>>>>>> On Fri, Jun 13, 2025 at 11:16 AM Jarek Potiuk <[email protected]> wrote:
> >>>>>>>>> Hello everyone,
> >>>>>>>>>
> >>>>>>>>> As you might know, Airflow 2 has a long-time issue with not
> >>>>>>>>> being able to upgrade Werkzeug dependency to a non-vulnerable
> >>>>>>>>> version and that raises a lot of alarms for users who run CVE
> >>>>>>>>> checks on Airflow.
> >>>>>>>>>
> >>>>>>>>> We've been waiting for a long time for that - but it looks like
> >>>>>>>>> there is a light in a tunnel. We have two options that we can
> >>>>>>>>> attempt:
> >>>>>>>>>
> >>>>>>>>> 1) Connexion 2.15.0.rc1
> >>>>>>>>> 2) Releasing a package that will patch Werkzeug 2.2.3 with
> >>>>>>>>> backported CVE fixes
> >>>>>>>>>
> >>>>>>>>> Recently Google team attempted to back-port and test fixes to
> >>>>>>>>> older version of Werkzeug and I helped to get through to the
> >>>>>>>>> maintainers -
> >>>>>>>>> https://github.com/pallets/werkzeug/discussions/3034 - however
> >>>>>>>>> they are not really willing to make that into regular release -
> >>>>>>>>> reasoning explained in the discussion.
> >>>>>>>>>
> >>>>>>>>> However, after many months of discussions and at least 3
> >>>>>>>>> attempts to bump dependencies for Connexion - we seem to have an
> >>>>>>>>> RC candidate (2.15.0rc1
> >>>>>>>>> https://pypi.org/project/connexion/2.15.0rc1/) that lifts the
> >>>>>>>>> limit for Werkzeug (released 4 days ago).
> >>>>>>>>>
> >>>>>>>>> There were some breaking changes in Werkzeug that made it so
> >>>>>>>>> long and difficult but I think we should be able to release a
> >>>>>>>>> 2.11.1 version of Airflow with it.
> >>>>>>>>>
> >>>>>>>>> I made first attempt to migrate - here:
> >>>>>>>>> https://github.com/apache/airflow/pull/51681 and while I was
> >>>>>>>>> able to work out non-conflicting dependencies and bump Werkzeug,
> >>>>>>>>> there are some things to be fixed with session handling and
> >>>>>>>>> there is still one outstanding problem - FAB requires Flask < 3
> >>>>>>>>> and currently Connexion 2.0.15rc1 requires flask >= 3 - which
> >>>>>>>>> FAB (even upcoming FAB 5) does not support. And likely migrating
> >>>>>>>>> to Flask 3 is **not** an option for us anyway.
> >>>>>>>>>
> >>>>>>>>> I started discussion here with those who worked on the Connexion
> >>>>>>>>> patch for Werkzeug to see if that is a "hard" limit..:
> >>>>>>>>> https://github.com/spec-first/connexion/pull/1992#issuecomment-2969565640
> >>>>>>>>>
> >>>>>>>>> Alternative option - patch package:
> >>>>>>>>>
> >>>>>>>>> We also have a "last-resort" approach that we are looking at
> >>>>>>>>> with the Google team. We might want to release a
> >>>>>>>>> "werkzeug-patch" package that will apply the CVE patches to
> >>>>>>>>> Werkzeug 2.2.3
> >>>>>>>>>
> >>>>>>>>> Option 1) is not clear yet if it is possible due to Flask 3 /
> >>>>>>>>> Flask 2 - and it would only work for 2.11.1 - we need to make
> >>>>>>>>> some fixes and change dependencies for Airflow to make it work.
> >>>>>>>>>
> >>>>>>>>> Option 2) Is hacky (I am talking to Werkzeug maintainers what do
> >>>>>>>>> they think about it as we would likely need to have at least a
> >>>>>>>>> comment in the CVE advisory that this package fixes it as well).
> >>>>>>>>> But it has the benefit that it will **just work** by installing
> >>>>>>>>> the patch on basically all past Airflow versions
> >>>>>>>>>
> >>>>>>>>> Just wanted to let everyone know it happens and ask if you have
> >>>>>>>>> any opinions on those.
> >>>>>>>>>
> >>>>>>>>> J.
> >>>>>>>>>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [email protected]
> >> For additional commands, e-mail: [email protected]
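
An added illustration of the scrypt issue described in the quoted 18 Jun message (not code from this thread, Airflow, FAB or Werkzeug): it finds stored password hashes that a stack without scrypt support cannot verify. It assumes hashes are stored as `method$salt$hexdigest` and models the old stack as one that verifies only pbkdf2; all function names and the sample rows are hypothetical.

```python
import hashlib
import hmac

# Assumption for this example: the "old" stack verifies only pbkdf2 hashes,
# while the "new" stack also understands scrypt.
OLD_STACK = ("pbkdf2",)
NEW_STACK = ("pbkdf2", "scrypt")


def digest(method: str, salt: str, password: str) -> str:
    """Hex digest for a 'name:arg:arg' method string."""
    name, *args = method.split(":")
    pw, s = password.encode(), salt.encode()
    if name == "scrypt":
        n, r, p = map(int, args)
        return hashlib.scrypt(pw, salt=s, n=n, r=r, p=p,
                              maxmem=132 * n * r * p).hex()
    if name == "pbkdf2":
        return hashlib.pbkdf2_hmac(args[0], pw, s, int(args[1])).hex()
    raise ValueError(f"unsupported method: {name}")


def make_hash(password: str, salt: str, method: str) -> str:
    """Build a stored value of the form method$salt$hexdigest."""
    return f"{method}${salt}${digest(method, salt, password)}"


def verify(stored: str, password: str, supported=NEW_STACK) -> bool:
    """Check a password; hashes with a method outside `supported` fail."""
    if stored.count("$") < 2:
        return False
    method, salt, expected = stored.split("$", 2)
    if method.split(":")[0] not in supported:
        return False  # modelled here as a failed login on the old stack
    return hmac.compare_digest(digest(method, salt, password), expected)


def unverifiable(rows, supported=OLD_STACK):
    """Usernames whose stored hash method the given stack cannot verify."""
    return [user for user, stored in rows
            if stored.split("$", 1)[0].split(":")[0] not in supported]


# Constructed sample rows (not real credentials); the small cost
# parameters keep the example fast and are not production settings.
ROWS = [
    ("alice", make_hash("correct horse", "saltA", "pbkdf2:sha256:1000")),
    ("bob", make_hash("battery staple", "saltB", "scrypt:1024:8:1")),
]
```

Run against a user table before a downgrade or a mixed-version deployment, the `unverifiable` list is the set of accounts that would need a password reset or a re-hash.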
