potiuk commented on issue #25645:
URL: https://github.com/apache/airflow/issues/25645#issuecomment-1210951079

This is something that should be directed at Flower, not Airflow. Flower is an optional add-on and you can run Airflow easily without Flower. We even disabled Flower by default.

And you are quite wrong. The constraints are not "locking" Flower, nor any other dependencies. Constraints (read the description of constraints in our docs and in `pip`'s) are just constraining you when you are running the installation, but they are not limiting you from upgrading dependencies to any version you want that is not limited by Airflow REQUIREMENTS (requirements != constraints). The constraints are "fixed" at the moment we release a particular version, and they are a set of "known to be working" versions at the moment of release. No more, no less.

So if your company's scan detects that the Flower you have is vulnerable, you are absolutely free to upgrade to a newer version of it. In fact, if you are not doing it on your own, you are pretty much jeopardising your installation. Delegating that task to constraints, which serve a completely different purpose, is not a good idea.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

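The distinction the comment draws between a project's requirement on a package and a constraints file passed with `--constraint` can be modelled in a few lines. The following is an added example, not code from Airflow or from the commenter: it implements a deliberately small subset of PEP 440 (plain dotted release numbers and the operators `==`, `!=`, `<`, `<=`, `>`, `>=`), and the constraints file content and the `PROJECT_REQUIREMENTS` list are constructed for illustration, not copied from any real Airflow release or extra.

```python
# Added example (not Airflow project code): a small model of how pip treats a
# project's REQUIREMENT on a package versus a CONSTRAINT passed with
# --constraint. Version handling is a deliberate subset of PEP 440.
from __future__ import annotations

import operator
import re

# Constructed sample resembling a released constraints file. The pins are
# illustrative only, not taken from any real Airflow release.
CONSTRAINTS_TXT = """\
# constraints-X.Y.txt (constructed sample)
celery==5.2.7
flower==1.0.0
redis==3.5.3
"""

# Hypothetical requirements of an optional extra (assumption, not Airflow's
# actual setup metadata).
PROJECT_REQUIREMENTS = ["flower>=1.0.0", "celery>=5.2.3,<6"]

SPEC_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$")
CLAUSE_RE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.2' into (1, 2, 0) so that 1.2 compares equal to 1.2.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_requirement(line: str) -> tuple[str, list[tuple[str, str]]]:
    """'celery>=5.2.3,<6' -> ('celery', [('>=', '5.2.3'), ('<', '6')])."""
    m = SPEC_RE.match(line)
    if not m:
        raise ValueError(f"cannot parse requirement: {line!r}")
    name, spec = m.group(1).lower(), m.group(2).strip()
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        cm = CLAUSE_RE.match(clause)
        if not cm:
            raise ValueError(f"unsupported clause {clause!r} in {line!r}")
        clauses.append((cm.group(1), cm.group(2)))
    return name, clauses


def satisfies(version: str, clauses: list[tuple[str, str]]) -> bool:
    """True when `version` meets every clause of a specifier."""
    v = parse_version(version)
    return all(OPS[op](v, parse_version(bound)) for op, bound in clauses)


def parse_constraints(text: str) -> dict[str, list[tuple[str, str]]]:
    """Parse a constraints file: one specifier per line, '#' comments allowed."""
    pins: dict[str, list[tuple[str, str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, clauses = parse_requirement(line)
            pins[name] = clauses
    return pins


def installable(name: str, candidate: str, *,
                requirements: list[str] = PROJECT_REQUIREMENTS,
                constraints_text: str | None = None) -> bool:
    """Would pip accept `name==candidate` in this invocation?

    The project's requirement always applies. A constraint applies only when a
    constraints file is passed to *this* pip run; a later
    `pip install --upgrade name` without --constraint never sees it.
    """
    name = name.lower()
    for req in requirements:
        req_name, clauses = parse_requirement(req)
        if req_name == name and not satisfies(candidate, clauses):
            return False
    if constraints_text is not None:
        pin = parse_constraints(constraints_text).get(name)
        if pin is not None and not satisfies(candidate, pin):
            return False
    return True


def check_installed(installed: dict[str, str],
                    requirements: list[str] = PROJECT_REQUIREMENTS) -> list[str]:
    """Like `pip check`: report installed versions that violate a requirement."""
    problems = []
    for req in requirements:
        name, clauses = parse_requirement(req)
        version = installed.get(name)
        if version is not None and not satisfies(version, clauses):
            problems.append(f"{name} {version} does not satisfy {req}")
    return problems


if __name__ == "__main__":
    # Initial install with the release constraints: flower is pinned to 1.0.0.
    print(installable("flower", "1.2.0", constraints_text=CONSTRAINTS_TXT))
    # Later `pip install --upgrade flower` with no --constraint: only the
    # project requirement limits the version.
    print(installable("flower", "1.2.0"))
    print(installable("flower", "0.9.7"))
    # After upgrading, verify nothing violates the requirements (as pip check does).
    print(check_installed({"flower": "1.2.0", "celery": "5.2.7"}))
```

The point to take from running it: the same candidate version is refused when the constraints file is part of the invocation and accepted when it is not, while a version below the project requirement is refused in both cases. That is the behaviour the comment describes, so a scanner finding against a pinned dependency is addressed by upgrading that package in its own `pip install --upgrade` step and then confirming the result with `pip check`, not by waiting for a new constraints file.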