potiuk commented on issue #25645: URL: https://github.com/apache/airflow/issues/25645#issuecomment-1210951079
This is something that should be directed at flower, not Airflow. Flower is an optional add-on and you can run Airflow easily without flower. We even disabled Flower by default.

And you are quite wrong. The constraints are not "locking" flower, nor any other dependencies. Constraints (read the description of constraints in our docs and `pip`) are just constraining you when you are running the installation - but they are not limiting you from upgrading dependencies to any version you want that is not limited by Airflow REQUIREMENTS (requirements != constraints). The constraints are "fixed" at the moment we release a particular version and they are a set of "known to be working" versions at the moment of release. No more, no less.

So if your company scan detects that the flower that you have is vulnerable, you are absolutely free to upgrade to a newer version of it - in fact if you are not doing it on your own, you are pretty much jeopardising your installation. Delegating that task to constraints, which are serving a completely different purpose, is not a good idea.
