hughlunnon commented on issue #28381: URL: https://github.com/apache/airflow/issues/28381#issuecomment-1373596682
@potiuk I don't personally have an issue with the risk inherent in the dependency - however in our environment (and it appears @JGoldman110 has the same issue) we are now blocked from using airflow in any form due to the automatic vulnerability scanners we have in place. I imagine this will also affect other consumers of the app. Swagger UI 2.2.10 was last touched (by swagger) 6 years ago - there's no need for it as newer versions (the other bundled version is 3.52.0, but 4.15.5 is also available) also support the OAS 2.0 spec.

> connexion is already using 3.52.0 as we are using openapi version [3.0.3](https://github.com/apache/airflow/blob/2.5.0/airflow/api_connexion/openapi/v1.yaml#L18), so I am unsure if this vulnerability is still executable if we are using swagger-ui 3.52.0, but the 2.2.10 version is present?

I think (from reading the connexion code) that 2.x is the default, and I can't find anywhere it's being over-written, but I may be wrong?

https://github.com/spec-first/connexion/blob/cdc8af157dd55cd40b9d60643416ba168ca12b86/connexion/options.py#L26
