potiuk commented on issue #29428:
URL: https://github.com/apache/airflow/issues/29428#issuecomment-1422827072

   We do not blindly trust security scans - following the ASF security team recommendation. There are far too many false positives to accept a report which says 'those are all CVEs that our scanner found'. By default we simply drop such reports.
   
   Generally, if you think there is an exploitable scenario for a CVE, you should report the issue responsibly (see our security policy - via email and in private, rather than a public issue, with a reproducible scenario).
   
   But we treat security seriously. Generally, Airflow almost never releases old versions with security fixes implemented - we release any fixes in the latest minor branch (so the next wave of security fixes might be in 2.5.2 or 2.6.0, whichever comes first). And with a few exceptions where our dependencies are fixed or upper-bound, our build / CI mechanism automatically upgrades dependencies to the latest released compatible version - which handles a lot of vulnerabilities automatically.
   
   But setuptools is different - I believe we fix setuptools in pyproject.toml to avoid surprises, so it is likely worth upgrading it. Then it will be used with the next release.
   
   Feel free to open a PR and update it to the version that is good. Our CI will automatically run the complete test harness if you open such a PR, so if it is green - I am happy to approve it and add it to the next release.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.