GitHub user potiuk edited a comment on the discussion: Vulnerable version of 
redoc package

I think if anyone who wants to share every single one of the 700+ Python and about 1000+ 
javascript dependencies of airflow would like to share it in discussions - 
then our discussions will be useless because we would have 10s of those a week. 
And vulnerability scanners are available for everyone - I am not sure what 
value there is in publicly stating a public CVE in a dependency which no-one knows if 
it affects airflow or not.

On the other hand, if your company would like to invest time and effort in 
analysing if such a vulnerability affects airflow and show a relevant scenario 
(and report it responsibly and privately), then yes, there is a huge value in 
it and we warmly welcome people who would like to give back for the free 
software they get from this community.

When we make Airflow releases - we regularly upgrade to the latest possible 
non-vulnerable (hopefully) versions of dependencies, usually when we release - 
so if you are worried about it, you should wait for the next release (and in 
Airflow 3 I think we have no redoc at all, so you might just wait for Airflow 
3). 

If however you checked and found out that the vulnerability in a 3rd-party 
dependency actually "affects" airflow and can be exploited and is dangerous, we 
would definitely appreciate privately reporting it. Just reporting "there is a 
vulnerability somewhere and we have no idea if it affects you" in the airflow repo 
makes very little sense, and adds noise and confusion.

I would really appreciate it if this is the default thinking here. "Hey, 
there is a vulnerability in this and that AND this is how you can exploit it" should be 
reported privately, rather than polluting our discussions with such posts.

GitHub link: 
https://github.com/apache/airflow/discussions/46896#discussioncomment-12263530
