GitHub user potiuk edited a comment on the discussion: Multiple vulnerabilities 
in Airflow dependencies

Because it's up to you to take care of your deployment security when new versions 
of dependencies are released. The CVE and new release of the dependency happened 
yesterday. And yes, you should upgrade as soon as possible if you are worried; 
it's your responsibility to keep your deployment secure.

As explained here 
https://airflow.apache.org/docs/docker-stack/index.html#fixing-images-at-release-time 
- we are fixing our images using constraints at release time, and it's up to 
deployment managers to update new dependencies between releases. We even 
explain how to do it (follow the links there).

Also, you are completely mistaken about constraints. They are not pinning the 
dependencies. Constraints are exclusively done in order to allow reproducible 
installs (**reproducible**, not **latest security dependencies fixed**). Except 
in cases where airflow stops installing because an external dependency got some 
really weird problems, we are not updating constraints for released versions - 
and leave it up to the users to upgrade airflow dependencies with security 
fixes **without** using constraints. You can read more here: 
https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-pypi.html#why-we-need-constraints

Constraints are "constraints" and not "requirements" - precisely because they 
allow you to upgrade dependencies (after the initial installation, which is 
reproducible) with newly released dependencies, where it is possible. You 
should not expect constraints for a released version of Airflow to be updated 
ever; it happened maybe 3 times in the past when setuptools and other similar 
weird issues happened that prevented installing airflow with newer `pip` or 
newer `setuptools` installed. 

As you can see, our "main" version of constraints - which will be used when we 
release the next version of Airflow - has already bumped Flask-Caching to 2.3.1 
https://github.com/apache/airflow/commit/2a4362346132951dccacf96e2ef75b62a1174b44 
pretty much immediately after it was released (we have automation of those 
upgrades), so I don't think there should be any blocker for you to upgrade.

So summarizing: yes, good call about the CVE (it's cool that you are watching 
them and reacting so quickly), and yes, it's totally on you to upgrade and build 
your own process of updating the dependencies in a way that such upgrades are 
accounted for - and you have a good deal of material, docs, instructions and 
examples to do so.

You can also watch my talk from the Airflow Summit where I explain how 
constraints and incremental upgrades work and how you should approach this. Might 
be useful for you to build your process: 
https://www.youtube.com/watch?v=zPjIQjjjyHI

Also, Airflow Summit is coming in October to Seattle. Good way to learn more 
about Airflow. 

I hope that clarifies it.

GitHub link: 
https://github.com/apache/airflow/discussions/24055#discussioncomment-12302800
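The process the comment describes (install reproducibly with constraints, then upgrade security-fixed dependencies without constraints) can be turned into a small audit step in your own deployment pipeline. The following is an added example, not code from the Airflow project or from the commenter; the constraints file content and the minimum-version list are constructed for illustration (only the Flask-Caching 2.3.1 version comes from the discussion).

```python
"""Audit pinned versions in an Airflow constraints file against minimum safe versions.

Constraints pin exact versions for reproducible installs and are not refreshed for
released Airflow versions when a dependency ships a security fix, so a deployment
process has to detect stale pins itself and upgrade them WITHOUT --constraint.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, not a real Airflow constraints file.
SAMPLE_CONSTRAINTS = """\
# constraints-3.11.txt (constructed sample)
Flask-Caching==2.1.0
Flask==2.2.5
apache-airflow-providers-http==4.13.0
"""

# Minimum versions you consider safe, e.g. from advisories you track.
# 2.3.1 for Flask-Caching is the version named in the discussion; Flask's is constructed.
MIN_SAFE = {"flask-caching": "2.3.1", "flask": "2.2.5"}

_PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][^\s;#]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so Flask_Caching / flask-caching / Flask.Caching match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare only the leading dotted numeric part (pre/post-release tags are ignored)."""
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def parse_constraints(text: str) -> Dict[str, str]:
    """Return {normalised package name: pinned version} for every 'name==version' line."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def outdated_pins(constraints: str, min_safe: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, pinned, minimum) for each pin strictly below its minimum safe version."""
    pins = parse_constraints(constraints)
    return [(name, pins[normalize(name)], minimum) for name, minimum in min_safe.items()
            if normalize(name) in pins and parse_version(pins[normalize(name)]) < parse_version(minimum)]


def upgrade_command(outdated: List[Tuple[str, str, str]]) -> str:
    """pip command for the second step: deliberately has no --constraint flag."""
    specs = " ".join(f'"{name}>={minimum}"' for name, _, minimum in outdated)
    return f"pip install --upgrade {specs}" if specs else ""
```

Run `outdated_pins(SAMPLE_CONSTRAINTS, MIN_SAFE)` after the constrained `pip install` of your Airflow version, then execute the command from `upgrade_command` and finish with `pip check`.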
