GitHub user jskalasariya created a discussion: Concern about PLY dependency being quarantined due to vulnerabilities – blocking Airflow installation
We are currently facing an issue related to the PLY Python package, which is a dependency of Apache Airflow. Recently, several PyPI packages have been quarantined in our Nexus repository due to known security vulnerabilities. While most of these packages could be resolved by upgrading to a newer minor or patch version, PLY appears to be an exception.

Key points:

- PLY latest available version is 3.11, last released in 2018
- There is no newer version available with vulnerability fixes
- PLY is a required dependency for Airflow, including the latest Airflow versions

Because of this, we are currently unable to install Airflow in environments with strict security policies.

Wanted to ask the community:

- Is there any planned effort to replace or remove PLY as a dependency?
- Are there any recommended workarounds or officially supported approaches for handling this in security-restricted environments?
- Has this been discussed previously, or is there an existing proposal we can follow?

Any guidance or direction would be greatly appreciated. Thanks in advance!

GitHub link: https://github.com/apache/airflow/discussions/61714
