potiuk opened a new pull request, #401: URL: https://github.com/apache/airflow-steward/pull/401
## Summary

Per Arnout Engelen's 2026-05-29 review on CVE-2026-33264 — *"If you haven't checked if versions before 2.10.5 are affected, the conservative choice is to mark them affected. That's what you should do unless that version line is EOL."*

Adds the rule in two places:

1. **New Step 1d signal row** — fires when the Affected versions field carries a lower-bounded range (`>= X.Y.Z, < A.B.C`) AND the rollup / body / linked PR text does not contain explicit evidence that earlier versions were verified non-vulnerable (`introduced in <version>`, `regression from <version>`, `<X-line> is EOL`). Proposes widening to `< A.B.C`.
2. **New seventh pre-push hygiene gate** in Step 5b 1b — refuses any push whose JSON carries a lower-bounded `affected[].versions[]` entry without that evidence.

### Why

Operators tend to default-narrow the affected range to match the fix PR's target branch (which is wrong: the fix PR's target branch is the *fix-shipping* version, not the *vulnerability-introduction* version). This under-reports affected versions in the published advisory.

### When the lower bound stays

The proposal includes both shapes so the operator can override by replying with introducing-version evidence (next sync pass picks it up from the rollup) instead of just accepting the widening. Concrete keep-cases:

- The rollup / body / commit history names the introducing PR or commit (`introduced in X.Y.Z by [apache/upstream#NNNN](...)`)
- The lower-bound version is at or below a documented EOL boundary per `<project-config>/release-trains.md`

## Test plan

- [x] SKILL.md updated in both Step 1d (proposal-time signal) and Step 5b 1b (pre-push gate)
- [ ] Next sync pass on any tracker with a narrow lower-bounded range surfaces the widening proposal correctly

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service.
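An added example, not airflow-steward's own code (its SKILL.md rules are natural-language instructions for an agent), that reimplements the two checks the PR describes in Python: the Step 1d widening signal and the Step 5b 1b pre-push gate. The `>= X.Y.Z, < A.B.C` range syntax, the `affected[].versions[]` shape and the three evidence phrases come from the PR text; the regexes, function names and the sample advisory are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Added illustration of the rule in PR #401; not airflow-steward's SKILL.md logic.
# Assumed: ranges are written ">= X.Y.Z, < A.B.C" and an advisory carries
# affected[].versions[] as a list of such strings. Regexes and names are assumptions.
RANGE_RE = re.compile(r"^\s*>=\s*(?P<lo>\d+(?:\.\d+)*)\s*,\s*<\s*(?P<hi>\d+(?:\.\d+)*)\s*$")

# The three evidence shapes named in the PR: introducing version, regression origin, EOL line.
EVIDENCE_PATTERNS = [
    re.compile(r"\bintroduced in\s+v?\d+(?:\.\d+)*", re.IGNORECASE),
    re.compile(r"\bregression from\s+v?\d+(?:\.\d+)*", re.IGNORECASE),
    re.compile(r"\b\d+(?:\.\d+)*(?:\.x)?(?:\s+line)?\s+is\s+EOL\b", re.IGNORECASE),
]


def parse_lower_bounded(spec: str) -> Optional[Tuple[str, str]]:
    """Return (lower, upper) for a lower-bounded range, None for any other shape."""
    m = RANGE_RE.match(spec)
    return (m["lo"], m["hi"]) if m else None


def find_evidence(text: str) -> Optional[str]:
    """Return the first phrase that justifies a lower bound, or None if there is none."""
    for pattern in EVIDENCE_PATTERNS:
        m = pattern.search(text)
        if m:
            return m.group(0)
    return None


def widening_proposals(advisory: dict, evidence_text: str) -> List[dict]:
    """Step 1d signal: one proposal per lower-bounded range that the rollup/body/PR
    text does not justify. The proposal keeps the upper bound and drops the lower."""
    proposals = []
    for product in advisory.get("affected", []):
        for spec in product.get("versions", []):
            bounds = parse_lower_bounded(spec)
            if bounds is None:
                continue  # not lower-bounded: already the conservative shape
            if find_evidence(evidence_text) is None:
                proposals.append({"current": spec, "proposed": f"< {bounds[1]}"})
    return proposals


def push_allowed(advisory: dict, evidence_text: str) -> bool:
    """Step 5b 1b gate: refuse the push while any unjustified lower bound remains."""
    return not widening_proposals(advisory, evidence_text)


# Constructed sample advisory; product name and versions are made up for the example.
SAMPLE = {"affected": [{"product": "example-project", "versions": [">= 2.10.5, < 3.0.2"]}]}
```

Against `SAMPLE`, a rollup that only names the fix PR yields a proposal widening to `< 3.0.2` and blocks the push, while any of the three evidence phrases lets it through.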
