While I am working on updating Connexion to 2.15.0 in Airflow 2 + FAB 1.5,
I have another thing: we still use Connexion in the FAB 2 provider (for
Airflow 3) to handle the (very few) API endpoints of FAB. Ideally we should
get rid of Connexion completely - this will make some of our dependencies
"free" to upgrade as well.

We discussed it with Vincent and Pierre, and I would love it if someone
involved in FastAPI development who has some experience in this part could
take it on and help.

That would be a really invaluable help. I created an issue for that
https://github.com/apache/airflow/issues/56730 - and we have a #fab-upgrade
slack channel to discuss details. If one of the community members could
help with that - please let us know and we will be happy to collaborate as
well.

J.


On Sun, Jun 22, 2025 at 8:55 AM Jarek Potiuk <[email protected]> wrote:

> Good news. As a result of our request, Connexion 2.15.0rc2 was released
> on PyPI this morning with Flask>3. I am now running tests with it
> https://github.com/apache/airflow/pull/51681 and we **finally** have
> non-conflicting dependencies in Airflow 2.11 with it.
>
> It still fails - i.e. we will have to fix things with session handling (we
> knew we would have to do it because of the flask-session upgrade) but this
> is something we are now unblocked on :).
>
> Hopefully soon we will get rid of the Werkzeug drama.
>
> root@a20ed58d4f59:/opt/airflow# pip freeze | grep lask
> Flask==2.3.3
> Flask-AppBuilder==4.5.2
> Flask-Babel==2.0.0
> Flask-Bcrypt==1.0.1
> Flask-Caching==2.3.1
> Flask-JWT-Extended==4.7.1
> Flask-Limiter==3.11.0
> Flask-Login==0.6.3
> Flask-Session==0.8.0
> Flask-SQLAlchemy==2.5.1
> Flask-WTF==1.2.2
> root@a20ed58d4f59:/opt/airflow# pip freeze | grep erkzeug
> *Werkzeug==3.1.3*
> root@a20ed58d4f59:/opt/airflow#
>
> J.
>
>
>
>
> On Thu, Jun 19, 2025 at 7:44 AM Jarek Potiuk <[email protected]> wrote:
>
>> Dear Airflow community,
>>
>> Thank you. You are amazing. With all the upvotes and comments we had the
>> contributor of Connexion working on bringing Flask 2.3.3+ back to the
>> upcoming Connexion release
>> https://github.com/spec-first/connexion/pull/2058/
>>
>> Particularly Kamil - thanks for the thoughtful comments and the
>> diligent check on what Flask version we need. We are currently at 2.2 in
>> Airflow 2.11 but I checked that if Connexion sets their limit to >=2.3.3,
>> we should be able to update to that version in 2.11 (and it's good in
>> general, as 2.3+ is now the only recommended branch still being
>> "supported" for Flask 2 for security issues, it seems). So we get the
>> additional benefit there that we will be less likely to hit similar
>> issues until Airflow 2 EOL.
>>
>> J.
>>
>>
>> On Wed, Jun 18, 2025 at 8:07 PM Jarek Potiuk <[email protected]> wrote:
>>
>>> Thank you Kamil - that's very thoughtful and nice to see your message
>>> back on the devlist :D
>>>
>>> On Wed, Jun 18, 2025 at 7:38 PM Kamil Breguła <[email protected]>
>>> wrote:
>>>
>>>> I proposed to split the new Connexion release into two versions: first
>>>> release one release that supports the new Werkzeug release, and then
>>>> release a new Connexion release that supports Flask 3 only. This is not
>>>> ideal, because Airflow 2 will still be on an unsupported version of
>>>> Connexion, but we will have at least one release that has the new
>>>> Werkzeug version and has a fix for the CVE bug. This might be easier to
>>>> do, as I understand that Connexion might not want to support Flask 2 if
>>>> there is no specific end date for when other dependencies will support
>>>> Flask 3, but it may still turn out to be enough for us.
>>>>
>>>> On Wed, 18 Jun 2025 at 08:54 Jarek Potiuk <[email protected]> wrote:
>>>>
>>>> > I WOULD LIKE TO TAP INTO THE POWER OF OUR COMMUNITY... PLEASE HELP.
>>>> >
>>>> > We again had another issue with FAB where the root cause was our old
>>>> > Werkzeug version (that we could not upgrade until now) - old Werkzeug
>>>> > does not support the `scrypt` hashing algorithm and the latest FAB
>>>> > version defaulted password hashing to scrypt - we have a workaround but
>>>> > we will have to make a more complete fix with the FAB provider. And I
>>>> > am sure Airflow 2 users will have more and more problems as time passes.
>>>> >
>>>> > I think there is a **real** chance with the Connexion team working on
>>>> > 2.15.0 - https://pypi.org/project/connexion/2.15.0rc1/ - that we can
>>>> > finally get rid of it - in both Airflow 2 and Airflow 3. But we have one
>>>> > problem -> Connexion 2.15.0rc1 seems to require Flask 3, where we cannot
>>>> > upgrade to Flask 3 because of the FAB <3 limit. I started a discussion
>>>> > about it here:
>>>> > https://github.com/spec-first/connexion/pull/1992#issuecomment-2976706491
>>>> > and explained that it would be great if Connexion 2.15.0 still
>>>> > supported Flask 2.
>>>> >
>>>> > And it would be great if more people could support it and explain that
>>>> > this would be a major win for the Airflow community if they could relax
>>>> > this.
>>>> >
>>>> > I do not think this is a big problem for them - the explanation we had
>>>> > from them is "hey, Flask 2 is really old" - but there is no "real"
>>>> > reason. On the other hand, migrating FAB to Flask 3 would likely be a
>>>> > very complex and risky thing (and Daniel already struggles with just the
>>>> > SQLAlchemy upgrade and FAB 5, so it would be too much to put the
>>>> > pressure on him).
>>>> >
>>>> > Can you please help and upvote/comment on
>>>> > https://github.com/spec-first/connexion/pull/1992#issuecomment-2976706491
>>>> >
>>>> > I would (and the whole community) really, really appreciate it.
>>>> >
>>>> > J.
>>>> >
>>>> > On Fri, Jun 13, 2025 at 11:16 AM Jarek Potiuk <[email protected]> wrote:
>>>> >
>>>> > > Hello everyone,
>>>> > >
>>>> > > As you might know, Airflow 2 has a long-time issue with not being able
>>>> > > to upgrade the Werkzeug dependency to a non-vulnerable version, and
>>>> > > that raises a lot of alarms for users who run CVE checks on Airflow.
>>>> > >
>>>> > > We've been waiting for a long time for that - but it looks like there
>>>> > > is a light in the tunnel. We have two options that we can attempt:
>>>> > >
>>>> > > 1) Connexion 2.15.0rc1
>>>> > > 2) Releasing a package that will patch Werkzeug 2.2.3 with backported
>>>> > > CVE fixes
>>>> > >
>>>> > > Recently the Google team attempted to back-port and test fixes to an
>>>> > > older version of Werkzeug and I helped to get through to the
>>>> > > maintainers - https://github.com/pallets/werkzeug/discussions/3034 -
>>>> > > however they are not really willing to make that into a regular
>>>> > > release - reasoning explained in the discussion.
>>>> > >
>>>> > > However, after many months of discussions and at least 3 attempts to
>>>> > > bump dependencies for Connexion - we seem to have an RC candidate
>>>> > > (2.15.0rc1 https://pypi.org/project/connexion/2.15.0rc1/) that lifts
>>>> > > the limit for Werkzeug (released 4 days ago).
>>>> > >
>>>> > > There were some breaking changes in Werkzeug that made it so long and
>>>> > > difficult, but I think we should be able to release a 2.11.1 version
>>>> > > of Airflow with it.
>>>> > >
>>>> > > I made a first attempt to migrate - here:
>>>> > > https://github.com/apache/airflow/pull/51681 - and while I was able to
>>>> > > work out non-conflicting dependencies and bump Werkzeug, there are
>>>> > > some things to be fixed with session handling and there is still one
>>>> > > outstanding problem - FAB requires Flask < 3 and currently Connexion
>>>> > > 2.15.0rc1 requires Flask >= 3 - which FAB (even the upcoming FAB 5)
>>>> > > does not support. And likely migrating to Flask 3 is **not** an option
>>>> > > for us anyway.
>>>> > >
>>>> > > I started a discussion here with those who worked on the Connexion
>>>> > > patch for Werkzeug to see if that is a "hard" limit:
>>>> > > https://github.com/spec-first/connexion/pull/1992#issuecomment-2969565640
>>>> > >
>>>> > > Alternative option - patch package:
>>>> > >
>>>> > > We also have a "last-resort" approach that we are looking at with the
>>>> > > Google team. We might want to release a "werkzeug-patch" package that
>>>> > > will apply the CVE patches to Werkzeug 2.2.3.
>>>> > >
>>>> > > Option 1) It is not clear yet if it is possible due to Flask 3 / Flask
>>>> > > 2 - and it would only work for 2.11.1 - we need to make some fixes and
>>>> > > change dependencies for Airflow to make it work.
>>>> > >
>>>> > > Option 2) Is hacky (I am talking to the Werkzeug maintainers about
>>>> > > what they think of it, as we would likely need to have at least a
>>>> > > comment in the CVE advisory that this package fixes it as well). But
>>>> > > it has the benefit that it will **just work** by installing the patch
>>>> > > on basically all past Airflow versions.
>>>> > >
>>>> > > Just wanted to let everyone know it is happening and ask if you have
>>>> > > any opinions on those.
>>>> > >
>>>> > > J.
>>>> > >
>>>> >
>>>>
>>>
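The scrypt point in the quoted 18 June message (an old Werkzeug cannot verify the scrypt hashes that a newer FAB writes, so logins break) is easiest to see on the hash strings themselves. The block below is an added illustration for this thread; it is not code from the thread, from Werkzeug or from FAB. It reimplements, with the standard library only, a `method$salt$hexdigest` layout modelled on Werkzeug's, where the method field is assumed to be `scrypt:n:r:p` or `pbkdf2:<hash>:<iterations>` and the scrypt `maxmem` bound is assumed to be `132 * n * r * p`; those layout details are assumptions, not verified against Werkzeug here. The "old verifier" is stood in for by a narrowed `supported` tuple, which is a modelling choice and not a claim about how old Werkzeug fails internally.

```python
import hashlib
import hmac
import secrets
import string

# Assumed layout (modelled on Werkzeug, not imported from it):
#   "<method>$<salt>$<hexdigest>"
# with method "scrypt:<n>:<r>:<p>" or "pbkdf2:<hash_name>:<iterations>".


def _random_salt(length: int = 16) -> str:
    """Alphanumeric salt, as the assumed format stores it as text."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _digest(method: str, password: str, salt: str) -> tuple[str, str]:
    """Return (canonical_method, hexdigest); raise ValueError for unknown methods."""
    pw = password.encode("utf-8")
    salt_bytes = salt.encode("utf-8")
    parts = method.split(":")
    if parts[0] == "scrypt":
        if len(parts) == 4:
            n, r, p = (int(parts[1]), int(parts[2]), int(parts[3]))
        else:
            n, r, p = 2**15, 8, 1  # assumed defaults for the bare "scrypt" method
        maxmem = 132 * n * r * p  # assumed memory bound for these cost parameters
        h = hashlib.scrypt(pw, salt=salt_bytes, n=n, r=r, p=p, maxmem=maxmem).hex()
        return f"scrypt:{n}:{r}:{p}", h
    if parts[0] == "pbkdf2":
        hash_name = parts[1] if len(parts) > 1 else "sha256"
        iterations = int(parts[2]) if len(parts) > 2 else 600_000
        h = hashlib.pbkdf2_hmac(hash_name, pw, salt_bytes, iterations).hex()
        return f"pbkdf2:{hash_name}:{iterations}", h
    raise ValueError(f"unsupported hash method: {method}")


def generate_password_hash(password: str, method: str = "scrypt") -> str:
    """What a newer library defaulting to scrypt would store for a user."""
    salt = _random_salt()
    canonical, h = _digest(method, password, salt)
    return f"{canonical}${salt}${h}"


def check_password_hash(
    pwhash: str, password: str, supported: tuple[str, ...] = ("scrypt", "pbkdf2")
) -> bool:
    """Verify a stored hash.

    `supported` lists the method families this verifier knows. Passing
    ("pbkdf2",) stands in for an old library with no scrypt support: every
    scrypt hash then fails verification and the user cannot log in, which is
    the failure mode described in the thread.
    """
    try:
        method, salt, h = pwhash.split("$", 2)
    except ValueError:
        return False  # malformed record
    if method.split(":")[0] not in supported:
        return False  # verifier does not know this method; cannot check it
    try:
        _, expected = _digest(method, password, salt)
    except ValueError:
        return False
    return hmac.compare_digest(expected, h)


def legacy_check_password_hash(pwhash: str, password: str) -> bool:
    """The old-verifier view: only pbkdf2 is understood."""
    return check_password_hash(pwhash, password, supported=("pbkdf2",))


if __name__ == "__main__":
    stored = generate_password_hash("correct horse", "scrypt:1024:8:1")
    print(stored)
    print("new verifier:", check_password_hash(stored, "correct horse"))
    print("old verifier:", legacy_check_password_hash(stored, "correct horse"))
```

Running it shows a stored hash beginning `scrypt:1024:8:1$`, `True` from the verifier that knows scrypt and `False` from the legacy one for the very same password, which is why downgrading the verifier (or failing to upgrade Werkzeug) turns a hash-algorithm default change into an authentication outage rather than a security warning.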
