I WOULD LIKE TO TAP INTO POWER OF OUR COMMUNITY... PLEASE HELP.

We again had another issue with FAB where the root cause was our old
Werkzeug version (that we cannot upgrade until now) - old Werkzeug does
not support the `scrypt` hashing algorithm and the latest FAB version defaulted
password hashing to scrypt - we have a workaround but we will have to make
a more complete fix with the FAB provider. And I am sure Airflow 2 users will
have more and more problems as time passes.

I think there is a **real** chance with the Connexion team working on
2.15.0 - https://pypi.org/project/connexion/2.15.0rc1/ - that we can finally
get rid of it - in both Airflow 2 and Airflow 3. But we have one problem ->
Connexion 2.15.0rc1 seems to require Flask 3, and we cannot upgrade to
Flask 3 because of the FAB <3 limit. I started a discussion about it here:
https://github.com/spec-first/connexion/pull/1992#issuecomment-2976706491
and explained that it would be great if Connexion 2.15.0 still supported
Flask 2.

And it would be great if more people could support it and explain that this
would be a major win for the Airflow community if they could relax this.

I do not think this is a big problem for them - the explanation we had from
them is "hey Flask 2 is really old" - but there is no "real" reason.
On the other hand, migrating FAB to Flask 3 would likely be a very complex and
risky thing (and Daniel already struggles with just the SQLAlchemy upgrade and
FAB 5, so it would be too much to put the pressure on him).

Can you please help and upvote/comment on
https://github.com/spec-first/connexion/pull/1992#issuecomment-2976706491

I would (and the whole community) really, really appreciate it.

J.

On Fri, Jun 13, 2025 at 11:16 AM Jarek Potiuk <ja...@potiuk.com> wrote:

> Hello everyone,
>
> As you might know, Airflow 2 has a long-time issue with not being able to
> upgrade Werkzeug dependency to a non-vulnerable version and that raises a
> lot of alarms for users who run CVE checks on Airflow.
>
> We've been waiting for a long time for that - but it looks like there is a
> light in a tunnel. We have two options that we can attempt:
>
> 1) Connexion 2.15.0rc1
> 2) Releasing a package that will patch Werkzeug 2.2.3 with backported CVE
> fixes
>
> Recently the Google team attempted to back-port and test fixes to an older
> version of Werkzeug and I helped to get through to the maintainers -
> https://github.com/pallets/werkzeug/discussions/3034 - however they are
> not really willing to make that into a regular release - reasoning explained
> in the discussion.
>
> However, after many months of discussions and at least 3 attempts to bump
> dependencies for Connexion - we seem to have an RC candidate (2.15.0rc1
> https://pypi.org/project/connexion/2.15.0rc1/) that lifts the limit for
> Werkzeug (released 4 days ago).
>
> There were some breaking changes in Werkzeug that made it so long and
> difficult, but I think we should be able to release a 2.11.1 version of
> Airflow with it.
>
> I made a first attempt to migrate - here:
> https://github.com/apache/airflow/pull/51681 and while I was able to work
> out non-conflicting dependencies and bump Werkzeug, there are some things
> to be fixed with session handling and there is still one outstanding
> problem - FAB requires Flask < 3 and currently Connexion 2.15.0rc1 requires
> flask >= 3 - which FAB (even the upcoming FAB 5) does not support. And likely
> migrating to Flask 3 is **not** an option for us anyway.
>
> I started a discussion here with those who worked on the Connexion patch for
> Werkzeug to see if that is a "hard" limit:
> https://github.com/spec-first/connexion/pull/1992#issuecomment-2969565640
>
> Alternative option - patch package:
>
> We also have a "last-resort" approach that we are looking at with the
> Google team. We might want to release a "werkzeug-patch" package that will
> apply the CVE patches to Werkzeug 2.2.3.
>
> Option 1) - it is not clear yet if it is possible due to Flask 3 / Flask 2 -
> and it would only work for 2.11.1 - we need to make some fixes and change
> dependencies for Airflow to make it work.
>
> Option 2) is hacky (I am asking the Werkzeug maintainers what they
> think about it, as we would likely need to have at least a comment in the
> CVE advisory that this package fixes it as well). But it has the benefit
> that it will **just work** by installing the patch on basically all past
> Airflow versions.
>
> Just wanted to let everyone know it happens and ask if you have any
> opinions on those.
>
> J.
>