Thank you Kamil - that's very thoughtful and nice to see your message back on the devlist :D
On Wed, Jun 18, 2025 at 7:38 PM Kamil Breguła <dzaku...@gmail.com> wrote:

> I proposed to split the new connexion release into two versions. First, release one that supports the new Werkzeug release, and then release a new Connexion release that supports Flask 3 only. This is not ideal, because Airflow 2 will still be on an unsupported version of Connexion, but we will have at least one release that has the new Werkzeug version and has a fix for the CVE bug. This might be easier to do, as I understand that connexion might not want to support Flask 2 if there is no specific end date for when other dependencies will support Flask 3, but it may still turn out to be enough for us.
>
> On Wed, 18 Jun 2025 at 08:54 Jarek Potiuk <ja...@potiuk.com> wrote:
>
> > I WOULD LIKE TO TAP INTO THE POWER OF OUR COMMUNITY... PLEASE HELP.
> >
> > We again had another issue with FAB where the root cause was our old Werkzeug version (that we cannot upgrade until now) - old Werkzeug does not support the `scrypt` hashing algorithm and the latest FAB version defaulted password hashing to scrypt - we have a workaround but we will have to make a more complete fix with the FAB provider. And I am sure Airflow 2 users will have more and more problems as time passes.
> >
> > I think there is a **real** chance with the Connexion team working on 2.15.0 - https://pypi.org/project/connexion/2.15.0rc1/ - that we can finally get rid of it - in both Airflow 2 and Airflow 3. But we have one problem -> Connexion 2.15.0rc1 seems to require Flask 3, where we cannot upgrade to Flask 3 because of the FAB <3 limit. I started a discussion about it here: https://github.com/spec-first/connexion/pull/1992#issuecomment-2976706491 and explained that it would be great if Connexion 2.15.0 still supported Flask 2.
> >
> > And it would be great if more people could support it and explain that this would be a major win for the Airflow community if they could relax this.
> >
> > I do not think this is a big problem for them - the explanation we had from them is "hey Flask 2 is really old" - but there is no "real" reason. On the other hand, migrating FAB to Flask 3 would likely be a very complex and risky thing (and Daniel already struggles with just the SQLAlchemy upgrade and FAB 5, so it would be too much to put the pressure on him).
> >
> > Can you please help and upvote/comment on
> > https://github.com/spec-first/connexion/pull/1992#issuecomment-2976706491
> >
> > I would (and the whole community) really, really appreciate it.
> >
> > J.
> >
> > On Fri, Jun 13, 2025 at 11:16 AM Jarek Potiuk <ja...@potiuk.com> wrote:
> >
> > > Hello everyone,
> > >
> > > As you might know, Airflow 2 has a long-time issue with not being able to upgrade the Werkzeug dependency to a non-vulnerable version, and that raises a lot of alarms for users who run CVE checks on Airflow.
> > >
> > > We've been waiting for a long time for that - but it looks like there is a light in the tunnel. We have two options that we can attempt:
> > >
> > > 1) Connexion 2.15.0.rc1
> > > 2) Releasing a package that will patch Werkzeug 2.2.3 with backported CVE fixes
> > >
> > > Recently the Google team attempted to back-port and test fixes to an older version of Werkzeug and I helped to get through to the maintainers - https://github.com/pallets/werkzeug/discussions/3034 - however they are not really willing to make that into a regular release - reasoning explained in the discussion.
> > >
> > > However, after many months of discussions and at least 3 attempts to bump dependencies for Connexion - we seem to have an RC candidate (2.15.0rc1 https://pypi.org/project/connexion/2.15.0rc1/) that lifts the limit for Werkzeug (released 4 days ago).
> > >
> > > There were some breaking changes in Werkzeug that made it so long and difficult, but I think we should be able to release a 2.11.1 version of Airflow with it.
> > >
> > > I made a first attempt to migrate - here: https://github.com/apache/airflow/pull/51681 - and while I was able to work out non-conflicting dependencies and bump Werkzeug, there are some things to be fixed with session handling and there is still one outstanding problem - FAB requires Flask < 3 and currently Connexion 2.0.15rc1 requires flask >= 3 - which FAB (even the upcoming FAB 5) does not support. And likely migrating to Flask 3 is **not** an option for us anyway.
> > >
> > > I started a discussion here with those who worked on the Connexion patch for Werkzeug to see if that is a "hard" limit:
> > >
> > > https://github.com/spec-first/connexion/pull/1992#issuecomment-2969565640
> > >
> > > Alternative option - patch package:
> > >
> > > We also have a "last-resort" approach that we are looking at with the Google team. We might want to release a "werkzeug-patch" package that will apply the CVE patches to Werkzeug 2.2.3.
> > >
> > > Option 1) It is not clear yet if it is possible due to Flask 3 / Flask 2 - and it would only work for 2.11.1 - we need to make some fixes and change dependencies for Airflow to make it work.
> > >
> > > Option 2) Is hacky (I am talking to the Werkzeug maintainers about what they think about it, as we would likely need to have at least a comment in the CVE advisory that this package fixes it as well). But it has the benefit that it will **just work** by installing the patch on basically all past Airflow versions.
> > >
> > > Just wanted to let everyone know it is happening and ask if you have any opinions on those.
> > >
> > > J.