Dear Airflow community,

Thank you. You are amazing. With all the upvotes and comments we had the
contributor of connexion working on bringing Flask 2.3.3+ back to the
upcoming Connexion release
https://github.com/spec-first/connexion/pull/2058/

Particularly Kamil - thanks for the thoughtful comments and the
diligent check on what Flask version we need. We are currently at 2.2 in
Airflow 2.11 but I checked that if Connexion sets their limit to >=2.3.3,
we should be able to update to that version in 2.11 (and it's good in general
as 2.3+ is now the only recommended branch still being "supported" for
Flask 2 for security issues it seems). So we get an additional benefit there
that we will be less likely to hit similar issues until Airflow 2 EOL.

J.


On Wed, Jun 18, 2025 at 8:07 PM Jarek Potiuk <ja...@potiuk.com> wrote:

> Thank you Kamil - that's very thoughtful and nice to see your message back
> on the devlist :D
>
> On Wed, Jun 18, 2025 at 7:38 PM Kamil Breguła <dzaku...@gmail.com> wrote:
>
>> I proposed to split the new connexion release into two versions. First
>> release one release that supports the new Werkzeug release, and then
>> release a new Connexion release that supports Flask 3 only. This is not
>> ideal, because Airflow 2 will still be on an unsupported version of
>> Connexion, but we will have at least one release that has the new Werkzeug
>> version and has a fix for the CVE bug. This might be easier to do, as I
>> understand that connexion might not want to support Flask 2 if there is no
>> specific end date for when other dependencies will support Flask 3, but it
>> may still turn out to be enough for us.
>>
>> śr., 18 cze 2025 o 08:54 Jarek Potiuk <ja...@potiuk.com> napisał(a):
>>
>> > I WOULD LIKE TO TAP INTO POWER OF OUR COMMUNITY... PLEASE HELP.
>> >
>> > We again had another issue with FAB where the root cause was our old
>> > Werkzeug version (that we cannot upgrade until now) - old Werkzeug does
>> > not support `scrypt` hashing algorithm and latest FAB version defaulted
>> > password hashing to scrypt - we have a workaround but we will have to
>> > make a more complete fix with FAB provider. And I am sure Airflow 2 users
>> > will have more and more problems as the time passes.
>> >
>> > I think there is a **real** chance with the Connexion team working on
>> > 2.15.0 - https://pypi.org/project/connexion/2.15.0rc1/ - that we can
>> > finally get rid of it - in both Airflow 2 and Airflow 3. But we have one
>> > problem -> Connexion 2.15.0rc1 seems to require Flask 3 where we cannot
>> > upgrade to Flask 3 because of the FAB <3 limit. I started a discussion
>> > about it here:
>> > https://github.com/spec-first/connexion/pull/1992#issuecomment-2976706491
>> > and explained that it would be great if Connexion 2.15.0 still supported
>> > Flask 2.
>> >
>> > And it would be great if more people could support it and explain that
>> > this would be a major win for the Airflow community if they could relax
>> > this.
>> >
>> > I do not think this is a big problem for them - the explanation we had
>> > from them is "hey Flask 2 is really old" - but there is no "real" reason.
>> > On the other hand migrating FAB to Flask 3 would likely be a very complex
>> > and risky thing (and Daniel already struggles with just the SQLAlchemy
>> > upgrade and FAB 5 so it would be too much to put the pressure on him).
>> >
>> > Can you please help and upvote/comment on
>> >
>> > https://github.com/spec-first/connexion/pull/1992#issuecomment-2976706491
>> >
>> > I would (and the whole community) really, really appreciate it.
>> >
>> > J.
>> >
>> >
>> > On Fri, Jun 13, 2025 at 11:16 AM Jarek Potiuk <ja...@potiuk.com> wrote:
>> >
>> > > Hello everyone,
>> > >
>> > > As you might know, Airflow 2 has a long-time issue with not being
>> > > able to upgrade the Werkzeug dependency to a non-vulnerable version and
>> > > that raises a lot of alarms for users who run CVE checks on Airflow.
>> > >
>> > > We've been waiting for a long time for that - but it looks like there
>> > > is a light in the tunnel. We have two options that we can attempt:
>> > >
>> > > 1) Connexion 2.15.0.rc1
>> > > 2) Releasing a package that will patch Werkzeug 2.2.3 with backported
>> > > CVE fixes
>> > >
>> > > Recently the Google team attempted to back-port and test fixes to an
>> > > older version of Werkzeug and I helped to get through to the
>> > > maintainers - https://github.com/pallets/werkzeug/discussions/3034 -
>> > > however they are not really willing to make that into a regular
>> > > release - reasoning explained in the discussion.
>> > >
>> > > However, after many months of discussions and at least 3 attempts to
>> > > bump dependencies for Connexion - we seem to have an RC candidate
>> > > (2.15.0rc1 https://pypi.org/project/connexion/2.15.0rc1/) that lifts
>> > > the limit for Werkzeug (released 4 days ago).
>> > >
>> > > There were some breaking changes in Werkzeug that made it so long and
>> > > difficult but I think we should be able to release a 2.11.1 version of
>> > > Airflow with it.
>> > >
>> > > I made a first attempt to migrate - here:
>> > > https://github.com/apache/airflow/pull/51681 and while I was able to
>> > > work out non-conflicting dependencies and bump Werkzeug, there are
>> > > some things to be fixed with session handling and there is still one
>> > > outstanding problem - FAB requires Flask < 3 and currently Connexion
>> > > 2.0.15rc1 requires flask >= 3 - which FAB (even upcoming FAB 5) does
>> > > not support. And likely migrating to Flask 3 is **not** an option for
>> > > us anyway.
>> > >
>> > > I started a discussion here with those who worked on the Connexion
>> > > patch for Werkzeug to see if that is a "hard" limit:
>> > >
>> > > https://github.com/spec-first/connexion/pull/1992#issuecomment-2969565640
>> > >
>> > > Alternative option - patch package:
>> > >
>> > > We also have a "last-resort" approach that we are looking at with the
>> > > Google team. We might want to release a "werkzeug-patch" package that
>> > > will apply the CVE patches to Werkzeug 2.2.3.
>> > >
>> > > Option 1) it is not clear yet if it is possible due to Flask 3 / Flask
>> > > 2 - and it would only work for 2.11.1 - we need to make some fixes and
>> > > change dependencies for Airflow to make it work.
>> > >
>> > > Option 2) is hacky (I am talking to the Werkzeug maintainers about what
>> > > they think about it, as we would likely need to have at least a comment
>> > > in the CVE advisory that this package fixes it as well). But it has the
>> > > benefit that it will **just work** by installing the patch on basically
>> > > all past Airflow versions.
>> > >
>> > > Just wanted to let everyone know it happens and ask if you have any
>> > > opinions on those.
>> > >
>> > > J.
>> > >
>> >
>>
>
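The scrypt incompatibility described in the quoted June 18 message (an old Werkzeug cannot verify password hashes that a newer FAB writes with its scrypt default) is easy to check for in a user table before an upgrade or downgrade. The script below is an added example, not code from Airflow, FAB or Werkzeug. It assumes the `method[:params]$salt$hexdigest` string layout that Werkzeug 2.3+ emits for `pbkdf2:sha256:<iterations>` and `scrypt:<n>:<r>:<p>` hashes, re-implements both with the standard library so that it runs without Werkzeug installed, and reports which constructed sample users carry a hash an old Werkzeug would reject. The sample rows, the helper names and the `LEGACY_SUPPORTED_METHODS` set are constructed for the example.

```python
import hashlib
import hmac
import secrets
import string

# Assumed hash string layout (what Werkzeug 2.3+ emits, to my knowledge):
#   "pbkdf2:sha256:<iterations>$<salt>$<hexdigest>"
#   "scrypt:<n>:<r>:<p>$<salt>$<hexdigest>"
# The salt is stored as text inside the string, so it is used as UTF-8 bytes.

SALT_ALPHABET = string.ascii_letters + string.digits

# Methods an old (pre-2.3) Werkzeug can verify; scrypt was added in 2.3 (assumption).
LEGACY_SUPPORTED_METHODS = {"pbkdf2"}


def gen_salt(length=16):
    """Random alphanumeric salt, kept as text because it lives inside the hash string."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def make_pbkdf2_hash(password, salt=None, iterations=600000):
    """Produce a pbkdf2:sha256 hash string (verifiable by old and new Werkzeug)."""
    salt = salt or gen_salt()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()
    return f"pbkdf2:sha256:{iterations}${salt}${digest}"


def make_scrypt_hash(password, salt=None, n=2**14, r=8, p=1):
    """Produce a scrypt hash string (the FAB default that old Werkzeug cannot verify)."""
    salt = salt or gen_salt()
    # OpenSSL's default memory limit is too small for n=32768, r=8, so pass an explicit budget.
    digest = hashlib.scrypt(password.encode(), salt=salt.encode(), n=n, r=r, p=p,
                            maxmem=132 * n * r * p).hex()
    return f"scrypt:{n}:{r}:{p}${salt}${digest}"


def parse_hash(pwhash):
    """Split "method[:params]$salt$digest" into (method, params, salt, digest)."""
    try:
        method_part, salt, digest = pwhash.split("$", 2)
    except ValueError:
        raise ValueError("not a method$salt$digest hash string") from None
    method, *params = method_part.split(":")
    return method, params, salt, digest


def verify(pwhash, password):
    """Constant-time check of a password against a pbkdf2 or scrypt hash string."""
    method, params, salt, digest = parse_hash(pwhash)
    if method == "pbkdf2":
        algo, iterations = params[0], int(params[1])
        computed = hashlib.pbkdf2_hmac(algo, password.encode(), salt.encode(), iterations).hex()
    elif method == "scrypt":
        n, r, p = (int(x) for x in params)
        computed = hashlib.scrypt(password.encode(), salt=salt.encode(), n=n, r=r, p=p,
                                  maxmem=132 * n * r * p).hex()
    else:
        raise ValueError(f"unsupported hash method: {method}")
    return hmac.compare_digest(computed, digest)


def users_needing_rehash(user_rows):
    """Return usernames whose stored hash uses a method an old Werkzeug cannot verify."""
    return [name for name, pwhash in user_rows
            if parse_hash(pwhash)[0] not in LEGACY_SUPPORTED_METHODS]


# Constructed sample user table: one scrypt-hashed user, one pbkdf2-hashed user.
SAMPLE_USERS = [
    ("alice", make_scrypt_hash("alice-pass", salt="constructedSalt1")),
    ("bob", make_pbkdf2_hash("bob-pass", salt="constructedSalt2", iterations=1000)),
]

if __name__ == "__main__":
    for name, pwhash in SAMPLE_USERS:
        print(name, pwhash.split("$")[0], "ok" if verify(pwhash, f"{name}-pass") else "FAIL")
    print("would fail under old Werkzeug:", users_needing_rehash(SAMPLE_USERS))
```

Run against a real user table, the report tells you which accounts will be locked out by a Werkzeug that predates scrypt support, which is the failure mode the thread's workaround addresses; those accounts can be rehashed with a method both versions understand on their next successful login.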
