Posted to commits@airflow.apache.org by "potiuk (via GitHub)" <gi...@apache.org> on 2023/02/08 15:44:02 UTC

[GitHub] [airflow] potiuk commented on issue #29428: Require newer version of pypi/setuptools to remove security scan issue (CVE-2022-40897)

potiuk commented on issue #29428:
URL: https://github.com/apache/airflow/issues/29428#issuecomment-1422827072

   We do not trust security scans blindly - following the ASF security team recommendation. There are far too many false positives to accept a report which says 'those are all CVEs that our scanner found'. By default we simply drop such reports.
   
   Generally, if you think there is an exploitable scenario for a CVE, you should report the issue responsibly (see our security policy - via email and in private, rather than a public issue, with a reproducible scenario).
   
   But we treat security seriously. Generally, Airflow almost never releases old versions with security fixes implemented - we release any fixes in the latest minor branch (so the next wave of security fixes might be in 2.5.2 or 2.6.0, whichever comes first). And with a few exceptions where our dependencies are fixed or upper-bound, our build / CI mechanism automatically upgrades dependencies to the latest released compatible version - which handles a lot of vulnerabilities automatically.
   
   But setuptools is different - I believe we fix setuptools in pyproject.toml to avoid surprises, so it is likely worth upgrading it. Then it will be used with the next release.
   
   Feel free to open a PR and update it to the version that is good. Our CI will automatically run the complete test harness if you open such a PR, so if it is green - I am happy to approve it and add it to the next release.
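The comment above turns on one concrete check: whether the build requirement for setuptools in pyproject.toml carries a lower bound that is at least the version a given advisory treats as fixed. The script below is an added example (not Airflow's own tooling, and not code from this thread) that performs that check offline. It assumes the PEP 517/518 layout (`[build-system] requires = [...]`), understands plain numeric versions with the operators `>=`, `>`, `==` and `~=`, and takes the minimum version as an input parameter; the two pyproject fragments and the version numbers in them are constructed samples, not a statement of which setuptools release fixes CVE-2022-40897.

```python
"""
Check whether a pyproject.toml lower-bounds a build requirement (here:
setuptools) to at least a given minimum version.

Added example, not Airflow's own tooling. Assumes the PEP 517/518 layout
([build-system] requires = [...]) and supports plain numeric versions with
the operators >=, >, ==, ~= (other clauses are ignored because they do not
establish a lower bound).
"""
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # fallback for older interpreters: regex below
    tomllib = None

# Constructed sample fragments; not copied from the Airflow repository. The
# version numbers are illustrative only. Take the minimum version you pass to
# check_build_requirement() from your own advisory source.
PYPROJECT_UNBOUNDED = """
[build-system]
requires = ["setuptools", "wheel"]
build-backend = "setuptools.build_meta"
"""

PYPROJECT_BOUNDED = """
[build-system]
requires = ["setuptools>=65.5.1,<66", "wheel"]
build-backend = "setuptools.build_meta"
"""

_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)"   # project name
    r"\s*(\[[^\]]*\])?"                    # optional extras
    r"\s*([^;]*?)"                         # version specifier
    r"\s*(;.*)?$"                          # optional environment marker
)
_CLAUSE_RE = re.compile(r"^(>=|<=|==|~=|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold, collapse runs of -, _ and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> tuple:
    """Plain numeric version -> comparable tuple, e.g. '65.5.1' -> (65, 5, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


def effective_lower_bound(spec: str):
    """Lowest version the specifier admits, or None if it has no lower bound.

    '>' is treated conservatively: '>X' only guarantees versions above X, so X
    itself is used as the bound and must already meet the minimum.
    """
    bounds = []
    for clause in (c.strip() for c in spec.split(",")):
        if not clause:
            continue
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, ver = m.groups()
        if op in (">=", ">", "==", "~="):
            bounds.append(parse_version(ver))
    return max(bounds) if bounds else None


def load_build_requires(pyproject_text: str) -> list:
    """Return the [build-system].requires list from pyproject.toml text."""
    if tomllib is not None:
        return tomllib.loads(pyproject_text).get("build-system", {}).get("requires", [])
    block = re.search(r"\[build-system\].*?requires\s*=\s*\[(.*?)\]", pyproject_text, re.S)
    return re.findall(r'["\']([^"\']*)["\']', block.group(1)) if block else []


def check_build_requirement(pyproject_text: str, package: str, min_version: str) -> dict:
    """Report whether `package` is lower-bounded to at least `min_version`."""
    wanted = normalize(package)
    for req in load_build_requires(pyproject_text):
        m = _REQ_RE.match(req)
        if not m or normalize(m.group(1)) != wanted:
            continue
        spec = m.group(3)
        bound = effective_lower_bound(spec)
        return {
            "found": True,
            "specifier": spec,
            "lower_bound": bound,
            "ok": bound is not None and bound >= parse_version(min_version),
        }
    return {"found": False, "specifier": None, "lower_bound": None, "ok": False}


if __name__ == "__main__":
    for label, text in (("unbounded", PYPROJECT_UNBOUNDED), ("bounded", PYPROJECT_BOUNDED)):
        print(label, check_build_requirement(text, "setuptools", "65.5.1"))
```

An unpinned `"setuptools"` entry reports `found` but not `ok`, which is the case the comment describes: the build backend version is then whatever the builder happens to have, and a scanner flagging the CVE cannot be answered from the project's own metadata. A CI job can run this check against the repository's pyproject.toml and fail when the lower bound drops below the version the project has decided on.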


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org