You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2023/01/06 07:06:39 UTC

[GitHub] [airflow] potiuk commented on issue #28761: CVE-2022-24439 & CVE-2022-23491

potiuk commented on issue #28761:
URL: https://github.com/apache/airflow/issues/28761#issuecomment-1373225954

   We are not going to do anything about it for 2.5.0. This is not how Airflow constraints work.
   
   The constraints are frozen at the moment of release. If you wish to upgrade to new version of those dependencies, you are perfectly fine to do so. The constraint mechanism we have is only for initial installation of Airflow to be consistent, and our build and release process works in the way that we upgrade to latest versions automatically: for example https://github.com/apache/airflow/blob/constraints-main/constraints-3.7.txt are already pointed to latest versions of both gitpython and certifi and Airflow 2.5.1 will use those. 
   
   You are free to manually upgrade those dependencies if you are concerned about it (Airflow does not prevent you from doing so) or wait until Airflow 2.5.1 is released.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org