Update dependency apache-airflow to v2.7.1 [SECURITY] #663

renovate-bot

This PR contains the following updates:

Package | Change
apache-airflow (source, changelog) | ==2.2.5 -> ==2.7.1

GitHub Vulnerability Alerts

CVE-2023-25695

Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow: before 2.5.2. The traceback contains information that might be useful for a potential attacker to better target their attack (Python/Airflow version, node name). This information should not be shown if the traceback is shown to an unauthenticated user.

CVE-2023-29247

Task instance details page in the UI is vulnerable to stored cross-site scripting. This issue affects Apache Airflow before 2.6.0.

CVE-2023-25754

Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow: before 2.6.0.

CVE-2022-46651

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability.

CVE-2023-22887

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected.

CVE-2023-35908

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected.

CVE-2023-36543

Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected.

CVE-2023-39508

Execution with Unnecessary Privileges, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow. The "Run Task" feature enables an authenticated user to bypass some of the restrictions put in place. It allows executing code in the webserver context and bypassing the limits on the user's access to certain DAGs. The "Run Task" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0.

This issue affects Apache Airflow: before 2.6.0.

CVE-2023-40273

The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that).

With this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour.

Users of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.

CVE-2023-37379

Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.

Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.

CVE-2023-39441

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability.

The default SSL context with SSL library did not check a server's X.509 certificate.  Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position.

Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability.

CVE-2023-40611

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.

Users should upgrade to version 2.7.1 or later which has removed the vulnerability.

CVE-2023-40712

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.

Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.


Release Notes

apache/airflow (apache-airflow)

v2.7.1

Compare Source

Significant Changes
^^^^^^^^^^^^^^^^^^^

CronTriggerTimetable is now less aggressive when trying to skip a run (#​33404)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

When setting catchup=False, CronTriggerTimetable no longer skips a run if
the scheduler does not query the timetable immediately after the previous run
has been triggered.

This should not affect scheduling in most cases, but can change the behaviour if
a DAG is paused-unpaused to manually skip a run. Previously, the timetable (with
catchup=False) would only start a run after a DAG is unpaused, but with this
change, the scheduler would try to look a little bit back to schedule the
previous run that covers a part of the period when the DAG was paused. This
means you will need to keep a DAG paused longer (namely, for the entire cron
period to pass) to really skip a run.

Note that this is also the behaviour exhibited by various other cron-based
scheduling tools, such as anacron.

conf.set() becomes case insensitive to match conf.get() behavior (#​33452)
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

Also, conf.get() will now break if used with non-string parameters.

conf.set(section, key, value) used to be case sensitive, i.e. conf.set("SECTION", "KEY", value)
and conf.set("section", "key", value) were stored as two distinct configurations.
This was inconsistent with the behavior of conf.get(section, key), which was always converting the section and key to lower case.

As a result, configuration options set with upper case characters in the section or key were unreachable.
That's why we are now converting section and key to lower case in conf.set too.

We also slightly changed the behavior of conf.get(). It used to allow objects that are not strings in the section or key.
Doing this will now result in an exception. For instance, conf.get("section", 123) needs to be replaced with conf.get("section", "123").

Bug Fixes
"""""""""

  • Ensure that tasks wait for running indirect setup (#​33903)
  • Respect "soft_fail" for core async sensors (#​33403)
  • Differentiate 0 and unset as a default param values (#​33965)
  • Raise 404 from Variable PATCH API if variable is not found (#​33885)
  • Fix MappedTaskGroup tasks not respecting upstream dependency (#​33732)
  • Add limit 1 if required first value from query result (#​33672)
  • Fix UI DAG counts including deleted DAGs (#​33778)
  • Fix cleaning zombie RESTARTING tasks (#​33706)
  • SECURITY_MANAGER_CLASS should be a reference to class, not a string (#​33690)
  • Add back get_url_for_login in security manager (#​33660)
  • Fix 2.7.0 db migration job errors (#​33652)
  • Set context inside templates (#​33645)
  • Treat dag-defined access_control as authoritative if defined (#​33632)
  • Bind engine before attempting to drop archive tables (#​33622)
  • Add a fallback in case no first name and last name are set (#​33617)
  • Sort data before groupby in TIS duration calculation (#​33535)
  • Stop adding values to rendered templates UI when there is no dagrun (#​33516)
  • Set strict to True when parsing dates in webserver views (#​33512)
  • Use dialect.name in custom SA types (#​33503)
  • Do not return ongoing dagrun when a end_date is less than utcnow (#​33488)
  • Fix a bug in formatDuration method (#​33486)
  • Make conf.set case insensitive (#​33452)
  • Allow timetable to slightly miss catchup cutoff (#​33404)
  • Respect soft_fail argument when poke is called (#​33401)
  • Create a new method used to resume the task in order to implement specific logic for operators (#​33424)
  • Fix DagFileProcessor interfering with dags outside its processor_subdir (#​33357)
  • Remove the unnecessary <br> text in Provider's view (#​33326)
  • Respect soft_fail argument when ExternalTaskSensor runs in deferrable mode (#​33196)
  • Fix handling of default value and serialization of Param class (#​33141)
  • Check if the dynamically-added index is in the table schema before adding (#​32731)
  • Fix rendering the mapped parameters when using expand_kwargs method (#​32272)
  • Fix dependencies for celery and opentelemetry for Python 3.8 (#​33579)

Misc/Internal
"""""""""""""

Doc only changes
"""""""""""""""""

  • Add documentation explaining template_ext (and how to override it) (#​33735)
  • Explain how users can check if python code is top-level (#​34006)
  • Clarify that DAG authors can also run code in DAG File Processor (#​33920)
  • Fix broken link in Modules Management page (#​33499)
  • Fix secrets backend docs (#​33471)
  • Fix config description for base_log_folder (#​33388)

v2.7.0

Compare Source

Significant Changes
^^^^^^^^^^^^^^^^^^^

Remove Python 3.7 support (#​30963)
""""""""""""""""""""""""""""""""""
As of now, Python 3.7 is no longer supported by the Python community.
Therefore, to use Airflow 2.7.0, you must ensure your Python version is
either 3.8, 3.9, 3.10, or 3.11.

Old Graph View is removed (#​32958)
""""""""""""""""""""""""""""""""""
The old Graph View is removed. The new Graph View is the default view now.

The trigger UI form is skipped in web UI if no parameters are defined in a DAG (#​33351)
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

If you are using dag_run.conf dictionary and web UI JSON entry to run your DAG you should either:

  • Add params to your DAG <https://airflow.apache.org/docs/apache-airflow/stable/core-concepts/params.html#use-params-to-provide-a-trigger-ui-form>_
  • Enable the new configuration show_trigger_form_if_no_params to bring back old behaviour

The "db init", "db upgrade" commands and "[database] load_default_connections" configuration options are deprecated (#​33136).
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Instead, you should use "airflow db migrate" command to create or upgrade database. This command will not create default connections.
In order to create default connections you need to run "airflow connections create-default-connections" explicitly,
after running "airflow db migrate".

In case of SMTP SSL connection, the context now uses the "default" context (#​33070)
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
The "default" context is Python's default_ssl_context instead of the previously used "none". The
default_ssl_context provides a balance between security and compatibility but in some cases,
when certificates are old, self-signed or misconfigured, it might not work. This can be configured
by setting "ssl_context" in "email" configuration of Airflow.

Setting it to "none" brings back the "none" setting that was used in Airflow 2.6 and before,
but it is not recommended due to security reasons, as this setting disables validation of certificates and allows MITM attacks.

Disable default allowing the testing of connections in UI, API and CLI (#32052)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
For security reasons, the test connection functionality is disabled by default across Airflow UI,
API and CLI. The availability of the functionality can be controlled by the
test_connection flag in the core section of the Airflow
configuration (airflow.cfg). It can also be controlled by the
environment variable AIRFLOW__CORE__TEST_CONNECTION.

The following values are accepted for this config param:

  1. Disabled: Disables the test connection functionality and
     disables the Test Connection button in the UI.
     This is also the default value set in the Airflow configuration.
  2. Enabled: Enables the test connection functionality and
     activates the Test Connection button in the UI.
  3. Hidden: Disables the test connection functionality and
     hides the Test Connection button in UI.

For more information on capabilities of users, see the documentation:
https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html#capabilities-of-authenticated-ui-users
It is strongly advised to not enable the feature until you make sure that only
highly trusted UI/API users have "edit connection" permissions.

The xcomEntries API disables support for the deserialize flag by default (#​32176)
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
For security reasons, the /dags/*/dagRuns/*/taskInstances/*/xcomEntries/*
API endpoint now disables the deserialize option to deserialize arbitrary
XCom values in the webserver. For backward compatibility, server admins may set
the [api] enable_xcom_deserialize_support config to True to enable the
flag and restore backward compatibility.

However, it is strongly advised to not enable the feature, and perform
deserialization at the client side instead.

Change of the default Celery application name (#​32526)
""""""""""""""""""""""""""""""""""""""""""""""""""""""
Default name of the Celery application changed from airflow.executors.celery_executor to airflow.providers.celery.executors.celery_executor.

You should change both your configuration and Health check command to use the new name:

  • in configuration (celery_app_name configuration in celery section) use airflow.providers.celery.executors.celery_executor
  • in your Health check command use airflow.providers.celery.executors.celery_executor.app

The default value for scheduler.max_tis_per_query is changed from 512 to 16 (#​32572)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
This change is expected to make the Scheduler more responsive.

scheduler.max_tis_per_query needs to be lower than core.parallelism.
If both were left to their default value previously, the effective default value of scheduler.max_tis_per_query was 32
(because it was capped at core.parallelism).

To keep the behavior as close as possible to the old config, one can set scheduler.max_tis_per_query = 0,
in which case it'll always use the value of core.parallelism.

Some executors have been moved to corresponding providers (#​32767)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
In order to use the executors, you need to install the providers:

  • for Celery executors you need to install apache-airflow-providers-celery package >= 3.3.0
  • for Kubernetes executors you need to install apache-airflow-providers-cncf-kubernetes package >= 7.4.0
  • For Dask executors you need to install apache-airflow-providers-daskexecutor package in any version

You can achieve it also by installing airflow with [celery], [cncf.kubernetes], [daskexecutor] extras respectively.

Users who base their images on the apache/airflow reference image (not slim) should be unaffected - the base
reference image comes with all the three providers installed.

Improvement Changes
^^^^^^^^^^^^^^^^^^^

PostgreSQL only improvement: Added index on taskinstance table (#​30762)
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
This index seems to have great positive effect in a setup with tens of millions such rows.

New Features
""""""""""""

  • Add OpenTelemetry to Airflow (AIP-49 <https://github.com/apache/airflow/pulls?q=is%3Apr+is%3Amerged+label%3AAIP-49+milestone%3A%22Airflow+2.7.0%22>_)
  • Trigger Button - Implement Part 2 of AIP-50 (#​31583)
  • Removing Executor Coupling from Core Airflow (AIP-51 <https://github.com/apache/airflow/pulls?q=is%3Apr+is%3Amerged+label%3AAIP-51+milestone%3A%22Airflow+2.7.0%22>_)
  • Automatic setup and teardown tasks (AIP-52 <https://github.com/apache/airflow/pulls?q=is%3Apr+is%3Amerged+label%3AAIP-52+milestone%3A%22Airflow+2.7.0%22>_)
  • OpenLineage in Airflow (AIP-53 <https://github.com/apache/airflow/pulls?q=is%3Apr+is%3Amerged+milestone%3A%22Airflow+2.7.0%22+label%3Aprovider%3Aopenlineage>_)
  • Experimental: Add a cache to Variable and Connection when called at dag parsing time (#​30259)
  • Enable pools to consider deferred tasks (#​32709)
  • Allows to choose SSL context for SMTP connection (#​33070)
  • New gantt tab (#​31806)
  • Load plugins from providers (#​32692)
  • Add BranchExternalPythonOperator (#​32787, #​33360)
  • Add option for storing configuration description in providers (#​32629)
  • Introduce Heartbeat Parameter to Allow Per-LocalTaskJob Configuration (#​32313)
  • Add Executors discovery and documentation (#​32532)
  • Add JobState for job state constants (#​32549)
  • Add config to disable the 'deserialize' XCom API flag (#​32176)
  • Show task instance in web UI by custom operator name (#​31852)
  • Add default_deferrable config (#​31712)
  • Introducing AirflowClusterPolicySkipDag exception (#​32013)
  • Use reactflow for datasets graph (#​31775)
  • Add an option to load the dags from db for command tasks run (#​32038)
  • Add version of chain which doesn't require matched lists (#​31927)
  • Use operator_name instead of task_type in UI (#​31662)
  • Add --retry and --retry-delay to airflow db check (#​31836)
  • Allow skipped task state task_instance_schema.py (#​31421)
  • Add a new config for celery result_backend engine options (#​30426)
  • UI Add Cluster Activity Page (#​31123, #​32446)
  • Adding keyboard shortcuts to common actions (#​30950)
  • Adding more information to kubernetes executor logs (#​29929)
  • Add support for configuring custom alembic file (#​31415)
  • Add running and failed status tab for DAGs on the UI (#​30429)
  • Add multi-select, proposals and labels for trigger form (#​31441)
  • Making webserver config customizable (#​29926)
  • Render DAGCode in the Grid View as a tab (#​31113)
  • Add rest endpoint to get option of configuration (#​31056)
  • Add section query param in get config rest API (#​30936)
  • Create metrics to track Scheduled->Queued->Running task state transition times (#​30612)
  • Mark Task Groups as Success/Failure (#​30478)
  • Add CLI command to list the provider trigger info (#​30822)
  • Add Fail Fast feature for DAGs (#​29406)

Improvements
""""""""""""

  • Improve graph nesting logic (#​33421)
  • Configurable health check threshold for triggerer (#​33089, #​33084)
  • add dag_run_ids and task_ids filter for the batch task instance API endpoint (#​32705)
  • Ensure DAG-level references are filled on unmap (#​33083)
  • Add support for arrays of different data types in the Trigger Form UI (#​32734)
  • Always show gantt and code tabs (#​33029)
  • Move listener success hook to after SQLAlchemy commit (#​32988)
  • Rename db upgrade to db migrate and add connections create-default-connections (#​32810, #​33136)
  • Remove old gantt chart and redirect to grid views gantt tab (#​32908)
  • Adjust graph zoom based on selected task (#​32792)
  • Call listener on_task_instance_running after rendering templates (#​32716)
  • Display execution_date in graph view task instance tooltip. (#​32527)
  • Allow configuration to be contributed by providers (#​32604, #​32755, #​32812)
  • Reduce default for max TIs per query, enforce <= parallelism (#​32572)
  • Store config description in Airflow configuration object (#​32669)
  • Use isdisjoint instead of not intersection (#​32616)
  • Speed up calculation of leaves and roots for task groups (#​32592)
  • Kubernetes Executor Load Time Optimizations (#​30727)
  • Save DAG parsing time if dag is not schedulable (#​30911)
  • Updates health check endpoint to include dag_processor status. (#​32382)
  • Disable default allowing the testing of connections in UI, API and CLI (#​32052, #​33342)
  • Fix config var types under the scheduler section (#​32132)
  • Allow to sort Grid View alphabetically (#​32179)
  • Add hostname to triggerer metric [triggers.running] (#​32050)
  • Improve DAG ORM cleanup code (#​30614)
  • TriggerDagRunOperator: Add wait_for_completion to template_fields (#​31122)
  • Open links in new tab that take us away from Airflow UI (#​32088)
  • Only show code tab when a task is not selected (#​31744)
  • Add descriptions for celery and dask cert configs (#​31822)
  • PythonVirtualenvOperator termination log in alert (#​31747)
  • Migration of all DAG details to existing grid view dag details panel (#​31690)
  • Add a diagram to help visualize timer metrics (#​30650)
  • Celery Executor load time optimizations (#​31001)
  • Update code style for airflow db commands to SQLAlchemy 2.0 style (#​31486)
  • Mark uses of md5 as "not-used-for-security" in FIPS environments (#​31171)
  • Add pydantic support to serde (#​31565)
  • Enable search in note column in DagRun and TaskInstance (#​31455)
  • Save scheduler execution time by adding new Index idea for dag_run (#​30827)
  • Save scheduler execution time by caching dags (#​30704)
  • Support for sorting DAGs by Last Run Date in the web UI (#​31234)
  • Better typing for Job and JobRunners (#​31240)
  • Add sorting logic by created_date for fetching triggers (#​31151)
  • Remove DAGs.can_create on access control doc, adjust test fixture (#​30862)
  • Split Celery logs into stdout/stderr (#​30485)
  • Decouple metrics clients and validators into their own modules (#​30802)
  • Description added for pagination in get_log api (#​30729)
  • Optimize performance of scheduling mapped tasks (#​30372)
  • Add sentry transport configuration option (#​30419)
  • Better message on deserialization error (#​30588)

Bug Fixes
"""""""""

  • Remove user sessions when resetting password (#​33347)
  • Gantt chart: Use earliest/oldest ti dates if different than dag run start/end (#​33215)
  • Fix virtualenv detection for Python virtualenv operator (#​33223)
  • Correctly log when there are problems trying to chmod airflow.cfg (#​33118)
  • Pass app context to webserver_config.py (#​32759)
  • Skip served logs for non-running task try (#​32561)
  • Fix reload gunicorn workers (#​32102)
  • Fix future DagRun rarely triggered by race conditions when max_active_runs reached its upper limit. (#​31414)
  • Fix BaseOperator get_task_instances query (#​33054)
  • Fix issue with using the various state enum value in logs (#​33065)
  • Use string concatenation to prepend base URL for log_url (#​33063)
  • Update graph nodes with operator style attributes (#​32822)
  • Affix webserver access_denied warning to be configurable (#​33022)
  • Only load task action modal if user can edit (#​32992)
  • OpenAPI Spec fix nullable alongside $ref (#​32887)
  • Make the decorators of PythonOperator sub-classes extend its decorator (#​32845)
  • Fix check if virtualenv is installed in PythonVirtualenvOperator (#​32939)
  • Unwrap Proxy before checking __iter__ in is_container() (#​32850)
  • Override base log folder by using task handler's base_log_folder (#​32781)
  • Catch arbitrary exception from run_job to prevent zombie scheduler (#​32707)
  • Fix depends_on_past work for dynamic tasks (#​32397)
  • Sort extra_links for predictable order in UI. (#​32762)
  • Fix prefix group false graph (#​32764)
  • Fix bad delete logic for dagruns (#​32684)
  • Fix bug in prune_dict where empty dict and list would be removed even in strict mode (#​32573)
  • Add explicit browsers list and correct rel for blank target links (#​32633)
  • Handle returned None when multiple_outputs is True (#​32625)
  • Fix returned value when ShortCircuitOperator condition is falsy and there is not downstream tasks (#​32623)
  • Fix returned value when ShortCircuitOperator condition is falsy (#​32569)
  • Fix rendering of dagRunTimeout (#​32565)
  • Fix permissions on /blocked endpoint (#​32571)
  • Bugfix, prevent force of unpause on trigger DAG (#​32456)
  • Fix data interval in cli.dags.trigger command output (#​32548)
  • Strip whitespaces from airflow connections form (#​32292)
  • Add timedelta support for applicable arguments of sensors (#​32515)
  • Fix incorrect default on readonly property in our API (#​32510)
  • Add xcom map_index as a filter to xcom endpoint (#​32453)
  • Fix CLI commands when custom timetable is used (#​32118)
  • Use WebEncoder to encode DagRun.conf in DagRun's list view (#​32385)
  • Fix logic of the skip_all_except method (#​31153)
  • Ensure dynamic tasks inside dynamic task group only marks the (#​32354)
  • Handle the cases that webserver.expose_config is set to non-sensitive-only instead of boolean value (#​32261)
  • Add retry functionality for handling process termination caused by database network issues (#​31998)
  • Adapt Notifier for sla_miss_callback (#​31887)
  • Fix XCOM view (#​31807)
  • Fix for "Filter dags by tag" flickering on initial load of dags.html (#​31578)
  • Fix where expanding resizer would not expanse grid view (#​31581)
  • Fix MappedOperator-BaseOperator attr sync check (#​31520)
  • Always pass named type_ arg to drop_constraint (#​31306)
  • Fix bad drop_constraint call in migrations (#​31302)
  • Resolving problems with redesigned grid view (#​31232)
  • Support requirepass redis sentinel (#​30352)
  • Fix webserver crash when calling get /config (#​31057)

Misc/Internal
"""""""""""""

Docs only changes
"""""""""""""""""

  • Clarify UI user types in security model (#​33021)
  • Add links to DAGRun / DAG / Task in templates-ref.rst (#​33013)
  • Add docs of how to test for DAG Import Errors (#​32811)
  • Clean-up of our new security page (#​32951)
  • Cleans up Extras reference page (#​32954)
  • Update Dag trigger API and command docs (#​32696)
  • Add deprecation info to the Airflow modules and classes docstring (#​32635)
  • Formatting installation doc to improve readability (#​32502)
  • Fix triggerer HA doc (#​32454)
  • Add type annotation to code examples (#​32422)
  • Document cron and delta timetables (#​32392)
  • Update index.rst doc to correct grammar (#​32315)
  • Fixing small typo in python.py (#​31474)
  • Separate out and clarify policies for providers (#​30657)
  • Fix docs: add an "apache" prefix to pip install (#​30681)

v2.6.3

Compare Source

Significant Changes
^^^^^^^^^^^^^^^^^^^

Default allowed pattern of a run_id has been changed to ^[A-Za-z0-9_.~:+-]+$ (#​32293).
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Previously, there was no validation on the run_id string. There is now a validation regex that
can be set by configuring allowed_run_id_pattern in scheduler section.

Bug Fixes
"""""""""

  • Use linear time regular expressions (#​32303)
  • Fix triggerers alive check and add a new conf for triggerer heartbeat rate (#​32123)
  • Catch the exception that triggerer initialization failed (#​31999)
  • Hide sensitive values from extra in connection edit form (#​32309)
  • Sanitize DagRun.run_id and allow flexibility (#​32293)
  • Add triggerer canceled log (#​31757)
  • Fix try number shown in the task view (#​32361)
  • Retry transactions on occasional deadlocks for rendered fields (#​32341)
  • Fix behaviour of LazyDictWithCache when import fails (#​32248)
  • Remove executor_class from Job - fixing backfill for custom executors (#​32219)
  • Fix bugged singleton implementation (#​32218)
  • Use mapIndex to display extra links per mapped task. (#​32154)
  • Ensure that main triggerer thread exits if the async thread fails (#​32092)
  • Use re2 for matching untrusted regex (#​32060)
  • Render list items in rendered fields view (#​32042)
  • Fix hashing of dag_dependencies in serialized dag (#​32037)
  • Return None if an XComArg fails to resolve in a multiple_outputs Task (#​32027)
  • Check for DAG ID in query param from url as well as kwargs (#​32014)
  • Flash an error message instead of failure in rendered-templates when map index is not found (#​32011)
  • Fix ExternalTaskSensor when there is no task group TIs for the current execution date (#​32009)
  • Fix number param html type in trigger template (#​31980, #​31946)
  • Fix masking nested variable fields (#​31964)
  • Fix operator_extra_links property serialization in mapped tasks (#​31904)
  • Decode old-style nested Xcom value (#​31866)
  • Add a check for trailing slash in webserver base_url (#​31833)
  • Fix connection uri parsing when the host includes a scheme (#​31465)
  • Fix database session closing with xcom_pull and inlets (#​31128)
  • Fix DAG's on_failure_callback is not invoked when task failed during testing dag. (#​30965)
  • Fix airflow module version check when using ExternalPythonOperator and debug logging level (#​30367)

Misc/Internal
"""""""""""""

  • Fix task.sensor annotation in type stub (#​31954)
  • Limit Pydantic to < 2.0.0 until we solve 2.0.0 incompatibilities (#​32312)
  • Fix Pydantic 2 pickiness about model definition (#​32307)

Doc only changes
""""""""""""""""

  • Add explanation about tag creation and cleanup (#​32406)
  • Minor updates to docs (#​32369, #​32315, #​32310, #​31794)
  • Clarify Listener API behavior (#​32269)
  • Add information for users who ask for requirements (#​32262)
  • Add links to DAGRun / DAG / Task in Templates Reference (#​32245)
  • Add comment to warn off a potential wrong fix (#​32230)
  • Add a note that we'll need to restart triggerer to reflect any trigger change (#​32140)
  • Adding missing hyperlink to the tutorial documentation (#​32105)
  • Added difference between Deferrable and Non-Deferrable Operators (#​31840)
  • Add comments explaining need for special "trigger end" log message (#​31812)
  • Documentation update on Plugin updates. (#​31781)
  • Fix SemVer link in security documentation (#​32320)
  • Update security model of Airflow (#​32098)
  • Update references to restructured documentation from Airflow core (#​32282)
  • Separate out advanced logging configuration ([#​3213

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
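
An added example, not part of this PR or of Airflow's own code: a post-upgrade audit that reads an airflow.cfg and flags the settings the 2.7.0 and 2.6.3 release notes above advise against (test_connection = Enabled, enable_xcom_deserialize_support = True, ssl_context = none, and an allowed_run_id_pattern override that admits path separators). The sample config, the probe strings, the function names, the accepted boolean spellings and the stand-in for the "none" SSL context are assumptions made for illustration.

```python
import configparser
import os
import re
import ssl

# Constructed sample config that sets every value the release notes warn about.
SAMPLE_CFG = """
[core]
test_connection = Enabled

[api]
enable_xcom_deserialize_support = True

[email]
ssl_context = none

[scheduler]
allowed_run_id_pattern = ^.+$
"""

# Default run_id pattern quoted in the 2.6.3 release notes.
DEFAULT_RUN_ID_PATTERN = r"^[A-Za-z0-9_.~:+-]+$"
# Constructed probe values: a safe pattern must not accept path separators.
PATH_PROBES = ("../outside", "a/b", "a\\b")
TRUTHY = ("true", "t", "1")  # assumed boolean spellings


def effective(cfg, section, key, default, environ):
    """Return (value, source); AIRFLOW__SECTION__KEY in the environment wins over the file."""
    env_name = f"AIRFLOW__{section.upper()}__{key.upper()}"
    if env_name in environ:
        return environ[env_name].strip(), env_name
    if cfg.has_option(section, key):
        return cfg.get(section, key).strip(), f"[{section}] {key}"
    return default, "built-in default"


def validates_server_cert(ssl_context_setting):
    """Build the context a setting stands for and report whether it checks the server certificate."""
    if ssl_context_setting.lower() == "default":
        ctx = ssl.create_default_context()
    else:
        # Stand-in for "none" (and any unknown value): verification switched off.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def audit(cfg_text, environ=None):
    """Return a list of (setting, source, reason) findings for one configuration."""
    environ = os.environ if environ is None else environ
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []

    value, src = effective(cfg, "core", "test_connection", "Disabled", environ)
    if value.lower() == "enabled":
        findings.append(("core.test_connection", src,
                         "test connection is on; limit 'edit connection' to highly trusted users"))

    value, src = effective(cfg, "api", "enable_xcom_deserialize_support", "False", environ)
    if value.lower() in TRUTHY:
        findings.append(("api.enable_xcom_deserialize_support", src,
                         "webserver deserializes XCom values; deserialize on the client instead"))

    value, src = effective(cfg, "email", "ssl_context", "default", environ)
    if not validates_server_cert(value):
        findings.append(("email.ssl_context", src,
                         "SMTP server certificate is not validated"))

    value, src = effective(cfg, "scheduler", "allowed_run_id_pattern",
                           DEFAULT_RUN_ID_PATTERN, environ)
    try:
        accepted = [p for p in PATH_PROBES if re.match(value, p)]
    except re.error:
        accepted = list(PATH_PROBES)  # an unparsable pattern cannot be trusted
    if accepted:
        findings.append(("scheduler.allowed_run_id_pattern", src,
                         f"accepts path-like run_id values: {accepted}"))
    return findings


if __name__ == "__main__":
    for setting, source, reason in audit(SAMPLE_CFG, environ={}):
        print(f"{setting} (from {source}): {reason}")
```

An empty configuration with no overrides yields no findings, because the defaults described in the release notes are the hardened values.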

@forking-renovate forking-renovate bot added the dependencies Dependency changes and updates label Oct 1, 2023
@forking-renovate

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock
installing v2 tool python v3.8.12
[15:23:36.302] INFO (8): Installing tool python v3.8.12...
linking tool python v3.8.12
Python 3.8.12
pip 23.2.1 from /opt/containerbase/tools/python/3.8.12/lib/python3.8/site-packages/pip (python 3.8)
[15:23:43.204] INFO (8): Installed tool python in 6.9s.
[15:23:43.557] INFO (171): Installing tool poetry v1.2.2...
installing v2 tool poetry v1.2.2
linking tool poetry v1.2.2
Poetry (version 1.2.2)
[15:23:51.856] INFO (171): Installed tool poetry in 8.2s.
Creating virtualenv cloud-datasets-owy6ExrU-py3.8 in /home/ubuntu/.cache/pypoetry/virtualenvs
Updating dependencies
Resolving dependencies...


Because cloud-datasets depends on apache-airflow (==2.7.1) which depends on sqlalchemy (>=1.4.24,<2.0), sqlalchemy is required.
So, because cloud-datasets depends on SQLAlchemy (==1.3.24), version solving failed.

@renovate-bot renovate-bot deleted the renovate/pypi-apache-airflow-vulnerability branch November 1, 2023 23:28