
Flower is using old/vulnerable jQuery 1.7.2 #25645

Closed
1 of 2 tasks
cconkrig opened this issue Aug 10, 2022 · 5 comments
Labels
area:core invalid kind:bug This is a clearly a bug

Comments

@cconkrig

Apache Airflow version

2.3.3

What happened

Tenable Nessus is flagging Flower running jQuery 1.7.2 (should be at least 3.5.0) with a score ranking of 6.1
['CVE-2020-11022', 'CVE-2020-11023']
Flower is locked in https://raw.githubusercontent.com/apache/airflow/constraints-2.3.3/constraints-3.7.txt

What you think should happen instead

Flower should be kept up to date or deprecated/removed.

How to reproduce

Install airflow.

Operating System

Ubuntu 20.04

Versions of Apache Airflow Providers

No response

Deployment

Docker-Compose

Deployment details

No response

Anything else

No response

Are you willing to submit PR?

  • Yes I am willing to submit a PR!

Code of Conduct

@cconkrig cconkrig added area:core kind:bug This is a clearly a bug labels Aug 10, 2022
@boring-cyborg

boring-cyborg bot commented Aug 10, 2022

Thanks for opening your first issue here! Be sure to follow the issue template!

@potiuk
Member

potiuk commented Aug 10, 2022

This is something that should be directed at Flower, not Airflow. Flower is an optional add-on and you can run Airflow easily without Flower. We even disabled Flower by default.

And you are quite wrong. The constraints are not "locking" Flower, nor any other dependencies. Constraints (read the description of constraints in our docs and in pip's) are just constraining you when you are running the installation - but they are not limiting you from upgrading dependencies to any version you want that is not limited by Airflow REQUIREMENTS (requirements != constraints). The constraints are "fixed" at the moment we release a particular version, and they are a set of "known to be working" versions at the moment of release. No more, no less.

So if your company scan detects that the Flower you have is vulnerable, you are absolutely free to upgrade to a newer version of it - in fact, if you are not doing it on your own, you are pretty much jeopardising your installation. Delegating that task to constraints, which serve a completely different purpose, is not a good idea.
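
The requirements-versus-constraints distinction in the comment above, as an added worked example (this is not pip's, Airflow's or Flower's code): a small model of how pip consults the two files. The package index, the dependency edges (including the assumption that Airflow's celery extra pulls in Flower) and every version number are constructed for the example; only the shape of the constraints file mirrors the real one.

```python
"""Toy model of pip's treatment of a requirements list versus a constraints file.

Constructed example. A requirement says WHAT to install; a constraint only
bounds the VERSION of a package that is being installed for some other reason,
and it is consulted only during the install command that passed it. A later
`pip install --upgrade <pkg>` run without the constraints file is free to move
past the pinned version, which is exactly what the comment above recommends.
"""
from __future__ import annotations

# Constructed package index: name -> versions, oldest to newest (placeholders).
INDEX = {
    "apache-airflow": ["2.3.2", "2.3.3"],
    "celery": ["5.2.6", "5.2.7"],
    "flower": ["0.9.7", "1.0.0", "1.2.0"],
}

# Constructed dependency graph. Assumption for the example: the "celery"
# extra of Airflow is what pulls Flower in; plain apache-airflow does not.
DEPENDS_ON = {
    "apache-airflow[celery]": ["apache-airflow", "celery", "flower"],
}

# Constructed constraints file, in the style of Airflow's constraints-*.txt.
CONSTRAINTS_TXT = """
# pinned versions known to work together at release time
apache-airflow==2.3.3
celery==5.2.7
flower==1.0.0
"""


def parse_pins(text: str) -> dict[str, str]:
    """Parse `name==version` lines; comments and blank lines are ignored."""
    pins: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def install(requested: list[str],
            constraints: dict[str, str] | None = None,
            installed: dict[str, str] | None = None) -> dict[str, str]:
    """Model `pip install <requested...> [--constraint constraints.txt]`.

    Every requested package and its constructed dependencies get installed.
    A package listed in `constraints` is installed at the pinned version,
    otherwise at the newest version in INDEX. Packages that appear ONLY in
    the constraints file are never installed: a constraint is not a requirement.
    """
    constraints = constraints or {}
    result = dict(installed or {})
    queue = list(requested)
    while queue:
        spec = queue.pop()
        queue.extend(DEPENDS_ON.get(spec, []))
        name = spec.split("[", 1)[0]          # drop an extra such as [celery]
        result[name] = constraints.get(name, INDEX[name][-1])
    return result


def upgrade(installed: dict[str, str], name: str,
            constraints: dict[str, str] | None = None) -> dict[str, str]:
    """Model `pip install --upgrade <name>`, with or without a constraints file."""
    return install([name], constraints, installed)


def demo() -> tuple[dict[str, str], dict[str, str], list[str]]:
    constraints = parse_pins(CONSTRAINTS_TXT)
    # 1. Install Airflow with the celery extra, honouring the constraints file.
    pinned = install(["apache-airflow[celery]"], constraints)
    # 2. Later, upgrade Flower on its own, without passing the constraints file:
    #    the old pin in the file has no effect on this command.
    upgraded = upgrade(pinned, "flower")
    # 3. Install plain Airflow with the same constraints file: the packages the
    #    file pins but nothing requires are simply not installed.
    plain = install(["apache-airflow"], constraints)
    never_installed = sorted(n for n in constraints if n not in plain)
    return pinned, upgraded, never_installed


if __name__ == "__main__":
    pinned, upgraded, never_installed = demo()
    print("constrained install :", pinned)
    print("after upgrade       :", upgraded)
    print("pinned but not used :", never_installed)
```

The real-world equivalent of steps 1 and 2 is `pip install "apache-airflow[celery]==2.3.3" --constraint constraints-3.7.txt` followed by `pip install --upgrade flower`; the second command does not read the constraints file, so the version it chooses is whatever the index offers, and verifying that the newer Flower works with the deployed Airflow is, as the comment says, the operator's job.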

@potiuk potiuk closed this as completed Aug 10, 2022
@potiuk potiuk added the invalid label Aug 10, 2022
@potiuk
Member

potiuk commented Aug 10, 2022

And BTW. The [main](https://github.com/apache/airflow/tree/constraints-main) and [2-3](https://github.com/apache/airflow/blob/constraints-2-3/constraints-3.10.txt) versions of constraints that are going to be used to release 2.4 and possibly 2.3.4 (if we release it) already use flower 1.2, which was released a few days ago. Those updates happen automatically, and as long as tests pass, they get bumped automatically. So quite likely there will be no problems when you upgrade to 1.2 (and nothing prevents you from doing that now). Though this is always your responsibility to test it.

And this is absolutely the most we can do - if your reports still show that 1.2 is a problem for you, then you need to raise an issue with flower :)

@potiuk
Member

potiuk commented Aug 21, 2022

BTW. 2.3.4 is being voted on right now - with flower 1.2.0, which is the latest version available (#25846). If your scanner still detects any issues - you can raise it with flower.

@potiuk
Member

potiuk commented Aug 24, 2022

2.3.4 is released. Please double-check if it solves your problems.
