Flower is using old/vulnerable jQuery 1.7.2 #25645
Comments
Thanks for opening your first issue here! Be sure to follow the issue template!
This is something that should be directed at flower not Airflow. Flower is an optional add-on and you can run Airflow easily without flower. We even disabled Flower by default. And you are quite wrong. The constraints are not "locking" flower, nor any other dependencies. Constraints are (Read the description of constraints in our docs and So if your company scan detects that flower that you have is vulnerable, you are absolutely free to upgrade to a newer version of it - in fact if you are not doing it on your own, you are pretty much jeopardising your installation. Delegating that task to constraints which are serving a completely different purpose is not a good idea.
And BTW. The And this is absolutely the most we can do - if your reports will still show that 1.2 is a problem for you, then you need to raise an issue to flower :)
BTW. 2.3.4 is being voted right now - with flower 1.2.0 which is the latest version available #25846 It is the latest available. If your scanner still detects any issues - you can raise it to flower.
2.3.4 is released. Please double-check if it solves your problems.
Apache Airflow version
2.3.3
What happened
Tenable Nessus is flagging Flower running jQuery 1.7.2 (should be at least 3.5.0) with a score ranking of 6.1
['CVE-2020-11022', 'CVE-2020-11023']
Flower is locked in https://raw.githubusercontent.com/apache/airflow/constraints-2.3.3/constraints-3.7.txt
What you think should happen instead
Flower should be kept up to date or deprecated/removed.
How to reproduce
Install airflow.
Operating System
Ubuntu 20.04
Versions of Apache Airflow Providers
No response
Deployment
Docker-Compose
Deployment details
No response
Anything else
No response
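An added check, not code from this issue thread or from the Airflow or Flower projects, that reads the version banner of jQuery files bundled in an installed Python package and flags anything older than 3.5.0, the release the scanner asked for. It assumes Flower ships its jQuery copy as files named `jquery*.js` somewhere under the `flower` package directory (an assumption, not a documented layout) and falls back to constructed sample files when Flower is not installed.

```python
import re
import tempfile
from pathlib import Path

# Minimum jQuery release containing the fixes for CVE-2020-11022 and
# CVE-2020-11023, the two findings Nessus reported against Flower's jQuery 1.7.2.
MIN_JQUERY = (3, 5, 0)

# jQuery builds open with a banner such as "/*! jQuery v1.7.2 jquery.com | ..."
# (minified) or "jQuery JavaScript Library v1.7.2" (unminified); patch is optional.
BANNER_RE = re.compile(r"jQuery\s+(?:JavaScript Library\s+)?v(\d+)\.(\d+)(?:\.(\d+))?")


def jquery_version(source_head: str):
    """Return (major, minor, patch) parsed from a jQuery banner, or None if absent."""
    m = BANNER_RE.search(source_head)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def is_vulnerable(version) -> bool:
    """True when a parsed version predates the 3.5.0 fix; unknown versions are not flagged."""
    return version is not None and version < MIN_JQUERY


def scan_static_dir(root: Path):
    """Walk a package directory for jquery*.js files and classify each by banner version."""
    findings = []
    for path in sorted(root.rglob("jquery*.js")):
        head = path.read_text(encoding="utf-8", errors="replace")[:512]
        ver = jquery_version(head)
        findings.append((str(path), ver, is_vulnerable(ver)))
    return findings


def demo():
    """Constructed sample: one outdated and one patched jQuery banner in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "jquery-1.7.2.min.js").write_text(
            "/*! jQuery v1.7.2 jquery.com | jquery.org/license */", encoding="utf-8")
        (root / "jquery.min.js").write_text(
            "/*! jQuery v3.6.0 | (c) OpenJS Foundation | jquery.org/license */", encoding="utf-8")
        return {Path(p).name: (ver, vuln) for p, ver, vuln in scan_static_dir(root)}


if __name__ == "__main__":
    import importlib.util
    spec = importlib.util.find_spec("flower")  # installed Flower package, if any
    if spec and spec.submodule_search_locations:
        for path, ver, vuln in scan_static_dir(Path(list(spec.submodule_search_locations)[0])):
            print(f"{path}: jQuery {ver} {'VULNERABLE' if vuln else 'ok'}")
    else:
        print("flower is not installed; constructed demo:", demo())
```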