GoogleCloudPlatform / oozie-to-airflow

Oozie Workflow to Airflow DAGs migration tool
Apache License 2.0

[Security] Bump apache-airflow from 1.10.14 to 2.0.2 #647

Closed dependabot-preview[bot] closed 1 year ago

dependabot-preview[bot] commented 3 years ago

Bumps apache-airflow from 1.10.14 to 2.0.2.

Release notes

Sourced from apache-airflow's releases.

2.0.2

Bug Fixes

  • Bugfix: TypeError when Serializing & sorting iterable properties of DAGs (#15395)
  • Fix missing on_load trigger for folder-based plugins (#15208)
  • kubernetes cleanup-pods subcommand will only clean up Airflow-created Pods (#15204)
  • Fix password masking in CLI action_logging (#15143)
  • Fix url generation for TriggerDagRunOperatorLink (#14990)
  • Restore base lineage backend (#14146)
  • Unable to trigger backfill or manual jobs with Kubernetes executor. (#14160)
  • Bugfix: Task docs are not shown in the Task Instance Detail View (#15191)
  • Bugfix: Fix overriding pod_template_file in KubernetesExecutor (#15197)
  • Bugfix: resources in executor_config breaks Graph View in UI (#15199)
  • Fix celery executor bug trying to call len on map (#14883)
  • Fix bug in airflow.stats timing that broke dogstatsd mode (#15132)
  • Avoid scheduler/parser manager deadlock by using non-blocking IO (#15112)
  • Re-introduce dagrun.schedule_delay metric (#15105)
  • Compare string values, not if strings are the same object in Kube executor(#14942)
  • Pass queue to BaseExecutor.execute_async like in airflow 1.10 (#14861)
  • Scheduler: Remove TIs from starved pools from the critical path. (#14476)
  • Remove extra/needless deprecation warnings from airflow.contrib module (#15065)
  • Fix support for long dag_id and task_id in KubernetesExecutor (#14703)
  • Sort lists, sets and tuples in Serialized DAGs (#14909)
  • Simplify cleaning string passed to origin param (#14738) (#14905)
  • Fix error when running tasks with Sentry integration enabled. (#13929)
  • Webserver: Sanitize string passed to origin param (#14738)
  • Fix losing duration < 1 secs in tree (#13537)
  • Pin SQLAlchemy to <1.4 due to breakage of sqlalchemy-utils (#14812)
  • Fix KubernetesExecutor issue with deleted pending pods (#14810)
  • Default to Celery Task model when backend model does not exist (#14612)
  • Bugfix: Plugins endpoint was unauthenticated (#14570)
  • BugFix: fix DAG doc display (especially for TaskFlow DAGs) (#14564)
  • BugFix: TypeError in airflow.kubernetes.pod_launcher's monitor_pod (#14513)
  • Bugfix: Fix wrong output of tags and owners in dag detail API endpoint (#14490)
  • Fix logging error with task error when JSON logging is enabled (#14456)
  • Fix statsd metrics not sending when using daemon mode (#14454)
  • Gracefully handle missing start_date and end_date for DagRun (#14452)
  • BugFix: Serialize max_retry_delay as a timedelta (#14436)
  • Fix crash when user clicks on "Task Instance Details" caused by start_date being None (#14416)
  • BugFix: Fix TaskInstance API call fails if a task is removed from running DAG (#14381)
  • Scheduler should not fail when invalid executor_config is passed (#14323)
  • Fix bug allowing task instances to survive when dagrun_timeout is exceeded (#14321)
  • Fix bug where DAG timezone was not always shown correctly in UI tooltips (#14204)
  • Use Lax for cookie_samesite when empty string is passed (#14183)
  • [AIRFLOW-6076] fix dag.cli() KeyError (#13647)
  • Fix running child tasks in a subdag after clearing a successful subdag (#14776)

Improvements

  • Remove unused JS packages causing false security alerts (#15383)

... (truncated)

Changelog

Sourced from apache-airflow's changelog.

Airflow 2.0.2, 2021-04-19

Bug Fixes

  • Bugfix: TypeError when Serializing & sorting iterable properties of DAGs (#15395)
  • Fix missing on_load trigger for folder-based plugins (#15208)
  • kubernetes cleanup-pods subcommand will only clean up Airflow-created Pods (#15204)
  • Fix password masking in CLI action_logging (#15143)
  • Fix url generation for TriggerDagRunOperatorLink (#14990)
  • Restore base lineage backend (#14146)
  • Unable to trigger backfill or manual jobs with Kubernetes executor. (#14160)
  • Bugfix: Task docs are not shown in the Task Instance Detail View (#15191)
  • Bugfix: Fix overriding pod_template_file in KubernetesExecutor (#15197)
  • Bugfix: resources in executor_config breaks Graph View in UI (#15199)
  • Fix celery executor bug trying to call len on map (#14883)
  • Fix bug in airflow.stats timing that broke dogstatsd mode (#15132)
  • Avoid scheduler/parser manager deadlock by using non-blocking IO (#15112)
  • Re-introduce dagrun.schedule_delay metric (#15105)
  • Compare string values, not if strings are the same object in Kube executor(#14942)
  • Pass queue to BaseExecutor.execute_async like in airflow 1.10 (#14861)
  • Scheduler: Remove TIs from starved pools from the critical path. (#14476)
  • Remove extra/needless deprecation warnings from airflow.contrib module (#15065)
  • Fix support for long dag_id and task_id in KubernetesExecutor (#14703)
  • Sort lists, sets and tuples in Serialized DAGs (#14909)
  • Simplify cleaning string passed to origin param (#14738) (#14905)
  • Fix error when running tasks with Sentry integration enabled. (#13929)
  • Webserver: Sanitize string passed to origin param (#14738)
  • Fix losing duration < 1 secs in tree (#13537)
  • Pin SQLAlchemy to <1.4 due to breakage of sqlalchemy-utils (#14812)
  • Fix KubernetesExecutor issue with deleted pending pods (#14810)
  • Default to Celery Task model when backend model does not exist (#14612)
  • Bugfix: Plugins endpoint was unauthenticated (#14570)
  • BugFix: fix DAG doc display (especially for TaskFlow DAGs) (#14564)
  • BugFix: TypeError in airflow.kubernetes.pod_launcher's monitor_pod (#14513)
  • Bugfix: Fix wrong output of tags and owners in dag detail API endpoint (#14490)
  • Fix logging error with task error when JSON logging is enabled (#14456)
  • Fix statsd metrics not sending when using daemon mode (#14454)
  • Gracefully handle missing start_date and end_date for DagRun (#14452)
  • BugFix: Serialize max_retry_delay as a timedelta (#14436)
  • Fix crash when user clicks on "Task Instance Details" caused by start_date being None (#14416)
  • BugFix: Fix TaskInstance API call fails if a task is removed from running DAG (#14381)
  • Scheduler should not fail when invalid executor_config is passed (#14323)
  • Fix bug allowing task instances to survive when dagrun_timeout is exceeded (#14321)
  • Fix bug where DAG timezone was not always shown correctly in UI tooltips (#14204)
  • Use Lax for cookie_samesite when empty string is passed (#14183)
  • [AIRFLOW-6076] fix dag.cli() KeyError (#13647)
  • Fix running child tasks in a subdag after clearing a successful subdag (#14776)

... (truncated)

Commits
  • 10023fd Update version in docs/start/docker*
  • e494306 Update version to 2.0.2
  • 62b5835 Add changelog for what will become 2.0.2 (#15380)
  • a46e809 Fixes pushing constraints (#15243)
  • 3369e2f Do not remove 'full-tests-needed' when approval missing (#15175)
  • 3e3e450 Don't try to push the python build image when building on release branches (#...
  • 0e0dc73 Bugfix: TypeError when Serializing & sorting iterables (#15395)
  • 2221e71 Avoids error on pushing PROD image as cache (#15321)
  • 39593f9 Fix "leaking" log driver in tests
  • 1366d65 Remove unused JS packages (#15383)
  • Additional commits viewable in compare view



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
  • `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

dependabot-preview[bot] commented 3 years ago

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Cross-site scripting in Apache airflow

The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to an XSS exploit. This issue affects Apache Airflow versions prior to 1.10.14. This is the same as CVE-2020-13944, but the fix implemented in Airflow 1.10.13 did not fix the issue completely.

Affected versions: ["< 1.10.15"]
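
An added illustration (not Airflow's code and not part of this PR) of the kind of check that the advisory and the changelog entry "Webserver: Sanitize string passed to origin param (#14738)" point to, assuming the `origin` value is later used as a link or redirect target. The names `safe_origin`, `render_back_link` and `FALLBACK` and the host `airflow.example` are hypothetical.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
FALLBACK = "/home"  # hypothetical default landing page


def safe_origin(origin, request_host, fallback=FALLBACK):
    """Return origin only when it is a same-site http(s) URL or absolute path."""
    if not origin:
        return fallback
    # Browsers drop tabs/newlines inside URLs and treat "\" like "/", so
    # "java\tscript:" or "/\evil.example" must not reach the parser at all.
    if "\\" in origin or any(c.isspace() or ord(c) < 0x20 for c in origin):
        return fallback
    try:
        parts = urlsplit(origin)
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback
    if parts.scheme:
        # Absolute URL: only http(s), and only back to the host that served us.
        if parts.scheme not in ALLOWED_SCHEMES:
            return fallback
        if parts.netloc.lower() != request_host.lower():
            return fallback
        return origin
    # No scheme: accept "/path" only; "//host/..." is protocol-relative.
    if parts.netloc or not origin.startswith("/") or origin.startswith("//"):
        return fallback
    return origin


def render_back_link(origin, request_host):
    """Second layer: escape the validated value for the HTML attribute context."""
    target = html.escape(safe_origin(origin, request_host), quote=True)
    return f'<a href="{target}">Back</a>'


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for value in ["/tree?dag_id=example", "javascript:alert(1)",
                  "//evil.example/x", "https://evil.example/home"]:
        print(repr(value), "->", safe_origin(value, "airflow.example"))
```

Validation and output escaping are separate controls: the first rejects targets that leave the site or carry a script scheme, the second keeps an accepted path from breaking out of the attribute.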