search

WordPress / openverse

Openverse is a search engine for openly-licensed media. This monorepo includes all application code.
https://openverse.org
MIT License
254 stars 203 forks source link

Update dependency apache-airflow to v2.10.3 [SECURITY] #5154

Closed openverse-bot closed 1 week ago

openverse-bot commented 1 week ago

This PR contains the following updates:

Package Update Change
apache-airflow (changelog) patch ==2.10.2 -> ==2.10.3

GitHub Vulnerability Alerts

CVE-2024-50378

Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table.

Release Notes

apache/airflow (apache-airflow) ### [`v2.10.3`](https://redirect.github.com/apache/airflow/blob/HEAD/RELEASE_NOTES.rst#Airflow-2103-2024-11-05) [Compare Source](https://redirect.github.com/apache/airflow/compare/2.10.2...2.10.3) Significant Changes ^^^^^^^^^^^^^^^^^^^ No significant changes. Bug Fixes """"""""" - Improves the handling of value masking when setting Airflow variables for enhanced security. ([#​43123](https://redirect.github.com/apache/airflow/issues/43123)) ([#​43278](https://redirect.github.com/apache/airflow/issues/43278)) - Adds support for task_instance_mutation_hook to handle mapped operators with index 0. ([#​42661](https://redirect.github.com/apache/airflow/issues/42661)) ([#​43089](https://redirect.github.com/apache/airflow/issues/43089)) - Fixes executor cleanup to properly handle zombie tasks when task instances are terminated. ([#​43065](https://redirect.github.com/apache/airflow/issues/43065)) - Adds retry logic for HTTP 502 and 504 errors in internal API calls to handle webserver startup issues. ([#​42994](https://redirect.github.com/apache/airflow/issues/42994)) ([#​43044](https://redirect.github.com/apache/airflow/issues/43044)) - Restores the use of separate sessions for writing and deleting RTIF data to prevent StaleDataError. ([#​42928](https://redirect.github.com/apache/airflow/issues/42928)) ([#​43012](https://redirect.github.com/apache/airflow/issues/43012)) - Fixes PythonOperator error by replacing hyphens with underscores in DAG names. ([#​42993](https://redirect.github.com/apache/airflow/issues/42993)) - Improving validation of task retries to handle None values ([#​42532](https://redirect.github.com/apache/airflow/issues/42532)) ([#​42915](https://redirect.github.com/apache/airflow/issues/42915)) - Fixes error handling in dataset managers when resolving dataset aliases into new datasets ([#​42733](https://redirect.github.com/apache/airflow/issues/42733)) - Enables clicking on task names in the DAG Graph View to correctly select the corresponding task. ([#​38782](https://redirect.github.com/apache/airflow/issues/38782)) ([#​42697](https://redirect.github.com/apache/airflow/issues/42697)) - Prevent redirect loop on /home with tags/last run filters ([#​42607](https://redirect.github.com/apache/airflow/issues/42607)) ([#​42609](https://redirect.github.com/apache/airflow/issues/42609)) ([#​42628](https://redirect.github.com/apache/airflow/issues/42628)) - Support of host.name in OTEL metrics and usage of OTEL_RESOURCE_ATTRIBUTES in metrics ([#​42428](https://redirect.github.com/apache/airflow/issues/42428)) ([#​42604](https://redirect.github.com/apache/airflow/issues/42604)) - Reduce eyestrain in dark mode with reduced contrast and saturation ([#​42567](https://redirect.github.com/apache/airflow/issues/42567)) ([#​42583](https://redirect.github.com/apache/airflow/issues/42583)) - Handle ENTER key correctly in trigger form and allow manual JSON ([#​42525](https://redirect.github.com/apache/airflow/issues/42525)) ([#​42535](https://redirect.github.com/apache/airflow/issues/42535)) - Ensure DAG trigger form submits with updated parameters upon keyboard submit ([#​42487](https://redirect.github.com/apache/airflow/issues/42487)) ([#​42499](https://redirect.github.com/apache/airflow/issues/42499)) - Do not attempt to provide not `stringified` objects to UI via xcom if pickling is active ([#​42388](https://redirect.github.com/apache/airflow/issues/42388)) ([#​42486](https://redirect.github.com/apache/airflow/issues/42486)) - Fix the span link of task instance to point to the correct span in the scheduler_job_loop ([#​42430](https://redirect.github.com/apache/airflow/issues/42430)) ([#​42480](https://redirect.github.com/apache/airflow/issues/42480)) - Bugfix task execution from runner in Windows ([#​42426](https://redirect.github.com/apache/airflow/issues/42426)) ([#​42478](https://redirect.github.com/apache/airflow/issues/42478)) - Allows overriding the hardcoded OTEL_SERVICE_NAME with an environment variable ([#​42242](https://redirect.github.com/apache/airflow/issues/42242)) ([#​42441](https://redirect.github.com/apache/airflow/issues/42441)) - Improves trigger performance by using `selectinload` instead of `joinedload` ([#​40487](https://redirect.github.com/apache/airflow/issues/40487)) ([#​42351](https://redirect.github.com/apache/airflow/issues/42351)) - Suppress warnings when masking sensitive configs ([#​43335](https://redirect.github.com/apache/airflow/issues/43335)) ([#​43337](https://redirect.github.com/apache/airflow/issues/43337)) - Masking configuration values irrelevant to DAG author ([#​43040](https://redirect.github.com/apache/airflow/issues/43040)) ([#​43336](https://redirect.github.com/apache/airflow/issues/43336)) - Execute templated bash script as file in BashOperator ([#​43191](https://redirect.github.com/apache/airflow/issues/43191)) - Fixes schedule_downstream_tasks to include upstream tasks for one_success trigger rule ([#​42582](https://redirect.github.com/apache/airflow/issues/42582)) ([#​43299](https://redirect.github.com/apache/airflow/issues/43299)) - Add retry logic in the scheduler for updating trigger timeouts in case of deadlocks. ([#​41429](https://redirect.github.com/apache/airflow/issues/41429)) ([#​42651](https://redirect.github.com/apache/airflow/issues/42651)) - Mark all tasks as skipped when failing a dag_run manually ([#​43572](https://redirect.github.com/apache/airflow/issues/43572)) - Fix `TrySelector` for Mapped Tasks in Logs and Details Grid Panel ([#​43566](https://redirect.github.com/apache/airflow/issues/43566)) - Conditionally add OTEL events when processing executor events ([#​43558](https://redirect.github.com/apache/airflow/issues/43558)) ([#​43567](https://redirect.github.com/apache/airflow/issues/43567)) - Fix broken stat `scheduler_loop_duration` ([#​42886](https://redirect.github.com/apache/airflow/issues/42886)) ([#​43544](https://redirect.github.com/apache/airflow/issues/43544)) - Ensure total_entries in /api/v1/dags ([#​43377](https://redirect.github.com/apache/airflow/issues/43377)) ([#​43429](https://redirect.github.com/apache/airflow/issues/43429)) - Include limit and offset in request body schema for List task instances (batch) endpoint ([#​43479](https://redirect.github.com/apache/airflow/issues/43479)) - Don't raise a warning in ExecutorSafeguard when execute is called from an extended operator ([#​42849](https://redirect.github.com/apache/airflow/issues/42849)) ([#​43577](https://redirect.github.com/apache/airflow/issues/43577)) Miscellaneous """"""""""""" - Deprecate session auth backend ([#​42911](https://redirect.github.com/apache/airflow/issues/42911)) - Removed unicodecsv dependency for providers with Airflow version 2.8.0 and above ([#​42765](https://redirect.github.com/apache/airflow/issues/42765)) ([#​42970](https://redirect.github.com/apache/airflow/issues/42970)) - Remove the referrer from Webserver to Scarf ([#​42901](https://redirect.github.com/apache/airflow/issues/42901)) ([#​42942](https://redirect.github.com/apache/airflow/issues/42942)) - Bump `dompurify` from 2.2.9 to 2.5.6 in /airflow/www ([#​42263](https://redirect.github.com/apache/airflow/issues/42263)) ([#​42270](https://redirect.github.com/apache/airflow/issues/42270)) - Correct docstring format in \_get_template_context ([#​42244](https://redirect.github.com/apache/airflow/issues/42244)) ([#​42272](https://redirect.github.com/apache/airflow/issues/42272)) - Backport: Bump Flask-AppBuilder to `4.5.2` ([#​43309](https://redirect.github.com/apache/airflow/issues/43309)) ([#​43318](https://redirect.github.com/apache/airflow/issues/43318)) - Check python version that was used to install pre-commit venvs ([#​43282](https://redirect.github.com/apache/airflow/issues/43282)) ([#​43310](https://redirect.github.com/apache/airflow/issues/43310)) - Resolve warning in Dataset Alias migration ([#​43425](https://redirect.github.com/apache/airflow/issues/43425)) Doc Only Changes """""""""""""""" - Clarifying PLUGINS_FOLDER permissions by DAG authors ([#​43022](https://redirect.github.com/apache/airflow/issues/43022)) ([#​43029](https://redirect.github.com/apache/airflow/issues/43029)) - Add templating info to TaskFlow tutorial ([#​42992](https://redirect.github.com/apache/airflow/issues/42992)) - Airflow local settings no longer importable from dags folder ([#​42231](https://redirect.github.com/apache/airflow/issues/42231)) ([#​42603](https://redirect.github.com/apache/airflow/issues/42603)) - Fix documentation for cpu and memory usage ([#​42147](https://redirect.github.com/apache/airflow/issues/42147)) ([#​42256](https://redirect.github.com/apache/airflow/issues/42256)) - Fix instruction for docker compose ([#​43119](https://redirect.github.com/apache/airflow/issues/43119)) ([#​43321](https://redirect.github.com/apache/airflow/issues/43321)) - Updates documentation to reflect that dag_warnings is returned instead of import_errors. ([#​42858](https://redirect.github.com/apache/airflow/issues/42858)) ([#​42888](https://redirect.github.com/apache/airflow/issues/42888))

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.