apache / airflow

Apache Airflow - A platform to programmatically author, schedule, and monitor workflows
https://airflow.apache.org/
Apache License 2.0

Upgrade `gcloud-aio-auth` to 5.2.+ #39491

Open potiuk opened 2 months ago

potiuk commented 2 months ago

Body

The gcloud-aio-auth <5.0.0 limits cryptography to <42.0.0, which has CVE-2023-50782, and it blocks Airflow from upgrading to a newer cryptography version.

Committer

potiuk commented 2 months ago

cc: @VladaZakharova - maybe your team could take a look at that one:

Here is a comment from provider.yaml:

```yaml
  # When upgrading the major version of gcloud-aio-auth we want to make sure to
  # 1. use at least version 5.2, which uses offset-aware datetime internally
  # 2. override Token's new `refresh` method instead of `acquire_access_token`, which allows us to avoid
  #    dealing with internals like `access_token_acquired_at`
  # 3. continue to `subclass gcloud.aio.auth.token.Token` instead of `BaseToken`, since instances of
  #    `_CredentialsToken` are instances of `Token` and used as such
  - gcloud-aio-auth>=4.0.0,<5.0.0
```

VladaZakharova commented 2 months ago

Hi! Yes, sure, thank you
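
Added example, not part of the issue thread or of Airflow's code: a standard-library check that lists which installed distributions declare an upper bound keeping `cryptography` below 42.0.0, the first version outside the cap described in the issue. The helper names and the `SAMPLE` metadata are assumptions made for illustration, and only `<`, `<=` and `==` clauses are evaluated.

```python
import re
from importlib import metadata

# "name[extras] (spec) ; marker" -> name and spec; the marker after ';' is ignored.
_REQ = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*\(?([^;)]*)")
# Only clauses that can impose an upper bound matter here.
_UPPER = re.compile(r"(<=|<|==)\s*([0-9]+(?:\.[0-9]+)*)")

def _ver(text):
    """'42.0.0' -> (42,): numeric tuple with trailing zeros dropped, so 42 == 42.0.0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def _norm(name):
    return re.sub(r"[-_.]+", "-", name).lower()

def blocks_version(requirement, package, wanted):
    """True if `requirement` is on `package` and its specifier excludes `wanted`."""
    m = _REQ.match(requirement)
    if not m or _norm(m.group(1)) != _norm(package):
        return False
    want = _ver(wanted)
    for op, bound in _UPPER.findall(m.group(2)):
        b = _ver(bound)
        if (op == "<" and want >= b) or (op == "<=" and want > b) or (op == "==" and want != b):
            return True
    return False

def find_blockers(requirements_by_dist, package, wanted):
    """Sorted (distribution, requirement) pairs that keep `package` below `wanted`."""
    return sorted((dist, req) for dist, reqs in requirements_by_dist.items()
                  for req in (reqs or []) if blocks_version(req, package, wanted))

def installed_requirements():
    """Requirement strings declared by each distribution installed in this environment."""
    return {d.metadata["Name"]: d.requires
            for d in metadata.distributions() if d.metadata["Name"]}

# Constructed sample metadata; only the cryptography <42.0.0 cap comes from the issue.
SAMPLE = {
    "gcloud-aio-auth": ["aiohttp>=3.9.0", "cryptography<42.0.0,>=2.0.0"],
    "example-lib": ["cryptography>=41.0.0 ; python_version < '3.13'"],
}

if __name__ == "__main__":
    for dist, req in find_blockers(installed_requirements(), "cryptography", "42.0.0"):
        print(f"{dist} pins {req}")
```

Run as a script inside the target virtual environment, it prints every distribution whose declared requirement would stop the resolver from selecting cryptography 42.0.0.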