Add description on how 3rd-party dependency security issues are handled (#61956)
aritra24 left a comment:
A few typos/sentence restructuring. LGTM in general.
Applied all comments - also added more detailed information on how to look at some dependency issues. Not many people know that we have a great tool that can aid with finding out what is holding some dependencies:

breeze release-management constraints-version-check --python 3.10 --package PACKAGE_NAME --explain-why

This one can be used by whoever wants to look at a specific dependency to know why it cannot be upgraded - and while it's pretty technical, it's a good start to make our users engaged in solving the issues - if they open a discussion where they run the tool and submit the output - even if they won't be able to understand exactly why - we can explain it to them and ask them to work on fixing it.
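The "explain why" question from the comment above (which dependant's requirement is holding a package back from the version you want) can be answered offline from a set of requirement strings. The following is an added example written for this page; it is not the `breeze` tool and not Airflow's code. The package names, requirement strings and candidate versions are constructed for illustration and are not Airflow's real pins.

```python
"""Added example (not Airflow's breeze tool): given requirement specifiers,
report which dependants block upgrading one package to a candidate version."""

import re
from typing import Dict, List, Tuple

# Constructed sample data for illustration only; these are NOT Airflow's real
# pins. Maps a dependant package to the requirement strings it declares.
SAMPLE_REQUIREMENTS: Dict[str, List[str]] = {
    "airflow-core": ["requests>=2.27", "urllib3>=1.26,<3", "cryptography>=41"],
    "kubernetes-client": ["urllib3>=1.24.2,<2.0"],
    "some-provider": ["cryptography>=41,<43", "requests>=2.31"],
}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(.*?)\s*$")
_CLAUSE_RE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")

Version = Tuple[int, ...]
Clause = Tuple[str, Version]


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version such as '1.26.18' into a tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))


def _cmp(a: Version, b: Version) -> int:
    """Compare two version tuples, padding the shorter with zeros so that
    2.0 == 2.0.0 and 1.26 < 1.26.1. Returns -1, 0 or 1."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_requirement(req: str) -> Tuple[str, List[Clause]]:
    """Split 'name>=1.0,<2.0' into ('name', [('>=', (1, 0)), ('<', (2, 0))]).
    Only plain comparison operators on numeric versions are supported;
    anything else (extras, markers, ~=, ===) raises rather than guessing."""
    m = _REQ_RE.match(req)
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, spec = m.group(1).lower(), m.group(2)
    clauses: List[Clause] = []
    for raw in filter(None, (c.strip() for c in spec.split(","))):
        cm = _CLAUSE_RE.match(raw)
        if not cm:
            raise ValueError(f"unsupported specifier clause {raw!r} in {req!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def satisfies(clauses: List[Clause], version: Version) -> bool:
    """True when `version` meets every clause (an empty clause list allows all)."""
    ops = {
        "==": lambda c: c == 0,
        "!=": lambda c: c != 0,
        "<": lambda c: c < 0,
        "<=": lambda c: c <= 0,
        ">": lambda c: c > 0,
        ">=": lambda c: c >= 0,
    }
    return all(ops[op](_cmp(version, bound)) for op, bound in clauses)


def explain_why(requirements: Dict[str, List[str]], package: str,
                candidate: str) -> List[Tuple[str, str]]:
    """Return (dependant, requirement) pairs whose specifier excludes
    `candidate` for `package`. An empty list means nothing blocks the upgrade."""
    target = package.lower()
    wanted = parse_version(candidate)
    blockers: List[Tuple[str, str]] = []
    for dependant, reqs in requirements.items():
        for req in reqs:
            name, clauses = parse_requirement(req)
            if name == target and not satisfies(clauses, wanted):
                blockers.append((dependant, req))
    return blockers


if __name__ == "__main__":
    for pkg, ver in [("urllib3", "2.2.3"), ("cryptography", "43.0.1"),
                     ("requests", "2.32.0")]:
        found = explain_why(SAMPLE_REQUIREMENTS, pkg, ver)
        if found:
            print(f"{pkg}=={ver} is blocked by:")
            for dep, req in found:
                print(f"  {dep}: {req}")
        else:
            print(f"{pkg}=={ver}: no constraint in the sample blocks the upgrade")
```

The output names the dependant whose upper bound excludes the candidate, which is the piece of information a user needs before opening a discussion: a fix for the dependency has to land in that dependant (or its pin has to be relaxed) before the core package can move. The parser deliberately rejects specifier forms it does not model instead of silently treating them as unconstrained.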
261bc69 to a4be6ca
aritra24 left a comment:
Looks good to me, a good addition to get the community engaged in the right direction!
Also... it turned out that we have a very similar (but more generic) approach ASF-wide: https://security.apache.org/report-dependency/ (I did not know). I will refer to it :)
Our users seem to not have a good idea on how 3rd-party dependencies are handled and how they should approach it, and open issues that are often closed, and we need to explain to them what is expected of them - they have pretty unrealistic expectations that every single CVE in every single dependency will be addressed when they open an issue.
This description clarifies how handling of 3rd-party dependency issues should be done and what the responsibilities and expectations of the users are, and what they can expect from the maintainers.
This will help us to direct such users to this process without spending our time on explaining it over and over again.

Apply suggestions from code review

Co-authored-by: Jens Scheffler <95105677+jscheffl@users.noreply.github.com>
a4be6ca to fcecb1f
…encies.rst

Co-authored-by: Shahar Epstein <60007259+shahar1@users.noreply.github.com>
…encies.rst

Co-authored-by: Amogh Desai <amoghrajesh1999@gmail.com>
…ed (#61956)

* Add description on how 3rd-party dependency security issues are handled

Our users seem to not have a good idea on how 3rd-party dependencies are handled and how they should approach it, and open issues that are often closed, and we need to explain to them what is expected of them - they have pretty unrealistic expectations that every single CVE in every single dependency will be addressed when they open an issue.
This description clarifies how handling of 3rd-party dependency issues should be done and what the responsibilities and expectations of the users are, and what they can expect from the maintainers.
This will help us to direct such users to this process without spending our time on explaining it over and over again.

Apply suggestions from code review

Co-authored-by: Jens Scheffler <95105677+jscheffl@users.noreply.github.com>

* Update airflow-core/docs/security/vulnerabilities-in-3rd-party-dependencies.rst

Co-authored-by: Shahar Epstein <60007259+shahar1@users.noreply.github.com>

* Update airflow-core/docs/security/vulnerabilities-in-3rd-party-dependencies.rst

Co-authored-by: Amogh Desai <amoghrajesh1999@gmail.com>

---------

Co-authored-by: Jens Scheffler <95105677+jscheffl@users.noreply.github.com>
Co-authored-by: Shahar Epstein <60007259+shahar1@users.noreply.github.com>
Co-authored-by: Amogh Desai <amoghrajesh1999@gmail.com>
(cherry picked from commit caa02fd)
Our users seem to not have a good idea on how 3rd-party dependencies are handled and how they should approach it, and open issues that are often closed, and we need to explain to them what is expected of them - they have pretty unrealistic expectations that every single CVE in every single dependency will be addressed when they open an issue.
This description clarifies how handling of 3rd-party dependency issues should be done and what the responsibilities and expectations of the users are, and what they can expect from the maintainers.
This will help us to direct such users to this process without spending our time on explaining it over and over again.