Werkzeug package cannot be upgraded to >=3.0 version with even the airflow version i.e. 2.10.5

[ajitraj88]

Apache Airflow version

2.10.5

If "Other Airflow 2 version" selected, which one?

No response

What happened?

We are currently using airflow version 2.10.5 which uses Werkzeug version 2.2.3. We have got the security findings(https://nvd.nist.gov/vuln/detail/CVE-2024-49767) for this Werkzeug version and the recommendation is to use Werkzeug version >= 3.0.

But when we try to update werkzeug to version 3.0.1 in the constraints file, we are getting the below error:

ERROR: Cannot install apache-airflow==2.10.5 because these package versions have conflicting dependencies.
The conflict is caused by:
    apache-airflow 2.10.5 depends on werkzeug<3 and >=2.0
    The user requested (constraint) werkzeug==3.0.1

Which implies that Airflow version 2.10.5 is not compatible with Werkzeug version >= 3.0.

Can you provide us with the solution

What you think should happen instead?

No response

How to reproduce

1. In the constraints file(https://github.com/apache/airflow/blob/constraints-2.10.5/constraints-3.9.txt) of ariflow version 2.10.5 change the airflow version to 3.0.1.
2. The build will fail with the below error:

ERROR: Cannot install apache-airflow==2.10.5 because these package versions have conflicting dependencies.
The conflict is caused by:
    apache-airflow 2.10.5 depends on werkzeug<3 and >=2.0
    The user requested (constraint) werkzeug==3.0.1

Operating System

NAME="Oracle Linux Server" VERSION="8.10"

Versions of Apache Airflow Providers

No response

Deployment

Other Docker-based deployment

Deployment details

No response

Anything else?

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

[dominikhei]

There currently is work on this #52018 @potiuk Can probably give some more insight on this and whether it will also allow an upgrade of werkzeug for 2.10.5

[potiuk]

There currently is work on this #52018 @potiuk Can probably give some more insight on this and whether it will also allow an upgrade of werkzeug for 2.10.5

No. you will have to upgrade to 2.11.1 when we complete the work and release it. We have no plans (nor need) to back-port it to 2.10. The Werkzeug vulnerabilities are likely not affecting Airflow (because they are in functionality at least airflow does not us) - but of course if you do find how to exploit it in airlfow - then follow our security process and report it to us responsibly. But other than that, except some security reports you run that show that some dependency is vulnerable, there is no indication this vulnerabilty affects airflow users.

But - once we complete #52018 and we release 2.11.1 with it - you will be able to upgrade to 2.11.1 at your leisure.

Also - you can also upgrade to Airflow 3.0.2 even today - without waiting, there Werkzeug limitation does not apply. You are also completely free to upgrade to it any time.

Closing as invalid.

[OmarElHrr]

hello @potiuk

We tried upgrading directly to Airflow 3.0.6 and updating Werkzeug to 3.x, but this does not work in our setup because Flask-AppBuilder authentication is still tightly coupled to Werkzeug 2.x. Upgrading Werkzeug breaks the FAB auth manager.

Is there any way to resolve this without switching to the SimpleAuth manager?

[potiuk]

1. You can use KeyCloak Auth Manager

2. Also there is a work in progress to remove last dependencies on conexion from FAB provider:

#56730 -> One last PR is #57480 - one of the ways to complete it (since apparently contributor who worked on it does not respond) is to take over the PR from the contributor and complete it - that's the most certain way to remove the dependency and free FAB provider from Connexion/Werkzeug.

You are most welcome to help .