chore(deps): bump the pip group across 19 directories with 11 updates
Type: Pull Request
State: Closed
Association: Unknown
Comments: 1
(3 months ago)
dependencies python
Bumps the pip group with 4 updates in the /composer/airflow_1_samples directory: flask, werkzeug, cryptography and protobuf.
Bumps the pip group with 8 updates in the /composer/cicd_sample directory:
| Package | From | To |
|---|---|---|
| apache-airflow | 2.6.3 | 3.2.0b1 |
| flask | 2.2.5 | 3.1.3 |
| werkzeug | 2.2.3 | 3.1.6 |
| black | 23.1a1 | 26.3.1 |
| cryptography | 40.0.2 | 46.0.6 |
| protobuf | 4.23.4 | 5.29.6 |
| requests | 2.31.0 | 2.33.0 |
| google-cloud-aiplatform | 1.27.1 | 1.133.0 |
Bumps the pip group with 1 update in the /composer/rest directory: requests.
Bumps the pip group with 8 updates in the /composer/workflows directory:
| Package | From | To |
|---|---|---|
| apache-airflow | 2.9.2 | 3.2.0b1 |
| flask | 2.2.5 | 3.1.3 |
| werkzeug | 2.2.3 | 3.1.6 |
| black | 24.4.2 | 26.3.1 |
| cryptography | 41.0.7 | 46.0.6 |
| protobuf | 4.25.3 | 5.29.6 |
| requests | 2.31.0 | 2.33.0 |
| google-cloud-aiplatform | 1.53.0 | 1.133.0 |
Bumps the pip group with 1 update in the /compute/auth directory: requests.
Bumps the pip group with 1 update in the /compute/client_library directory: black.
Bumps the pip group with 2 updates in the /compute/encryption directory: cryptography and requests.
Bumps the pip group with 1 update in the /compute/metadata directory: requests.
Bumps the pip group with 1 update in the /compute/oslogin directory: requests.
Bumps the pip group with 3 updates in the /dataflow/gemma directory: protobuf, google-cloud-aiplatform and keras.
Bumps the pip group with 1 update in the /dataflow/gemma-flex-template directory: google-cloud-aiplatform.
Bumps the pip group with 3 updates in the /dataflow/run-inference directory: google-cloud-aiplatform, torch and transformers.
Bumps the pip group with 1 update in the /dataflow/run_template directory: flask.
Bumps the pip group with 2 updates in the /datastore/cloud-ndb directory: flask and werkzeug.
Bumps the pip group with 2 updates in the /dialogflow directory: flask and werkzeug.
Bumps the pip group with 2 updates in the /dialogflow-cx directory: flask and werkzeug.
Bumps the pip group with 2 updates in the /gemma2 directory: protobuf and google-cloud-aiplatform.
Bumps the pip group with 4 updates in the /iap directory: flask, werkzeug, cryptography and requests.
Bumps the pip group with 1 update in the /media_cdn directory: cryptography.
Updates flask from 1.1.2 to 3.1.3
Release notes
Sourced from flask's releases.
3.1.3
This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.
PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3
- The session is marked as accessed for operations that only access the keys but not the values, such as `in` and `len`. GHSA-68rp-wp8r-4726
3.1.2
This is the Flask 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.
PyPI: https://pypi.org/project/Flask/3.1.2/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-2 Milestone: https://github.com/pallets/flask/milestone/38?closed=1
- `stream_with_context` does not fail inside async views. #5774
- When using `follow_redirects` in the test client, the final state of `session` is correct. #5786
- Relax type hint for passing bytes IO to `send_file`. #5776
3.1.1
This is the Flask 3.1.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.
PyPI: https://pypi.org/project/Flask/3.1.1/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-1 Milestone https://github.com/pallets/flask/milestone/36?closed=1
- Fix signing key selection order when key rotation is enabled via `SECRET_KEY_FALLBACKS`. GHSA-4grg-w6v8-c28g
- Fix type hint for `cli_runner.invoke`. #5645
- `flask --help` loads the app and plugins first to make sure all commands are shown. #5673
- Mark sans-io base class as being able to handle views that return `AsyncIterable`. This is not accurate for Flask, but makes typing easier for Quart. #5659
3.1.0
This is the Flask 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.
PyPI: https://pypi.org/project/Flask/3.1.0/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-0 Milestone: https://github.com/pallets/flask/milestone/33?closed=1
- Drop support for Python 3.8. #5623
- Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. #5624, #5633
- Provide a configuration option to control automatic option responses. #5496
- `Flask.open_resource`/`open_instance_resource` and `Blueprint.open_resource` take an `encoding` parameter to use when opening in text mode. It defaults to `utf-8`. #5504
- `Request.max_content_length` can be customized per-request instead of only through the `MAX_CONTENT_LENGTH` config. Added `MAX_FORM_MEMORY_SIZE` and `MAX_FORM_PARTS` config. Added documentation about resource limits to the security page. #5625
- Add support for the `Partitioned` cookie attribute (CHIPS), with the `SESSION_COOKIE_PARTITIONED` config. #5472
- `-e path` takes precedence over default `.env` and `.flaskenv` files. `load_dotenv` loads default files in addition to a path unless `load_defaults=False` is passed. #5628
- Support key rotation with the `SECRET_KEY_FALLBACKS` config, a list of old secret keys that can still be used for unsigning. Extensions will need to add support. #5621
- Fix how setting `host_matching=True` or `subdomain_matching=False` interacts with `SERVER_NAME`. Setting `SERVER_NAME` no longer restricts requests to only that domain. #5553
- `Request.trusted_hosts` is checked during routing, and can be set through the `TRUSTED_HOSTS` config. #5636
3.0.3
... (truncated)
Changelog
Sourced from flask's changelog.
Version 3.1.3
Released 2026-02-18
- The session is marked as accessed for operations that only access the keys but not the values, such as `in` and `len`. :ghsa:68rp-wp8r-4726
Version 3.1.2
Released 2025-08-19
- `stream_with_context` does not fail inside async views. :issue:5774
- When using `follow_redirects` in the test client, the final state of `session` is correct. :issue:5786
- Relax type hint for passing bytes IO to `send_file`. :issue:5776
Version 3.1.1
Released 2025-05-13
- Fix signing key selection order when key rotation is enabled via `SECRET_KEY_FALLBACKS`. :ghsa:4grg-w6v8-c28g
- Fix type hint for `cli_runner.invoke`. :issue:5645
- `flask --help` loads the app and plugins first to make sure all commands are shown. :issue:5673
- Mark sans-io base class as being able to handle views that return `AsyncIterable`. This is not accurate for Flask, but makes typing easier for Quart. :pr:5659
Version 3.1.0
Released 2024-11-13
- Drop support for Python 3.8. :pr:5623
- Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:5624,5633
- Provide a configuration option to control automatic option responses. :pr:5496
- `Flask.open_resource`/`open_instance_resource` and `Blueprint.open_resource` take an `encoding` parameter to use when opening in text mode. It defaults to `utf-8`. :issue:5504
- `Request.max_content_length` can be customized per-request instead of only through the `MAX_CONTENT_LENGTH` config. Added
... (truncated)
Commits
- 22d9247 release version 3.1.3
- 089cb86 Merge commit from fork
- c17f379 request context tracks session access
- 27be933 start version 3.1.3
- 4e652d3 Abort if the instance folder cannot be created (#5903)
- 3d03098 Abort if the instance folder cannot be created
- 407eb76 document using gevent for async (#5900)
- ac5664d document using gevent for async
- 4f79d5b Increase required flit_core version to 3.11 (#5865)
- fe3b215 Increase required flit_core version to 3.11
- Additional commits viewable in compare view
Updates werkzeug from 0.16.1 to 3.1.6
Release notes
Sourced from werkzeug's releases.
3.1.6
This is the Werkzeug 3.1.6 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.
PyPI: https://pypi.org/project/Werkzeug/3.1.6/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6
- `safe_join` on Windows does not allow special devices names in multi-segment paths. GHSA-29vq-49wr-vm6x
3.1.5
This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.
PyPI: https://pypi.org/project/Werkzeug/3.1.5/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5 Milestone: https://github.com/pallets/werkzeug/milestone/43?closed=1
- `safe_join` on Windows does not allow more special device names, regardless of extension or surrounding spaces. GHSA-87hc-h4r5-73f7
- The multipart form parser handles a `\r\n` sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. #3065 #3077
- Fix `AttributeError` when initializing `DebuggedApplication` with `pin_security=False`. #3075
3.1.4
This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.
PyPI: https://pypi.org/project/Werkzeug/3.1.4/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4 Milestone: https://github.com/pallets/werkzeug/milestone/42?closed=1
- `safe_join` on Windows does not allow special device names. This prevents reading from these when using `send_from_directory`. `secure_filename` already prevented writing to these. ghsa-hgf8-39gv-g3f2
- The debugger pin fails after 10 attempts instead of 11. #3020
- The multipart form parser handles a `\r\n` sequence at a chunk boundary. #3065
- Improve CPU usage during Watchdog reloader. #3054
- `Request.json` annotation is more accurate. #3067
- Traceback rendering handles when the line number is beyond the available source lines. #3044
- `HTTPException.get_response` annotation and doc better conveys the distinction between WSGI and sans-IO responses. #3056
3.1.3
This is the Werkzeug 3.1.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes vs 3.1.0.
PyPI: https://pypi.org/project/Werkzeug/3.1.3/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-3 Milestone: https://github.com/pallets/werkzeug/milestone/41?closed=1
- Initial data passed to `MultiDict` and similar interfaces only accepts `list`, `tuple`, or `set` when passing multiple values. It had been changed to accept any `Collection`, but this matched types that should be treated as single values, such as `bytes`. #2994
- When the `Host` header is not set and `Request.host` falls back to the WSGI `SERVER_NAME` value, if that value is an IPv6 address it is wrapped in `[]` to match the `Host` header. #2993
3.1.2
This is the Werkzeug 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes vs 3.1.0.
PyPI: https://pypi.org/project/Werkzeug/3.1.2/ Changes: https://werkzeug.palletsprojects.com/en/stable/changes/#version-3-1-2
... (truncated)
Changelog
Sourced from werkzeug's changelog.
Version 3.1.6
Released 2026-02-19
- `safe_join` on Windows does not allow special devices names in multi-segment paths. :ghsa:29vq-49wr-vm6x
- `Response.make_conditional` sets the `Accept-Ranges` header even if it is not a satisfiable range request. :issue:3108
Version 3.1.5
Released 2026-01-08
- `safe_join` on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7
- The multipart form parser handles a `\r\n` sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. :issue:3065 :issue:3077
- Fix `AttributeError` when initializing `DebuggedApplication` with `pin_security=False`. :issue:3075
Version 3.1.4
Released 2025-11-28
- `safe_join` on Windows does not allow special device names. This prevents reading from these when using `send_from_directory`. `secure_filename` already prevented writing to these. :ghsa:hgf8-39gv-g3f2
- The debugger pin fails after 10 attempts instead of 11. :pr:3020
- The multipart form parser handles a `\r\n` sequence at a chunk boundary. :issue:3065
- Improve CPU usage during Watchdog reloader. :issue:3054
- `Request.json` annotation is more accurate. :issue:3067
- Traceback rendering handles when the line number is beyond the available source lines. :issue:3044
- `HTTPException.get_response` annotation and doc better conveys the distinction between WSGI and sans-IO responses. :issue:3056
Version 3.1.3
Released 2024-11-08
- Initial data passed to `MultiDict` and similar interfaces only accepts
... (truncated)
Commits
- 04da1b5 release version 3.1.6
- f407712 Merge commit from fork
- f54fe98 safe_join prevents Windows special device names in multi-segment paths
- d005985 start version 3.1.6
- 8565c2c document rule priority (#3102)
- 3febc7e document rule priority
- 2525b82 remove state machine docs
- 4abfbd5 rewrite build docstring (#3097)
- 161c18b rewrite build docstring
- 86e11c2 release version 3.1.5 (#3085)
- Additional commits viewable in compare view
Updates cryptography from 3.2.1 to 46.0.6
Changelog
Sourced from cryptography's changelog.
46.0.6 - 2026-03-25
- **SECURITY ISSUE**: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for reporting the issue. **CVE-2026-34073**
46.0.5 - 2026-02-10
- An attacker could create a malicious public key that reveals portions of your private key when using certain uncommon elliptic curves (binary curves). This version now includes additional security checks to prevent this attack. This issue only affects binary elliptic curves, which are rarely used in real-world applications. Credit to XlabAI Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery Engine for reporting the issue. CVE-2026-26007
- Support for `SECT*` binary elliptic curves is deprecated and will be removed in the next release.
46.0.4 - 2026-01-27
- Dropped support for win_arm64 wheels.
- Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.
46.0.3 - 2025-10-15
- Fixed compilation when using LibreSSL 4.2.0.
46.0.2 - 2025-09-30
- Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.4.
46.0.1 - 2025-09-16
... (truncated)
Commits
- 91d7288 Cherry-pick #14542 (#14543)
- 06e120e bump version for 46.0.5 release (#14289)
- 0eebb9d EC check key on cofactor > 1 (#14287)
- bedf6e1 fix openssl version on 46 branch (#14220)
- e6f44fc bump for 46.0.4 and drop win arm64 due to CI issues (#14217)
- c0af4dd release 46.0.3 (#13681)
- 99efe5a bump version for 46.0.2 (#13531)
- e735cfc release 46.0.1 (#13450)
- 4e457ff Explicitly specify python in mac uv build invocation (#13447)
- 2726efd Depend on CFFI 2.0.0 or newer on Python > 3.8 (#13448)
- Additional commits viewable in compare view
Updates protobuf from 3.14.0 to 5.29.6
Release notes
Sourced from protobuf's releases.
Protocol Buffers v34.0-rc1
Announcements
- This version includes breaking changes to: C++, Objective-C, PHP, Python.
- [Bazel] Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (https://github.com/protocolbuffers/protobuf/commit/0a5c2f6b633c1e5259f566cb42d30fe347b8aadb)
- [C++] Make generator headers private (https://github.com/protocolbuffers/protobuf/commit/3a2af3510f0d454dbe3e4dc281674b61c4d20b9e)
- [C++] Add a debug check that the target of CopyFrom is not a descendant of the source. (https://github.com/protocolbuffers/protobuf/commit/7a7589823d2cfaaf7994b050e98d5d553bc9b1c1)
- [C++] Add [[nodiscard]] to many APIs. (https://github.com/protocolbuffers/protobuf/commit/a70115f33f9af2c4b2202c800b84837e7fe0d738)
- [C++] Make the arena-enabled constructors of `RepeatedField`, `RepeatedPtrField`, and `Map` private. (https://github.com/protocolbuffers/protobuf/commit/ef890c3d0c79398c70e047fe5dd893f460ba2336)
- [C++] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (https://github.com/protocolbuffers/protobuf/commit/b76faa921fdd244f374c7be0bddd4050fc42c292)
- [C++] Removes proto2::util::MessageDifferencer::AddIgnoreCriteria that takes a raw pointer as an argument in favor of the overload that takes a unique_ptr. Remove macro PROTOBUF_FUTURE_REMOVE_ADD_IGNORE_CRITERIA (https://github.com/protocolbuffers/protobuf/commit/b115358c64127896fed88b8b5ef5d91d86d8cbae)
- [C++] Remove deprecated FieldDescriptor::has_optional_keyword() in OSS. Use is_repeated() or has_presence() instead (https://github.com/protocolbuffers/protobuf/commit/68346ec9348e932664e58c3ecdcd1478f95233a8)
- [C++] Remove AddUnusedImportTrackFile() and ClearUnusedImportTrackFiles(). Remove PROTOBUF_FUTURE_RENAME_ADD_UNUSED_IMPORT (https://github.com/protocolbuffers/protobuf/commit/837a2cd1d6c75402b2503ffe7cd8aeaf25868536)
- [C++] Remove deprecated FieldDescriptor::is_optional() in OSS. Use (!is_required() && !is_repeated()) instead (https://github.com/protocolbuffers/protobuf/commit/9dbc5d479a8e453921485d8d3de47fb3c005f1af)
- [C++] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (https://github.com/protocolbuffers/protobuf/commit/c301c2ca286327a21c50c0c4cd877afc9c655b00)
- [C++] All entity names have length limit (2afb0dc)
- [ObjC] Remove `generate_minimal_imports` generation option warning (https://github.com/protocolbuffers/protobuf/commit/45b1297fdaad5a9436d0e207422168c38dc45ac4)
- [ObjC] Fix nullability annotations on some `GPB*Dictionary` types. (https://github.com/protocolbuffers/protobuf/commit/ea67d6d26a48478a567c404679e3bb99cf230d50)
- [ObjC] Remove `-[GPBFieldDescriptor optional]` (https://github.com/protocolbuffers/protobuf/commit/3414dc151eb4dcbdb2ca952e2589993bf7af75c4)
- [Other] Remove deprecated flag for enabling MSVC support (https://github.com/protocolbuffers/protobuf/commit/97c979be6e0907e1051bee62584dac4594e73fa7)
- [PHP] Remove deprecated PHP APIs (https://github.com/protocolbuffers/protobuf/commit/9c45014099a4f7004fab6dd1278de2f4f2a393c5)
- [PHP] Remove deprecated PHP APIs FieldDescriptor getLabel, use IsRepeated or isRequired instead. (https://github.com/protocolbuffers/protobuf/commit/42081219920c6fad17ba6ddd1e28d111bcfb3345, https://github.com/protocolbuffers/protobuf/commit/cd76e675b14d00dda5623b30835d2bc7105fccc6, https://github.com/protocolbuffers/protobuf/commit/42081219920c6fad17ba6ddd1e28d111bcfb3345)
- [PHP] Add PHP typehints for setters and remove redundant GPBUtil checks (protocolbuffers/protobuf#25296) (https://github.com/protocolbuffers/protobuf/commit/aee03b78929c02461a5f9d8e136a2a016359b0cd)
- [PHP] support default values for editions/proto2 (protocolbuffers/protobuf#25161) (https://github.com/protocolbuffers/protobuf/commit/b01099d56350551bae3da88b97bf3027274c9f17)
- [Python] Raise errors in OSS when assign bool to int/enum field in Python Proto. (https://github.com/protocolbuffers/protobuf/commit/5b116fe2f14f49dd0cc3b76089983717f211025c)
- [Python] Remove float_format/double_format from python proto text_format (https://github.com/protocolbuffers/protobuf/commit/e4854a186e0bfa867d5bfa5cd850608a948fd488)
- [Python] Raise TypeError when convert non-timedelta to Duration, or convert non-datetime to Timestamp in python proto. (Original code may raise AttributeError) (https://github.com/protocolbuffers/protobuf/commit/00aaca1b4d98954bc2933d7c8a5379ba6088124c)
- [Python] Remove float_precision from python proto json_format (https://github.com/protocolbuffers/protobuf/commit/f027f1fcd52b9d080b7ee79f4024f53cf54e0dc5)
- [Python] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (https://github.com/protocolbuffers/protobuf/commit/b76faa921fdd244f374c7be0bddd4050fc42c292)
- [Python] Remove deprecated FieldDescriptor.label (https://github.com/protocolbuffers/protobuf/commit/0a8ff55518ea5874478ad5b26515b31d186045a9)
- [Python] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (https://github.com/protocolbuffers/protobuf/commit/c301c2ca286327a21c50c0c4cd877afc9c655b00)
- Protobuf News may include additional announcements or pre-announcements for upcoming changes.
- Migration Guide may include additional guidance for breaking changes.
Bazel
- Fix: cc_toolchain should prefer protoc when prebuilt flag is flipped. (#25168) (https://github.com/protocolbuffers/protobuf/commit/8c857c3a1c6a106b0a096f1c9fa504bfaca035a9)
- Breaking change: Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (https://github.com/protocolbuffers/protobuf/commit/0a5c2f6b633c1e5259f566cb42d30fe347b8aadb)
- Feat(bazel): wire up prebuilt protoc toolchain (#24115) (https://github.com/protocolbuffers/protobuf/commit/cc23698b486e690ea2eb873cc7596a87c74a3ba6)
- Migrate `proto_descriptor_set` (#23369) (https://github.com/protocolbuffers/protobuf/commit/8d4dfdd39a7a242a9ed631a6ab2192c57dd9b9c8)
Compiler
- Ruby codegen: support generation of rbs files (#15633) (https://github.com/protocolbuffers/protobuf/commit/6ebdf851ba78728f0aa145d38454ed9a316fb08d)
- Avoid collision name problems between a message named `Xyz` and a direct sibling enum named `XyzView` (https://github.com/protocolbuffers/protobuf/commit/eba53e8f172b273d679759a72ce4250131ee3df1)
- Generalizing and implementing ValidateFeatureSupport for both Options and Features during proto parsing (https://github.com/protocolbuffers/protobuf/commit/ed3c57114d8e2b47cca7697ddaa50c1b3762a6b0)
- Fix a bug with custom features outside of the `pb` package. (https://github.com/protocolbuffers/protobuf/commit/872d3ce7a4da00d7dcec33ced20cfe45235935e8)
- Fix import option handling when include_imports isn't set. (https://github.com/protocolbuffers/protobuf/commit/9ef9e80afd9bc8379d578fe67e5ab0738728c04e)
- Fix a bug in STRICT check of namespaced enums to properly check for 'reserved 1 to max' (https://github.com/protocolbuffers/protobuf/commit/1229d4adba24c0952ab85ce96bc7b7f8a1fe6d0f)
- Prevent accidental stripping of `debug_redact` options via import option. (https://github.com/protocolbuffers/protobuf/commit/f58b098bffa7ca4045ef7773b09151a6af5d0c28)
C++
- Add EnumerateEnumValues function. (https://github.com/protocolbuffers/protobuf/commit/397d5d99db274b379d1384814074bf7df39d32f7)
... (truncated)
Commits
- See full diff in compare view
Updates apache-airflow from 2.6.3 to 3.2.0b1
Release notes
Sourced from apache-airflow's releases.
Apache Airflow 3.1.8
:package: PyPI: https://pypi.org/project/apache-airflow/3.1.8/ :books: Docs: https://airflow.apache.org/docs/apache-airflow/3.1.8/ :hammer_and_wrench: Release Notes: https://airflow.apache.org/docs/apache-airflow/3.1.8/release_notes.html :whale: Docker Image: "docker pull apache/airflow:3.1.8" :busstop: Constraints: https://github.com/apache/airflow/tree/constraints-3.1.8
Significant Changes
Backfill permissions are now handled via `DagAccessEntity.Run` (#61456)
`is_authorized_backfill` of the `BaseAuthManager` interface has been removed. Core will no longer call this method and their provider counterpart implementation will be marked as deprecated. Permissions for backfill operations are now checked against the `DagAccessEntity.Run` permission using the existing `requires_access_dag` decorator. In other words, if a user has permission to run a DAG, they can perform backfill operations on it.
Please update your security policies to ensure that users who need to perform backfill operations have the appropriate `DagAccessEntity.Run` permissions. (Users having the Backfill permissions without having the DagRun ones will no longer be able to perform backfill operations without any update)
Elasticsearch is now fully compatible with remote logging along (#62940)
Elasticsearch is now fully compatible with remote logging along side with `apache-airflow-providers-elasticsearch>=6.5.0`. Please review elasticsearch provider release notes for more information https://airflow.apache.org/docs/apache-airflow-providers-elasticsearch/6.5.0/changelog.html (#62121) (#62940)
Bug Fixes
- Fix SQLite migration disable `disable_sqlite_fkeys` in revision `509b94a1042d` (#63256) (#63272)
- Fix: 404 queued asset events from API server logs (#62934) (#62976)
- Fix: Always include kid in JWT header for symmetric key tokens (#62883) (#62943)
- Fix: Scope session token in cookie to base_url (#62771) (#62851)
- Fix: UI of Scope session token in cookie to base_url (#62771) (#62859)
- Fix: UI tasks log missing in UP_FOR_RETRY and UP_FOR_RESCHEDULE states (#54547) (#62862)
- Fix: Backfill permissions (#62856) (#62873)
- Fix: Use `useAssetServiceGetDagAssetQueuedEvents` to get the correct number of ADRQs (#62868) (#62902)
- Fix: Adds task instance validation for HITL (#62886) (#62909)
- Fix: Restore task_instance_history sequence on downgrade (#62759)
- Fix broken `dag_processing.total_parse_time` metric (#62128) (#62764)
- Fix Trigger UI form rendering for null enum values (#62060) (#62767)
- Fix `timer.duration` unit labels in logs (#61824) (#62757)
- Fix XCom migration failing for NaN/Infinity float values (#62686) (#62760)
- Fix SQL not rendered in Rendered Templates view (#60739) (#62348)
- Fix missing DAG read permission checks on dependencies endpoint (#62046) (#62586)
- Changed `dag_bundle.signed_url_template` from `varchar(200)` to `text` (#61041) (#62568)
- Fix WASB remote logging base path handling (#58946) (#61013) (#62456)
- Handle non-dictionary json payload during logging to avoid internal server error. (#62355) (#62367)
- Fix grid view crash when task converted to TaskGroup (#61208) (#61279) (#62181)
- Fix running task duration showing as null in UI (#61898) (#62136)
- Fix deferrable sensors not respecting soft_fail on timeout (#61132) (#61421)
- Fix task failure details being obscured by finalization errors (#62070) (#62113)
- Add missing ti.start and ti.finish metrics in Airflow 3 (#62019) (#62110)
- Fix DepContext mutation leak and restore reschedule-mode guard (#62089)
- Fix scheduler heartbeat misses caused by slow reschedule dependency check (#61983) (#62068)
- Flush in-memory OTEL metrics at process shutdown (#61808) (#61869)
... (truncated)
Changelog
Sourced from apache-airflow's changelog.
Dockerfile Changelog
The `Dockerfile` does not strictly follow the SemVer (https://semver.org/) approach of Apache Airflow when it comes to features and backwards compatibility. While Airflow code strictly follows it, the `Dockerfile` is really a way to give users a conveniently packaged Airflow using standard container approach, so occasionally there are some changes in the building process or in the entrypoint of the image that require slight adaptation of how it is used or built.
The Changelog below describes the changes introduced in each version of the docker images released by the Airflow team.
:note: The Changelog below concerns only the convenience production images released at Airflow DockerHub (https://hub.docker.com/r/apache/airflow). The images that are released there are usually built using the `Dockerfile` released together with Airflow. However, you are free to take latest released `Dockerfile` from Airflow and use it to build an image for any Airflow version from the `Airflow 2` line. There is no guarantee that it will work, but if it does, then you can use latest features from that image to build images for previous Airflow versions.
Airflow 3.1.4
In Airflow 3.1.4, the images are built without removing of .pyc and .pyo files when Python is built. This increases the size of the image slightly (<0.5%), but improves performance of Python in the container because Python does not need to recompile the files on the first run but more importantly, if you use `exec` to run Health Checks, removed .pyc files caused a small but ever growing memory leak in the Unix kernel connected to negative `dentries` created when .pyc files were attempted to be compiled and failed. This over time could lead to out-of-memory issues on the host running the container.
More information about `dentries` can be found in this article (https://lwn.net/Articles/814535/).
Airflow 3.1.0
... (truncated)
Commits
- 7989f25 update release notes for 3.2.0
- 346f332 Add 3.2.0 release notes
- 6661a58 Update version to 3.2.0
- 0a82c31 updated versions in README.md
- 21f5a37 Pin Task-SDK for Airflow meta package
- 4c87c4c Update default branches for 3-2
- d42623e Fix `ObjectStoragePath` to exclude `conn_id` from storage options passed to f...
- 77c38f3 docs(asset-partition): add example Dag (#62491)
- 05ea74a Prepare provider's documentation 2026-03-03 (#62752)
- 1199dc5 Consolidate `SkipMixin` imports through `common-compat` layer (#62776)
- Additional commits viewable in compare view
Updates flask from 2.2.5 to 3.1.3
Description has been truncated
Package Dependencies
Security Advisories
Flask uses fallback key instead of current signing key
Werkzeug safe_join() allows Windows special device names
Werkzeug safe_join() allows Windows special device names with compound extensions
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
Flask session does not add `Vary: Cookie` header when accessed in some ways
Werkzeug safe_join() allows Windows special device names
cryptography has incomplete DNS name constraint enforcement on peer names
Technical Details
| ID: | 15139989 |
| UUID: | 4222436319 |
| Node ID: | PR_kwDOQYU5AM7QtUHO |
| Host: | GitHub |
| Repository: | CVSz/python-docs-samples |