jscheffl opened a new pull request, #64786: URL: https://github.com/apache/airflow/pull/64786
To remove potential vulnerability as google-cloud-ai-platform optionally sources litellm, upgrade dependency to google package which prevents the vulnerable version to be used. Unfortunately I see no other way to enforce this as the transitive dependency is optional only and enforcing a specific version is only possible if we make the optional dependency mandatory. Unfortunately the google package only upper bounds the version to the last non-vulnerable version, hoping for an improvement as litellm==1.83.0 should actually fix it. PMC Only, see https://github.com/apache/airflow/security/dependabot/537 Google PR: https://github.com/googleapis/python-aiplatform/pull/6484 --- ##### Was generative AI tooling used to co-author this PR? <!-- If generative AI tooling has been used in the process of authoring this PR, please change below checkbox to `[X]` followed by the name of the tool, uncomment the "Generated-by". --> - [ ] Yes (please specify the tool below) <!-- Generated-by: [Tool Name] following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions) --> --- * Read the **[Pull Request Guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#pull-request-guidelines)** for more information. Note: commit author/co-author name and email in commits become permanently public when merged. * For fundamental code changes, an Airflow Improvement Proposal ([AIP](https://cwiki.apache.org/confluence/display/AIRFLOW/Airflow+Improvement+Proposals)) is needed. * When adding dependency, check compliance with the [ASF 3rd Party License Policy](https://www.apache.org/legal/resolved.html#category-x). * For significant user-facing changes create newsfragment: `{pr_number}.significant.rst`, in [airflow-core/newsfragments](https://github.com/apache/airflow/tree/main/airflow-core/newsfragments). You can add this file in a follow-up commit after the PR is created so you know the PR number. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
