
chore(deps): [database-archival] Update dependency apache-airflow to v2.10.3 [SECURITY] #142

Open. Wants to merge 1 commit into base: main
Conversation

renovate-bot
Contributor

@renovate-bot renovate-bot commented Jan 13, 2025

This PR contains the following updates:

Package: apache-airflow (changelog)
Change: ==2.10.1 -> ==2.10.3

GitHub Vulnerability Alerts

CVE-2024-50378

Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table.


Release Notes

apache/airflow (apache-airflow)

v2.10.3


Significant Changes

No significant changes.

Bug Fixes
"""""""""

  • Improves the handling of value masking when setting Airflow variables for enhanced security. (#43123) (#43278)
  • Adds support for task_instance_mutation_hook to handle mapped operators with index 0. (#42661) (#43089)
  • Fixes executor cleanup to properly handle zombie tasks when task instances are terminated. (#43065)
  • Adds retry logic for HTTP 502 and 504 errors in internal API calls to handle webserver startup issues. (#42994) (#43044)
  • Restores the use of separate sessions for writing and deleting RTIF data to prevent StaleDataError. (#42928) (#43012)
  • Fixes PythonOperator error by replacing hyphens with underscores in DAG names. (#42993)
  • Improving validation of task retries to handle None values (#42532) (#42915)
  • Fixes error handling in dataset managers when resolving dataset aliases into new datasets (#42733)
  • Enables clicking on task names in the DAG Graph View to correctly select the corresponding task. (#38782) (#42697)
  • Prevent redirect loop on /home with tags/last run filters (#42607) (#42609) (#42628)
  • Support of host.name in OTEL metrics and usage of OTEL_RESOURCE_ATTRIBUTES in metrics (#42428) (#42604)
  • Reduce eyestrain in dark mode with reduced contrast and saturation (#42567) (#42583)
  • Handle ENTER key correctly in trigger form and allow manual JSON (#42525) (#42535)
  • Ensure DAG trigger form submits with updated parameters upon keyboard submit (#42487) (#42499)
  • Do not attempt to provide not stringified objects to UI via xcom if pickling is active (#42388) (#42486)
  • Fix the span link of task instance to point to the correct span in the scheduler_job_loop (#42430) (#42480)
  • Bugfix task execution from runner in Windows (#42426) (#42478)
  • Allows overriding the hardcoded OTEL_SERVICE_NAME with an environment variable (#42242) (#42441)
  • Improves trigger performance by using selectinload instead of joinedload (#40487) (#42351)
  • Suppress warnings when masking sensitive configs (#43335) (#43337)
  • Masking configuration values irrelevant to DAG author (#43040) (#43336)
  • Execute templated bash script as file in BashOperator (#43191)
  • Fixes schedule_downstream_tasks to include upstream tasks for one_success trigger rule (#42582) (#43299)
  • Add retry logic in the scheduler for updating trigger timeouts in case of deadlocks. (#41429) (#42651)
  • Mark all tasks as skipped when failing a dag_run manually (#43572)
  • Fix TrySelector for Mapped Tasks in Logs and Details Grid Panel (#43566)
  • Conditionally add OTEL events when processing executor events (#43558) (#43567)
  • Fix broken stat scheduler_loop_duration (#42886) (#43544)
  • Ensure total_entries in /api/v1/dags (#43377) (#43429)
  • Include limit and offset in request body schema for List task instances (batch) endpoint (#43479)
  • Don't raise a warning in ExecutorSafeguard when execute is called from an extended operator (#42849) (#43577)

Miscellaneous
"""""""""""""

Doc Only Changes
""""""""""""""""

v2.10.2: Apache Airflow 2.10.2


Significant Changes

No significant changes.

Bug Fixes

Miscellaneous

  • Limit universal-pathlib below 0.2.4 as it breaks our integration (#42101)
  • Auto-fix default deferrable with LibCST (#42089)
  • Deprecate --tree flag for tasks list cli command (#41965)

Doc Only Changes

  • Update security_model.rst to clear unauthenticated endpoints exceptions (#42085)
  • Add note about dataclasses and attrs to XComs page (#42056)
  • Improve docs on markdown docs in DAGs (#42013)
  • Add warning that listeners can be dangerous (#41968)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
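The advisory quoted in the PR body tells operators who set secret variables with the CLI on a pre-2.10.3 Airflow to delete the matching rows from the metadata `log` table by hand. The following script is an added example written for this page (editor's code, not Airflow's, Renovate's or this repository's) of how a practitioner could locate and purge those rows without printing the leaked values. It assumes the audit event for `airflow variables set` is recorded as `cli_variables_set` and that the row's `extra` JSON carries the command line as a `full_command` string holding `str(sys.argv)`; both are assumptions about the CLI action logger, and the column subset and sample rows are constructed for an in-memory SQLite table, so adapt the query to the real metadata database and verify the event name there first.

```python
from __future__ import annotations

import ast
import json
import sqlite3
from typing import Iterable, Optional

# Constructed sample rows for a subset of the Airflow metadata `log` table
# (id, dttm, event, owner, extra). The event name "cli_variables_set" and the
# `extra` keys host_name / user / full_command are assumptions about how the
# CLI action logger records commands; full_command holds str(sys.argv), which
# is where the plaintext value ended up before the 2.10.3 masking fix.
SAMPLE_LOG_ROWS = [
    (1, "2024-10-01T08:00:00", "cli_variables_set", "alice",
     json.dumps({"host_name": "scheduler-1", "user": "alice",
                 "full_command": "['airflow', 'variables', 'set', 'DB_PASSWORD', 'hunter2']"})),
    (2, "2024-10-01T08:05:00", "cli_variables_set", "alice",
     json.dumps({"host_name": "scheduler-1", "user": "alice",
                 "full_command": "['airflow', 'variables', 'set', 'REGION', 'eu-west-1']"})),
    (3, "2024-10-02T09:00:00", "cli_dags_trigger", "bob",
     json.dumps({"host_name": "scheduler-1", "user": "bob",
                 "full_command": "['airflow', 'dags', 'trigger', 'archive_db']"})),
    (4, "2024-10-03T10:00:00", "cli_variables_set", "carol",
     json.dumps({"host_name": "scheduler-2", "user": "carol",
                 "full_command": "['airflow', 'variables', 'set', 'API_TOKEN', 'tok-123']"})),
    (5, "2024-10-03T10:01:00", "cli_variables_set", "carol", "not json"),  # malformed row
]

VARIABLES_SET_EVENT = "cli_variables_set"  # assumed event name for `airflow variables set`


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory stand-in for the metadata database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE log (id INTEGER PRIMARY KEY, dttm TEXT, event TEXT, owner TEXT, extra TEXT)"
    )
    conn.executemany("INSERT INTO log VALUES (?, ?, ?, ?, ?)", SAMPLE_LOG_ROWS)
    conn.commit()
    return conn


def variable_key_from_extra(extra: str) -> Optional[str]:
    """Recover the variable *key* from a cli_variables_set row; the value is never returned."""
    try:
        argv = ast.literal_eval(json.loads(extra)["full_command"])
    except (TypeError, ValueError, KeyError, SyntaxError):
        return None  # malformed or unexpected shape: do not guess
    # Expected shape: [<airflow binary>, 'variables', 'set', <KEY>, <VALUE>, ...]
    if isinstance(argv, list) and len(argv) >= 4 and argv[1:3] == ["variables", "set"]:
        return argv[3]
    return None


def find_leaked_entries(conn: sqlite3.Connection, secret_names: Iterable[str]) -> list[dict]:
    """Return audit-log rows where `airflow variables set` was run for one of the secret variables."""
    secrets = set(secret_names)
    hits = []
    rows = conn.execute(
        "SELECT id, dttm, owner, extra FROM log WHERE event = ?", (VARIABLES_SET_EVENT,)
    )
    for row_id, dttm, owner, extra in rows:
        key = variable_key_from_extra(extra)
        if key in secrets:
            hits.append({"id": row_id, "dttm": dttm, "owner": owner, "variable": key})
    return hits


def purge_leaked_entries(conn: sqlite3.Connection, secret_names: Iterable[str]) -> int:
    """Delete the rows found by find_leaked_entries and return how many were removed."""
    ids = [hit["id"] for hit in find_leaked_entries(conn, secret_names)]
    if not ids:
        return 0
    placeholders = ",".join("?" for _ in ids)
    deleted = conn.execute(f"DELETE FROM log WHERE id IN ({placeholders})", ids).rowcount
    conn.commit()
    return deleted


if __name__ == "__main__":
    db = build_sample_db()
    secret_vars = ["DB_PASSWORD", "API_TOKEN"]
    for hit in find_leaked_entries(db, secret_vars):
        print(f"log id {hit['id']} ({hit['dttm']}, owner {hit['owner']}): set {hit['variable']}")
    print(f"deleted {purge_leaked_entries(db, secret_vars)} rows")
```

Run the find step first and review the ids before purging, and record the purge somewhere outside Airflow, since deleting audit rows is itself an audit-relevant action. Deleting the rows does not undo the disclosure: anyone who had audit-log access while they existed may already have read the values, so the variables themselves should be rotated. After the upgrade, the value-masking fix listed under the 2.10.3 bug fixes keeps new `variables set` entries from recording the plaintext value.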

@code-review-assist code-review-assist bot left a comment

Hi team,

I'm currently reviewing this pull request and will provide my feedback shortly. In the meantime, here's a summary of the changes for you and other reviewers to get up to speed quickly:

This pull request, submitted by Renovate Bot, updates the apache-airflow dependency in the database-archival project from version 2.10.1 to 2.10.3. This is a security update addressing CVE-2024-50378, a vulnerability that could allow authenticated users with audit log access to view sensitive data.

Key Changes:

  • Updated pyproject.toml: The apache-airflow dependency version has been updated to 2.10.3.
  • Updated requirements.txt: The apache-airflow dependency version has been updated to 2.10.3, including updated SHA256 hashes.

Detailed Changes (from the apache-airflow changelog):

The upgrade includes numerous bug fixes, improvements to value masking for enhanced security, and miscellaneous changes. Specific bug fixes include:

  • Improved handling of value masking when setting Airflow variables.
  • Fixes related to task instance handling, executor cleanup, and error handling in various components.
  • UI improvements and performance enhancements.

The full changelog for Apache Airflow 2.10.3 is available in the pull request description.

I'll have a more detailed review shortly. Thanks!


A little poem to lighten the mood:

Code flows like a river,
Fixes merge, a gentle stream,
Security's bright sun.

@code-review-assist code-review-assist bot left a comment

This pull request updates the Apache Airflow dependency to v2.10.3, which addresses a security vulnerability (CVE-2024-50378). Upgrading to address this vulnerability is important. The PR is well-formatted and provides a good amount of information regarding the changes introduced in this update.

1 participant