Releasing security patches¶
Apache Airflow™ uses a consistent and predictable approach for releasing security patches - both for the Apache Airflow package and Apache Airflow providers (security patches in providers are treated separately from security patches in Airflow core package).
Releasing Airflow with security patches¶
Apache Airflow uses a strict SemVer versioning policy, which means that we strive for
any release of a given MAJOR
Version (version “2” currently) to be backwards compatible. When we
release a MINOR
version, the development continues in the main
branch where we prepare the next
MINOR
version, but we release PATCHLEVEL
releases with selected bugfixes (including security
bugfixes) cherry-picked to the latest released MINOR
line of Apache Airflow. At the moment, when we
release a new MINOR
version, we stop releasing PATCHLEVEL
releases for the previous MINOR
version.
For example, once we released 2.6.0
version on April 30, 2023 all the security patches will be cherry-picked and released in 2.6.*
versions until we release 2.7.0
version. There will be no
2.5.*
versions released after 2.6.0
has been released.
This means that in order to apply security fixes in Apache Airflow, you
MUST upgrade to the latest MINOR
and PATCHLEVEL
version of Airflow.
Releasing Airflow providers with security patches¶
Similarly to Airflow, providers uses a strict SemVer versioning policy, and the same
policies apply for providers as for Airflow itself. This means that you need to upgrade to the latest
MINOR
and PATCHLEVEL
version of the provider to get the latest security fixes.
Airflow providers are released independently from Airflow itself and the information about vulnerabilities
is published separately. You can upgrade providers independently from Airflow itself, following the
instructions found in Managing providers separately from Airflow core.