Skip to content

Bump flask-appbuilder to 5.2.2 in FAB provider#69730

Open
potiuk wants to merge 1 commit into
apache:mainfrom
potiuk:upgrade-fab-provider-5-2-2
Open

Bump flask-appbuilder to 5.2.2 in FAB provider#69730
potiuk wants to merge 1 commit into
apache:mainfrom
potiuk:upgrade-fab-provider-5-2-2

Conversation

@potiuk

@potiuk potiuk commented Jul 10, 2026

Copy link
Copy Markdown
Member

Bumps the vendored Flask-AppBuilder dependency in the FAB provider from 5.2.1 to 5.2.2.

FAB 5.2.2 hardens the security manager (LDAP search-filter escaping, OAuth email-allowlist regex anchoring, API-login provider validation). Airflow's vendored security manager already escapes LDAP filters (and validates the search filter), and it inherits the OAuth allowlist matching from FAB's OAuth view via super().oauth_authorized(), so override.py needs no change; test_fab_alignment.py confirms the vendored code stays structurally in sync with 5.2.2.


Was generative AI tooling used to co-author this PR?
  • Yes — Claude Code (Opus 4.8)

Generated-by: Claude Code (Opus 4.8) following the guidelines

Flask-AppBuilder 5.2.2 ships security-manager hardening — LDAP
search-filter escaping, OAuth email-whitelist regex anchoring, and
API-login provider validation. Airflow's vendored security manager
already escapes LDAP filters (and validates the search filter), and it
inherits the OAuth whitelist matching from FAB's OAuth view via super(),
so these fixes land without any change to the vendored override; the FAB
alignment test confirms the vendored code stays structurally in sync
with the new release.
@vincbeck

Copy link
Copy Markdown
Contributor

Duplicate of #69706

@vincbeck vincbeck marked this as a duplicate of #69706 Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants