Releasing security patches¶
Apache Airflow™ uses a consistent and predictable approach for releasing security patches - both for the Apache Airflow package and Apache Airflow providers (security patches in providers are treated separately from security patches in Airflow core package).
Releasing Airflow with security patches¶
Apache Airflow uses a strict [SemVer](https://semver.org) versioning policy, which means that we strive for
any release of a given
MAJOR Version (version “2” currently) to be backwards compatible. When we
MINOR version, the development continues in the
main branch where we prepare the next
MINOR version, but we release
PATCHLEVEL releases with selected bugfixes (including security
bugfixes) cherry-picked to the latest released
MINOR line of Apache Airflow. At the moment, when we
release a new
MINOR version, we stop releasing
PATCHLEVEL releases for the previous
For example, once we released
2.6.0 version on April 30, 2023 all the security patches will be cherry-picked and released in
2.6.* versions until we release
2.7.0 version. There will be no
2.5.* versions released after
2.6.0 has been released.
This means that in order to apply security fixes in Apache Airflow, you
MUST upgrade to the latest
PATCHLEVEL version of Airflow.
Releasing Airflow providers with security patches¶
Similarly to Airflow, providers uses a strict SemVer versioning policy, and the same
policies apply for providers as for Airflow itself. This means that you need to upgrade to the latest
PATCHLEVEL version of the provider to get the latest security fixes.
Airflow providers are released independently from Airflow itself and the information about vulnerabilities
is published separately. You can upgrade providers independently from Airflow itself, following the
instructions found in Managing providers separately from Airflow core.