Bump paramiko dependency to version 4.0.0 #64898

Closed
rawwar wants to merge 2 commits into apache:main from rawwar:kalyan/paramiko

@rawwar rawwar commented Apr 8, 2026

closes #54079

Made-with: Cursor


Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)

  • Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
  • For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
  • When adding dependency, check compliance with the ASF 3rd Party License Policy.
  • For significant user-facing changes create newsfragment: {pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.

Comment thread providers/sftp/docs/changelog.rst Outdated
Comment thread providers/ssh/docs/changelog.rst
Comment thread providers/ssh/docs/changelog.rst Outdated
rawwar commented Apr 8, 2026

Thank you for your comments, @potiuk, @eladkal. I kept this in draft as I haven't reviewed this one yet. I'll fix things and mark it ready for review once I've reviewed the changes (currently, it's completely generated by Claude).

@kaxil kaxil requested a review from Copilot April 10, 2026 19:55

Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the SSH/SFTP providers to require Paramiko 4.x and removes/guards usage of deprecated DSS/DSA key support, adding explicit errors and documentation for the breaking change.

Changes:

  • Bump paramiko minimum version to >=4.0.0 (and update type stubs accordingly).
  • Remove DSS/DSA key loader/mapping usage and add explicit ValueError for ssh-dss/unsupported host key algorithms.
  • Add/adjust tests and documentation/changelog entries describing the breaking change and migration path.

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| providers/ssh/src/airflow/providers/ssh/hooks/ssh.py | Removes DSS support and adds explicit validation/errors for host key algorithms; updates private-key error text. |
| providers/ssh/tests/unit/ssh/hooks/test_ssh.py | Adds unit tests asserting failures for ssh-dss and unknown host key algorithms. |
| providers/ssh/pyproject.toml | Bumps Paramiko requirement to >=4.0.0. |
| providers/ssh/docs/index.rst | Updates documented Paramiko requirement to >=4.0.0. |
| providers/ssh/docs/connections/ssh.rst | Documents supported host_key types and DSS/DSA removal rationale. |
| providers/ssh/docs/changelog.rst | Adds a breaking-changes entry describing DSS/DSA removal and migration steps. |
| providers/ssh/README.rst | Updates documented Paramiko requirement to >=4.0.0. |
| providers/sftp/pyproject.toml | Bumps Paramiko requirement to >=4.0.0. |
| providers/sftp/docs/index.rst | Updates documented Paramiko requirement to >=4.0.0. |
| providers/sftp/docs/changelog.rst | Adds a breaking-changes entry describing DSS/DSA removal and migration steps. |
| providers/sftp/README.rst | Updates documented Paramiko requirement to >=4.0.0. |
| devel-common/pyproject.toml | Bumps types-paramiko to a 4.x-compatible version. |

Comment thread providers/ssh/src/airflow/providers/ssh/hooks/ssh.py Outdated
Comment thread providers/ssh/docs/connections/ssh.rst Outdated
Comment on lines +577 to +601
@mock.patch.object(SSHHook, "get_connection")
def test_dss_host_key_in_connection_extra_raises(self, mock_get_connection):
mock_get_connection.return_value = Connection(
conn_id="ssh_dss_host_key",
conn_type="ssh",
host="remote_host",
login="user",
extra=json.dumps({"host_key": "ssh-dss AAAAB3NzaC1kc3MAAA==", "no_host_key_check": False}),
)
with pytest.raises(ValueError, match="DSA/DSS host keys"):
SSHHook(ssh_conn_id="ssh_dss_host_key")

@mock.patch.object(SSHHook, "get_connection")
def test_unsupported_host_key_algorithm_raises(self, mock_get_connection):
mock_get_connection.return_value = Connection(
conn_id="ssh_fake_alg",
conn_type="ssh",
host="remote_host",
login="user",
extra=json.dumps(
{"host_key": "ssh-fake AAAAB3NzaC1yc2EAAAADAQABAA==", "no_host_key_check": False}
),
)
with pytest.raises(ValueError, match=r"Unsupported SSH host key algorithm 'fake'"):
SSHHook(ssh_conn_id="ssh_fake_alg")
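
Review bot: In test_unsupported_host_key_algorithm_raises the expected message names 'fake' while the connection extra carries the token ssh-fake, so the error reports a shortened form of what the user typed. Assert on the token as supplied (for example match=r"'ssh-fake'") so the message can be matched against the connection extra. The base64 payload in that test also decodes to an ssh-rsa type header, so the test exercises only the label; a case where the label and the blob's embedded type disagree would be worth pinning down explicitly.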

Copilot AI Apr 10, 2026

These tests cover the new failure paths, but there’s no unit test asserting acceptance/selection of supported host key types. Adding a focused test that validates host_key parsing/constructor selection for at least one supported type (notably an ECDSA ecdsa-sha2-nistp256 token) would prevent regressions and would catch the current mis-detection behavior; you can avoid needing real key material by patching the relevant Paramiko key class/constructor and asserting it was chosen.

Copilot uses AI. Check for mistakes.
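
The review comment above asks for a positive-path check of host-key type selection. One way to make that selection testable without real key material, as an added example that is not part of the PR or of Airflow's code: read the algorithm name from the key blob itself and cross-check it against the declared token. `parse_host_key` and `blob_algorithm` are hypothetical names, the sample key is constructed, and the allow-list is copied from the supported-types message quoted in this thread.

```python
import base64
import binascii
import struct

# Allow-list copied from the supported-types message quoted in this thread.
SUPPORTED = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def blob_algorithm(blob: bytes) -> str:
    """Read the algorithm name from an SSH public key blob.

    The blob opens with a wire-format string: 4-byte big-endian length,
    then that many bytes of ASCII algorithm name.
    """
    if len(blob) < 4:
        raise ValueError("host key blob is too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or length > len(blob) - 4:
        raise ValueError("host key blob has a bad algorithm length")
    try:
        return blob[4:4 + length].decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("host key algorithm name is not ASCII") from None


def parse_host_key(value: str) -> tuple[str, bytes]:
    """Return (algorithm, blob) for 'TYPE BASE64 [comment]' or bare BASE64."""
    parts = value.split()
    if not parts:
        raise ValueError("host key is empty")
    declared, b64 = (None, parts[0]) if len(parts) == 1 else parts[:2]
    try:
        blob = base64.b64decode(b64, validate=True)  # strict: reject stray characters
    except binascii.Error as exc:
        raise ValueError(f"host key is not valid base64: {exc}") from None
    actual = blob_algorithm(blob)
    if declared is not None and declared != actual:
        raise ValueError(f"host key declared as {declared!r} but blob is {actual!r}")
    if actual == "ssh-dss":
        raise ValueError("DSA/DSS host keys are not supported")
    if actual not in SUPPORTED:
        raise ValueError(f"Unsupported SSH host key algorithm {actual!r}")
    return actual, blob


if __name__ == "__main__":
    # Constructed sample: type header plus padding, not a usable key.
    name = b"ecdsa-sha2-nistp256"
    sample = base64.b64encode(struct.pack(">I", len(name)) + name + b"\0" * 8).decode()
    print(parse_host_key(f"ecdsa-sha2-nistp256 {sample}")[0])
```

This only inspects the type header; validating the key material itself stays with the key class that consumes the blob.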
@rbilkevic-hostinger

@rawwar Are you planning to resume work on this some time soon?

Copilot AI left a comment

Pull request overview

Copilot reviewed 12 out of 13 changed files in this pull request and generated 2 comments.

Comment on lines +113 to +116
_SUPPORTED_HOST_KEY_TYPES_MSG = (
"ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 "
"(bare base64 is treated as ssh-rsa)"
)
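
Review bot: _SUPPORTED_HOST_KEY_TYPES_MSG is a hand-written list, so it can drift from whatever mapping actually selects the key class; build the string from that mapping's keys so the error text and the accepted set cannot disagree. The parenthetical "bare base64 is treated as ssh-rsa" also documents a silent default: by this wording a bare ECDSA or Ed25519 key would be parsed as RSA, so consider requiring the type token or reading the type from the decoded blob.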
Comment on lines +424 to +426
key_constructor, key_data = cls._parse_host_key(host_key)
decoded_host_key = decodebytes(key_data.encode("utf-8"))
return key_constructor(data=decoded_host_key)
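
Review bot: decodebytes on line +425 discards characters outside the base64 alphabet rather than rejecting them, so a corrupted host_key value can decode to different bytes and fail only later inside key_constructor, or not at all. Use b64decode(key_data, validate=True) and wrap the decode and the constructor call so the caller gets one ValueError that names the host_key field of the connection.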
@rawwar rawwar closed this Jul 3, 2026
Development

Successfully merging this pull request may close these issues.

Remove/Replace DSSKey references from Airflow

5 participants