chore(deps): update dependency apache-airflow-providers-http to v6 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
apache-airflow-providers-http (changelog)	==4.4.2 → ==6.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-69219

A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low.

Users should upgrade to version 6.0.0 of the provider to avoid even that risk.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the apache-airflow-providers-http dependency to its latest version, 6.0.0, primarily to incorporate a critical security fix. The update mitigates a vulnerability related to potential code execution through crafted database entries, enhancing the overall security posture of the application.

Highlights

• Dependency Update: Updated the apache-airflow-providers-http dependency from version 4.4.2 to 6.0.0.
• Security Fix: This update addresses CVE-2025-69219, a vulnerability that could allow code execution on the Airflow Triggerer via crafted database entries, enhancing the application's security.

Changelog

• composer/blog/gcp-tech-blog/data-orchestration-with-composer/requirements.txt
  • Updated apache-airflow-providers-http from 4.4.2 to 6.0.0.

Activity

• The pull request was automatically generated by Renovate Bot to update a dependency.
• Automerge is currently disabled, requiring manual merging.
• A security vulnerability (CVE-2025-69219) is highlighted as a reason for this update.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates apache-airflow-providers-http to version 6.0.0 to address a security vulnerability. However, this major version upgrade introduces a breaking change that will cause the SlackWebhookOperator to fail, as it now requires a JSON response which Slack's API does not provide. To resolve this, apache-airflow-providers-slack must also be upgraded to version 8.0.0 or newer. Furthermore, the constraints.txt file needs to be updated to reflect the new versions of both dependencies to ensure consistency.

_{Note: Security Review has been skipped due to the limited scope of the PR.}

[gemini-code-assist]

Updating apache-airflow-providers-http to version 6.0.0 introduces a breaking change that will cause the SlackWebhookOperator used in the sample DAG to fail.

Version 6.0.0 of the HTTP provider now strictly expects a JSON response from HTTP calls made via HttpHook, and will raise an exception if the response is not valid JSON. The Slack webhook API returns a simple ok text response, which will cause a JSONDecodeError and break the failure notification mechanism.

This issue is resolved in apache-airflow-providers-slack version 8.0.0 and later. To fix this, you must also upgrade apache-airflow-providers-slack to a compatible version (e.g., 8.0.0).

Additionally, as noted in the comment at the top of this file, the corresponding constraints.txt file must be updated to reflect the new versions for both apache-airflow-providers-http and apache-airflow-providers-slack.