Skip to content

Update dependency pyarrow to v14 [SECURITY] #538

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Update dependency pyarrow to v14 [SECURITY] #538

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Nov 12, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
pyarrow (source) ==6.0.1 -> ==14.0.1 age adoption passing confidence
pyarrow (source) ==5.0.0 -> ==14.0.1 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-47248

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).

This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.

It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.

If it is not possible to upgrade, maintainers provide a separate package pyarrow-hotfix that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.

Release Notes

apache/arrow (pyarrow)

v14.0.1

v14.0.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@guardrails GuardRails
Copy link

guardrails bot commented Nov 12, 2023

⚠️ We detected 21 security issues in this pull request:

Vulnerable Libraries (21)
Severity Details
Medium pkg:pypi/flask-security@3.0.0 (t) - no patch available
High pkg:pypi/flask@2.0.3 (t) upgrade to: 70f906c51ce49c485f1d355703e9cc3386b1cc2b,afd63b16170b7c047f5758eb910c416511e9c965,2.2.5,2.3.2
N/A pkg:pypi/gitpython@3.1.27 (t) upgrade to: 3.1.32
High pkg:pypi/pillow@9.0.1 (t) upgrade to: 26.2.1,10.0.1,0.2.6,0.1.8,0.9.3,24.8.3,2.88.6,22.3.24,25.8.1,27.0.0-beta.2
High pkg:pypi/werkzeug@2.0.3 (t) upgrade to: 517cac5a804e8c4dc4ed038bb20dacd038e7a9f1,2.2.3
High pkg:pypi/flask@2.0.3 (t) upgrade to: 70f906c51ce49c485f1d355703e9cc3386b1cc2b,afd63b16170b7c047f5758eb910c416511e9c965,2.2.5,2.3.2
N/A pkg:pypi/gitpython@3.1.27 (t) upgrade to: ca965ecc81853bca7675261729143f54e5bf4cdd,3.1.32
High pkg:pypi/pillow@9.0.1 (t) upgrade to: 0.9.3,24.8.3,10.0.1,0.2.6,0.1.8,22.3.24,25.8.1,26.2.1,27.0.0-beta.2,2.88.6
High pkg:pypi/werkzeug@2.0.3 (t) upgrade to: 517cac5a804e8c4dc4ed038bb20dacd038e7a9f1,2.2.3
High pkg:pypi/flask@2.0.3 (t) upgrade to: 70f906c51ce49c485f1d355703e9cc3386b1cc2b,afd63b16170b7c047f5758eb910c416511e9c965,2.2.5,2.3.2
N/A pkg:pypi/gitpython@3.1.27 (t) upgrade to: 3.1.32
High pkg:pypi/mako@1.1.6 (t) upgrade to: 925760291d6efec64fda6e9dd1fd9cfbd5be068c,1.2.2
High pkg:pypi/pillow@9.0.1 (t) upgrade to: 26.2.1,0.2.6,0.9.3,22.3.24,24.8.3,25.8.1,27.0.0-beta.2,2.88.6,10.0.1,0.1.8
High pkg:pypi/pyjwt@1.7.1 (t) upgrade to: 2.4.0
Critical pkg:pypi/werkzeug@2.0.3 (t) upgrade to: 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85,2.1.1
High pkg:pypi/flask@2.0.3 (t) upgrade to: 2.3.2,70f906c51ce49c485f1d355703e9cc3386b1cc2b,afd63b16170b7c047f5758eb910c416511e9c965,2.2.5
N/A pkg:pypi/gitpython@3.1.27 (t) upgrade to: 3.1.32
High pkg:pypi/mako@1.1.6 (t) upgrade to: 925760291d6efec64fda6e9dd1fd9cfbd5be068c,1.2.2
High pkg:pypi/pillow@9.0.1 (t) upgrade to: 0.9.3,25.8.1,27.0.0-beta.2,2.88.6,10.0.1,0.2.6,0.1.8,22.3.24,24.8.3,26.2.1
High pkg:pypi/pyjwt@1.7.1 (t) upgrade to: 2.4.0
Critical pkg:pypi/werkzeug@2.0.3 (t) upgrade to: 2.1.1,9a3a981d70d2e9ec3344b5192f86fcaf3210cd85

More info on how to fix Vulnerable Libraries in Python.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 2, 2024

Stale pull request message

@github-actions github-actions bot closed this Feb 10, 2024
@renovate Renovate
Copy link
Author

renovate bot commented Feb 10, 2024

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 14.x releases. But if you manually upgrade to 14.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/pypi-pyarrow-vulnerability branch February 10, 2024 02:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

no-pr-activity

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants