Skip to content

fix(deps): Update dependency pyarrow to v14 [SECURITY] #15211

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
cq-bot wants to merge 1 commit into from
Closed

fix(deps): Update dependency pyarrow to v14 [SECURITY] #15211

cq-bot wants to merge 1 commit into from

Conversation

@cq-bot
Copy link
Contributor

@cq-bot cq-bot commented Nov 9, 2023

This PR contains the following updates:

Package Update Change
pyarrow (source) major ==13.0.0 -> ==14.0.1

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-47248

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).

This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.

It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.

If it is not possible to upgrade, maintainers provide a separate package pyarrow-hotfix that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@cq-bot cq-bot requested a review from a team November 9, 2023 23:10
@cq-bot cq-bot added the security label Nov 9, 2023
@cq-bot cq-bot requested review from candiduslynx and removed request for a team November 9, 2023 23:10
@candiduslynx candiduslynx mentioned this pull request Nov 10, 2023
Merged
kodiakhq bot pushed a commit to cloudquery/plugin-sdk-python that referenced this pull request Nov 10, 2023
@candiduslynx
fix(deps): Update pyarrow to v14.0.1 [SECURITY] (#83)
36f52e3 
Required for cloudquery/cloudquery#15211
@candiduslynx
Copy link
Contributor

candiduslynx commented Nov 10, 2023

Will be done in #15213

@candiduslynx candiduslynx deleted the renovate/pypi-pyarrow-vulnerability branch November 10, 2023 09:31
@cq-bot
Copy link
Contributor Author

cq-bot commented Nov 10, 2023

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 14.x releases. But if you manually upgrade to 14.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kodiakhq kodiakhq[bot] kodiakhq[bot] approved these changes

@candiduslynx candiduslynx Awaiting requested review from candiduslynx

Assignees

No one assigned

Labels

area/plugin/source/square area/plugin/source/typeform security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cq-bot @candiduslynx @renovate-bot