Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency pyarrow to v14 [SECURITY] #347

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency pyarrow to v14 [SECURITY] #347

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 10, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
pyarrow ==8.0.0 -> ==14.0.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-47248

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).

This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.

It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.

If it is not possible to upgrade, maintainers provide a separate package pyarrow-hotfix that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency pyarrow to v14 [SECURITY] Update dependency pyarrow to v14 [SECURITY] - autoclosed Nov 17, 2023
@renovate renovate bot closed this Nov 17, 2023
@renovate renovate bot deleted the renovate/pypi-pyarrow-vulnerability branch November 17, 2023 19:14
@renovate renovate bot changed the title Update dependency pyarrow to v14 [SECURITY] - autoclosed Update dependency pyarrow to v14 [SECURITY] Nov 17, 2023
@renovate renovate bot reopened this Nov 17, 2023
@renovate renovate bot restored the renovate/pypi-pyarrow-vulnerability branch November 17, 2023 21:59
@renovate renovate bot force-pushed the renovate/pypi-pyarrow-vulnerability branch from ad9e5a5 to 89c542e Compare November 17, 2023 21:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
renovate/pyarrow
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants