jorisvandenbossche commented on issue #35846: URL: https://github.com/apache/arrow/issues/35846#issuecomment-1571460465
Indeed, it is up to applications and end users to ensure they use a newer numpy version in case those security reports are relevant for them (for many users scripting locally, it is not relevant at all), and not for libraries starting to limit allowed versions.

https://github.com/numpy/numpy/issues/19038 is also an interesting read, and essentially disputes the vulnerability, quoting:

> Not a meaningful vulnerability because triggering the issue seems only plausible if the malicious party already has the privilege to run NumPy commands. Thus, while a bug, it does not present an escalation of privilege.
