alamb commented on PR #10128: URL: https://github.com/apache/arrow-datafusion/pull/10128#issuecomment-2063655318
Note that the security-audit CI check is failing: https://github.com/apache/arrow-datafusion/actions/runs/8737098473/job/23973329903?pr=10128

```
error: 1 vulnerability found!
Crate:     gix-transport
Version:   0.39.0
Title:     gix-transport indirect code execution via malicious username
Date:      2024-04-13
ID:        RUSTSEC-2024-0335
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0335
Solution:  Upgrade to >=0.42.0
Dependency tree:
gix-transport 0.39.0
├── gix-protocol 0.42.0
│   └── gix 0.56.0
│       └── cargo 0.77.0
│           └── datafusion 37.1.0
│               ├── datafusion-wasmtest 37.1.0
│               ├── datafusion-substrait 37.1.0
│               ├── datafusion-sqllogictest 37.1.0
│               ├── datafusion-proto 37.1.0
│               │   └── datafusion-benchmarks 37.1.0
│               ├── datafusion-examples 37.1.0
│               ├── datafusion-docs-tests 37.1.0
│               └── datafusion-benchmarks 37.1.0
└── gix 0.56.0
```

This is due to a dev dependency on `cargo` in datafusion for the `depcheck` binary: https://github.com/apache/arrow-datafusion/blob/d4eb72c30d45c0f3f359c64f41a6caed30abe750/datafusion/core/Cargo.toml#L133

We removed this dependency from main (38.0.0) but it is still on `branch-37`: https://github.com/apache/arrow-datafusion/pull/9865

Two options:

1. Merge the PR as is (with the CI check failure)
2. Remove the depcheck binary/CI/`cargo` dependency from the `branch-37` line to get CI passing cleanly

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
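Triage helper, added here as an example and not code from the PR or from the DataFusion project: given the inverse dependency tree that cargo-audit prints for a flagged crate (the text above, re-indented), it reports which direct dependency of a named workspace crate pulls the flagged crate in, and which other workspace members inherit the advisory through it. The `AUDIT_TREE` literal is reconstructed from the quoted CI output; the parsing logic and the function names (`parse_tree`, `path_to`, `offending_direct_dep`, `dependents_of`) are this example's own, not cargo-audit's.

```rust
// Added example: parse cargo-audit's "Dependency tree" block and find the
// edge that a workspace crate should cut to drop a vulnerable transitive crate.
// The tree text is reconstructed from the CI output quoted in the PR comment.
const AUDIT_TREE: &str = "\
gix-transport 0.39.0
├── gix-protocol 0.42.0
│   └── gix 0.56.0
│       └── cargo 0.77.0
│           └── datafusion 37.1.0
│               ├── datafusion-wasmtest 37.1.0
│               ├── datafusion-substrait 37.1.0
│               ├── datafusion-sqllogictest 37.1.0
│               ├── datafusion-proto 37.1.0
│               │   └── datafusion-benchmarks 37.1.0
│               ├── datafusion-examples 37.1.0
│               ├── datafusion-docs-tests 37.1.0
│               └── datafusion-benchmarks 37.1.0
└── gix 0.56.0
";

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Pkg {
    pub name: String,
    pub version: String,
}

/// Characters cargo-audit uses to draw the tree in front of each crate name.
fn is_drawing(c: char) -> bool {
    matches!(c, '│' | '├' | '└' | '─' | ' ')
}

/// Depth of a tree line: the drawing prefix comes in 4-column groups
/// ("├── ", "│   ", "└── ", "    "), so count columns before the crate name.
fn depth_of(line: &str) -> usize {
    line.chars().take_while(|&c| is_drawing(c)).count() / 4
}

/// Parse "name version" entries together with their depth; blank lines and
/// lines without a version (e.g. a stray header) are skipped.
pub fn parse_tree(text: &str) -> Vec<(usize, Pkg)> {
    text.lines()
        .filter(|l| !l.trim().is_empty())
        .filter_map(|line| {
            let depth = depth_of(line);
            let mut parts = line.trim_start_matches(is_drawing).split_whitespace();
            let name = parts.next()?.to_string();
            let version = parts.next()?.to_string();
            Some((depth, Pkg { name, version }))
        })
        .collect()
}

/// Chain from the vulnerable root crate down to the first occurrence of
/// `target`, inclusive. None if `target` does not depend on the root crate.
pub fn path_to(text: &str, target: &str) -> Option<Vec<Pkg>> {
    let mut stack: Vec<Pkg> = Vec::new();
    for (depth, pkg) in parse_tree(text) {
        // A line at depth d is a child of the most recent line at depth d-1.
        stack.truncate(depth);
        stack.push(pkg);
        if stack.last().map_or(false, |p| p.name == target) {
            return Some(stack);
        }
    }
    None
}

/// The direct dependency of `target` through which the vulnerable crate is
/// reached: the entry just above `target` on its chain. This is the edge to
/// remove or upgrade; the audit tree does not say whether it is a normal or
/// dev dependency, so confirm that in Cargo.toml.
pub fn offending_direct_dep(text: &str, target: &str) -> Option<Pkg> {
    let path = path_to(text, target)?;
    if path.len() < 2 {
        return None;
    }
    path.get(path.len() - 2).cloned()
}

/// Crates that depend on `target` and so inherit the advisory: the subtree
/// under `target`'s first occurrence, de-duplicated because the same crate can
/// appear on several branches (datafusion-benchmarks above).
pub fn dependents_of(text: &str, target: &str) -> Vec<String> {
    let entries = parse_tree(text);
    let start = match entries.iter().position(|(_, p)| p.name == target) {
        Some(i) => i,
        None => return Vec::new(),
    };
    let base = entries[start].0;
    let mut out: Vec<String> = Vec::new();
    for (depth, pkg) in &entries[start + 1..] {
        if *depth <= base {
            break; // left the subtree
        }
        if !out.contains(&pkg.name) {
            out.push(pkg.name.clone());
        }
    }
    out
}

fn main() {
    match offending_direct_dep(AUDIT_TREE, "datafusion") {
        Some(dep) => println!("datafusion reaches the advisory via {} {}", dep.name, dep.version),
        None => println!("datafusion does not depend on the vulnerable crate"),
    }
    println!("workspace crates inheriting it: {:?}", dependents_of(AUDIT_TREE, "datafusion"));
}
```

Run against the tree above, `offending_direct_dep` names `cargo 0.77.0`, which matches the dev dependency the comment points at; the seven `datafusion-*` crates listed under it are the members that inherit RUSTSEC-2024-0335 only through that edge. On a checked-out workspace, `cargo tree -i gix-transport` reproduces the same inverse chain from Cargo's own resolver rather than from cargo-audit's text.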
