maxburke commented on PR #6074: URL: https://github.com/apache/arrow-rs/pull/6074#issuecomment-2258887810
@alamb We use `cargo audit` to report on vulnerabilities in our dependency chain. It doesn't know enough to know if the afflicted code paths are used by us or not. The result though is all of our Rust builds are on hold because there's a CVE reported against the versions of `object_store` that we and our dependencies (both `datafusion` and `lancedb`) are using, and because of that our CI pipeline is failing. The Cargo version resolution rules do not accept 0.10 as being a compatible update for 0.9; I don't think releasing an incompatible version that fixes the issue is acceptable. I also do not believe it is onerous to ask the package maintainers to release a _compatible patch_ for something serious enough to warrant a CVE number.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
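The comment turns on how Cargo's default version requirement behaves for pre-1.0 crates. The following is an added example written for this thread, not code from arrow-rs, `object_store`, or the commenter: a minimal plain-Rust model of Cargo's caret rule (no `semver` crate) and of the resolver picking the highest compatible release. The release lists are constructed; the `0.9.x` and `0.10.x` patch numbers are hypothetical and not a statement about actual `object_store` releases.

```rust
// Added example: a minimal model of Cargo's default ("caret") version
// requirement. Not code from arrow-rs or object_store; version lists are constructed.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "MAJOR.MINOR.PATCH"; returns None for anything else.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.split('.').map(|p| p.parse::<u64>().ok());
        let major = parts.next()??;
        let minor = parts.next()??;
        let patch = parts.next()??;
        if parts.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

/// Cargo's caret rule: `^a.b.c` accepts any version >= a.b.c that does not
/// change the leftmost non-zero component. So `^0.9.0` accepts 0.9.x but
/// not 0.10.0, while `^1.2.3` accepts 1.x but not 2.0.0.
pub fn caret_compatible(req: Version, candidate: Version) -> bool {
    if candidate < req {
        return false;
    }
    if req.major != 0 {
        candidate.major == req.major
    } else if req.minor != 0 {
        candidate.major == 0 && candidate.minor == req.minor
    } else {
        candidate.major == 0 && candidate.minor == 0 && candidate.patch == req.patch
    }
}

/// Pick the highest available version satisfying the requirement, as the
/// resolver would (ignoring lockfile pinning and yanked releases).
pub fn resolve(req: Version, available: &[Version]) -> Option<Version> {
    available
        .iter()
        .copied()
        .filter(|&v| caret_compatible(req, v))
        .max()
}

fn main() {
    // Constructed release list; these are not real object_store release numbers.
    let available: Vec<Version> = ["0.9.0", "0.9.1", "0.10.0", "0.10.1"]
        .iter()
        .map(|s| Version::parse(s).unwrap())
        .collect();
    let req = Version::parse("0.9.0").unwrap();
    match resolve(req, &available) {
        Some(v) => println!("^0.9.0 resolves to {}.{}.{}", v.major, v.minor, v.patch),
        None => println!("no compatible release"),
    }

    // If a fix ships only as 0.10.x, a crate requiring ^0.9 never sees it:
    // the resolver stays on the highest 0.9.x it knows, here 0.9.0 itself.
    let fix_only_in_0_10 = [
        Version::parse("0.9.0").unwrap(),
        Version::parse("0.10.1").unwrap(),
    ];
    let picked = resolve(req, &fix_only_in_0_10);
    println!("fix visible through ^0.9? {}", picked != Some(req));
}
```

The point the model makes concrete: with `^0.9` in every downstream `Cargo.toml`, a `cargo update` can only move to another `0.9.x`, so a fix published solely as `0.10.x` requires every consumer (and their transitive dependents) to change their manifest before `cargo audit` stops reporting the advisory.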
