arpitjain099 commented on PR #49965:
URL: https://github.com/apache/arrow/pull/49965#issuecomment-4443199234

   @raulcd answers to each:
   
   1. Yes, dependabot. The alert is [GHSA-fpfv-jqm9-f5jm / 
CVE-2021-34141](https://github.com/advisories/GHSA-fpfv-jqm9-f5jm) (medium, 
"Incorrect Comparison in NumPy"), vulnerable range `< 1.22`, first patched 
`1.22`. It's flagged on my fork against `python/requirements-wheel-test.txt` 
specifically because that file still pins `numpy~=1.21.3` for `<3.11`.
   
   2. On the numpy 2 path (#48473): not mutually exclusive with this. This PR 
is the minimal fix that closes the dependabot alert without touching the 
broader migration story. Happy to drop it if you'd rather wait for the full 2.x 
cutover, but the alert stays open until then.
   
   3. Right, that build already uses `numpy>=1.25`, so the build side is fine. 
The vulnerability is specifically on the wheel-test surface where the file 
still pins `numpy~=1.21.3` for Python `<3.11`. That's the line dependabot 
points at.
   
   Let me know which direction you'd prefer.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

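As an added example, not code from the PR, from Apache Arrow or from Dependabot, the check below reproduces the reasoning in the comment above: a PEP 440 compatible-release pin such as `numpy~=1.21.3` expands to `>=1.21.3, ==1.21.*`, so every version the resolver may pick is below the first patched release `1.22`, and the pin is flagged only where its `python_version` marker applies. The requirements text is constructed from what the comment states (the `numpy~=1.21.3` line for `<3.11`); the other lines in it, and the helper names `resolvable_range`, `only_vulnerable`, `marker_applies` and `audit`, are assumptions made for this example.

```python
"""Flag requirement pins that can only resolve inside a vulnerable range.

Added example, not project code.  Models the Dependabot logic discussed in
the comment: a specifier is a finding when no version it admits reaches the
first patched release (1.22 for GHSA-fpfv-jqm9-f5jm / CVE-2021-34141).
"""
import operator
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# First patched release quoted from the advisory in the comment above.
FIRST_PATCHED = "1.22"

# Minimal requirement line grammar: name, one comparison, version, optional marker.
_REQ = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)\s*(?P<op>~=|==|>=|<=|!=|<|>)\s*(?P<ver>[0-9.]+)"
    r"\s*(?:;\s*(?P<marker>.*?))?\s*$"
)
# Only python_version markers are modelled; anything else raises.
_MARKER = re.compile(r'^python_version\s*(?P<op>==|!=|<=|>=|<|>)\s*"(?P<ver>[0-9.]+)"$')
_OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
        "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def parse_version(s: str) -> Version:
    """Dotted numeric version -> tuple, so Python tuple ordering does the comparing."""
    return tuple(int(p) for p in s.split("."))


def resolvable_range(op: str, ver: str) -> Optional[Tuple[Version, Optional[Version]]]:
    """[low, high) that one specifier lets the resolver choose from (high=None: unbounded).

    Only ~=, == and >= are modelled, which is enough for the pins in the thread.
    """
    v = parse_version(ver)
    if op == "~=":
        # PEP 440 compatible release: ~=1.21.3 means >=1.21.3, ==1.21.*  ->  [1.21.3, 1.22)
        prefix = v[:-1]
        return v, prefix[:-1] + (prefix[-1] + 1,)
    if op == "==":
        return v, v[:-1] + (v[-1] + 1,)
    if op == ">=":
        return v, None
    return None


def only_vulnerable(op: str, ver: str, first_patched: str = FIRST_PATCHED) -> bool:
    """True when nothing the specifier admits is at or above the first patched release."""
    rng = resolvable_range(op, ver)
    if rng is None:
        return False
    _, high = rng
    return high is not None and high <= parse_version(first_patched)


def marker_applies(marker: Optional[str], python_version: str) -> bool:
    """Evaluate a `python_version` environment marker for the given interpreter."""
    if not marker:
        return True
    m = _MARKER.match(marker.strip())
    if not m:
        raise ValueError(f"unsupported marker: {marker!r}")
    return _OPS[m["op"]](parse_version(python_version), parse_version(m["ver"]))


def audit(requirements: str, package: str, python_version: str,
          first_patched: str = FIRST_PATCHED) -> List[str]:
    """Lines pinning `package` that, for this interpreter, can only resolve below the fix."""
    hits = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ.match(line)
        if not m or m["name"].lower() != package.lower():
            continue
        if marker_applies(m["marker"], python_version) and \
                only_vulnerable(m["op"], m["ver"], first_patched):
            hits.append(line)
    return hits


# Constructed stand-in for the wheel-test requirements file.  Only the
# numpy~=1.21.3 line for <3.11 comes from the comment; the rest is made up.
SAMPLE_REQUIREMENTS = """\
numpy~=1.21.3; python_version < "3.11"
numpy>=1.25; python_version >= "3.11"
cython>=0.29
"""

if __name__ == "__main__":
    for py in ("3.10", "3.11"):
        print(py, audit(SAMPLE_REQUIREMENTS, "numpy", py))
```

Run it and the 3.10 pass reports the `~=1.21.3` line while 3.11 reports nothing, which is exactly why raising the `<3.11` pin (or dropping the split) is what closes the alert; a `>=` floor at or above `1.22` is never a finding because its range is unbounded above.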