arpitjain099 commented on PR #49965: URL: https://github.com/apache/arrow/pull/49965#issuecomment-4443365167
@raulcd the alert is on my fork (Dependabot enabled there): https://github.com/arpitjain099/arrow/security/dependabot/1. apache/arrow's own security tab may not surface this specific file or this Dependabot bucket, which would explain why it isn't visible to you. The advisory is a global GitHub one: [GHSA-fpfv-jqm9-f5jm / CVE-2021-34141](https://github.com/advisories/GHSA-fpfv-jqm9-f5jm) against `numpy < 1.22` in `python/requirements-wheel-test.txt`. Agree the practical impact is small given this is only the wheel-test lower bound and the actual build uses `numpy>=1.25`. If you're comfortable letting the CI run on the bumped value be the test, happy to wait for that signal and update or close as you prefer once it lands. And if dropping Python 3.10 in a release-or-two effectively retires this file's relevance anyway, that's fine too.

-- This is an automated message from the Apache Git Service.
