CLevasseur opened a new pull request, #10208: URL: https://github.com/apache/arrow-rs/pull/10208
## Summary Bumps the `thrift` dependency in the `parquet` crate from `0.17` to `0.23.0`. ### Motivation [CVE-2026-43868 / GHSA-2F9F-GQ7V-9H6M](https://github.com/advisories/GHSA-2F9F-GQ7V-9H6M): The thrift Rust crate ≤ 0.22.0 allows untrusted, excessively large size values to drive memory allocation without bounds checking (CWE-789). This is remotely exploitable with no authentication, rated CVSS 5.3 (moderate). The fix shipped in **thrift 0.23.0**. > **Note:** The `main` branch removed the thrift dependency entirely in 59.0.0 (#9962) as a workaround while no patched version existed on crates.io. Now that 0.23.0 is available, this PR provides the security fix for users still on the 58.x line. ### Changes - `parquet/Cargo.toml`: `thrift = { version = "0.17" }` → `thrift = { version = "0.23" }` ### Compatibility The thrift 0.23.0 API is fully backward-compatible with 0.17. No code changes were required. All **1084 parquet tests** pass against thrift 0.23.0. ## Test plan - [x] `cargo check -p parquet` passes cleanly - [x] `cargo test -p parquet` — 1084 passed, 0 failed 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
