ff-sdesai opened a new issue, #29615:
URL: https://github.com/apache/beam/issues/29615

   ### What happened?
   
   I am trying to add the dependency apache-beam 2.52.0 (latest version) to the
pyproject.toml file. However, Snyk is reporting a vulnerability during the
build process in pyarrow 11.0.0, which Apache Beam uses internally.
   
   ```
   Pin [email protected] to [email protected] to fix
     ✗ Deserialization of Untrusted Data (new) [Critical 
Severity][https://security.snyk.io/vuln/SNYK-PYTHON-PYARROW-6052811] in 
[email protected]
       introduced by [email protected] > [email protected]
   ```
   
   I tried going back to Apache Beam 2.44.0, which uses pyarrow 9 internally,
but the same vulnerability is being reported with all the versions. Is there any
workaround for this?
   
   ### Issue Priority
   
   Priority: 0 (outage / urgent vulnerability)
   
   ### Issue Components
   
   - [X] Component: Python SDK
   - [ ] Component: Java SDK
   - [ ] Component: Go SDK
   - [ ] Component: Typescript SDK
   - [ ] Component: IO connector
   - [ ] Component: Beam YAML
   - [ ] Component: Beam examples
   - [ ] Component: Beam playground
   - [ ] Component: Beam katas
   - [ ] Component: Website
   - [ ] Component: Spark Runner
   - [ ] Component: Flink Runner
   - [ ] Component: Samza Runner
   - [ ] Component: Twister2 Runner
   - [ ] Component: Hazelcast Jet Runner
   - [ ] Component: Google Cloud Dataflow Runner


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
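The poster sees the same Snyk finding on every Beam version tried, which is what you would expect if each of those releases pins pyarrow below the advisory's fix version. Before changing Beam versions it is worth confirming locally which pyarrow the environment actually resolves and whether it clears the fix threshold. The script below is an added example, not code from the issue or from the Beam project: it parses Snyk's "Pin ... to fix" output into structured fields, compares the installed pyarrow against the fix version with a small release-number comparison (not full PEP 440), and reports the dependency chain that introduced it. The sample report is constructed; the archive's address scrubber redacted the `package@version` tokens, so `pyarrow@11.0.0` and `apache-beam@2.52.0` are restored from the prose, and the fix target `14.0.1` is an assumption for the example.

```python
import re
from importlib import metadata

# Constructed sample modelled on the Snyk output quoted in the issue.
# The archive scrubbed the package@version tokens; the vulnerable package and
# version come from the prose, the fix version 14.0.1 is an assumption.
SNYK_REPORT = """\
Pin pyarrow@11.0.0 to pyarrow@14.0.1 to fix
  ✗ Deserialization of Untrusted Data (new) [Critical Severity][https://security.snyk.io/vuln/SNYK-PYTHON-PYARROW-6052811] in pyarrow@11.0.0
    introduced by apache-beam@2.52.0 > pyarrow@11.0.0
"""


def parse_version(text):
    """Turn '14.0.1' into (14, 0, 1) for ordered comparison.

    Trailing zeros are dropped so '14.0' == '14.0.0'. Pre-release or local
    suffixes ('14.0.1rc0', '11.0.0+cpu') are ignored, not full PEP 440.
    """
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(.*)", text.strip())
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_snyk_report(text):
    """Extract package, vulnerable/fixed versions, advisory id and the
    dependency chain from one Snyk 'Pin X@a to X@b to fix' block."""
    pin = re.search(r"Pin (\S+)@(\S+) to (\S+)@(\S+) to fix", text)
    if not pin:
        raise ValueError("no 'Pin ... to fix' line found")
    package, vulnerable, fixed_pkg, fixed = pin.groups()
    if fixed_pkg != package:
        raise ValueError("fix line names a different package than the pin")

    title = re.search(r"✗\s+(.*?)\s+\[", text)
    severity = re.search(r"\[(\w+)\s+Severity\]", text)
    advisory = re.search(r"SNYK-[A-Z]+-[A-Z0-9]+-\d+", text)
    chain = re.search(r"introduced by (.+)", text)

    return {
        "package": package,
        "vulnerable_version": vulnerable,
        "fixed_version": fixed,
        "title": title.group(1) if title else None,
        "severity": severity.group(1) if severity else None,
        "advisory": advisory.group(0) if advisory else None,
        # Top-level dependency first, vulnerable package last.
        "introduced_by": [p.strip() for p in chain.group(1).split(">")] if chain else [],
    }


def is_remediated(installed, fixed):
    """True when the installed release is at or above the fix release."""
    return parse_version(installed) >= parse_version(fixed)


def installed_version(distribution):
    """Version of a distribution in the current environment, or None."""
    try:
        return metadata.version(distribution)
    except metadata.PackageNotFoundError:
        return None


def assess(report, installed):
    """One-line verdict for the parsed report against an installed version."""
    pkg = report["package"]
    if installed is None:
        return f"{pkg} not installed; nothing to assess"
    if is_remediated(installed, report["fixed_version"]):
        return f"{pkg} {installed} is at or above fix version {report['fixed_version']}"
    chain = " > ".join(report["introduced_by"])
    return (f"{pkg} {installed} still affected by {report['advisory']}; "
            f"needs >= {report['fixed_version']} (pulled in via {chain})")


if __name__ == "__main__":
    report = parse_snyk_report(SNYK_REPORT)
    print(assess(report, installed_version(report["package"])))
```

Run it inside the virtualenv that `pyproject.toml` resolves into; if the verdict is "still affected", the fix is not a different Beam release but one whose pyarrow constraint admits the fixed version, so check the resolved pyarrow after every Beam bump rather than relying on the scanner alone.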
