Minimum required numpy version (1.16.6) has security vulnerability #35846
Comments
The minimum required Numpy version (1.16.6) is affected by the following vulnerability: https://security.snyk.io/vuln/SNYK-PYTHON-NUMPY-2321964 With this commit, the minimum required numpy version is increased to 1.22.2, such that Snyk checks do not fail anymore.
|
Hey @diegohavenstein, thanks for bringing this up. While I would definitely encourage users to install a numpy version w/o known vulnerabilities, I don't think we want to enforce it in this case given that numpy 1.22.2 was released just a little over a year ago (Feb 3, 2022)[1]. Snyk also reports the known vulnerabilities as low severity, so it's probably best to allow users additional time to upgrade their numpy version. |
|
Indeed, it is up to applications and end users to ensure they use a newer numpy version in case those security reports are relevant for them (for many users scripting locally, it is not relevant at all), and not for libraries starting to limit allowed versions. numpy/numpy#19038 is also an interesting read (about the (non-)usefulness of those CVEs), and essentially disputes the vulnerability, quoting:
|
Describe the bug, including details regarding any error messages, version, and platform.
We currently use version 11.0.0 of pyarrow. We run Snyk checks to find vulnerabilities in our third party dependencies
In the version we use, but also on main, the setup.py file states numpy >= 1.16.6 is required (https://github.com/apache/arrow/blob/main/python/setup.py#L451)
This Python version is affected by the following vulnerability: https://security.snyk.io/vuln/SNYK-PYTHON-NUMPY-2321964
To solve the issue, version 1.22.2 or higher should be required
Component(s)
Python
The text was updated successfully, but these errors were encountered: