Use pyarrow-hotfix to mitigate CVE-2023-47248 (apache#35650)

* Use `pyarrow-hotfix` to mitigate CVE-2023-47248 This is a temporary measure and we will remove it once Apache Beam allows us to upgrade to pyarrow 14.0.1 --------- Co-authored-by: Jarek Potiuk <[email protected]>
TiDeane · Nov 15, 2023 · 2afbb0a · 2afbb0a
1 parent d88d32e
commit 2afbb0a
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/setup.py b/setup.py
@@ -353,7 +353,13 @@ def write_version(filename: str = str(AIRFLOW_SOURCES_ROOT / "airflow" / "git_ve
 ]
 leveldb = ["plyvel"]
 otel = ["opentelemetry-exporter-prometheus"]
-pandas = ["pandas>=0.17.1", "pyarrow>=9.0.0"]
+pandas = [
+    "pandas>=0.17.1",
+    # Use pyarrow-hotfix to fix https://nvd.nist.gov/vuln/detail/CVE-2023-47248.
+    # We should remove it once Apache Beam frees us to upgrade to pyarrow 14.0.1
+    "pyarrow-hotfix",
+    "pyarrow>=9.0.0",
+]
 password = [
     "bcrypt>=2.0.0",
     "flask-bcrypt>=0.7.1",