chore(deps): downgrade pyarrow to v16

[drummerwolli]

SUMMARY

some database connectors are not supporting the newer pyarrow version (introduced in #31476) yet, or require first an upgrade to SQLAlchemy 2.0. see #34692

fyi @phillipleblanc

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.80%. Comparing base (732506b) to head (d50fe1a).
⚠️ Report is 893 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff             @@
##           master   #34693       +/-   ##
===========================================
+ Coverage        0   72.80%   +72.80%     
===========================================
  Files           0      574      +574     
  Lines           0    41667    +41667     
  Branches        0     4390     +4390     
===========================================
+ Hits            0    30335    +30335     
- Misses          0    10168    +10168     
- Partials        0     1164     +1164     

Flag	Coverage Δ
hive	47.04% <ø> (?)
mysql	71.79% <ø> (?)
postgres	71.86% <ø> (?)
presto	50.75% <ø> (?)
python	72.76% <ø> (?)
sqlite	71.41% <ø> (?)
unit	100.00% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sadpandajoe]

If we cannot upgrade, can we add a comment on why and what is the condition to lift this range?

[drummerwolli]

i added a comment. let me know if it is clear.

[sadpandajoe]

By downgrading this, will it initially reintroduce the issue that #31476 was trying to fix?

[phillipleblanc]

By downgrading this, will it initially reintroduce the issue that #31476 was trying to fix?

pyarrow 16 has support for the StringView types that I wanted to upgrade pyarrow for, so this PR shouldn't break that. Thanks @drummerwolli for catching this.

[nigzak]

Hi together @phillipleblanc @sadpandajoe @drummerwolli

With this downgrade a critical CVE will come back to superset with CVSS V3 CISA-APP score 9.8

It should be may be considered to update to the fixed version V17.0.0 (or newer) and not again downgrade to an affected version?

Hint: I expecially don't name the CVE details here, all actual scanner find them in all current superset versions 4.x (
I did not check V5 yet)

AWS ECR scan marks this a critical finding
JFROG marks it as critical finding
(like this is a well-known finding in pyarrow version < 17.0.0)