chore(deps): downgrade pyarrow to v16#34693

Merged
sadpandajoe merged 4 commits intoapache:masterfrom
drummerwolli:downgrade-pyarrow-to-v16
Aug 18, 2025

Conversation

@drummerwolli
Contributor

SUMMARY

Some database connectors do not support the newer pyarrow version (introduced in #31476) yet, or first require an upgrade to SQLAlchemy 2.0. See #34692.

fyi @phillipleblanc

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@codecov

codecov bot commented Aug 14, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.80%. Comparing base (732506b) to head (d50fe1a).
⚠️ Report is 893 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff             @@
##           master   #34693       +/-   ##
===========================================
+ Coverage        0   72.80%   +72.80%     
===========================================
  Files           0      574      +574     
  Lines           0    41667    +41667     
  Branches        0     4390     +4390     
===========================================
+ Hits            0    30335    +30335     
- Misses          0    10168    +10168     
- Partials        0     1164     +1164     
Flag Coverage Δ
hive 47.04% <ø> (?)
mysql 71.79% <ø> (?)
postgres 71.86% <ø> (?)
presto 50.75% <ø> (?)
python 72.76% <ø> (?)
sqlite 71.41% <ø> (?)
unit 100.00% <ø> (?)

pyproject.toml Outdated
"python-dotenv", # optional dependencies for Flask but required for Superset, see https://flask.palletsprojects.com/en/stable/installation/#optional-dependencies
"python-geohash",
"pyarrow>=18.1.0, <19",
"pyarrow>=16.1.0, <17",
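Review bot: the new `"pyarrow>=16.1.0, <17",` line carries no inline comment saying why the ceiling dropped from `<19` to `<17` or what has to be true before the range can be raised again, while the neighbouring `python-dotenv` entry shows the file's convention of a trailing `# ... see <reference>` comment. Add one that points at the tracking issue from the PR description, e.g. `"pyarrow>=16.1.0, <17",  # some DB connectors don't support pyarrow >=18 yet, see #34692`. Note also that `<17` is a hard cap: no pyarrow 17.x or later release can be picked up until this line is edited again, so the comment should say which connector or SQLAlchemy change unblocks that.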
Member

If we cannot upgrade, can we add a comment on why, and on what the condition for lifting this range is?

Contributor Author

I added a comment. Let me know if it is clear.

@sadpandajoe
Member

By downgrading this, will it initially reintroduce the issue that #31476 was trying to fix?

@phillipleblanc
Contributor

By downgrading this, will it initially reintroduce the issue that #31476 was trying to fix?

pyarrow 16 has support for the StringView types that I wanted to upgrade pyarrow for, so this PR shouldn't break that. Thanks @drummerwolli for catching this.

@sadpandajoe sadpandajoe merged commit 1127ab6 into apache:master Aug 18, 2025
55 checks passed
@drummerwolli drummerwolli deleted the downgrade-pyarrow-to-v16 branch August 19, 2025 05:23
@nigzak
Contributor

nigzak commented Aug 22, 2025

Hi all, @phillipleblanc @sadpandajoe @drummerwolli

With this downgrade a critical CVE will come back to Superset, with a CVSS v3 (CISA-APP) score of 9.8.

Should it perhaps be considered to update to the fixed version v17.0.0 (or newer) rather than downgrading again to an affected version?

Hint: I especially don't name the CVE details here; all current scanners find them in all current Superset 4.x versions (I did not check v5 yet).

AWS ECR scan marks this as a critical finding.
JFrog marks it as a critical finding.
(So this is a well-known finding in pyarrow versions < 17.0.0.)
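The question the last comment raises is mechanical: given a range like `pyarrow>=16.1.0, <17`, can the resolver ever select a release at or above some version a scanner treats as fixed? The script below answers that for a pin string. It is an added example, not Superset's code or anything from this PR; it hand-rolls a small subset of PEP 440 specifier matching (`>=`, `>`, `<=`, `<`, `==`, `!=` with plain release numbers) instead of using the `packaging` library, and the two pins and the `17.0.0` threshold are the values quoted in this thread, treated as inputs rather than as claims about any particular advisory.

```python
"""Audit a dependency pin such as the pyarrow range in pyproject.toml.

Added example, not Superset's code. It hand-rolls a small subset of PEP 440
specifier matching (>=, >, <=, <, ==, != with plain release numbers) so it
runs without the `packaging` library. The two pins and the 17.0.0
threshold below are the values quoted in this PR thread; the threshold is
treated as an input, not as a claim about any specific advisory.
"""
import re

REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$")
CLAUSE_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """'16.1.0' -> (16, 1, 0). Release segments only; no pre/post/dev tags."""
    return tuple(int(p) for p in text.strip().split("."))


def compare_release(a, b):
    """-1/0/1 for a<b, a==b, a>b; shorter tuple padded with zeros so 17 == 17.0.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_requirement(req):
    """'pyarrow>=16.1.0, <17' -> ('pyarrow', [('>=', (16, 1, 0)), ('<', (17,))])."""
    m = REQ_RE.match(req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    name, spec = m.group(1), m.group(2)
    clauses = []
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        cm = CLAUSE_RE.match(part)
        if not cm:
            raise ValueError(f"unsupported specifier clause: {part!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


OPS = {
    ">=": lambda c: c >= 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, "<": lambda c: c < 0,
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
}


def satisfies(version, clauses):
    """True when the release `version` (str or tuple) meets every clause."""
    v = parse_version(version) if isinstance(version, str) else version
    return all(OPS[op](compare_release(v, bound)) for op, bound in clauses)


def admits_fix(req, fixed_in):
    """Can the range in `req` ever resolve to a release >= `fixed_in`?

    Only upper-side clauses can rule that out: a '<' bound at or below the
    fix, a '<=' bound below it, or an '==' pin below it means no release
    carrying the fix is selectable, however the resolver is run.
    """
    _, clauses = parse_requirement(req)
    fix = parse_version(fixed_in)
    for op, bound in clauses:
        c = compare_release(bound, fix)
        if (op == "<" and c <= 0) or (op in ("<=", "==") and c < 0):
            return False
    return True


# Values quoted in the thread above (constructed input for the demo).
OLD_PIN = "pyarrow>=18.1.0, <19"   # range on master before this PR
NEW_PIN = "pyarrow>=16.1.0, <17"   # range introduced by this PR
FIX_THRESHOLD = "17.0.0"           # release the last comment names as fixed


def audit(req, fixed_in=FIX_THRESHOLD):
    """Summarise what a pin admits, for a one-line CI gate or a review comment."""
    name, clauses = parse_requirement(req)
    return {
        "name": name,
        "admits_release_at_or_above_fix": admits_fix(req, fixed_in),
        "allows_16.1.0": satisfies("16.1.0", clauses),
        "allows_17.0.0": satisfies("17.0.0", clauses),
    }


if __name__ == "__main__":
    for pin in (OLD_PIN, NEW_PIN):
        print(f"{pin:28} -> {audit(pin)}")
```

Two caveats when using a check like this. First, it only reasons about the declared range; what ECR or JFrog scan is the resolved version in the lock file or image, so the gate belongs next to the resolved requirements as well as the `pyproject.toml` line. Second, a pin whose ceiling sits below the threshold is not automatically a vulnerability (the thread is also clear that the downgrade was needed for connector compatibility); the point is that the constraint makes the fixed release unselectable, which is exactly the fact a reviewer wants stated in the inline comment.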

@github-actions github-actions bot added the labels 🏷️ bot (a label used by `supersetbot` to keep track of which PRs were auto-tagged with release labels) and 🚢 6.0.0 (first shipped in 6.0.0) on Dec 18, 2025
Labels: 🏷️ bot (a label used by `supersetbot` to keep track of which PRs were auto-tagged with release labels), size/XS, 🚢 6.0.0 (first shipped in 6.0.0)
