Details
Improvement
Status: Open
Major
Resolution: Unresolved
Description
From what I see, PyFlink still has the requirement of Apache Beam >= 2.43.0 and <= 2.49.0, which subsequently results in a requirement of PyArrow <= 12.0.0. That keeps us exposed to https://nvd.nist.gov/vuln/detail/CVE-2023-47248
I'm not familiar enough with the PyFlink code base to understand why Apache Beam's upper dependency limit can't be lifted. Among all the existing issues, I haven't seen one addressing this. Therefore I created one now.