apache / arrow

Apache Arrow is a multi-language toolbox for accelerated data interchange and in-memory processing
https://arrow.apache.org/
Apache License 2.0

Minimum required numpy version (1.16.6) has security vulnerability #35846

Open diegohavenstein opened 1 year ago

diegohavenstein commented 1 year ago

Describe the bug, including details regarding any error messages, version, and platform.

We currently use version 11.0.0 of pyarrow. We run Snyk checks to find vulnerabilities in our third-party dependencies.

In the version we use, but also on main, the setup.py file states that numpy >= 1.16.6 is required (https://github.com/apache/arrow/blob/main/python/setup.py#L451).

This Python version is affected by the following vulnerability: https://security.snyk.io/vuln/SNYK-PYTHON-NUMPY-2321964

To solve the issue, version 1.22.2 or higher should be required.

Component(s)

Python

danepitkin commented 1 year ago

Hey @diegohavenstein, thanks for bringing this up. While I would definitely encourage users to install a numpy version w/o known vulnerabilities, I don't think we want to enforce it in this case given that numpy 1.22.2 was released just a little over a year ago (Feb 3, 2022)[1]. Snyk also reports the known vulnerabilities as low severity, so it's probably best to allow users additional time to upgrade their numpy version.

[1]https://pypi.org/project/numpy/1.22.2/

jorisvandenbossche commented 1 year ago

Indeed, it is up to applications and end users to ensure they use a newer numpy version in case those security reports are relevant for them (for many users scripting locally, it is not relevant at all), and not for libraries to start limiting allowed versions.

https://github.com/numpy/numpy/issues/19038 is also an interesting read (about the (non-)usefulness of those CVEs), and essentially disputes the vulnerability, quoting:

Not a meaningful vulnerability because triggering the issue seems only plausible if the malicious party already has the privilege to run NumPy commands. Thus, while a bug, it does not present an escalation of privilege.
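The split the thread lands on is that a library declares only the lower bound it can build and run against (here `numpy >= 1.16.6` in pyarrow's setup.py), while the floor that a given deployment actually needs is the application's decision. The following is an added example, not code from the apache/arrow project or from anyone in this thread, of how an application can layer its own policy floor (the `1.22.2` from the Snyk report) over the library's bound and report what is out of policy. The `LIBRARY_FLOOR`, `APP_FLOOR` and `SAMPLE_ENV` values and the helper names are constructed for illustration; only the two version numbers come from the thread.

```python
"""Check installed dependency versions against an application-level policy.

Added example; not code from the apache/arrow repository. A library such as
pyarrow declares the lower bound it can build against (numpy>=1.16.6), while
the application decides the floor it actually needs (numpy>=1.22.2, the
version the Snyk report in the thread recommends). Package names, versions and
the sample environment below are constructed for illustration.
"""
import re
from importlib import metadata

# Lower bound the library itself declares (taken from the thread).
LIBRARY_FLOOR = {"numpy": "1.16.6"}

# Floor this hypothetical application chooses to enforce (Snyk recommendation).
APP_FLOOR = {"numpy": "1.22.2"}


def parse_version(version: str) -> tuple:
    """Return the release segment of a version string as a tuple of ints.

    Pre-release and local suffixes (e.g. '1.24.0rc1', '1.21.0+local') are
    ignored for ordering; this is a deliberate simplification, not full PEP 440.
    """
    release = re.match(r"\d+(\.\d+)*", version.strip())
    if release is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in release.group(0).split("."))


def meets_floor(installed: str, floor: str) -> bool:
    """True if `installed` is at least `floor` (numeric release segments only)."""
    a, b = parse_version(installed), parse_version(floor)
    # Pad the shorter tuple with zeros so that 1.22 compares equal to 1.22.0.
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def violations(installed: dict, floor: dict) -> dict:
    """Return {name: (installed, required)} for every package below its floor.

    Packages listed in `floor` but absent from `installed` are reported with
    installed version None, so a missing dependency is never silently passed.
    """
    bad = {}
    for name, required in floor.items():
        have = installed.get(name)
        if have is None or not meets_floor(have, required):
            bad[name] = (have, required)
    return bad


def current_environment(names) -> dict:
    """Look up the versions actually installed in this interpreter."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass  # reported as None by violations()
    return found


# Constructed sample environment: a numpy that satisfies pyarrow's own lower
# bound but falls below the application's policy floor.
SAMPLE_ENV = {"numpy": "1.19.5", "pyarrow": "11.0.0"}

if __name__ == "__main__":
    print("library floor violations:", violations(SAMPLE_ENV, LIBRARY_FLOOR))
    print("application floor violations:", violations(SAMPLE_ENV, APP_FLOOR))
    print("this interpreter:", violations(current_environment(APP_FLOOR), APP_FLOOR))
```

Run against `SAMPLE_ENV`, the library floor produces no violations while the application floor flags numpy, which is exactly the situation the issue describes: pyarrow installs fine, and it is the application's own check (or its Snyk scan) that has to say whether 1.19.5 is acceptable. The last line runs the same policy against whatever is installed in the current interpreter, so the function can sit in an application's startup or CI path.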