Open bombard1004 opened 1 month ago
Hi @bombard1004! Thank you for reporting. Of course, we know about this issue, and did an investigation on the impact on this library. Considering that command-line-usage is used only for the arrow2csv CLI of apache-arrow, and also that no arbitrary JSON is passed to command-line-usage, we consider this low severity for us.
Of course, we'll do the upgrade you suggested, but considering it's a major version upgrade, we need some time for proper testing.
If you have any considerations (especially something that may change our assessment of the issue), feel free to share them here.
Hi @kravets-levko! Thank you for sharing the results of your investigation. Based on your findings, it seems this security vulnerability does not pose a significant risk to our project.
We also understand that a major version upgrade requires time for thorough testing, and we appreciate your careful approach.
Please proceed with the upgrade when ready. Thank you for your support!
The npm package @databricks/sql depends on apache-arrow. apache-arrow relies on command-line-usage, and a security vulnerability was discovered in one of the dependencies of command-line-usage. A patch has been released to address this issue. However, apache-arrow@^13.0.0 strictly specifies the version of command-line-usage, which prevents this security patch from being applied.
Starting from version 15, apache-arrow specifies the version of command-line-usage with a caret (^). The latest version of apache-arrow is 17.
Please consider upgrading the apache-arrow version to at least 15 or higher.
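The mechanism the report describes, as an added example that is not part of the issue and not code from the @databricks/sql or apache-arrow projects: a script that walks a package-lock.json (lockfileVersion 3) from the root to a target package and reports every edge whose declared range is an exact pin, since a pinned edge cannot move to a newer version of its dependency and any patch release below it stays unreachable until the pinning package itself is upgraded. The lockfile and all version numbers in it are constructed placeholders (the real versions involved are not stated on this page); only the package names follow the chain named in the report.

```javascript
// Added example: walk an npm lockfile (lockfileVersion 3) and flag exact
// version pins on the path to a transitive dependency. Not project code.
// All versions below are constructed placeholders, not the real ones.
const constructedLock = {
  name: 'my-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { '@databricks/sql': '^1.0.0' } },
    'node_modules/@databricks/sql': { version: '1.0.0', dependencies: { 'apache-arrow': '^13.0.0' } },
    // Constructed: an exact pin, as the report says apache-arrow@^13 does.
    'node_modules/apache-arrow': { version: '13.0.0', dependencies: { 'command-line-usage': '6.0.0' } },
    // 'example-transitive-dep' is a hypothetical name standing in for the
    // unnamed vulnerable dependency of command-line-usage.
    'node_modules/command-line-usage': { version: '6.0.0', dependencies: { 'example-transitive-dep': '^1.0.0' } },
    'node_modules/example-transitive-dep': { version: '1.0.0' },
  },
};

// Constructed "after upgrade" lockfile: apache-arrow now declares a caret range.
const constructedLockAfterUpgrade = JSON.parse(JSON.stringify(constructedLock));
constructedLockAfterUpgrade.packages['node_modules/@databricks/sql'].dependencies['apache-arrow'] = '^15.0.0';
constructedLockAfterUpgrade.packages['node_modules/apache-arrow'] = {
  version: '15.0.0',
  dependencies: { 'command-line-usage': '^6.0.0' },
};

const SEMVER = /^(\d+)\.(\d+)\.(\d+)$/;

// Parse "1.2.3", "^1.2.3" or "~1.2.3"; any other range shape is 'other'.
function parseRange(range) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!m) return { kind: 'other', base: null };
  const kind = m[1] === '^' ? 'caret' : m[1] === '~' ? 'tilde' : 'exact';
  return { kind, base: [Number(m[2]), Number(m[3]), Number(m[4])] };
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal semver check for the three range shapes above (no prereleases).
// Shows why a patch release satisfies a caret range but never an exact pin.
function satisfies(version, range) {
  const v = SEMVER.exec(version);
  const r = parseRange(range);
  if (!v || r.kind === 'other') return false;
  const ver = [Number(v[1]), Number(v[2]), Number(v[3])];
  if (cmp(ver, r.base) < 0) return false;
  const [maj, min] = r.base;
  switch (r.kind) {
    case 'exact': return cmp(ver, r.base) === 0;
    case 'tilde': return ver[0] === maj && ver[1] === min;
    case 'caret':
      if (maj > 0) return ver[0] === maj;
      if (min > 0) return ver[0] === 0 && ver[1] === min;
      return cmp(ver, r.base) === 0;
  }
  return false;
}

// npm resolution: nearest node_modules directory walking up from the importer.
function resolve(lock, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + '/' : '') + 'node_modules/' + name;
    if (lock.packages[candidate]) return candidate;
    if (!dir) return null;
    const i = dir.lastIndexOf('/node_modules/');
    dir = i === -1 ? '' : dir.slice(0, i);
  }
}

// Depth-first search from the root for the first chain reaching `target`.
// Each edge records who declared the dependency and with what range.
function findChain(lock, target, fromPath = '', seen = new Set()) {
  const deps = (lock.packages[fromPath] && lock.packages[fromPath].dependencies) || {};
  for (const [name, range] of Object.entries(deps)) {
    const resolved = resolve(lock, fromPath, name);
    if (!resolved || seen.has(resolved)) continue;
    const edge = { from: fromPath || '(root)', name, range, resolved, version: lock.packages[resolved].version };
    if (name === target) return [edge];
    seen.add(resolved);
    const rest = findChain(lock, target, resolved, seen);
    if (rest) return [edge, ...rest];
  }
  return null;
}

// Edges on the chain whose declared range is an exact pin: these are the
// packages that must be upgraded before a patch further down can be taken.
function blockingPins(lock, target) {
  return (findChain(lock, target) || []).filter((e) => parseRange(e.range).kind === 'exact');
}

for (const p of blockingPins(constructedLock, 'example-transitive-dep')) {
  console.log(`${p.from} pins ${p.name}@${p.range}; patches below it cannot be applied`);
}
```

Run against a real tree, the same walk is `npm ls <package>` followed by reading the declared ranges in each `package.json` on the printed path; the script only makes explicit which of those ranges is exact. It handles the three common range shapes, so ranges such as `>=1.0.0 <2.0.0` or tagged versions are reported as 'other' rather than guessed.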