Open numersoz opened 1 year ago
Our numpy spec is defined in pyproject.toml here:
As written, we will generally install the most recent compatible version above 1.16.6, as we are not pinned to a specific version but rather a range. Does it make sense to narrow this dependency to be >1.21.3?
Snyk's security scan is flagging Denial of Service (DoS), NULL Pointer Dereference and Buffer Overflow findings for the numpy==1.21.3 version.
I couldn't locate a requirements.txt file for the databricks-sql-python package. Is the version >=1.21.3?
This package is identified as one that depends on this specific Numpy version.
https://security.snyk.io/vuln/SNYK-PYTHON-NUMPY-2321964
https://security.snyk.io/vuln/SNYK-PYTHON-NUMPY-2321966
https://security.snyk.io/vuln/SNYK-PYTHON-NUMPY-2321970
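The question above turns on how a range specifier behaves: a floor such as `>=1.16.6` only excludes versions *below* the floor, so it keeps a flagged version like 1.21.3 installable whenever nothing newer is available or another constraint caps the upper bound. The script below is an added example, not code from databricks-sql-python or from the issue author. It implements a small subset of PEP 440 (dotted release numbers and the operators `==`, `!=`, `>=`, `<=`, `>`, `<`; no pre-releases, no `~=`) so it runs offline; the list of "available" versions and the flagged version are constructed for the demonstration. For real projects, `packaging.specifiers.SpecifierSet` does this properly.

```python
"""Show how a range spec such as numpy>=1.16.6 resolves and which flagged versions it still admits.

Added example, not part of databricks-sql-python. Supports only dotted release
numbers and the operators ==, !=, >=, <=, >, <. Use packaging.specifiers in production.
"""
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# Two-character operators must be tried before their one-character prefixes.
_OPERATORS = ("!=", "==", ">=", "<=", ">", "<")


def parse_version(text: str) -> Version:
    """Turn '1.21.3' into (1, 21, 3). Only numeric release segments are supported."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so 1.21 compares equal to 1.21.0, as PEP 440 requires."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def parse_requirement(requirement: str) -> Tuple[str, str]:
    """Split 'numpy>=1.16.6,<2' into ('numpy', '>=1.16.6,<2')."""
    match = re.match(r"\s*([A-Za-z0-9_.-]+)\s*(.*)$", requirement)
    if not match:
        raise ValueError(f"unparseable requirement: {requirement!r}")
    return match.group(1), match.group(2).strip()


def _parse_clause(clause: str) -> Tuple[str, Version]:
    clause = clause.strip()
    for op in _OPERATORS:
        if clause.startswith(op):
            return op, parse_version(clause[len(op):].strip())
    raise ValueError(f"unsupported specifier clause: {clause!r}")


def satisfies(version: str, spec: str) -> bool:
    """Return True if `version` meets every comma-separated clause of `spec` (empty spec = anything)."""
    v = parse_version(version)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        op, bound = _parse_clause(clause)
        a, b = _pad(v, bound)
        ok = {"==": a == b, "!=": a != b, ">=": a >= b,
              "<=": a <= b, ">": a > b, "<": a < b}[op]
        if not ok:
            return False
    return True


def resolve(spec: str, available: Iterable[str]) -> Optional[str]:
    """Mimic an installer: choose the newest available version that satisfies `spec`."""
    candidates = [v for v in available if satisfies(v, spec)]
    return max(candidates, key=parse_version) if candidates else None


def still_admits(spec: str, flagged: Iterable[str]) -> List[str]:
    """Return the scanner-flagged versions that `spec` would still allow to be installed."""
    return [v for v in flagged if satisfies(v, spec)]


# Constructed inventory standing in for what an index might offer on a given day.
AVAILABLE = ["1.16.6", "1.19.5", "1.21.3", "1.21.6", "1.22.4", "1.24.3"]
# The version the issue says Snyk flagged (constructed input for the demo).
FLAGGED = ["1.21.3"]

if __name__ == "__main__":
    for requirement in ("numpy>=1.16.6", "numpy>1.21.3", "numpy>=1.16.6,<1.21"):
        name, spec = parse_requirement(requirement)
        print(f"{requirement:24} picks {resolve(spec, AVAILABLE)!s:8} "
              f"still admits flagged: {still_admits(spec, FLAGGED)}")
```

Run against the constructed inventory, `>=1.16.6` picks the newest version yet still admits 1.21.3, while `>1.21.3` refuses it outright; that difference is what narrowing the floor buys, independent of what happens to be newest on the index.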