Pyarrow <19.0 dependency causes CVE alert

[qamasailer]

Hi!

The dependency to pyarrow <19.0 causes the following CVE alert:
GHSA-rgxp-2hwp-jwgg

As the dependency was only introduced because there was the problematic version 19.0.0 and the anaconda channel did not have the bugfix version ready, I think that it is reasonable to drop the dependency now. The new fixed version 23.0.1 that does not cause the CVE alert is also available in https://repo.anaconda.com/pkgs/snowflake/.

Can you please remove this dependency?

[sfc-gh-valamuri]

Hi @qamasailer - we're on it! Just to double check in the meantime, have you tried updating the package to the latest version?

[qamasailer]

I cannot update to the latest version 1.41.0 and use pyarrow==23.0.1:

[sfc-gh-valamuri]

Thanks for checking. We've removed the constraint and it should be effective from the 1.42.0 release.

[qamasailer]

Thank you, i can install snowflake-ml-python 1.42.0 and pyarrow 23.0.1 together now.