Pyarrow update

[tisnik]

Description

Pyarrow update

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up service version
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change
• Unit tests improvement
• Integration tests improvement
• End to end tests improvement
• Benchmarks improvement

Tools used to create PR

• Assisted-by: N/A
• Generated by: N/A

Related Tickets & Documents

• Related Issue #

Summary by CodeRabbit

• Chores
  • Updated pyarrow from version 23.0.0 to 24.0.0
  • Added scikit-learn version 1.9.0 as a new dependency
  • Updated build configuration and dependency prefetching settings accordingly

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 31e0f233-b1d2-4b0d-8060-10dfd1024e57

📥 Commits

Reviewing files that changed from the base of the PR and between 0f5c230 and e264c28.

📒 Files selected for processing (4)

• .konflux/requirements.hashes.source.txt
• .konflux/requirements.hashes.wheel.txt
• .tekton/lightspeed-stack-pull-request.yaml
• .tekton/lightspeed-stack-push.yaml

💤 Files with no reviewable changes (1)

• .konflux/requirements.hashes.wheel.txt

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: E2E: server mode / ci / group 1
• GitHub Check: build-pr
• GitHub Check: E2E: library mode / ci / group 1
• GitHub Check: E2E: library mode / ci / group 3
• GitHub Check: E2E: server mode / ci / group 2
• GitHub Check: E2E: server mode / ci / group 3
• GitHub Check: E2E: library mode / ci / group 2
• GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request

🔇 Additional comments (4)

.tekton/lightspeed-stack-pull-request.yaml (1)

36-61: LGTM!

.tekton/lightspeed-stack-push.yaml (1)

36-57: LGTM!

.konflux/requirements.hashes.source.txt (2)

872-922: pyarrow==24.0.0: version exists, hashes match PyPI, and upgrade covers known CVEs

• PyPI shows 24.0.0 is the latest stable pyarrow release.
• The 50 sha256 digests for pyarrow==24.0.0 in .konflux/requirements.hashes.source.txt match the digests.sha256 values published on PyPI (no missing/extra).
• GitHub security advisories for pyarrow list: CVE-2026-25087 (patched in 23.0.1), CVE-2023-47248 (patched in 14.0.1), CVE-2019-12408 (patched in 0.15.1), CVE-2019-12410 (patched in 0.15.1)—all addressed by upgrading to 24.0.0.

---

1116-1147: Confirm scikit-learn==1.9.0 exists on PyPI; follow up to validate hashes

PyPI shows scikit-learn version 1.9.0 exists. The provided --hash=sha256:... values in .konflux/requirements.hashes.source.txt (lines 1116-1147) still need to be checked against the sha256 digests published for the corresponding wheels in that PyPI release.

---

Walkthrough

Pyarrow is upgraded from 23.0.0 to 24.0.0 in the source hash file and scikit-learn 1.9.0 is added as a new pinned dependency. The deprecated pyarrow 23.0.0 entry is removed from wheel hashes. Tekton pipeline configurations are updated to remove pyarrow from binary prefetch lists.

Changes

Dependency Version and Pipeline Configuration

Layer / File(s)	Summary
Dependency version pinning and hash entries .konflux/requirements.hashes.wheel.txt, .konflux/requirements.hashes.source.txt	Pyarrow 23.0.0 removed from wheel hashes; pyarrow 24.0.0 and scikit-learn 1.9.0 added to source hashes with corresponding SHA256 entries.
Tekton pipeline prefetch configuration .tekton/lightspeed-stack-pull-request.yaml, .tekton/lightspeed-stack-push.yaml	Pyarrow removed from binary.packages prefetch lists in both pull-request and push pipeline configurations.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

• lightspeed-core/lightspeed-stack#1381: Both involve modifications to Tekton pipeline binary.packages parameter in prefetch-input configurations.

Possibly related PRs

• lightspeed-core/lightspeed-stack#1826: Both PRs update Konflux autogenerated dependency hash pins in .konflux/requirements.hashes.source.txt by adding or modifying pinned package entries.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Pyarrow update' is directly related to the main changes in the pull request, which involve updating pyarrow from version 23.0.0 to 24.0.0 and updating scikit-learn, along with configuration adjustments.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tisnik]

/retest