LCORE-2506: PyArrow CVE fix #1920

Merged
tisnik merged 1 commit into lightspeed-core:main from tisnik:lcore-2506 on Jun 12, 2026

Conversation

@tisnik tisnik commented Jun 12, 2026


Description

LCORE-2506: PyArrow CVE fix

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-2506

Summary by CodeRabbit

  • Chores
    • Updated dependency to latest patch version to include upstream fixes and improvements.

coderabbitai Bot commented Jun 12, 2026


Walkthrough

This pull request updates the pinned version of PyArrow from 23.0.0 to 23.0.1 in the Konflux wheel requirements lock file, with corresponding SHA256 hashes regenerated to match the new release.

Changes

Dependency version update

Layer: PyArrow version and hashes
File(s): .konflux/requirements.hashes.wheel.txt
Summary: PyArrow requirement is updated to 23.0.1 with all wheel distribution SHA256 hashes replaced to match the new version.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically identifies the main change: a CVE fix for PyArrow, which directly matches the pull request's objective of addressing LCORE-2506 security vulnerability.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.konflux/requirements.hashes.wheel.txt:
- Around line 139-143: The override and wheel-hash requirement pins for pyarrow
are out of sync: .konflux/requirements.overrides.txt pins pyarrow==23.0.0 while
.konflux/requirements.hashes.wheel.txt pins pyarrow==23.0.1; update
.konflux/requirements.overrides.txt to pyarrow==23.0.1 and then run the
regeneration flow (invoke scripts/konflux_requirements.sh or run make
konflux-requirements) so the wheel hash file is rebuilt and the pinned version
and hashes in requirements.hashes.wheel.txt match the override.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6de370e1-c37d-4681-9f49-1f2a999636f5

📥 Commits

Reviewing files that changed from the base of the PR and between 31b6399 and 035c01e.

📒 Files selected for processing (1)
  • .konflux/requirements.hashes.wheel.txt
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: Pyright
  • GitHub Check: list_outdated_dependencies
  • GitHub Check: E2E Tests for Lightspeed Evaluation job
  • GitHub Check: E2E: library mode / ci / group 3
  • GitHub Check: bandit
  • GitHub Check: build-pr
  • GitHub Check: Pylinter
  • GitHub Check: integration_tests (3.13)
  • GitHub Check: integration_tests (3.12)
  • GitHub Check: spectral
  • GitHub Check: mypy
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-0-6-on-pull-request

Comment on lines +139 to +143
pyarrow==23.0.1 \
--hash=sha256:c00b052ccfb5b904e77f0ca0472723936903d8dc7d1964504a9489c7212a47fc \
--hash=sha256:c1fb462a14714f87a6c2d56d0ce938769e38206130231af669722f13eda5b612 \
--hash=sha256:c4302f07a0e9d212d42b5b89be8745b5a22ae970209189271387d91e45b6ec4e \
--hash=sha256:fb062054b2ba4c84d3b607f64c8e7ae65fced4f20016602773da4b7481d162a9
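Review bot: the bump to pyarrow==23.0.1 in this hunk is only half of the pin, because .konflux/requirements.overrides.txt still carries pyarrow==23.0.0, and scripts/konflux_requirements.sh (or make konflux-requirements) derives the wheel hash file from that override, so the next regeneration would revert these lines to 23.0.0 hashes. Bump the override first and commit the regenerated hash file together with it, keeping the full regenerated --hash set rather than hand-editing digests, since a hash-checked install rejects any wheel whose digest is not listed.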


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the version mismatch between overrides and hashes
echo "=== PyArrow pin in overrides.txt ==="
grep -n "pyarrow==" .konflux/requirements.overrides.txt

echo -e "\n=== PyArrow version in hashes file ==="
grep -n "^pyarrow==" .konflux/requirements.hashes.wheel.txt

echo -e "\n=== Do they match? ==="
OVERRIDE_VERSION=$(grep "pyarrow==" .konflux/requirements.overrides.txt | sed 's/.*==//;s/[[:space:]]*$//')
HASH_VERSION=$(grep "^pyarrow==" .konflux/requirements.hashes.wheel.txt | sed 's/.*==//;s/[[:space:]]*$//')

if [ "$OVERRIDE_VERSION" = "$HASH_VERSION" ]; then
  echo "✓ Versions match: pyarrow==$OVERRIDE_VERSION"
else
  echo "✗ VERSION MISMATCH: overrides=$OVERRIDE_VERSION vs hashes=$HASH_VERSION"
  exit 1
fi

Repository: lightspeed-core/lightspeed-stack

Length of output: 274


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Inspect scripts/konflux_requirements.sh for overrides usage ==="
if [ -f scripts/konflux_requirements.sh ]; then
  sed -n '1,200p' scripts/konflux_requirements.sh | nl -ba
  echo
  echo "---- Search within script for requirements.overrides.txt / requirements.hashes.wheel.txt ----"
  rg -n "requirements\.overrides\.txt|hashes\.wheel\.txt|pip compile|uv pip compile|override" scripts/konflux_requirements.sh || true
else
  echo "Missing: scripts/konflux_requirements.sh" >&2
fi

echo
echo "=== Inspect Tekton pipeline for hashes usage ==="
if [ -f .tekton/lightspeed-stack-pull-request.yaml ]; then
  sed -n '1,200p' .tekton/lightspeed-stack-pull-request.yaml | nl -ba
  echo
  echo "---- Search within Tekton for requirements.hashes.wheel.txt ----"
  rg -n "requirements\.hashes\.wheel\.txt|prefetch|pip|uv pip" .tekton/lightspeed-stack-pull-request.yaml || true
else
  echo "Missing: .tekton/lightspeed-stack-pull-request.yaml" >&2
fi

Repository: lightspeed-core/lightspeed-stack

Length of output: 205


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Locate and inspect scripts/konflux_requirements.sh ==="
if [ -f scripts/konflux_requirements.sh ]; then
  echo "Found scripts/konflux_requirements.sh"
  wc -l scripts/konflux_requirements.sh
  echo "--- First 200 lines ---"
  sed -n '1,200p' scripts/konflux_requirements.sh | cat -n
  echo
  echo "--- Search patterns in scripts/konflux_requirements.sh ---"
  rg -n "requirements\.overrides\.txt|requirements\.hashes\.wheel\.txt|pip compile|uv pip compile|override" scripts/konflux_requirements.sh || true
else
  echo "Missing scripts/konflux_requirements.sh" >&2
  echo "--- Listing scripts/ (if exists) ---"
  ls -la scripts 2>/dev/null || true
fi

echo
echo "=== Inspect .tekton/lightspeed-stack-pull-request.yaml (if exists) ==="
if [ -f .tekton/lightspeed-stack-pull-request.yaml ]; then
  wc -l .tekton/lightspeed-stack-pull-request.yaml
  echo "--- First 220 lines ---"
  sed -n '1,220p' .tekton/lightspeed-stack-pull-request.yaml | cat -n
  echo
  echo "--- Search patterns in .tekton/lightspeed-stack-pull-request.yaml ---"
  rg -n "requirements\.hashes\.wheel\.txt|prefetch|pip|uv pip" .tekton/lightspeed-stack-pull-request.yaml || true
else
  echo "Missing .tekton/lightspeed-stack-pull-request.yaml" >&2
  echo "--- Listing .tekton/ (if exists) ---"
  ls -la .tekton 2>/dev/null || true
fi

Repository: lightspeed-core/lightspeed-stack

Length of output: 21034


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Show pyarrow pin in .konflux/requirements.overrides.txt ==="
rg -n "^\s*pyarrow==|pyarrow==" .konflux/requirements.overrides.txt
echo
echo "Context:"
sed -n '1,200p' .konflux/requirements.overrides.txt | nl -ba | sed -n '1,220p' || true

echo
echo "=== Show pyarrow entries in .konflux/requirements.hashes.wheel.txt ==="
rg -n "^pyarrow==" .konflux/requirements.hashes.wheel.txt
echo
echo "Context around first pyarrow== match:"
LINE=$(rg -n "^pyarrow==" .konflux/requirements.hashes.wheel.txt | head -n1 | cut -d: -f1)
START=$((LINE-5))
END=$((LINE+10))
sed -n "${START},${END}p" .konflux/requirements.hashes.wheel.txt | cat -n

Repository: lightspeed-core/lightspeed-stack

Length of output: 1500


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Search Tekton for konflux_requirements.sh / requirements.overrides.txt usage ==="
rg -n "konflux_requirements\.sh|requirements\.overrides\.txt|requirements\.no_hashes\.txt" .tekton/lightspeed-stack-pull-request.yaml || true

echo
echo "=== Search repo for konflux_requirements.sh invocation (lightweight) ==="
rg -n "konflux_requirements\.sh" . || true

Repository: lightspeed-core/lightspeed-stack

Length of output: 285


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Search for requirements.overrides.txt usage across .tekton ==="
rg -n "requirements\.overrides\.txt" .tekton || true

echo
echo "=== Search for requirements.hashes.wheel.txt usage across repo ==="
rg -n "requirements\.hashes\.wheel\.txt" . | head -n 50 || true

echo
echo "=== Search for requirements.overrides.txt usage across repo (lightweight) ==="
rg -n "requirements\.overrides\.txt" . | head -n 50 || true

Repository: lightspeed-core/lightspeed-stack

Length of output: 792


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Search .tekton for regeneration steps (make, konflux_requirements, requirements.no_hashes) ==="
rg -n "make (|$)|konflux_requirements\.sh|requirements\.no_hashes\.txt|requirements\.source\.txt|requirements\.wheel\.txt" .tekton || true

echo
echo "=== Search workflows/scripts for invoking make targets around konflux requirements ==="
rg -n "konflux_requirements\.sh|requirements\.overrides\.txt|requirements\.hashes\.wheel\.txt" .github .gitlab ci scripts deploy Makefile || true

Repository: lightspeed-core/lightspeed-stack

Length of output: 912


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Show Containerfile snippet around requirements.hashes.wheel.txt install ==="
sed -n '50,100p' deploy/lightspeed-stack/Containerfile | cat -n

echo
echo "=== Show README section describing requirements.hashes.wheel.txt ==="
sed -n '1380,1440p' README.md | cat -n

Repository: lightspeed-core/lightspeed-stack

Length of output: 5730


Align PyArrow pins between requirements.overrides.txt and requirements.hashes.wheel.txt

.konflux/requirements.overrides.txt pins pyarrow==23.0.0 (line 12), while .konflux/requirements.hashes.wheel.txt pins pyarrow==23.0.1 (lines 139-143). scripts/konflux_requirements.sh uses the overrides file to generate the wheel list and then regenerates requirements.hashes.wheel.txt, so re-running make konflux-requirements would likely revert the wheel hashes back to 23.0.0.

Update requirements.overrides.txt to pyarrow==23.0.1 and regenerate the Konflux requirements (so the pinned versions/hashes match).

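The consistency problem the review describes (an override pin that no longer matches the version in the hash-locked file) can be checked in code before a regeneration run. This is an added example, not code from the PR or from the lightspeed-stack project; the two sample pin files and the sha256 values in it are constructed placeholders, not the PyArrow wheel digests from the hunk.

```python
import re
from typing import Dict, List, Tuple

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s\\]+)")
HASH_RE = re.compile(r"^--hash=sha256:([0-9a-f]{64})$")


def parse_hashed_requirements(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Return {name: (version, [sha256, ...])} from a pip hash-lock file."""
    result: Dict[str, Tuple[str, List[str]]] = {}
    # Join backslash continuations so each requirement is one logical line.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        m = PIN_RE.match(tokens[0])
        if not m:
            raise ValueError(f"unparseable requirement: {tokens[0]}")
        name, version = m.group(1).lower(), m.group(2)
        hashes = []
        for tok in tokens[1:]:
            hm = HASH_RE.match(tok)
            if not hm:  # anything but a well-formed sha256 option is rejected
                raise ValueError(f"bad hash option for {name}: {tok}")
            hashes.append(hm.group(1))
        if not hashes:  # an unhashed pin would fail under pip --require-hashes
            raise ValueError(f"{name}=={version} has no --hash options")
        result[name] = (version, hashes)
    return result


def parse_overrides(text: str) -> Dict[str, str]:
    """Return {name: version} from a plain pkg==ver pin file."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = PIN_RE.match(line) if line else None
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def find_mismatches(overrides: Dict[str, str], locked) -> List[str]:
    """Overrides whose version differs from the version the hash file pins."""
    return [f"{n}: overrides={v} hashes={locked[n][0]}"
            for n, v in overrides.items() if n in locked and locked[n][0] != v]


# Constructed sample inputs mirroring the mismatch reported on the PR;
# the hash values are placeholders, not real PyArrow wheel digests.
OVERRIDES = "pyarrow==23.0.0\nnumpy==2.2.0\n"
HASHED = ("numpy==2.2.0 \\\n    --hash=sha256:" + "a" * 64 + "\n"
          "pyarrow==23.0.1 \\\n    --hash=sha256:" + "b" * 64 + " \\\n"
          "    --hash=sha256:" + "c" * 64 + "\n")
```

Running find_mismatches(parse_overrides(OVERRIDES), parse_hashed_requirements(HASHED)) reports the pyarrow pin as out of sync, which is the condition to fail a CI gate on before regenerating the lock file.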

@tisnik tisnik merged commit 053195f into lightspeed-core:main Jun 12, 2026
33 checks passed