Skip to content

LCORE-2506: PyArrow CVE fix #1920

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tisnik merged 1 commit into from
Jun 12, 2026
+5 −4
Merged

LCORE-2506: PyArrow CVE fix #1920

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 5 additions & 4 deletions .konflux/requirements.hashes.wheel.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,10 +136,11 @@ psycopg2-binary==2.9.11 \
--hash=sha256:0badf162b98436fdb9aa273e2901db462a6ffa081904e9d722429b75e01532d9 \
--hash=sha256:623cff634940e5d248125a1b8d74a19625db0c11c6aecd8db007940ccb409436 \
--hash=sha256:bf7588449bc9604e13c7fc2a374c359a82784a265776b2975fd013588eba032e
pyarrow==23.0.0 \
--hash=sha256:5c8077c77ed2d0ef9ec150cc2e47dd98e3e49e6f7d5e3ee84e718ee31b45cf85 \
--hash=sha256:f5af9838bbfefa2535c3ae9bf4fbfaab63367994c1e65243b1830e41b943b366 \
--hash=sha256:f8eea464a5138cfe7b32b5422caedaca6a9fe4b20af1ed917f2a6cf9ec802d94
pyarrow==23.0.1 \
--hash=sha256:c00b052ccfb5b904e77f0ca0472723936903d8dc7d1964504a9489c7212a47fc \
--hash=sha256:c1fb462a14714f87a6c2d56d0ce938769e38206130231af669722f13eda5b612 \
--hash=sha256:c4302f07a0e9d212d42b5b89be8745b5a22ae970209189271387d91e45b6ec4e \
--hash=sha256:fb062054b2ba4c84d3b607f64c8e7ae65fced4f20016602773da4b7481d162a9
Comment on lines +139 to +143

@coderabbitai coderabbitai Bot Jun 12, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the version mismatch between overrides and hashes
echo "=== PyArrow pin in overrides.txt ==="
grep -n "pyarrow==" .konflux/requirements.overrides.txt

echo -e "\n=== PyArrow version in hashes file ==="
grep -n "^pyarrow==" .konflux/requirements.hashes.wheel.txt

echo -e "\n=== Do they match? ==="
OVERRIDE_VERSION=$(grep "pyarrow==" .konflux/requirements.overrides.txt | sed 's/.*==//;s/[[:space:]]*$//')
HASH_VERSION=$(grep "^pyarrow==" .konflux/requirements.hashes.wheel.txt | sed 's/.*==//;s/[[:space:]]*$//')

if [ "$OVERRIDE_VERSION" = "$HASH_VERSION" ]; then
  echo "✓ Versions match: pyarrow==$OVERRIDE_VERSION"
else
  echo "✗ VERSION MISMATCH: overrides=$OVERRIDE_VERSION vs hashes=$HASH_VERSION"
  exit 1
fi

Repository: lightspeed-core/lightspeed-stack

Length of output: 274

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Inspect scripts/konflux_requirements.sh for overrides usage ==="
if [ -f scripts/konflux_requirements.sh ]; then
  sed -n '1,200p' scripts/konflux_requirements.sh | nl -ba
  echo
  echo "---- Search within script for requirements.overrides.txt / requirements.hashes.wheel.txt ----"
  rg -n "requirements\.overrides\.txt|hashes\.wheel\.txt|pip compile|uv pip compile|override" scripts/konflux_requirements.sh || true
else
  echo "Missing: scripts/konflux_requirements.sh" >&2
fi

echo
echo "=== Inspect Tekton pipeline for hashes usage ==="
if [ -f .tekton/lightspeed-stack-pull-request.yaml ]; then
  sed -n '1,200p' .tekton/lightspeed-stack-pull-request.yaml | nl -ba
  echo
  echo "---- Search within Tekton for requirements.hashes.wheel.txt ----"
  rg -n "requirements\.hashes\.wheel\.txt|prefetch|pip|uv pip" .tekton/lightspeed-stack-pull-request.yaml || true
else
  echo "Missing: .tekton/lightspeed-stack-pull-request.yaml" >&2
fi

Repository: lightspeed-core/lightspeed-stack

Length of output: 205

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Locate and inspect scripts/konflux_requirements.sh ==="
if [ -f scripts/konflux_requirements.sh ]; then
  echo "Found scripts/konflux_requirements.sh"
  wc -l scripts/konflux_requirements.sh
  echo "--- First 200 lines ---"
  sed -n '1,200p' scripts/konflux_requirements.sh | cat -n
  echo
  echo "--- Search patterns in scripts/konflux_requirements.sh ---"
  rg -n "requirements\.overrides\.txt|requirements\.hashes\.wheel\.txt|pip compile|uv pip compile|override" scripts/konflux_requirements.sh || true
else
  echo "Missing scripts/konflux_requirements.sh" >&2
  echo "--- Listing scripts/ (if exists) ---"
  ls -la scripts 2>/dev/null || true
fi

echo
echo "=== Inspect .tekton/lightspeed-stack-pull-request.yaml (if exists) ==="
if [ -f .tekton/lightspeed-stack-pull-request.yaml ]; then
  wc -l .tekton/lightspeed-stack-pull-request.yaml
  echo "--- First 220 lines ---"
  sed -n '1,220p' .tekton/lightspeed-stack-pull-request.yaml | cat -n
  echo
  echo "--- Search patterns in .tekton/lightspeed-stack-pull-request.yaml ---"
  rg -n "requirements\.hashes\.wheel\.txt|prefetch|pip|uv pip" .tekton/lightspeed-stack-pull-request.yaml || true
else
  echo "Missing .tekton/lightspeed-stack-pull-request.yaml" >&2
  echo "--- Listing .tekton/ (if exists) ---"
  ls -la .tekton 2>/dev/null || true
fi

Repository: lightspeed-core/lightspeed-stack

Length of output: 21034

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Show pyarrow pin in .konflux/requirements.overrides.txt ==="
rg -n "^\s*pyarrow==|pyarrow==" .konflux/requirements.overrides.txt
echo
echo "Context:"
sed -n '1,200p' .konflux/requirements.overrides.txt | nl -ba | sed -n '1,220p' || true

echo
echo "=== Show pyarrow entries in .konflux/requirements.hashes.wheel.txt ==="
rg -n "^pyarrow==" .konflux/requirements.hashes.wheel.txt
echo
echo "Context around first pyarrow== match:"
LINE=$(rg -n "^pyarrow==" .konflux/requirements.hashes.wheel.txt | head -n1 | cut -d: -f1)
START=$((LINE-5))
END=$((LINE+10))
sed -n "${START},${END}p" .konflux/requirements.hashes.wheel.txt | cat -n

Repository: lightspeed-core/lightspeed-stack

Length of output: 1500

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Search Tekton for konflux_requirements.sh / requirements.overrides.txt usage ==="
rg -n "konflux_requirements\.sh|requirements\.overrides\.txt|requirements\.no_hashes\.txt" .tekton/lightspeed-stack-pull-request.yaml || true

echo
echo "=== Search repo for konflux_requirements.sh invocation (lightweight) ==="
rg -n "konflux_requirements\.sh" . || true

Repository: lightspeed-core/lightspeed-stack

Length of output: 285

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Search for requirements.overrides.txt usage across .tekton ==="
rg -n "requirements\.overrides\.txt" .tekton || true

echo
echo "=== Search for requirements.hashes.wheel.txt usage across repo ==="
rg -n "requirements\.hashes\.wheel\.txt" . | head -n 50 || true

echo
echo "=== Search for requirements.overrides.txt usage across repo (lightweight) ==="
rg -n "requirements\.overrides\.txt" . | head -n 50 || true

Repository: lightspeed-core/lightspeed-stack

Length of output: 792

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Search .tekton for regeneration steps (make, konflux_requirements, requirements.no_hashes) ==="
rg -n "make (|$)|konflux_requirements\.sh|requirements\.no_hashes\.txt|requirements\.source\.txt|requirements\.wheel\.txt" .tekton || true

echo
echo "=== Search workflows/scripts for invoking make targets around konflux requirements ==="
rg -n "konflux_requirements\.sh|requirements\.overrides\.txt|requirements\.hashes\.wheel\.txt" .github .gitlab ci scripts deploy Makefile || true

Repository: lightspeed-core/lightspeed-stack

Length of output: 912

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Show Containerfile snippet around requirements.hashes.wheel.txt install ==="
sed -n '50,100p' deploy/lightspeed-stack/Containerfile | cat -n

echo
echo "=== Show README section describing requirements.hashes.wheel.txt ==="
sed -n '1380,1440p' README.md | cat -n

Repository: lightspeed-core/lightspeed-stack

Length of output: 5730

Align PyArrow pins between requirements.overrides.txt and requirements.hashes.wheel.txt

.konflux/requirements.overrides.txt pins pyarrow==23.0.0 (line 12), while .konflux/requirements.hashes.wheel.txt pins pyarrow==23.0.1 (lines 139-143). scripts/konflux_requirements.sh uses the overrides file to generate the wheel list and then regenerates requirements.hashes.wheel.txt, so re-running make konflux-requirements would likely revert the wheel hashes back to 23.0.0.

Update requirements.overrides.txt to pyarrow==23.0.1 and regenerate the Konflux requirements (so the pinned versions/hashes match).

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.konflux/requirements.hashes.wheel.txt around lines 139 - 143, The override
and wheel-hash requirement pins for pyarrow are out of sync:
.konflux/requirements.overrides.txt pins pyarrow==23.0.0 while
.konflux/requirements.hashes.wheel.txt pins pyarrow==23.0.1; update
.konflux/requirements.overrides.txt to pyarrow==23.0.1 and then run the
regeneration flow (invoke scripts/konflux_requirements.sh or run make
konflux-requirements) so the wheel hash file is rebuilt and the pinned version
and hashes in requirements.hashes.wheel.txt match the override.

pyasn1-modules==0.4.2 \
--hash=sha256:cda22a851735d664e92c8354a30405d88c5a1aa7d6313ba6c583bc3034654937
pycparser==3.0 \
Expand Down
Loading