Yicong-Huang commented on PR #6231:
URL: https://github.com/apache/texera/pull/6231#issuecomment-4911687086

   > Can you suggest what to do with those libraries? Sometimes they do have 
CVEs.
   
   Let’s handle them case by case. CVEs should take priority. If a library has 
CVEs that need to be addressed, but bumping the minor or major version is not 
desirable, we can check whether the project provides backported fixes in patch 
releases.  (and the libraries usually backport important fixes!) 
   For example, NumPy may include CVE fixes in patch versions, which would let 
us address the issue without taking a larger version (minor or major) upgrade.
   
   For Arrow, it is a bit different: Arrow only uses sequential versioning, so 
backports to older patch releases are not possible. In that case, if a CVE 
needs to be addressed, we may have to take the newer Arrow version rather than 
relying on a patch release for an older version line. 
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to