@renovate renovate bot (Contributor) commented Nov 1, 2025

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| pyarrow | `==21.0.0` -> `==22.0.0` | (badge) | (badge) |

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions github-actions bot commented Nov 1, 2025

⚠️ MegaLinter analysis: Success with warnings

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 6 | | 0 | 0 | 0.04s |
| ✅ DOCKERFILE | hadolint | 8 | | 0 | 0 | 0.49s |
| ✅ EDITORCONFIG | editorconfig-checker | 51 | | 0 | 0 | 0.08s |
| ✅ JSON | jsonlint | 6 | | 0 | 0 | 0.17s |
| ✅ JSON | prettier | 6 | | 0 | 0 | 0.56s |
| ✅ JSON | v8r | 6 | | 0 | 0 | 8.15s |
| ⚠️ MARKDOWN | markdownlint | 9 | | 6 | 0 | 0.69s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.25s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.03s |
| ⚠️ REPOSITORY | kics | yes | | no | 2 | 2.6s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 1.55s |
| ✅ REPOSITORY | syft | yes | | no | no | 5.58s |
| ⚠️ REPOSITORY | trivy | yes | | 5 | 1 | 10.42s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 1.27s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 14.24s |
| ✅ YAML | prettier | 9 | | 0 | 0 | 0.61s |
| ✅ YAML | v8r | 9 | | 0 | 0 | 6.49s |
| ✅ YAML | yamllint | 9 | | 0 | 0 | 0.42s |

Detailed Issues

⚠️ REPOSITORY / kics - 2 warnings
warning: The 'Dockerfile' contains the 'chown' flag
   ┌─ images/ml-on-fhir/Dockerfile:43:1
   │
43 │ COPY --chown=${NB_UID}:${NB_GID} requirements.txt /tmp/
   │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   │
   = Chown Flag Exists
   = It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership

warning: The 'Dockerfile' contains the 'chown' flag
   ┌─ images/hive-metastore/Dockerfile:30:1
   │
30 │ COPY --from=downloader --chown=0:0 /tmp/libs/*.jar /opt/hive/lib/
   │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   │
   = Chown Flag Exists
   = It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership

warning: 2 warnings emitted
⚠️ MARKDOWN / markdownlint - 6 errors
images/dsf-bpe-full/CHANGELOG.md:120 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "### Description"]
images/dsf-bpe-full/CHANGELOG.md:123 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "### Versions:"]
images/dsf-bpe-full/CHANGELOG.md:123:13 MD026/no-trailing-punctuation Trailing punctuation in heading [Punctuation: ':']
images/dsf-bpe-full/CHANGELOG.md:124 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "* DFN CA certificate chain fro..."]
images/dsf-bpe-full/CHANGELOG.md:130:31 MD039/no-space-in-links Spaces inside link text [Context: "["MII Data Transfer" process ]"]
images/dsf-bpe-full/CHANGELOG.md:131:30 MD039/no-space-in-links Spaces inside link text [Context: "["MII Data Sharing" process ]"]
⚠️ REPOSITORY / trivy - 5 errors
warning: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2025-64118
Severity: MEDIUM
Fixed Version: 7.5.2
Link: [CVE-2025-64118](https://avd.aquasec.com/nvd/cve-2025-64118)
     ┌─ images/semantic-release/package-lock.json:5310:1
     │  
5310 │ ╭     "node_modules/npm/node_modules/tar": {
5311 │ │       "version": "7.5.1",
5312 │ │       "inBundle": true,
5313 │ │       "license": "ISC",
     · │
5323 │ │       }
5324 │ │     },
     │ ╰^
     │  
     = node-tar has a race condition leading to uninitialized memory exposure
     = node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.

error: Artifact: images/apache-superset/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/apache-superset/Dockerfile:8:1
   │  
 8 │ ╭ RUN <<EOF
 9 │ │ set -e
10 │ │ apt-get update -y
11 │ │ apt-get install -y --no-install-recommends alien libaio-dev libaio1 unzip wget
   · │
16 │ │ rm oracle-instantclient-basic-23.6.0.24.10-1.el9.x86_64.rpm
17 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

error: Artifact: images/coder-base/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/coder-base/Dockerfile:14:1
   │  
14 │ ╭ RUN <<EOF
15 │ │ apt-get update
16 │ │ xargs -r -a /tmp/setup/packages.txt apt-get install -y --no-install-recommends
17 │ │ 
   · │
27 │ │ useradd coder --create-home --shell=/bin/bash --uid=10001 --user-group
28 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

error: Artifact: images/hive-metastore/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/hive-metastore/Dockerfile:20:1
   │  
20 │ ╭ RUN <<EOF
21 │ │ chown -R 1000:1000 /opt/hive
22 │ │ apt-get update
23 │ │ apt-get upgrade -y
   · │
27 │ │ rm -rf /var/lib/apt/lists/*
28 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

error: Artifact: images/ml-on-fhir/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/ml-on-fhir/Dockerfile:8:1
   │  
 8 │ ╭ RUN <<EOF
 9 │ │ apt-get -y update
10 │ │ apt-get install --no-install-recommends -y openjdk-17-jre-headless
11 │ │ rm -rf /var/lib/apt/lists/*
12 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

error: Artifact: images/semantic-release/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/semantic-release/Dockerfile:10:1
   │  
10 │ ╭ RUN <<EOF
11 │ │ apt-get update
12 │ │ apt-get install --no-install-recommends -y git bash
13 │ │ apt-get clean
14 │ │ rm -rf /var/lib/apt/lists/*
15 │ │ EOF
   │ ╰^
   │  
   = 'RUN <package-manager> update' instruction alone
   = The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

warning: 1 warnings emitted
error: 5 errors emitted

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performance if you use a MegaLinter flavor:

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performance. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx [email protected] --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,EDITORCONFIG_EDITORCONFIG_CHECKER,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
