deps: bump arrow to latest upstream; add back comment about lexical…

…-core soundness issues
jqnatividad · Sep 23, 2024 · ae24d82 · ae24d82
1 parent 04fa0a0
commit ae24d82
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 14 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -275,8 +275,9 @@ csv       = { git = "https://github.com/jqnatividad/rust-csv", branch = "qsv-opt
 csv-core  = { git = "https://github.com/jqnatividad/rust-csv", branch = "qsv-optimized" }
 csv-index = { git = "https://github.com/jqnatividad/rust-csv", branch = "qsv-optimized" }
 
-# use arrow 53 upstream with unreleased lexical-core fix
-arrow = { git = "https://github.com/apache/arrow-rs", rev = "5414f1d" }
+# older lexical-core versions have soundness issues - https://rustsec.org/advisories/RUSTSEC-2023-0086
+# use arrow 53 upstream with unreleased lexical-core fix & other fixes; used by csvlens
+arrow = { git = "https://github.com/apache/arrow-rs", rev = "b809021" }
 
 # use our csvlens fork with latest dependencies, including arrow 53 upstream, with unreleased lexical-core fix
 csvlens = { git = "https://github.com/jqnatividad/csvlens", branch = "dependency-upgrades-lexical-core_fix" }