From a928beffc83e1777800ac815b12f53bce8af9306 Mon Sep 17 00:00:00 2001
From: Jarek Potiuk
Date: Tue, 9 Jan 2024 20:15:47 +0100
Subject: [PATCH] Get rid of pyarrow-hotfix for CVE-2023-47248

The #35650 introduced a hotfix for Pyarrow CVE-2023-47248. So far we have been blocked from removing it by Apache Beam that limited Airflow from bumping pyarrow to a version that was not vulnerable. This is now possible since Apache Beam relesed 2.53.0 version on 4th of January 2023 that allows to use non-vulnerable pyarrow. We are now bumping both Pyarrow and Beam minimum versions to reflect that and remove pyarrow hotfix.
---
 airflow/providers/apache/beam/provider.yaml | 4 +++-
 generated/provider_dependencies.json | 3 ++-
 setup.py | 4 ----
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/airflow/providers/apache/beam/provider.yaml b/airflow/providers/apache/beam/provider.yaml
index 0facc9cd455d6..ddf8100edeb0a 100644
--- a/airflow/providers/apache/beam/provider.yaml
+++ b/airflow/providers/apache/beam/provider.yaml
@@ -52,7 +52,9 @@ versions:
 
 dependencies:
   - apache-airflow>=2.6.0
-  - apache-beam>=2.47.0
+  # Apache Beam > 2.53.0 and pyarrow > 14.0.1 fix https://nvd.nist.gov/vuln/detail/CVE-2023-47248.
+  - apache-beam>=2.53.0
+  - pyarrow>=14.0.1
 
 integrations:
   - integration-name: Apache Beam
diff --git a/generated/provider_dependencies.json b/generated/provider_dependencies.json
index a0813d79791ff..cbbb567a52db2 100644
--- a/generated/provider_dependencies.json
+++ b/generated/provider_dependencies.json
@@ -56,7 +56,8 @@
   "apache.beam": {
     "deps": [
       "apache-airflow>=2.6.0",
-      "apache-beam>=2.47.0"
+      "apache-beam>=2.53.0",
+      "pyarrow>=14.0.1"
     ],
     "cross-providers-deps": [
       "google"
diff --git a/setup.py b/setup.py
index 047326f0c656f..ae3848b069e5e 100644
--- a/setup.py
+++ b/setup.py
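Review bot: The comment added in the provider.yaml hunk says `Apache Beam > 2.53.0 and pyarrow > 14.0.1 fix ...`, but the constraints directly beneath it are `apache-beam>=2.53.0` and `pyarrow>=14.0.1`, and both the description and the comment being removed from setup.py treat 2.53.0 and 14.0.1 themselves as the fixed releases. Read literally, the comment tells a maintainer that the exact versions the pins now permit are still affected by the CVE, which undermines the reason the pins exist. Change it to `# Apache Beam >= 2.53.0 and pyarrow >= 14.0.1 fix https://nvd.nist.gov/vuln/detail/CVE-2023-47248.` so the comment and the constraints agree. The generated provider_dependencies.json mirrors only the pins, not the comment, so this file is the only place that needs the fix.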
@@ -351,10 +351,6 @@ def write_version(filename: str = str(AIRFLOW_SOURCES_ROOT / "airflow" / "git_ve
 otel = ["opentelemetry-exporter-prometheus"]
 pandas = [
     "pandas>=0.17.1",
-    # Use pyarrow-hotfix to fix https://nvd.nist.gov/vuln/detail/CVE-2023-47248.
-    # We should remove it once Apache Beam frees us to upgrade to pyarrow 14.0.1
-    "pyarrow-hotfix",
-    "pyarrow>=9.0.0",
 ]
 password = [
     "bcrypt>=2.0.0",
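Review bot: Removing both `"pyarrow-hotfix"` and `"pyarrow>=9.0.0"` leaves the `pandas` extra with no pyarrow constraint at all, while the new `pyarrow>=14.0.1` lower bound is added only to the apache.beam provider in the other two files. An install of the `pandas` extra that does not also pull in the beam provider therefore loses the mitigation this commit is retiring without gaining the fixed-version floor that replaces it, if pyarrow is resolved transitively to a release older than 14.0.1. If the intent is that the hotfix is unnecessary because the fixed release is now installable, replace the two removed pins with `"pyarrow>=14.0.1",` here instead of dropping the constraint. The `password` list opened at the end of the hunk continues outside it.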