Prepare 37.1.0 release (on branch-37) #10128

Merged
merged 4 commits into from
Apr 18, 2024

@alamb alamb commented Apr 18, 2024

NOTE this PR targets branch-37. Once it is merged I will create a PR with a cherry-pick to main to bring the changes there

Which issue does this PR close?

Part of #9904

Rationale for this change

Patch release to fix regressions

What changes are included in this PR?

  • Update version to 37.1.0
  • Update changelog (rendered)

Are these changes tested?

Are there any user-facing changes?

@alamb alamb marked this pull request as ready for review April 18, 2024 11:28
@alamb alamb changed the title Alamb/prepare 37.1.0 Prepare 37.1.0 release (on branch-37`) Apr 18, 2024
@alamb alamb changed the title Prepare 37.1.0 release (on branch-37`) Prepare 37.1.0 release (on branch-37) Apr 18, 2024
@alamb alamb marked this pull request as draft April 18, 2024 11:29

alamb commented Apr 18, 2024

Note that the security-audit CI check is failing

https://github.com/apache/arrow-datafusion/actions/runs/8737098473/job/23973329903?pr=10128

error: 1 vulnerability found!
Crate:     gix-transport
Version:   0.39.0
Title:     gix-transport indirect code execution via malicious username
Date:      2024-04-13
ID:        RUSTSEC-2024-0335
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0335
Solution:  Upgrade to >=0.42.0
Dependency tree:
gix-transport 0.39.0
├── gix-protocol 0.42.0
│   └── gix 0.56.0
│       └── cargo 0.77.0
│           └── datafusion 37.1.0
│               ├── datafusion-wasmtest 37.1.0
│               ├── datafusion-substrait 37.1.0
│               ├── datafusion-sqllogictest 37.1.0
│               ├── datafusion-proto 37.1.0
│               │   └── datafusion-benchmarks 37.1.0
│               ├── datafusion-examples 37.1.0
│               ├── datafusion-docs-tests 37.1.0
│               └── datafusion-benchmarks 37.1.0
└── gix 0.56.0

This is due to a dev dependency on cargo in datafusion for the depcheck binary

https://github.com/apache/arrow-datafusion/blob/d4eb72c30d45c0f3f359c64f41a6caed30abe750/datafusion/core/Cargo.toml#L133

We removed this dependency from main (38.0.0) but it is still on the branch-37 #9865

Two options:

  1. Merge the PR as is (with the CI check failure)
  2. Remove the depcheck binary/ci/cargo dependency from the branch-37 line to get CI passing cleanly

@alamb alamb self-assigned this Apr 18, 2024
@alamb alamb marked this pull request as ready for review April 18, 2024 11:36

alamb commented Apr 18, 2024

I am going to merge without fixing the security CI failure on the 37 branch. If we want to make more releases from 37 we can fix it later

@alamb alamb mentioned this pull request Apr 18, 2024
8 tasks

alamb commented Apr 18, 2024

Hmm, I appear to have forgotten to merge this PR before sending out the vote thread 🤦

@alamb alamb merged commit aee976a into apache:branch-37 Apr 18, 2024
24 of 25 checks passed
@alamb alamb deleted the alamb/prepare_37.1.0 branch April 18, 2024 21:06
alamb added a commit to alamb/datafusion that referenced this pull request Apr 18, 2024
* Add CHANGELOG for 37.1.0

* Update version to 37.1.0

* prettier

* update configs.md

alamb commented Apr 18, 2024

Created #10136 to port these changes to main

jackwener pushed a commit that referenced this pull request Apr 19, 2024
* Add CHANGELOG for 37.1.0

* Update version to 37.1.0

* prettier

* update configs.md