GH-49967: [Python][CI] Raise oldest NumPy wheel-test requirement to a patched release #49965

Open
arpitjain099 wants to merge 1 commit into apache:main from arpitjain099:security/bump-oldest-numpy-wheel-tests

Conversation

@arpitjain099 arpitjain099 commented May 12, 2026

Summary

  • Update python/requirements-wheel-test.txt for Python <3.11 from numpy~=1.21.3 to numpy~=1.22.0.

Why

Dependabot flags numpy < 1.22 in this requirements file. Bumping the lower compatible test constraint to the patched line addresses the advisory while preserving the existing per-Python version strategy.

Validation

  • python3 -m pip install -r python/requirements-wheel-test.txt

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
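The constraint change this PR describes, checked mechanically: an added example (not Apache Arrow's code) that applies PEP 440 compatible-release (`~=`) semantics to decide whether a requirements line still admits a version inside the advisory's affected range (numpy < 1.22). The sample lines are constructed; the exact contents of python/requirements-wheel-test.txt are assumed.

```python
"""Added example (not Apache Arrow's code): does a requirements-file pin still
admit a version inside an advisory's vulnerable range?"""
import re

# Constructed sample lines modelled on the before/after states the PR describes;
# the exact contents of python/requirements-wheel-test.txt are assumed.
LINE_BEFORE = 'numpy~=1.21.3; python_version < "3.11"'
LINE_AFTER = 'numpy~=1.22.0; python_version < "3.11"'

# Advisory cited in the thread: affected range numpy < 1.22, first patched in 1.22.
ADVISORY = {"package": "numpy", "fixed_in": (1, 22, 0)}

_REQ = re.compile(r'^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(~=|==|>=)\s*'
                  r'([0-9]+(?:\.[0-9]+)*)\s*(?:;\s*(.+))?$')


def parse_version(text):
    """'1.21.3' -> (1, 21, 3); tuples compare component-wise like PEP 440 releases."""
    return tuple(int(part) for part in text.split("."))


def compatible_release_bounds(spec):
    """PEP 440 '~=X.Y.Z' means '>=X.Y.Z, ==X.Y.*': return (lower_incl, upper_excl)."""
    lower = parse_version(spec)
    if len(lower) < 2:
        raise ValueError("~= needs at least two release segments")
    head = lower[:-1]                       # drop the last segment ...
    upper = head[:-1] + (head[-1] + 1,)     # ... and bump the one before it
    return lower, upper + (0,) * (len(lower) - len(upper))


def parse_requirement(line):
    """Return (name, operator, version, marker) for one simple requirements line."""
    m = _REQ.match(line.strip())
    if not m:
        raise ValueError(f"unsupported requirement syntax: {line!r}")
    name, op, version, marker = m.groups()
    return name.lower(), op, version, marker


def allows_vulnerable(line, advisory):
    """True if the constraint admits at least one version below the fix."""
    name, op, version, _marker = parse_requirement(line)
    if name != advisory["package"]:
        return False
    if op == "~=":
        lowest = compatible_release_bounds(version)[0]   # floor of the ~= window
    else:
        lowest = parse_version(version)                  # '==' pin or '>=' floor
    return lowest < advisory["fixed_in"]
```

Running `allows_vulnerable` over both sample lines shows why the bump matters: `~=1.21.3` can only ever resolve inside 1.21.x, so every admitted version is unpatched, while `~=1.22.0` starts at the first fixed release.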
@github-actions

Thanks for opening a pull request!

If this is not a minor PR, could you open an issue for this pull request on GitHub? https://github.com/apache/arrow/issues/new/choose

Opening GitHub issues ahead of time contributes to the Openness of the Apache Arrow project.

Then could you also rename the pull request title in the following format?

GH-${GITHUB_ISSUE_ID}: [${COMPONENT}] ${SUMMARY}

or

MINOR: [${COMPONENT}] ${SUMMARY}

See also:

@raulcd raulcd (Member) left a comment

Thanks for the PR. Could you follow the contributing guidelines for the project and open a corresponding issue?

@arpitjain099 arpitjain099 changed the title Raise oldest NumPy wheel-test requirement to a patched release GH-49967: [Python][CI] Raise oldest NumPy wheel-test requirement to a patched release May 12, 2026
@arpitjain099 arpitjain099 (Author) commented May 12, 2026

@raulcd
Done, thanks for the review. I opened #49967 to track this change and updated the PR title to follow the project convention.

@github-actions

⚠️ GitHub issue #49967 has been automatically assigned in GitHub to PR creator.

@github-actions

⚠️ GitHub issue #49967 has no components, please add labels for components.

@arpitjain099 arpitjain099 (Author) commented

@raulcd please review the PR when you can. I added the corresponding issue as you asked. Thank you!

@raulcd raulcd (Member) left a comment

Hi @arpitjain099, just so I understand this better, dependabot flags this dependency as a security issue or what is the exact problem?
There's also this discussion which maybe instead of bumping individual patch releases for numpy we could potentially bump to numpy 2, see:

Also, this is just for the minimal test requirements; is there a reason you are using requirements-wheel-test.txt? For build we already have a minimum numpy of >=1.25.
I basically want to understand the case you are flagging.

@arpitjain099 arpitjain099 (Author) commented

@raulcd answers to each:

  1. Yes, dependabot. The alert is GHSA-fpfv-jqm9-f5jm / CVE-2021-34141 (medium, "Incorrect Comparison in NumPy"), vulnerable range < 1.22, first patched 1.22. It's flagged on my fork against python/requirements-wheel-test.txt specifically because that file still pins numpy~=1.21.3 for <3.11.

  2. On the numpy 2 path ([Python] Require numpy 2.x #48473): not mutually exclusive with this. This PR is the minimal fix that closes the dependabot alert without touching the broader migration story. Happy to drop it if you'd rather wait for the full 2.x cutover, but the alert stays open until then.

  3. Right, the build already uses numpy>=1.25, so the build side is fine. The vulnerability is specifically on the wheel-test surface where the file still pins numpy~=1.21.3 for Python <3.11. That's the line dependabot points at.

Let me know which direction you'd prefer.

@raulcd raulcd (Member) commented May 13, 2026

@github-actions crossbow submit wheel-310

@github-actions github-actions Bot added awaiting changes Awaiting changes and removed awaiting review Awaiting review labels May 13, 2026
@github-actions

Revision: 528258b

Submitted crossbow builds: ursacomputing/crossbow @ actions-52d25f49e0

Task                                      Status
wheel-macos-monterey-cp310-cp310-amd64    GitHub Actions
wheel-macos-monterey-cp310-cp310-arm64    GitHub Actions
wheel-manylinux-2-28-cp310-cp310-amd64    GitHub Actions
wheel-manylinux-2-28-cp310-cp310-arm64    GitHub Actions
wheel-musllinux-1-2-cp310-cp310-amd64     GitHub Actions
wheel-musllinux-1-2-cp310-cp310-arm64     GitHub Actions
wheel-windows-cp310-cp310-amd64           GitHub Actions

@raulcd raulcd (Member) left a comment

Ok, thanks for the comment. To be honest, it feels like a minor issue to me. We just use those to specify the minimum version we can be compatible with on testing, but we build with a more modern version.
I am running tests for the wheels, which is the only place we use this requirements file on testing, and we can bump it if CI is successful. We are going to drop Python 3.10 support in one release once we add Python 3.15.
Just so I understand, where did you get the dependabot alert? I can't see it in the Arrow repo security alerts.
Thanks

@arpitjain099 arpitjain099 (Author) commented

@raulcd the alert is on my fork (Dependabot enabled there): https://github.com/arpitjain099/arrow/security/dependabot/1. apache/arrow's own security tab may not surface this specific file or this Dependabot bucket, which would explain why it isn't visible to you. The advisory is a global GitHub one: GHSA-fpfv-jqm9-f5jm / CVE-2021-34141 against numpy < 1.22 in python/requirements-wheel-test.txt.

Agree the practical impact is small given this is only the wheel-test lower bound and the actual build uses numpy>=1.25. If you're comfortable letting the CI run on the bumped value be the test, happy to wait for that signal and update or close as you prefer once it lands. And if dropping Python 3.10 in a release-or-two effectively retires this file's relevance anyway, that's fine too.

@arpitjain099 arpitjain099 force-pushed the security/bump-oldest-numpy-wheel-tests branch from 528258b to 7847066 Compare May 13, 2026 17:13
@github-actions github-actions Bot added awaiting change review Awaiting change review and removed awaiting changes Awaiting changes labels May 13, 2026