This is an automated email from the ASF dual-hosted git repository.

dheres pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow-rs.git


The following commit(s) were added to refs/heads/main by this push:
     new a8fe8b3204 chore(deps): update lz4_flex requirement from 0.12 to 0.13 (#9565)
a8fe8b3204 is described below

commit a8fe8b32045f32bc59794b9ad919ba08d22ef514
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: Tue Mar 17 07:26:00 2026 +0100

    chore(deps): update lz4_flex requirement from 0.12 to 0.13 (#9565)
    
    Updates the requirements on
    [lz4_flex](https://github.com/pseitz/lz4_flex) to permit the latest
    version.
    <details>
    <summary>Changelog</summary>
    <p><em>Sourced from <a
    href="https://github.com/PSeitz/lz4_flex/blob/main/CHANGELOG.md">lz4_flex's
    changelog</a>.</em></p>
    <blockquote>
    <h1>0.13.0 (2026-03-15)</h1>
    <h3>Features</h3>
    <ul>
    <li>Add option to reuse compression dict <a
    href="https://redirect.github.com/PSeitz/lz4_flex/pull/207">#207</a>
    (thanks <a
    href="https://github.com/matthewfollegot"><code>@matthewfollegot</code></a>)</li>
    </ul>
    <h3>Fixes</h3>
    <ul>
    <li>Fix handling of invalid match offsets during decompression <a
    href="https://github.com/PSeitz/lz4_flex/commit/055502e">#055502e</a>
    (thanks <a
    href="https://github.com/Marcono1234"><code>@Marcono1234</code></a>)</li>
    </ul>
    <pre><code>Invalid match offsets (offset == 0) during decompression were
    not properly
    handled, which could lead to invalid memory reads. This is a security
    fix
    that was also backported to 0.12.1 and 0.11.6.
    </code></pre>
    <ul>
    <li>Fix <code>get_maximum_output_size</code> overflow on 32-bit targets
    <a href="https://redirect.github.com/PSeitz/lz4_flex/pull/205">#205</a>
    (thanks <a
    href="https://github.com/dglittle"><code>@dglittle</code></a>)</li>
    </ul>
    <pre><code>Cast input_len to u64 before multiplying by 110, avoiding
    overflow on
    32-bit targets (e.g. wasm32) where input_len * 110 overflows usize
    when input_len &gt; ~39MB.
    </code></pre>
    <h1>0.12.1 (2026-03-14)</h1>
    <h3>Security Fix</h3>
    <ul>
    <li>Fix handling of invalid match offsets during decompression <a
    href="https://github.com/PSeitz/lz4_flex/commit/a0b9154">#a0b9154</a>
    (thanks <a
    href="https://github.com/Marcono1234"><code>@Marcono1234</code></a>)</li>
    </ul>
    <pre><code>Invalid match offsets (offset == 0) during decompression were
    not properly
    handled, which could lead to invalid memory reads on untrusted input.
    Users on 0.12.x should upgrade to 0.12.1.
    </code></pre>
    <h1>0.12.0 (2025-11-11)</h1>
    <ul>
    <li>Fix integer overflows when decoding large payloads <a
    href="https://redirect.github.com/PSeitz/lz4_flex/pull/192">#192</a>
    (thanks <a
    href="https://github.com/teh-cmc"><code>@teh-cmc</code></a>)</li>
    </ul>
    <pre><code>This fixes a u32 integer overflow when decoding large
    payloads in the block format.
    Note: The block format is not suitable for such large payloads, since it
    keeps everything in memory. Consider using the frame format for large
    data.
    </code></pre>
    <p>This change also removes an unsafe fast-path for write_integer to
    simplify the code.<br />
    The performance impact is on incompressible data, which is already fast
    enough.<br />
    </p>
    <h1>0.11.6 (2026-03-14)</h1>
    <h3>Security Fix</h3>
    <ul>
    <li>Fix handling of invalid match offsets during decompression <a
    href="https://github.com/PSeitz/lz4_flex/commit/84cdafb">#84cdafb</a>
    (thanks <a
    href="https://github.com/Marcono1234"><code>@Marcono1234</code></a>)</li>
    </ul>
    <pre><code>Invalid match offsets (offset == 0) during decompression were
    not properly
    handled, which could lead to invalid memory reads on untrusted input.
    Users on 0.11.x should upgrade to 0.11.6.
    </code></pre>
    <!-- raw HTML omitted -->
    </blockquote>
    <p>... (truncated)</p>
    </details>
    <details>
    <summary>Commits</summary>
    <ul>
    <li><a
    href="https://github.com/PSeitz/lz4_flex/commit/bfaae84cd4131e432577f04a0476c661e67cbdb0"><code>bfaae84</code></a>
    release 0.13.0</li>
    <li><a
    href="https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d"><code>055502e</code></a>
    fix handling of invalid match offsets during decompression</li>
    <li><a
    href="https://github.com/PSeitz/lz4_flex/commit/7191df8231f2be4daa70c9171ed1c1521123efe5"><code>7191df8</code></a>
    make hashtable visibility crate public</li>
    <li><a
    href="https://github.com/PSeitz/lz4_flex/commit/1bdafca3edf87b60fb5e045af9c37702e5c83ca5"><code>1bdafca</code></a>
    add doc comments</li>
    <li><a
    href="https://github.com/PSeitz/lz4_flex/commit/c90fc91feebc8d583e33ead82030882526d0fc86"><code>c90fc91</code></a>
    lz4_block exposes option to reuse compression dict</li>
    <li><a
    href="https://github.com/PSeitz/lz4_flex/commit/22e77f9bd191f31f958f75fd48891ee3d70a70d5"><code>22e77f9</code></a>
    Delete .github/workflows/typos.yml</li>
    <li><a
    href="https://github.com/PSeitz/lz4_flex/commit/2991a09be12bad4574205daa3b2b09b2fc27f17f"><code>2991a09</code></a>
    fix get_maximum_output_size overflow on 32-bit targets</li>
    <li><a
    href="https://github.com/PSeitz/lz4_flex/commit/7b5fb80e759e29c85aab6545bc143c4d4a217103"><code>7b5fb80</code></a>
    add minimal security policy</li>
    <li>See full diff in <a
    href="https://github.com/pseitz/lz4_flex/compare/0.12.0...0.13.0">compare
    view</a></li>
    </ul>
    </details>
    <br />
    
    
    Dependabot will resolve any conflicts with this PR as long as you don't
    alter it yourself. You can also trigger a rebase manually by commenting
    `@dependabot rebase`.
    
    [//]: # (dependabot-automerge-start)
    [//]: # (dependabot-automerge-end)
    
    ---
    
    <details>
    <summary>Dependabot commands and options</summary>
    <br />
    
    You can trigger Dependabot actions by commenting on this PR:
    - `@dependabot rebase` will rebase this PR
    - `@dependabot recreate` will recreate this PR, overwriting any edits
    that have been made to it
    - `@dependabot show <dependency name> ignore conditions` will show all
    of the ignore conditions of the specified dependency
    - `@dependabot ignore this major version` will close this PR and stop
    Dependabot creating any more for this major version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this minor version` will close this PR and stop
    Dependabot creating any more for this minor version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this dependency` will close this PR and stop
    Dependabot creating any more for this dependency (unless you reopen the
    PR or upgrade to it yourself)
    
    
    </details>
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
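The two lz4_flex fixes quoted in the changelog above (rejecting a match offset of 0 during block decompression, and computing the output-size bound in u64 so it cannot overflow a 32-bit usize) are the kind of input-validation checks a safe decoder has to make before touching its buffer. The following is an added example, written for this message and not code from lz4_flex or arrow-rs: a minimal, bounds-checked LZ4 block decoder that returns an error on offset 0, on an offset reaching before the start of the output, on truncated input, and on output exceeding a caller-supplied limit, plus a u64-based size bound next to a checked u32 model of the pre-fix overflow. The `16 + 4 + input_len * 110 / 100` shape is an assumption modelled on the changelog wording ("multiplying by 110"), not the crate's exact formula; the byte sequences in `main` and the tests are constructed by hand.

```rust
// Added example (not lz4_flex's or arrow-rs's own code): a minimal safe
// LZ4 *block* decoder that validates every match offset before copying,
// plus an output-size bound computed in u64. The 16 + 4 + n * 110 / 100
// shape below is an assumption modelled on the changelog text.

#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    /// Input ended before a complete sequence could be read.
    Truncated,
    /// Match offset is 0 (undefined in the format) or reaches before the
    /// start of the output buffer: the changelog's "invalid match offsets".
    InvalidOffset { offset: usize, decoded: usize },
    /// Output would exceed the caller's limit (guards against decompression bombs).
    OutputLimit(usize),
}

const MIN_MATCH: usize = 4;

/// Reads an LZ4 length extension: after a nibble of 15, each following byte
/// is added until a byte below 255 terminates the run.
fn read_extended_length(input: &[u8], pos: &mut usize, base: usize) -> Result<usize, DecodeError> {
    let mut len = base;
    if base == 15 {
        loop {
            let b = *input.get(*pos).ok_or(DecodeError::Truncated)?;
            *pos += 1;
            len += b as usize;
            if b != 255 {
                break;
            }
        }
    }
    Ok(len)
}

/// Decompresses one LZ4 block (token, literals, 2-byte LE offset, match) into
/// at most `max_out` bytes, rejecting malformed sequences instead of reading
/// outside the output buffer.
pub fn decompress_block(input: &[u8], max_out: usize) -> Result<Vec<u8>, DecodeError> {
    let mut out: Vec<u8> = Vec::new();
    let mut pos = 0usize;
    while pos < input.len() {
        let token = input[pos];
        pos += 1;
        // Literals: copy the next `lit_len` raw bytes.
        let lit_len = read_extended_length(input, &mut pos, (token >> 4) as usize)?;
        let lits = input.get(pos..pos + lit_len).ok_or(DecodeError::Truncated)?;
        if out.len() + lit_len > max_out {
            return Err(DecodeError::OutputLimit(max_out));
        }
        out.extend_from_slice(lits);
        pos += lit_len;
        if pos == input.len() {
            break; // the final sequence carries literals only
        }
        // Match: 2-byte little-endian offset, then the match length.
        let off_bytes = input.get(pos..pos + 2).ok_or(DecodeError::Truncated)?;
        pos += 2;
        let offset = u16::from_le_bytes([off_bytes[0], off_bytes[1]]) as usize;
        // The security-relevant check: offset 0 would copy from the byte being
        // written, and an offset larger than the decoded length would read
        // before the buffer. Both are rejected before any copy happens.
        if offset == 0 || offset > out.len() {
            return Err(DecodeError::InvalidOffset { offset, decoded: out.len() });
        }
        let match_len = read_extended_length(input, &mut pos, (token & 0x0F) as usize)? + MIN_MATCH;
        if out.len() + match_len > max_out {
            return Err(DecodeError::OutputLimit(max_out));
        }
        // Byte-by-byte copy so overlapping matches (offset < match_len) repeat correctly.
        for _ in 0..match_len {
            let b = out[out.len() - offset];
            out.push(b);
        }
    }
    Ok(out)
}

/// Output-size bound with the multiplication done in u64, so `input_len * 110`
/// cannot overflow a 32-bit usize (the post-fix approach from the changelog).
pub fn max_output_size(input_len: usize) -> usize {
    (16 + 4 + (input_len as u64 * 110 / 100)) as usize
}

/// The pre-fix behaviour on a 32-bit target, modelled with explicit u32
/// arithmetic: `None` means the multiplication overflowed (input > ~39 MB).
pub fn max_output_size_u32_checked(input_len: u32) -> Option<u32> {
    input_len.checked_mul(110).map(|v| 16 + 4 + v / 100)
}

fn main() {
    // Constructed block: 3 literals "abc", then a 12-byte match at offset 3.
    let good = [0x38u8, b'a', b'b', b'c', 0x03, 0x00];
    println!("{:?}", decompress_block(&good, 1024).map(|v| String::from_utf8(v).unwrap()));
    // Constructed malformed block: same, but with match offset 0.
    let bad = [0x38u8, b'a', b'b', b'c', 0x00, 0x00];
    println!("{:?}", decompress_block(&bad, 1024));
    println!("{} {:?}", max_output_size(40_000_000), max_output_size_u32_checked(40_000_000));
}
```

`max_out` should be set from what the caller actually expects (for a Parquet or IPC page, the declared uncompressed size) rather than left unbounded, since the block format keeps the whole result in memory, as the changelog itself notes.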
---
 arrow-ipc/Cargo.toml | 2 +-
 parquet/Cargo.toml   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/arrow-ipc/Cargo.toml b/arrow-ipc/Cargo.toml
index 943852ffde..ae603d2acd 100644
--- a/arrow-ipc/Cargo.toml
+++ b/arrow-ipc/Cargo.toml
@@ -42,7 +42,7 @@ arrow-data = { workspace = true }
 arrow-schema = { workspace = true }
 arrow-select = { workspace = true}
 flatbuffers = { version = "25.2.10", default-features = false }
-lz4_flex = { version = "0.12", default-features = false, features = ["std", 
"frame"], optional = true }
+lz4_flex = { version = "0.13", default-features = false, features = ["std", 
"frame"], optional = true }
 zstd = { version = "0.13.0", default-features = false, optional = true }
 
 [features]
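Review bot: the `+lz4_flex = { version = "0.13", ... }` line is a semver-breaking bump under Cargo's 0.x rules, while the security fix the quoted changelog cites (invalid match offset == 0) was also backported to 0.12.1, which the existing `"0.12"` caret requirement already permits; so the security benefit comes from re-resolving, the API risk from the major bump. Please confirm CI builds and tests arrow-ipc with this optional dependency enabled so the `std`/`frame` surface used here has not changed between 0.12 and 0.13.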
diff --git a/parquet/Cargo.toml b/parquet/Cargo.toml
index 75ab432cce..9ab59f4e7e 100644
--- a/parquet/Cargo.toml
+++ b/parquet/Cargo.toml
@@ -57,7 +57,7 @@ snap = { version = "1.0", default-features = false, optional 
= true }
 brotli = { version = "8.0", default-features = false, features = ["std"], 
optional = true }
 # To use `flate2` you must enable either the `flate2-zlib-rs` or 
`flate2-rust_backened` backends
 flate2 = { version = "1.1", default-features = false, optional = true }
-lz4_flex = { version = "0.12", default-features = false, features = ["std", 
"frame"], optional = true }
+lz4_flex = { version = "0.13", default-features = false, features = ["std", 
"frame"], optional = true }
 zstd = { version = "0.13", optional = true, default-features = false }
 chrono = { workspace = true }
 num-bigint = { version = "0.4", default-features = false }
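Review bot: the unchanged context comment `# To use \`flate2\` you must enable either the \`flate2-zlib-rs\` or \`flate2-rust_backened\` backends` contains a typo (`backened`, presumably `backend`); it is outside this Dependabot change but worth a follow-up so the comment matches the real feature name. The bump itself mirrors the arrow-ipc one and keeps `default-features = false` with only `std` and `frame`, which is the right minimal surface for a decompression dependency fed untrusted input.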
@@ -86,7 +86,7 @@ tempfile = { version = "3.0", default-features = false }
 insta = { workspace = true, default-features = true }
 brotli = { version = "8.0", default-features = false, features = ["std"] }
 flate2 = { version = "1.0", default-features = false, features = 
["rust_backend"] }
-lz4_flex = { version = "0.12", default-features = false, features = ["std", 
"frame"] }
+lz4_flex = { version = "0.13", default-features = false, features = ["std", 
"frame"] }
 zstd = { version = "0.13", default-features = false }
 serde_json = { version = "1.0", features = ["std"], default-features = false }
 arrow = { workspace = true, features = ["ipc", "test_utils", "prettyprint", 
"json"] }
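Review bot: good that the second `lz4_flex` entry (the one without `optional = true`, alongside `insta` and `tempfile`) moves to `"0.13"` together with the optional dependency above, so tests exercise the same lz4_flex major that ships. A pre-existing inconsistency is visible in the neighbouring `flate2` lines: `"1.1"` in the dependency hunk above versus `"1.0"` here; aligning them would be a reasonable follow-up.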
