Include the hotfix for pyarrow for versions of pyarrow below 14.0.1

[mattijn]

The hotfix for pyarrow is required until our minimum supported pyarrow version is 14.0.1 as is documented here: https://github.com/pitrou/pyarrow-hotfix#readme

We generally recommend upgrading to PyArrow 14.0.1 or later, but if you cannot upgrade, this package disables the vulnerability on older versions.

Since our minimum supported version of pyarrow is version 11 within our altair["all"] (pypi), altair-all (conda), we should aim to import this hotfix for versions lower than 14.0.1,

altair/pyproject.toml

Lines 57 to 66 in f2ac0a1

	all = [
	"vega_datasets>=0.9.0",
	"vl-convert-python>=1.5.0",
	"pandas>=0.25.3",
	"numpy<2.0.0",
	"pyarrow>=11",
	"vegafusion[embed]>=1.6.6",
	"anywidget>=0.9.0",
	"altair_tiles>=0.3.0"
	]

[mattijn]

Or bump our minimum required version of pyarrow

[binste]

As 14.0.1 only came out in November 2023, just adding pyarrow-hotfix makes sense to me so that we don't unnecessarily exclude other users with dependencies on pyarrow < 14.

[dangotbanned]

I can't find any examples of dependencies specified in this way search?q=pyarrow-hotfix+language%3Atoml

The two larger packages I found using pyarrow_hotfix were:

• geoarrow
• ibis

Interestingly, neither pandas, nor polars include it in their dependencies - despite both supporting "pyarrow<14.0.1".

pandas instead has this baked in, since v2.2.0

• Parquet/Feather IO: disable PyExtensionType autoload pandas-dev/pandas#55894

Since the original PR (#3494) that brought this to our attention; we no longer specify an ibis dependency (#3672).

---

That's all the info I could gather.
I'm going to close this as not planned, but feel free to reopen if anyone wants to take a swing at it in the future 👍