dryvist · JacobPEvans-personal · May 24, 2026 · May 24, 2026 · May 24, 2026
diff --git a/pyproject.toml b/pyproject.toml
@@ -20,7 +20,7 @@ dependencies = [
     "huggingface-hub>=0.23",
     "jsonschema[format]>=4.23.0",
     "psutil>=5.9",
-    "pyarrow>=17.0.0",
+    "pyarrow>=23.0.1",
     "lm-eval[api]==0.4.12",
     # tokenizers powers the lm-eval converter's tok/s computation. The library
     # is also a transitive dep of transformers (and therefore lm-eval), but

diff --git a/space/requirements.txt b/space/requirements.txt
@@ -9,9 +9,10 @@ huggingface-hub>=0.23
 #   pillow  9.5.0   → 3 CVEs fixed in 10.4.0 (CVE-2024-28219, CVE-2023-50447, CVE-2024-44537)
 #   pillow  10.4.0  → GHSA-cfh3-3jmp-rvhc + GHSA-whj4-6x5x-4v2j fixed in 12.2.0
 #   pyarrow 14      → PYSEC-2023-238 + PYSEC-2024-161 fixed in 17.0.0
+#   pyarrow 17.0.0  → PYSEC-2026-113 (CVSS 7.0 High) fixed in 23.0.1
 #   orjson  3.9.9   → GHSA-hx9q-6w63-j58v fixed in 3.11.6
 #   idna    3.9.0   → GHSA-65pc-fj4g-8rjx fixed in 3.15 (CVSS 6.9, transitive via requests/httpx)
-pyarrow>=17.0.0
+pyarrow>=23.0.1
 pillow>=12.2.0
 orjson>=3.11.6
 idna>=3.15
diff --git a/uv.lock b/uv.lock