fix: patch pyarrow and pydantic CVEs, harden release workflow (#104)

* fix(deps): raise pyarrow/pydantic floors past CVEs

* chore: tighten release.yml workflow permissions

Author: zfarrell

.github/workflows/release.yml

@@ -11,13 +11,15 @@ on:
         required: true
         type: string
 
-permissions:
-  contents: write
+# Deny all permissions by default; grant only what each job needs.
+permissions: {}
 
 jobs:
   release:
     name: Create GitHub Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write  # create/update the GitHub Release and read the tagged ref
     env:
       RELEASE_TAG: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.tag || github.ref_name }}
     steps:

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Security
+
+- Raised dependency floors to patched releases: `pyarrow >= 14.0.1` (CVE-2023-47248, RCE via unsafe deserialization) and `pydantic >= 2.4.0` (CVE-2024-3772, regex denial of service).
+
 
 ## [0.3.0] - 2026-06-05
 

pyproject.toml

@@ -13,12 +13,12 @@ requires-python = ">=3.9"
 dependencies = [
   "urllib3 (>=2.1.0,<3.0.0)",
   "python-dateutil (>=2.8.2)",
-  "pydantic (>=2)",
+  "pydantic (>=2.4.0)",
   "typing-extensions (>=4.7.1)",
 ]
 
 [project.optional-dependencies]
-arrow = ["pyarrow >= 14"]
+arrow = ["pyarrow >= 14.0.1"]
 
 [project.urls]
 Homepage = "https://www.hotdata.dev"

requirements.txt

@@ -1,4 +1,4 @@
 urllib3 >= 2.1.0, < 3.0.0
 python_dateutil >= 2.8.2
-pydantic >= 2
+pydantic >= 2.4.0
 typing-extensions >= 4.7.1

test-requirements.txt

@@ -7,4 +7,4 @@ mypy >= 1.5
 # pyarrow backs the `arrow` extra. Required here (not just an optional extra) so
 # the arrow integration scenarios actually run in CI instead of silently
 # skipping via importorskip. Keep the floor in sync with pyproject's extra.
-pyarrow >= 14
+pyarrow >= 14.0.1