Npm package @databricks/sql depends on apache-arrow.
apache-arrow relies on command-line-usage, and a security vulnerability was discovered in one of the dependencies of command-line-usage. A patch has been released to address this issue. However, apache-arrow@^13.0.0 strictly specifies the version of command-line-usage, which prevents this security patch from being applied.
Starting from version 15, apache-arrow specifies the version of command-line-usage with a caret (^). The latest version of apache-arrow is 17.
Please consider upgrading the apache-arrow version to at least 15 or higher.
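The mechanism the report describes (an exact pin in an intermediate package blocking a transitive patch release that a caret range would admit) is easy to reproduce offline. The following is an added example, not code from @databricks/sql or apache-arrow; the package names `arrow-like` and `usage-like` and every version number in it are constructed stand-ins, and `satisfies` is a deliberately minimal reimplementation of npm's exact-pin and caret semantics rather than the `semver` package.

```javascript
// Added example, not code from @databricks/sql or apache-arrow.
// Package names and version numbers below are constructed to illustrate
// the mechanism in the issue: an exact pin in an intermediate package
// blocks a transitive patch release that a caret range would admit.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Handles the two range forms discussed in the issue: an exact pin
// ("6.1.0") and a caret range ("^6.1.0"). Caret semantics follow npm:
// for a lower bound with major >= 1, anything >= the bound and below the
// next major; for 0.x the minor is the compatibility boundary; for 0.0.x
// only the exact patch matches.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!range.startsWith('^')) return compareVersions(v, parseVersion(range)) === 0;
  const lo = parseVersion(range.slice(1));
  if (compareVersions(v, lo) < 0) return false;
  if (lo.major > 0) return v.major === lo.major;
  if (lo.minor > 0) return v.major === 0 && v.minor === lo.minor;
  return compareVersions(v, lo) === 0;
}

// Walk a dependency tree (name -> { deps: { name: range } }) from `root`
// and, for every edge that declares `target`, report whether the
// `patchedVersion` of `target` is allowed by the declared range.
function patchReach(tree, root, target, patchedVersion) {
  const findings = [];
  const visit = (name, trail) => {
    for (const [dep, range] of Object.entries(tree[name].deps)) {
      const nextTrail = [...trail, `${dep}@${range}`];
      if (dep === target) {
        findings.push({ chain: nextTrail.join(' > '), patchable: satisfies(patchedVersion, range) });
      } else if (tree[dep]) {
        visit(dep, nextTrail);
      }
    }
  };
  visit(root, [root]);
  return findings;
}

// Constructed trees. "arrow-like" stands in for the intermediate package,
// "usage-like" for the transitively pinned one. The 13.x-style tree pins
// an exact version; the 15.x-style tree uses a caret, mirroring the issue.
const pinnedTree = {
  app: { deps: { 'arrow-like': '^13.0.0' } },
  'arrow-like': { deps: { 'usage-like': '6.1.0' } },
};
const caretTree = {
  app: { deps: { 'arrow-like': '^15.0.0' } },
  'arrow-like': { deps: { 'usage-like': '^6.1.0' } },
};

// Ask whether a hypothetical patched release (default 6.1.1) of the
// transitive package can be installed under each tree.
function demo(patched = '6.1.1') {
  return {
    pinned: patchReach(pinnedTree, 'app', 'usage-like', patched),
    caret: patchReach(caretTree, 'app', 'usage-like', patched),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In a real audit the ranges come from each package's package.json or from `npm ls --all` rather than a hand-built tree. When the upstream major bump has to wait for testing, npm's `overrides` field in package.json (npm 8.3 and later) or yarn's `resolutions` can force the patched transitive version in the meantime; the check above tells you whether that override is needed at all.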
Hi @bombard1004! Thank you for reporting. Of course, we know about this issue, and did an investigation on the impact on this library. Considering that command-line-usage is used only for the arrow2csv CLI of apache-arrow, and also that no arbitrary JSON is passed to command-line-usage, we consider this low severity for us.
Of course, we'll do the upgrade you suggested, but considering it's a major version upgrade, we need some time for proper testing.
If you have any considerations (especially something that may change our assessment of the issue), feel free to share them here.
Hi @kravets-levko! Thank you for sharing the results of your investigation. Based on your findings, it seems this security vulnerability does not pose a significant risk to our project.
We also understand that a major version upgrade requires time for thorough testing, and we appreciate your careful approach.
Please proceed with the upgrade when ready. Thank you for your support!