chore(deps): bump deps (#10718)

ibis-project · Jan 24, 2025 · 5a49756 · 5a49756
1 parent 470e6fd
commit 5a49756
Show file tree

Hide file tree

Showing 4 changed files with 223 additions and 219 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/ibis/backends/mssql/__init__.py b/ibis/backends/mssql/__init__.py
@@ -319,6 +319,13 @@ def _get_schema_using_query(self, query: str) -> sch.Schema:
         # us to pre-filter the columns we want back.
         # The syntax is:
         # `sys.dm_exec_describe_first_result_set(@tsql, @params, @include_browse_information)`
+        #
+        # Yes, this *is* a SQL injection risk, but it's not clear how to avoid
+        # that since we allow users to pass arbitrary SQL.
+        #
+        # SQLGlot has a bug that forces capitalization of
+        # `dm_exec_describe_first_result_set`, so we can't even use its builder
+        # APIs. That doesn't really solve the injection problem though.
         query = f"""
         SELECT
           name,
@@ -330,7 +337,7 @@ def _get_schema_using_query(self, query: str) -> sch.Schema:
           error_message
         FROM sys.dm_exec_describe_first_result_set(N{tsql}, NULL, 0)
         ORDER BY column_ordinal
-        """
+        """  # noqa: S608
         with self._safe_raw_sql(query) as cur:
             rows = cur.fetchall()
 

diff --git a/requirements-dev.txt b/requirements-dev.txt