chore(deps): update dependency protobuf to v6 [security] #13771
Conversation
trusted-contributions-gcf
bot
added
kokoro:force-run
product-auto-label
bot
added
the
samples
Summary of ChangesHello @renovate-bot, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request updates the Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
kokoro-team
removed
the
kokoro:force-run
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the protobuf dependency to a new major version to address a security vulnerability. While this is an important security fix, upgrading a major version carries risks. There is a high probability of dependency conflicts with other packages like google-cloud-aiplatform, which may not be compatible with this new version of protobuf. This could break the application's installation. Furthermore, major version updates can introduce breaking API changes, which might require code adjustments. The impact on json_format.ParseDict, which is used in the project, should be carefully considered.
| @@ -1,2 +1,2 @@ | |||
| google-cloud-aiplatform[all]==1.64.0 | |||
| protobuf==5.29.5 | |||
| protobuf==6.33.5 | |||
There was a problem hiding this comment.
This major version upgrade of protobuf from v5 to v6 is likely to be incompatible with google-cloud-aiplatform==1.64.0. The aiplatform library probably specifies an upper-bound dependency on protobuf (e.g., <6.0.0), which will lead to dependency resolution failures during installation. To address this, google-cloud-aiplatform may also need to be upgraded to a version that is compatible with protobuf v6.
2 participants
This PR contains the following updates:
==5.29.5→==6.33.5GitHub Vulnerability Alerts
CVE-2026-0994
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.
Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.