
fix: require protobuf 6.33.5 in Bazel Workspace to address CVE-2026-0994 #17254

Draft
parthea wants to merge 9 commits into main from bump-protobuf

Conversation

@parthea (Contributor) commented May 26, 2026

This PR will be used to debug the changes needed to upgrade Protobuf in the Bazel Workspace. Also see #17349

@gemini-code-assist (Bot) left a comment

Code Review

This pull request updates the minimum required version of protobuf to 6.33.5 (and updates related Bazel dependencies) to address security vulnerability CVE-2026-0994. The feedback points out that setting constraints to protobuf>=7 in Python 3.13 and 3.14 testing templates unnecessarily excludes the secure 6.33.5 version and forces a major upgrade. Additionally, recommending 7.x in the package template is confusing since the minimum supported version is within the 6.x series, so recommending 6.x remains more appropriate.

grpcio>=1
proto-plus>=1
protobuf>=6
protobuf>=7
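Review bot: the new floor `protobuf>=7` rejects 6.33.5, the release this PR names as the minimum patched version in setup.py, so this constraints file would never test the version the fix is meant to require; change it to `protobuf>=6.33.5`. The unchanged `proto-plus>=1` context line above it is also out of step with the commit message in this thread, which says proto-plus must be a release that supports Protobuf 6 (v1.26.1 is cited); raise that floor in the same file so the constraint set actually describes an installable combination.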

high

Setting the constraint to protobuf>=7 excludes the secure 6.33.5 version that this PR is introducing. It also forces a major version upgrade to 7.x, which may not be fully compatible or available. It should be set to protobuf>=6.33.5 to align with the minimum secure version specified in setup.py.

protobuf>=6.33.5

grpcio>=1
proto-plus>=1
protobuf>=6
protobuf>=7
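Review bot: `protobuf>=7` here excludes 6.33.5 even though 6.33.5 is the version the PR establishes as the minimum supported release; the line should read `protobuf>=6.33.5`. As in the other template, `proto-plus>=1` still admits releases that predate Protobuf 6 support, which the commit message in this thread says is required (it cites v1.26.1), so that floor should move in the same change.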

high

Setting the constraint to protobuf>=7 excludes the secure 6.33.5 version that this PR is introducing. It also forces a major version upgrade to 7.x, which may not be fully compatible or available. It should be set to protobuf>=6.33.5 to align with the minimum secure version specified in setup.py.

protobuf>=6.33.5

_recommendation = " (we recommend 6.x)"
_next_supported_version = "6.33.5"
_next_supported_version_tuple = (6, 33, 5)
_recommendation = " (we recommend 7.x)"

medium

Since the minimum supported version is 6.33.5 (which is a 6.x version), recommending 7.x is unnecessary and potentially confusing for users who are on an older 6.x version (e.g., 6.30.0). They only need to upgrade to 6.33.5 or later within the 6.x series. Recommending 6.x is more appropriate.

        _recommendation = " (we recommend 6.x)"
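
The review comments above turn on how a requirement line is evaluated against an installed version: `protobuf>=7` is satisfied by 7.0.0 but not by 6.33.5, while `protobuf>=6` still admits an unpatched 6.30.0. The script below is an added example, not code from this PR or from google-cloud-python: it evaluates the constraint lines quoted in the review against candidate versions, and includes a runtime guard in the spirit of the template's `_next_supported_version_tuple` check. The function names, the requirement regex, the zero-padding rule for short versions and the guard's warning behaviour are assumptions made for illustration; only plain `N.N.N` release versions are handled, not pre-release or other PEP 440 forms.

```python
"""Evaluate pip-style version floors and a protobuf minimum-version guard.

Added example (not the project's code). It shows why "protobuf>=7" rejects
6.33.5 while "protobuf>=6.33.5" accepts it, and why "protobuf>=6" lets an
unpatched 6.30.0 through. Only plain N.N.N release versions are supported.
"""
import re
import warnings

# Minimum patched release named in the PR thread.
MIN_PATCHED = (6, 33, 5)
# Wording suggested in the review for the guard's message.
_RECOMMENDATION = " (we recommend 6.x)"

# Assumed requirement syntax: "<name><op><version>", one specifier per line.
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9_.-]+)\s*(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*$"
)

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text):
    """'6.33.5' -> (6, 33, 5).

    Versions with fewer than three components are zero-padded (an assumed
    rule), so '7' becomes (7, 0, 0) and tuple comparison gives 6.33.5 < 7.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def parse_requirement(line):
    """Split one requirement line into (name, operator, version tuple)."""
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"unsupported requirement line: {line!r}")
    name, op, ver = m.groups()
    return name.lower(), op, parse_version(ver)


def satisfies(line, installed):
    """True if the installed version string meets the requirement line."""
    _name, op, bound = parse_requirement(line)
    return _OPS[op](parse_version(installed), bound)


def check_protobuf(installed_version, minimum=MIN_PATCHED):
    """Runtime guard modelled on the template's minimum-version check.

    This is an assumption about how such a guard behaves, not the real
    template code: returns True when installed_version >= minimum, otherwise
    emits a FutureWarning carrying the recommendation and returns False.
    """
    installed = parse_version(installed_version)
    if installed >= minimum:
        return True
    warnings.warn(
        f"protobuf {installed_version} is below the minimum supported "
        f"version {'.'.join(map(str, minimum))}{_RECOMMENDATION}",
        FutureWarning,
        stacklevel=2,
    )
    return False


if __name__ == "__main__":
    # Constraint lines taken from the review, checked against three
    # constructed candidate versions: an old 6.x, the patched 6.x, and 7.x.
    for req in ("protobuf>=6", "protobuf>=7", "protobuf>=6.33.5"):
        for candidate in ("6.30.0", "6.33.5", "7.0.0"):
            print(f"{req:<18} installed {candidate:<7} -> {satisfies(req, candidate)}")
    check_protobuf("6.30.0")  # warns: below 6.33.5
```

Run it directly to see the full truth table; `protobuf>=7` is the only floor that rejects 6.33.5, and `protobuf>=6` is the only one that accepts 6.30.0, which is the combination the review objects to.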

@parthea changed the title from "fix: require protobuf 6.33.5 to address CVE-2026-0994" to "fix: require protobuf 6.33.5 in Bazel Workspace to address CVE-2026-0994" on Jun 2, 2026
parthea added a commit that referenced this pull request Jun 2, 2026
Require Protobuf 6.33.5 to address
[CVE-2026-0994](GHSA-7gcm-g887-7qv7). As
per https://protobuf.dev/support/version-support/#python and
https://protobuf.dev/support/version-support/#duration, Protobuf 5.x is
no longer supported.

The changes to bump Protobuf in the bazel WORKSPACE file will be done in
a [separate
PR](#17254).

The minimum versions of `google-api-core` and `proto-plus` and others
also need to be versions that support Protobuf 6
https://github.com/googleapis/python-api-core/releases/tag/v2.24.2
https://github.com/googleapis/proto-plus-python/releases/tag/v1.26.1

Also see the client library versions which allow Protobuf 6.x in PR
#13644
(https://github.com/googleapis/google-cloud-python/blob/release-please--branches--main--release-notes/release-notes.md)

Towards b/420641246