fix: require protobuf 6.33.5 to address CVE-2026-0994 #17349
Conversation
Code Review
This pull request updates the minimum supported version of protobuf to 6.33.5 (to address CVE-2026-0994) and google-api-core to 2.24.2 across setup templates, requirements, and golden test files. The review feedback highlights that recommending 7.x is premature given the new 6.33.5 minimum, and that changing the Python 3.13 and 3.14 constraints to protobuf>=7 incorrectly prevents testing with the minimum supported 6.x versions.
| _recommendation = " (we recommend 6.x)" | ||
| _next_supported_version = "6.33.5" | ||
| _next_supported_version_tuple = (6, 33, 5) | ||
| _recommendation = " (we recommend 7.x)" |
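Review bot: `_next_supported_version = "6.33.5"` and `_next_supported_version_tuple = (6, 33, 5)` are two hand-maintained copies of the same value, so a future bump that edits one and forgets the other would silently misreport the minimum. Consider deriving the tuple from the string, e.g. `_next_supported_version_tuple = tuple(int(p) for p in _next_supported_version.split("."))`, so only one literal ever needs changing. On the same lines, the recommendation text should name the major that the new 6.33.5 minimum actually belongs to rather than 7.x.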
Recommending 7.x when the minimum supported version is 6.33.5 (which is 6.x) is premature and potentially confusing, as 6.x is the current supported major version. It is better to keep the recommendation as 6.x so users are guided to a valid, supported version that meets the minimum requirement.
_recommendation = " (we recommend 6.x)"
| grpcio>=1 | ||
| proto-plus>=1 | ||
| protobuf>=6 | ||
| protobuf>=7 |
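Review bot: `proto-plus>=1` in this Python 3.13 constraints file is left untouched while the PR description gives proto-plus 1.26.1 as the release that supports Protobuf 6; with a `>=1` floor the minimum-version run can still resolve a proto-plus build that predates Protobuf 6 support and fail for reasons unrelated to the protobuf change. Raise it to `proto-plus>=1.26.1` alongside the protobuf bump, and keep the protobuf line at a floor that still admits 6.33.5 (`protobuf>=6.33.5`) rather than `protobuf>=7`, which excludes every 6.x release.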
Since the minimum supported version of protobuf is now 6.33.5, protobuf>=6 is perfectly valid and allows testing with the minimum supported version. Changing this to protobuf>=7 prevents testing with any 6.x version (including 6.33.5) on Python 3.13, which defeats the purpose of testing the minimum supported version. It should remain protobuf>=6 (or be updated to protobuf>=6.33.5).
protobuf>=6
| grpcio>=1 | ||
| proto-plus>=1 | ||
| protobuf>=6 | ||
| protobuf>=7 |
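Review bot: the Python 3.14 constraints file has the same gap as its 3.13 counterpart: `proto-plus>=1` stays at a floor that predates Protobuf 6 support even though the description cites proto-plus 1.26.1 as the supporting release, so it should become `proto-plus>=1.26.1`, and `protobuf>=7` should be `protobuf>=6.33.5` so the file still exercises the 6.33.5 minimum this PR introduces.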
Since the minimum supported version of protobuf is now 6.33.5, protobuf>=6 is perfectly valid and allows testing with the minimum supported version. Changing this to protobuf>=7 prevents testing with any 6.x version (including 6.33.5) on Python 3.14, which defeats the purpose of testing the minimum supported version. It should remain protobuf>=6 (or be updated to protobuf>=6.33.5).
protobuf>=6
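To make the point of the two constraints-file comments concrete (a `protobuf>=7` floor excludes 6.33.5, while `protobuf>=6` or `protobuf>=6.33.5` admits it), here is an added example that is not part of this PR or of the project it targets. It hand-parses the small subset of requirement syntax used in those files (a name followed by comma-separated `>=`, `>`, `<=`, `<`, `==`, `!=` clauses with final-release versions) so it runs with no third-party packages; a real project would use `packaging.specifiers` instead. It also shows a minimum-version check built on the `6.33.5` / `(6, 33, 5)` / recommendation values from the first hunk; the `minimum_version_warning` helper and its message text are assumptions for illustration, not the template's own logic.

```python
"""Requirement-floor checks for the protobuf bump discussed in this PR.

Added example for this page, not code from the PR or its project. Only the
requirement syntax seen in the constraints files above is supported.
"""
from __future__ import annotations

import re

_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<specs>.*)$")
_CLAUSE_RE = re.compile(r"^(?P<op>>=|<=|==|!=|>|<)\s*(?P<ver>[0-9]+(?:\.[0-9]+)*)$")


def version_tuple(version: str) -> tuple[int, ...]:
    """Turn '6.33.5' into (6, 33, 5); pre-release/local forms are rejected, not guessed."""
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", version):
        raise ValueError(f"only final-release versions are supported: {version!r}")
    return tuple(int(part) for part in version.split("."))


def _compare(op: str, have: tuple[int, ...], want: tuple[int, ...]) -> bool:
    """Compare two version tuples after zero-padding, so '6' means 6.0.0."""
    width = max(len(have), len(want))
    have = have + (0,) * (width - len(have))
    want = want + (0,) * (width - len(want))
    return {
        ">=": have >= want,
        ">": have > want,
        "<=": have <= want,
        "<": have < want,
        "==": have == want,
        "!=": have != want,
    }[op]


def parse_requirement(line: str) -> tuple[str, list[tuple[str, tuple[int, ...]]]]:
    """Parse 'protobuf>=6.33.5,<8  # note' into ('protobuf', [('>=', (6, 33, 5)), ('<', (8,))])."""
    text = line.split("#", 1)[0].strip()
    match = _REQ_RE.match(text)
    if not match:
        raise ValueError(f"unparseable requirement: {line!r}")
    clauses = []
    for part in filter(None, (p.strip() for p in match.group("specs").split(","))):
        clause = _CLAUSE_RE.match(part)
        if not clause:
            raise ValueError(f"unsupported specifier {part!r} in {line!r}")
        clauses.append((clause.group("op"), version_tuple(clause.group("ver"))))
    return match.group("name").lower(), clauses


def admits(requirement: str, version: str) -> bool:
    """True if `version` satisfies every clause of `requirement` (no clauses admits anything)."""
    _, clauses = parse_requirement(requirement)
    have = version_tuple(version)
    return all(_compare(op, have, want) for op, want in clauses)


# Values taken from the first hunk on this page. The warning helper below is an
# assumed illustration of how such values get used, not the template's own code.
MINIMUM_PROTOBUF = "6.33.5"
MINIMUM_PROTOBUF_TUPLE = version_tuple(MINIMUM_PROTOBUF)  # derived, so it cannot drift from the string
RECOMMENDATION = " (we recommend 6.x)"


def minimum_version_warning(installed: str,
                            minimum: tuple[int, ...] = MINIMUM_PROTOBUF_TUPLE,
                            recommendation: str = RECOMMENDATION) -> str | None:
    """Return a warning if `installed` is below the supported floor, otherwise None."""
    if _compare(">=", version_tuple(installed), minimum):
        return None
    floor = ".".join(str(p) for p in minimum)
    return f"protobuf {installed} is below the minimum supported version {floor}{recommendation}"


if __name__ == "__main__":
    for req in ("protobuf>=6", "protobuf>=6.33.5", "protobuf>=7"):
        print(f"{req:20} admits {MINIMUM_PROTOBUF}? {admits(req, MINIMUM_PROTOBUF)}")
    print(minimum_version_warning("5.29.5"))
```

Running it shows `protobuf>=6` and `protobuf>=6.33.5` admitting 6.33.5 and `protobuf>=7` rejecting it, which is exactly why a constraints file meant to exercise the minimum cannot carry a `>=7` floor; it also shows a 5.x install tripping the warning, matching the PR's statement that 5.x is no longer supported.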
Require Protobuf 6.33.5 to address CVE-2026-0994. As per https://protobuf.dev/support/version-support/#python and https://protobuf.dev/support/version-support/#duration, Protobuf 5.x is no longer supported.
The changes to bump Protobuf in the bazel WORKSPACE file will be done in a separate PR.
The minimum versions of google-api-core and proto-plus and others also need to be versions that support Protobuf 6:
https://github.com/googleapis/python-api-core/releases/tag/v2.24.2
https://github.com/googleapis/proto-plus-python/releases/tag/v1.26.1
Also see the client library versions which allow Protobuf 6.x in PR #13644 (https://github.com/googleapis/google-cloud-python/blob/release-please--branches--main--release-notes/release-notes.md)
Towards b/420641246