fix: require protobuf 6.33.5 to address CVE-2026-0994 #17349
Code Review
This pull request updates the minimum supported version of protobuf to 6.33.5 (to address CVE-2026-0994) and google-api-core to 2.24.2 across setup templates, requirements, and golden test files. The review feedback highlights that recommending 7.x is premature given the new 6.33.5 minimum, and that changing the Python 3.13 and 3.14 constraints to protobuf>=7 incorrectly prevents testing with the minimum supported 6.x versions.
| _recommendation = " (we recommend 6.x)" | ||
| _next_supported_version = "6.33.5" | ||
| _next_supported_version_tuple = (6, 33, 5) | ||
| _recommendation = " (we recommend 7.x)" |
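Review bot: the added line's recommendation string ("we recommend 7.x") contradicts `_next_supported_version = "6.33.5"` two lines above it, which is a 6.x release. Keep `_recommendation = " (we recommend 6.x)"`, or derive the major from `_next_supported_version_tuple[0]` so the two values cannot drift apart again.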
Recommending 7.x when the minimum supported version is 6.33.5 (which is 6.x) is premature and potentially confusing, as 6.x is the current supported major version. It is better to keep the recommendation as 6.x so users are guided to a valid, supported version that meets the minimum requirement.
_recommendation = " (we recommend 6.x)"
| grpcio>=1 | ||
| proto-plus>=1 | ||
| protobuf>=6 | ||
| protobuf>=7 |
Since the minimum supported version of protobuf is now 6.33.5, protobuf>=6 is perfectly valid and allows testing with the minimum supported version. Changing this to protobuf>=7 prevents testing with any 6.x version (including 6.33.5) on Python 3.13, which defeats the purpose of testing the minimum supported version. It should remain protobuf>=6 (or be updated to protobuf>=6.33.5).
protobuf>=6
| grpcio>=1 | ||
| proto-plus>=1 | ||
| protobuf>=6 | ||
| protobuf>=7 |
Since the minimum supported version of protobuf is now 6.33.5, protobuf>=6 is perfectly valid and allows testing with the minimum supported version. Changing this to protobuf>=7 prevents testing with any 6.x version (including 6.33.5) on Python 3.14, which defeats the purpose of testing the minimum supported version. It should remain protobuf>=6 (or be updated to protobuf>=6.33.5).
protobuf>=6
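The two review comments above argue that a constraints file's lower bound must still admit the declared minimum protobuf version, otherwise the minimum-version test job cannot install it. The following is an added example (not code from this PR or from google-cloud-python) that checks exactly that for constructed constraints files, using the `6.33.5` values from the hunk; the filenames and the warning-message format are assumptions.

```python
import re

# Values copied from the hunk under review.
NEXT_SUPPORTED_VERSION = "6.33.5"
NEXT_SUPPORTED_VERSION_TUPLE = (6, 33, 5)
RECOMMENDATION = " (we recommend 6.x)"

# Constructed sample constraints files (filenames are assumed), one per
# Python version: 3.13 carries the questioned "protobuf>=7" change.
CONSTRAINTS = {
    "constraints-3.13.txt": "grpcio>=1\nproto-plus>=1\nprotobuf>=7\n",
    "constraints-3.14.txt": "grpcio>=1\nproto-plus>=1\nprotobuf>=6\n",
}

def parse_version(text):
    """'6.33.5' -> (6, 33, 5); missing components count as 0, so '6' -> (6, 0, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def lower_bound(constraints_text, package):
    """Version tuple after 'package>=' in the file, or None if no such line."""
    pattern = re.compile(rf"^{re.escape(package)}\s*>=\s*([\d.]+)\s*$")
    for line in constraints_text.splitlines():
        match = pattern.match(line.strip())
        if match:
            return parse_version(match.group(1))
    return None

def admits_minimum(constraints_text, package="protobuf",
                   minimum=NEXT_SUPPORTED_VERSION_TUPLE):
    """True when the file's lower bound lets pip install the minimum supported
    version, i.e. the minimum-version test job can actually exercise it."""
    bound = lower_bound(constraints_text, package)
    return bound is not None and bound <= minimum

def audit(constraints=CONSTRAINTS):
    """Filename -> whether protobuf 6.33.5 is installable under that file."""
    return {name: admits_minimum(text) for name, text in constraints.items()}

def runtime_warning(installed_version):
    """Message for an installed protobuf older than the minimum, combining the
    hunk's version and recommendation strings (message format is assumed)."""
    if parse_version(installed_version) < NEXT_SUPPORTED_VERSION_TUPLE:
        return (f"protobuf {installed_version} is older than the minimum supported "
                f"version {NEXT_SUPPORTED_VERSION}{RECOMMENDATION}")
    return None
```

Running `audit()` on the constructed files reports the 3.13 file as unable to test 6.33.5, which is the defect the comments above describe.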
PR created by the Librarian CLI to initialize a release. Merging this PR will auto trigger a release.

Librarian Version: v0.19.0
Language Image: us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator@sha256:234b9d1f2ddb057ed7ac6a38db0bf8163d839c65c6cf88ade52530cddebce59e

<details><summary>gapic-generator: v1.35.0</summary>

## [v1.35.0](gapic-generator-v1.34.1...gapic-generator-v1.35.0) (2026-06-11)

### Features

* setup.py matches prerelease versions (#17370) ([25b857e](25b857e1))

### Bug Fixes

* require protobuf 6.33.5 to address CVE-2026-0994 (#17349) ([6642263](66422636))

</details>

<details><summary>google-auth: v2.54.0</summary>

## [v2.54.0](google-auth-v2.53.0...google-auth-v2.54.0) (2026-06-11)

### Features

* implement regional access boundary support for standalone JWT and async service accounts (#17025) ([35af616](35af6168))

### Bug Fixes

* configure mTLS for impersonated credentials (#17404) ([57269d5](57269d56))
* fail-fast on missing ECP config file to avoid 30s hang (#17377) ([e096127](e0961270))
* Rename the 'seed' argument for setting an initial regional access boundary for clarity (#17186) ([e5c8cf9](e5c8cf92))
* update incorrect urls in setup.py to point at monorepo vs splitrepo (#17237) ([eaed04b](eaed04ba))

</details>

<details><summary>google-cloud-alloydb: v0.11.0</summary>

## [v0.11.0](google-cloud-alloydb-v0.10.0...google-cloud-alloydb-v0.11.0) (2026-06-11)

### Features

* update API sources and regenerate (#17413) ([59fe7cf](59fe7cf8))

</details>

<details><summary>google-cloud-biglake: v0.5.0</summary>

## [v0.5.0](google-cloud-biglake-v0.4.0...google-cloud-biglake-v0.5.0) (2026-06-11)

### Features

* update API sources and regenerate (#17431) ([2e75c78](2e75c78c))

</details>

<details><summary>google-cloud-ces: v0.7.0</summary>

## [v0.7.0](google-cloud-ces-v0.6.0...google-cloud-ces-v0.7.0) (2026-06-11)

### Features

* update API sources and regenerate (#17413) ([59fe7cf](59fe7cf8))

</details>

<details><summary>google-cloud-confidentialcomputing: v0.11.0</summary>

## [v0.11.0](google-cloud-confidentialcomputing-v0.10.0...google-cloud-confidentialcomputing-v0.11.0) (2026-06-11)

### Features

* update API sources and regenerate (#17413) ([59fe7cf](59fe7cf8))

</details>

<details><summary>google-cloud-modelarmor: v0.7.0</summary>

## [v0.7.0](google-cloud-modelarmor-v0.6.0...google-cloud-modelarmor-v0.7.0) (2026-06-11)

### Features

* update API sources and regenerate (#17413) ([59fe7cf](59fe7cf8))

</details>

<details><summary>google-cloud-network-services: v0.10.0</summary>

## [v0.10.0](google-cloud-network-services-v0.9.0...google-cloud-network-services-v0.10.0) (2026-06-11)

### Features

* update API sources and regenerate (#17431) ([2e75c78](2e75c78c))

</details>

<details><summary>google-cloud-oracledatabase: v0.6.0</summary>

## [v0.6.0](google-cloud-oracledatabase-v0.5.0...google-cloud-oracledatabase-v0.6.0) (2026-06-11)

### Features

* update API sources and regenerate (#17413) ([59fe7cf](59fe7cf8))

</details>

<details><summary>google-cloud-spanner: v3.68.0</summary>

## [v3.68.0](google-cloud-spanner-v3.67.0...google-cloud-spanner-v3.68.0) (2026-06-11)

### Features

* add asynchronous code snippets and minor cleanup changes (#17337) ([d6aaf61](d6aaf610))

### Performance Improvements

* optimize query result decoding (#17375) ([3f70b2f](3f70b2ff))

</details>

<details><summary>google-cloud-storage: v3.12.0</summary>

## [v3.12.0](google-cloud-storage-v3.11.0...google-cloud-storage-v3.12.0) (2026-06-11)

### Features

* full object checksum: implement rolling checksum and verification in reads resumption strategy (#17262) ([2361ba6](2361ba6e))
* Enable full object checksum PR 1/3 : parse finalize_time and server crc32c in async object stream (#17261) ([72c7a27](72c7a272))
* full object checksum: integrate full-object checksum in AsyncMultiRangeDownloader (#17263) ([b6a85e4](b6a85e49))

</details>

<details><summary>google-developer-knowledge: v0.1.0</summary>

## [v0.1.0](google-developer-knowledge-v0.0.0...google-developer-knowledge-v0.1.0) (2026-06-11)

### Features

* add google-developer-knowledge (#17417) ([ca02afc](ca02afce))

</details>
Require Protobuf 6.33.5 to address CVE-2026-0994. As per https://protobuf.dev/support/version-support/#python and https://protobuf.dev/support/version-support/#duration, Protobuf 5.x is no longer supported.
The changes to bump Protobuf in the bazel WORKSPACE file will be done in a separate PR.
The minimum versions of google-api-core and proto-plus and others also need to be versions that support Protobuf 6:
https://github.com/googleapis/python-api-core/releases/tag/v2.24.2
https://github.com/googleapis/proto-plus-python/releases/tag/v1.26.1
Also see the client library versions which allow Protobuf 6.x in PR #13644 (https://github.com/googleapis/google-cloud-python/blob/release-please--branches--main--release-notes/release-notes.md)
Towards b/420641246