chore(deps): [conversational-commerce-agent] Update dependency protobuf [SECURITY] #314

Open
renovate-bot wants to merge 1 commit into GoogleCloudPlatform:main from renovate-bot:renovate/pypi-protobuf-vulnerability

Conversation


renovate-bot (Contributor) commented Feb 1, 2026

This PR contains the following updates:

| Package | Change |
|---|---|
| protobuf | `5.29.6` -> `6.30.0` |
| protobuf | `==4.25.8` -> `==5.29.6` |

protobuf affected by a JSON recursion depth bypass

CVE-2026-0994 / GHSA-7gcm-g887-7qv7

More information

Details

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.

Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
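An added example, not code from the Renovate PR or from the protobuf project: an iterative depth guard that a consumer can run over decoded JSON before handing it to `ParseDict()`, so the limit no longer depends on protobuf's own recursion accounting. Function names, the `max_depth` default and the constructed nested-`Any` sample are my assumptions; only the lazy `ParseDict` import needs protobuf installed.

```python
# Added example (not from the Renovate PR or the protobuf project).
# CVE-2026-0994: ParseDict's max_recursion_depth can be bypassed when
# google.protobuf.Any messages are nested, ending in a RecursionError.
# This guard counts dict/list nesting itself, before ParseDict runs, and
# is deliberately non-recursive so it cannot blow the stack on the very
# input it is meant to reject.
from typing import Any as _Any

ANY_TYPE_URL = "type.googleapis.com/google.protobuf.Any"


def nesting_depth(obj: _Any) -> int:
    """Maximum dict/list nesting depth of a decoded JSON value (iterative)."""
    deepest = 0
    stack = [(obj, 1)]                      # explicit stack, no recursion
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = node.values()
        elif isinstance(node, list):
            children = node
        else:
            continue                        # scalars add no nesting level
        deepest = max(deepest, depth)
        for child in children:
            stack.append((child, depth + 1))
    return deepest


def within_limit(obj: _Any, max_depth: int) -> bool:
    """True when the JSON value nests no deeper than max_depth levels."""
    return nesting_depth(obj) <= max_depth


def build_nested_any(levels: int) -> dict:
    """Constructed sample: `levels` Any JSON objects, each wrapping the next
    in its "value" field. Built bottom-up with a loop, not recursion."""
    node: dict = {"@type": ANY_TYPE_URL}
    for _ in range(levels - 1):
        node = {"@type": ANY_TYPE_URL, "value": node}
    return node


def guarded_parse_dict(js_dict: dict, message: _Any, max_depth: int = 100):
    """Reject over-nested input, then defer to protobuf's ParseDict.
    Assumption: the protobuf package is installed when this is called."""
    depth = nesting_depth(js_dict)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    from google.protobuf.json_format import ParseDict  # lazy: guard works without it
    return ParseDict(js_dict, message, max_recursion_depth=max_depth)
```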

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

GitHub Vulnerability Alerts

CVE-2026-0994


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

forking-renovate bot commented Feb 1, 2026

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: projects/conversational-commerce-agent/data-ingestion/requirements.txt
Command failed: pip-compile --generate-hashes requirements.in
  ERROR: Cannot install -r requirements.in (line 16), -r requirements.in (line 23), -r requirements.in (line 6), -r requirements.in (line 8) and protobuf==5.29.6 because these package versions have conflicting dependencies.
Traceback (most recent call last):
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 99, in resolve
    result = self._result = resolver.resolve(
                            ^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/pip/_vendor/resolvelib/resolvers/resolution.py", line 601, in resolve
    state = resolution.resolve(requirements, max_rounds=max_rounds)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/pip/_vendor/resolvelib/resolvers/resolution.py", line 542, in resolve
    raise ResolutionImpossible(self.state.backtrack_causes)
pip._vendor.resolvelib.resolvers.exceptions.ResolutionImpossible: [RequirementInformation(requirement=SpecifierRequirement('protobuf==5.29.6'), parent=None), RequirementInformation(requirement=SpecifierRequirement('protobuf!=3.20.0,!=3.20.1,!=4.21.0,!=4.21.1,!=4.21.2,!=4.21.3,!=4.21.4,!=4.21.5,<6.0.0.dev0,>=3.19.5'), parent=LinkCandidate('https://files.pythonhosted.org/packages/17/a4/c26886d57d90032c5f74c2e80aefdc38ec58551fc46bd4ce79fb2c9389fa/google_api_core-2.23.0-py3-none-any.whl (from https://pypi.org/simple/google-api-core/) (requires-python:>=3.7)')), RequirementInformation(requirement=SpecifierRequirement('protobuf!=3.20.0,!=3.20.1,!=4.21.1,!=4.21.2,!=4.21.3,!=4.21.4,!=4.21.5,<6.0.0.dev0,>=3.20.2'), parent=LinkCandidate('https://files.pythonhosted.org/packages/a0/0f/c0713fb2b3d28af4b2fded3291df1c4d4f79a00d15c2374a9e010870016c/googleapis_common_protos-1.66.0-py2.py3-none-any.whl (from https://pypi.org/simple/googleapis-common-protos/) (requires-python:>=3.7)')), RequirementInformation(requirement=SpecifierRequirement('protobuf<6.0.0dev,>=3.19.0'), parent=LinkCandidate('https://files.pythonhosted.org/packages/dd/25/0b7cc838ae3d76d46539020ec39fc92bfc9acc29367e58fe912702c2a79e/proto_plus-1.25.0-py3-none-any.whl (from https://pypi.org/simple/proto-plus/) (requires-python:>=3.7)')), RequirementInformation(requirement=SpecifierRequirement('protobuf!=3.20.0,!=3.20.1,!=4.21.0,!=4.21.1,!=4.21.2,!=4.21.3,!=4.21.4,!=4.21.5,<5.0.0dev,>=3.19.5'), parent=LinkCandidate('https://files.pythonhosted.org/packages/e7/78/77d4d56bb29b9bbe9ec80410bb32c241fcd8daee4bb319ce8a925e48487b/google_cloud_aiplatform-1.48.0-py2.py3-none-any.whl (from https://pypi.org/simple/google-cloud-aiplatform/) (requires-python:>=3.8)'))]

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/bin/pip-compile", line 7, in <module>
    sys.exit(cli())
             ^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/click/core.py", line 1485, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/click/core.py", line 1406, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/click/core.py", line 1269, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/click/core.py", line 824, in invoke
    return callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/click/decorators.py", line 34, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/piptools/scripts/compile.py", line 481, in cli
    results = resolver.resolve(max_rounds=max_rounds)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/piptools/resolver.py", line 642, in resolve
    is_resolved = self._do_resolve(
                  ^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/piptools/resolver.py", line 677, in _do_resolve
    resolver.resolve(
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 108, in resolve
    raise error from e
pip._internal.exceptions.DistributionNotFound: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts

File name: projects/conversational-commerce-agent/conversational-agent-examples/assets/apparel-search-cf/requirements.txt
Command failed: pip-compile --generate-hashes requirements.in --upgrade-package=protobuf==6.30.0
  ERROR: Cannot install -r requirements.in (line 2) because these package versions have conflicting dependencies.
Traceback (most recent call last):
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 99, in resolve
    result = self._result = resolver.resolve(
                            ^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/pip/_vendor/resolvelib/resolvers/resolution.py", line 601, in resolve
    state = resolution.resolve(requirements, max_rounds=max_rounds)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/pip/_vendor/resolvelib/resolvers/resolution.py", line 542, in resolve
    raise ResolutionImpossible(self.state.backtrack_causes)
pip._vendor.resolvelib.resolvers.exceptions.ResolutionImpossible: [RequirementInformation(requirement=SpecifierRequirement('protobuf!=4.21.0,!=4.21.1,!=4.21.2,!=4.21.3,!=4.21.4,!=4.21.5,<6.0.0dev,>=3.20.2'), parent=LinkCandidate('https://files.pythonhosted.org/packages/a9/8f/743ceac8fa8989acd08fa02bce9fa15ab841bce3fffbb10b6a96a4f7a90e/google_cloud_retail-1.24.0-py2.py3-none-any.whl (from https://pypi.org/simple/google-cloud-retail/) (requires-python:>=3.7)'))]

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/bin/pip-compile", line 7, in <module>
    sys.exit(cli())
             ^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/click/core.py", line 1485, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/click/core.py", line 1406, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/click/core.py", line 1269, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/click/core.py", line 824, in invoke
    return callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/click/decorators.py", line 34, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/piptools/scripts/compile.py", line 481, in cli
    results = resolver.resolve(max_rounds=max_rounds)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/piptools/resolver.py", line 642, in resolve
    is_resolved = self._do_resolve(
                  ^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/piptools/resolver.py", line 677, in _do_resolve
    resolver.resolve(
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.11.14/lib/python3.11/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 108, in resolve
    raise error from e
pip._internal.exceptions.DistributionNotFound: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts

renovate-bot added the p0 label on Feb 1, 2026
renovate-bot changed the title from "chore(deps): [contextual-ai] Update dependency protobuf to v6.33.5 [SECURITY]" to "chore(deps): [contextual-ai] Update dependency protobuf [SECURITY]" on Feb 9, 2026
renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch 2 times, most recently from 4a582c7 to c8bc1d6 on February 10, 2026 08:20
renovate-bot changed the title from "chore(deps): [contextual-ai] Update dependency protobuf [SECURITY]" to "chore(deps): [conversational-commerce-agent] Update dependency protobuf [SECURITY]" on Feb 11, 2026
renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from c8bc1d6 to 7a1e651 on February 11, 2026 10:03
forking-renovate bot added the dependencies label (Pull requests that update a dependency file) on Feb 11, 2026
renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 7a1e651 to baf0c45 on February 13, 2026 13:27
Labels

dependencies (Pull requests that update a dependency file), p0, SECURITY