Commit 6642263

authored
fix: require protobuf 6.33.5 to address CVE-2026-0994 (#17349)
Require Protobuf 6.33.5 to address [CVE-2026-0994](GHSA-7gcm-g887-7qv7). As per https://protobuf.dev/support/version-support/#python and https://protobuf.dev/support/version-support/#duration, Protobuf 5.x is no longer supported. The changes to bump Protobuf in the bazel WORKSPACE file will be done in a [separate PR](#17254). The minimum versions of `google-api-core` and `proto-plus` and others also need to be versions that support Protobuf 6 https://github.com/googleapis/python-api-core/releases/tag/v2.24.2 https://github.com/googleapis/proto-plus-python/releases/tag/v1.26.1 Also see the client library versions which allow Protobuf 6.x in PR #13644 (https://github.com/googleapis/google-cloud-python/blob/release-please--branches--main--release-notes/release-notes.md) Towards b/420641246
1 parent 0953133 commit 6642263

34 files changed

+124-136Lines changed: 124 additions & 136 deletions


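--- a/packages/gapic-generator/gapic/ads-templates/setup.py.j2
+++ b/packages/gapic-generator/gapic/ads-templates/setup.py.j2
@@ -29,12 +29,12 @@ else:
 release_status = "Development Status :: 5 - Production/Stable"
 
 dependencies = [
-"google-api-core[grpc] >= 2.10.0, < 3.0.0",
+"google-api-core[grpc] >= 2.24.2, < 3.0.0",
 "google-auth >= 2.14.1, <3.0.0",
 "googleapis-common-protos >= 1.53.0",
 "grpcio >= 1.10.0",
-"proto-plus >= 1.22.3, <2.0.0",
-"protobuf >= 4.25.8, < 8.0.0",
+"proto-plus >= 1.26.1, <2.0.0",
+"protobuf >= 6.33.5, < 8.0.0",
 {% if api.requires_package(('google', 'iam', 'v1')) %}
 "grpc-google-iam-v1",
 {% endif %}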
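Review bot: The raised `protobuf` floor in `dependencies` carries no pointer to the advisory it exists for, so a later cleanup of lower bounds has nothing in the file telling it that `6.33.5` is a security minimum. `requirements.in` in this commit documents the reason inline; the templates should do the same with a Jinja comment above the line, e.g. `{# protobuf >= 6.33.5 is the minimum for CVE-2026-0994 (GHSA-7gcm-g887-7qv7); do not lower #}`. The same applies to `gapic/templates/setup.py.j2`, where the existing comment above the `protobuf` line still refers only to GCP-2022-019, and to `packages/gapic-generator/setup.py`.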

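--- a/packages/gapic-generator/gapic/templates/%namespace/%name_%version/%sub/__init__.py.j2
+++ b/packages/gapic-generator/gapic/templates/%namespace/%name_%version/%sub/__init__.py.j2
@@ -69,7 +69,7 @@ else: # pragma: NO COVER
 
 def parse_version_to_tuple(version_string: str):
 """Safely converts a semantic version string to a comparable tuple of integers.
-Example: "4.25.8" -> (4, 25, 8)
+Example: "6.33.5" -> (6, 33, 5)
 Ignores non-numeric parts and handles common version formats.
 Args:
 version_string: Version string in the format "x.y.z" or "x.y.z<suffix>"
@@ -98,9 +98,9 @@ else: # pragma: NO COVER
 return (None, "--")
 
 _dependency_package = "google.protobuf"
-_next_supported_version = "4.25.8"
-_next_supported_version_tuple = (4, 25, 8)
-_recommendation = " (we recommend 6.x)"
+_next_supported_version = "6.33.5"
+_next_supported_version_tuple = (6, 33, 5)
+_recommendation = " (we recommend 7.x)"
 (_version_used, _version_used_string) = _get_version(_dependency_package)
 if _version_used and _version_used < _next_supported_version_tuple:
 warnings.warn(f"Package {_package_label} depends on " +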
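Review bot: `_next_supported_version` and `_next_supported_version_tuple` in the second hunk hold the same floor twice and have to be edited in lockstep, as this commit does by hand. Deriving one from the other, `_next_supported_version_tuple = parse_version_to_tuple(_next_supported_version)`, removes the chance that a later security bump updates only one of them and leaves the runtime check comparing against the old minimum. This assumes `parse_version_to_tuple`, whose body is outside the hunk, is defined earlier in the same branch, which the line numbers suggest. The `warnings.warn(` call continues past the hunk, so whether its message tells the user that the floor is now a security fix cannot be checked here. The golden `asset_v1/__init__.py` carries the same pair and would follow from regeneration.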

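--- a/packages/gapic-generator/gapic/templates/_pypi_packages.j2
+++ b/packages/gapic-generator/gapic/templates/_pypi_packages.j2
@@ -7,14 +7,14 @@ allowed version.
 -->
 {% set pypi_packages = {
 ("google", "apps", "card", "v1"): {"package_name": "google-apps-card", "lower_bound": "0.3.0", "upper_bound": "1.0.0"},
-("google", "apps", "script", "type"): {"package_name": "google-apps-script-type", "lower_bound": "0.2.0", "upper_bound": "1.0.0"},
-("google", "geo", "type"): {"package_name": "google-geo-type", "lower_bound": "0.1.0", "upper_bound": "1.0.0"},
-("google", "identity", "accesscontextmanager", "v1"): {"package_name": "google-cloud-access-context-manager", "lower_bound": "0.2.0", "upper_bound": "1.0.0"},
-("google", "cloud", "documentai", "v1"): {"package_name": "google-cloud-documentai", "lower_bound": "2.4.1", "upper_bound": "4.0.0"},
-("google", "cloud", "kms", "v1"): {"package_name": "google-cloud-kms", "lower_bound": "2.13.0", "upper_bound": "4.0.0"},
-("google", "cloud", "osconfig", "v1"): {"package_name": "google-cloud-os-config", "lower_bound": "1.13.0", "upper_bound": "2.0.0"},
-("google", "iam", "v1"): {"package_name": "grpc-google-iam-v1", "lower_bound": "0.14.0", "upper_bound": "1.0.0"},
-("google", "iam", "v2"): {"package_name": "google-cloud-iam", "lower_bound": "2.12.2", "upper_bound": "3.0.0"},
+("google", "apps", "script", "type"): {"package_name": "google-apps-script-type", "lower_bound": "0.3.14", "upper_bound": "1.0.0"},
+("google", "geo", "type"): {"package_name": "google-geo-type", "lower_bound": "0.3.12", "upper_bound": "1.0.0"},
+("google", "identity", "accesscontextmanager", "v1"): {"package_name": "google-cloud-access-context-manager", "lower_bound": "0.2.2", "upper_bound": "1.0.0"},
+("google", "cloud", "documentai", "v1"): {"package_name": "google-cloud-documentai", "lower_bound": "3.2.1", "upper_bound": "4.0.0"},
+("google", "cloud", "kms", "v1"): {"package_name": "google-cloud-kms", "lower_bound": "3.4.1", "upper_bound": "4.0.0"},
+("google", "cloud", "osconfig", "v1"): {"package_name": "google-cloud-os-config", "lower_bound": "1.20.1", "upper_bound": "2.0.0"},
+("google", "iam", "v1"): {"package_name": "grpc-google-iam-v1", "lower_bound": "0.14.2", "upper_bound": "1.0.0"},
+("google", "iam", "v2"): {"package_name": "google-cloud-iam", "lower_bound": "2.18.2", "upper_bound": "3.0.0"},
 ("google", "shopping", "type"): {"package_name": "google-shopping-type", "lower_bound": "1.0.0", "upper_bound": "2.0.0"}
 }
 %}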
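Review bot: `google-apps-card` (`0.3.0`) and `google-shopping-type` (`1.0.0`) keep their old `lower_bound` while the other eight entries in `pypi_packages` are raised, and nothing in the hunk says why those two are exempt. If the new floors are the first releases that accept protobuf 6.x, which the commit description suggests but the hunk does not state, the two untouched floors should be confirmed against `protobuf >= 6.33.5` as well. Otherwise a generated package's declared minimums cannot be installed together, and the lower-bound constraints files stop testing what is actually shipped. A short line in the header comment stating how each `lower_bound` is chosen would make the next security bump easier to review; the header itself starts before the hunk.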

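--- a/packages/gapic-generator/gapic/templates/setup.py.j2
+++ b/packages/gapic-generator/gapic/templates/setup.py.j2
@@ -33,16 +33,15 @@ else:
 release_status = "Development Status :: 5 - Production/Stable"
 
 dependencies = [
-"google-api-core[grpc] >= 2.17.1, <3.0.0",
+"google-api-core[grpc] >= 2.24.2, <3.0.0",
 # Exclude incompatible versions of `google-auth`
 # See https://github.com/googleapis/google-cloud-python/issues/12364
 "google-auth >= 2.14.1, <3.0.0,!=2.24.0,!=2.25.0",
 "grpcio >= 1.59.0, < 2.0.0",
 "grpcio >= 1.75.1, < 2.0.0; python_version >= '3.14'",
-"proto-plus >= 1.22.3, <2.0.0",
-"proto-plus >= 1.25.0, <2.0.0; python_version >= '3.13'",
+"proto-plus >= 1.26.1, <2.0.0",
 {# Explicitly exclude protobuf versions mentioned in https://cloud.google.com/support/bulletins#GCP-2022-019 #}
-"protobuf >= 4.25.8, < 8.0.0",
+"protobuf >= 6.33.5, < 8.0.0",
 {% for package_tuple, package_info in pypi_packages.items() %}
 {# Quick check to make sure `package_info.package_name` is not the package being generated so we don't circularly include this package in its own constraints file. #}
 {% if api.naming.warehouse_package_name != package_info.package_name %}
@@ -55,7 +54,6 @@ dependencies = [
 extras = {
 {% if rest_async_io_enabled %}
 "async_rest": [
-"google-api-core[grpc] >= 2.21.0, < 3.0.0",
 "google-auth[aiohttp] >= 2.35.0, <3.0.0"
 ],
 {% endif %}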

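--- a/packages/gapic-generator/gapic/templates/testing/constraints-3.10-async-rest.txt.j2
+++ b/packages/gapic-generator/gapic/templates/testing/constraints-3.10-async-rest.txt.j2
@@ -8,11 +8,11 @@
 # pinning their versions to their lower bounds.
 # For example, if setup.py has "google-cloud-foo >= 1.14.0, < 2.0.0",
 # then this file should have google-cloud-foo==1.14.0
-google-api-core==2.21.0
+google-api-core==2.24.2
 google-auth==2.35.0
 grpcio==1.59.0
-proto-plus==1.22.3
-protobuf==4.25.8
+proto-plus==1.26.1
+protobuf==6.33.5
 {% for package_tuple, package_info in pypi_packages.items() %}
 {# Quick check to make sure `package_info.package_name` is not the package being generated so we don't circularly include this package in its own constraints file. #}
 {% if api.naming.warehouse_package_name != package_info.package_name %}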

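--- a/packages/gapic-generator/gapic/templates/testing/constraints-3.10.txt.j2
+++ b/packages/gapic-generator/gapic/templates/testing/constraints-3.10.txt.j2
@@ -5,11 +5,11 @@
 # pinning their versions to their lower bounds.
 # For example, if setup.py has "google-cloud-foo >= 1.14.0, < 2.0.0",
 # then this file should have google-cloud-foo==1.14.0
-google-api-core==2.17.1
+google-api-core==2.24.2
 google-auth==2.14.1
 grpcio==1.59.0
-proto-plus==1.22.3
-protobuf==4.25.8
+proto-plus==1.26.1
+protobuf==6.33.5
 {% for package_tuple, package_info in pypi_packages.items() %}
 {# Quick check to make sure `package_info.package_name` is not the package being generated so we don't circularly include this package in its own constraints file. #}
 {% if api.naming.warehouse_package_name != package_info.package_name %}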

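--- a/packages/gapic-generator/requirements.in
+++ b/packages/gapic-generator/requirements.in
@@ -3,7 +3,7 @@ google-api-core
 googleapis-common-protos
 jinja2
 MarkupSafe
-protobuf>=4.25.8
+protobuf>=6.33.5 # for CVE-2026-0994. See https://github.com/advisories/GHSA-7gcm-g887-7qv7 and https://protobuf.dev/support/version-support/#python
 pypandoc
 PyYAML
 grpc-google-iam-v1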

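--- a/packages/gapic-generator/setup.py
+++ b/packages/gapic-generator/setup.py
@@ -28,17 +28,17 @@
 # Ensure that the lower bounds of these dependencies match what we have in the
 # templated setup.py.j2: https://github.com/googleapis/gapic-generator-python/blob/main/gapic/templates/setup.py.j2
 "click >= 6.7",
-"google-api-core[grpc] >= 1.34.1, <3.0.0,!=2.0.*,!=2.1.*,!=2.2.*,!=2.3.*,!=2.4.*,!=2.5.*,!=2.6.*,!=2.7.*,!=2.8.*,!=2.9.*,!=2.10.*",
-"googleapis-common-protos >= 1.55.0",
-"grpcio >= 1.24.3",
+"google-api-core[grpc] >= 2.24.2, < 3.0.0",
+"googleapis-common-protos >= 1.55.0, < 2.0.0",
+"grpcio >= 1.24.3, < 2.0.0",
 # 2.11.0 is required which adds the `default` argument to `jinja-filters.map()`
 # https://jinja.palletsprojects.com/en/3.0.x/templates/#jinja-filters.map
 # https://jinja.palletsprojects.com/en/2.11.x/changelog/#version-2-11-0
 "jinja2 >= 2.11",
-"protobuf >= 4.25.8, < 8.0.0",
+"protobuf >= 6.33.5, < 8.0.0",
 "pypandoc >= 1.4",
 "PyYAML >= 5.1.1",
-"grpc-google-iam-v1 >= 0.14.0, < 1.0.0",
+"grpc-google-iam-v1 >= 0.14.2, < 1.0.0",
 "libcst >= 0.4.9, < 2.0.0",
 "inflection >= 0.5.1, < 1.0.0",
 ]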
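Review bot: The `grpcio` entry keeps the floor `1.24.3` even though the comment at the top of this list asks for lower bounds to match the templated `setup.py.j2`, which in this commit declares `grpcio >= 1.59.0, < 2.0.0`. Since the line is already being edited to add the upper bound, aligning it as `"grpcio >= 1.59.0, < 2.0.0",` would keep the generator's declared minimum consistent with what it generates. `googleapis-common-protos >= 1.55.0` may deserve the same check against the new protobuf floor, though the visible templates do not show a matching bound to compare with. The list opens before the hunk.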

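--- a/packages/gapic-generator/tests/integration/goldens/asset/google/cloud/asset_v1/__init__.py
+++ b/packages/gapic-generator/tests/integration/goldens/asset/google/cloud/asset_v1/__init__.py
@@ -129,7 +129,7 @@
 
 def parse_version_to_tuple(version_string: str):
 """Safely converts a semantic version string to a comparable tuple of integers.
-Example: "4.25.8" -> (4, 25, 8)
+Example: "6.33.5" -> (6, 33, 5)
 Ignores non-numeric parts and handles common version formats.
 Args:
 version_string: Version string in the format "x.y.z" or "x.y.z<suffix>"
@@ -158,9 +158,9 @@ def _get_version(dependency_name):
 return (None, "--")
 
 _dependency_package = "google.protobuf"
-_next_supported_version = "4.25.8"
-_next_supported_version_tuple = (4, 25, 8)
-_recommendation = " (we recommend 6.x)"
+_next_supported_version = "6.33.5"
+_next_supported_version_tuple = (6, 33, 5)
+_recommendation = " (we recommend 7.x)"
 (_version_used, _version_used_string) = _get_version(_dependency_package)
 if _version_used and _version_used < _next_supported_version_tuple:
 warnings.warn(f"Package {_package_label} depends on " +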

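--- a/packages/gapic-generator/tests/integration/goldens/asset/setup.py
+++ b/packages/gapic-generator/tests/integration/goldens/asset/setup.py
@@ -39,18 +39,17 @@
 release_status = "Development Status :: 5 - Production/Stable"
 
 dependencies = [
-"google-api-core[grpc] >= 2.17.1, <3.0.0",
+"google-api-core[grpc] >= 2.24.2, <3.0.0",
 # Exclude incompatible versions of `google-auth`
 # See https://github.com/googleapis/google-cloud-python/issues/12364
 "google-auth >= 2.14.1, <3.0.0,!=2.24.0,!=2.25.0",
 "grpcio >= 1.59.0, < 2.0.0",
 "grpcio >= 1.75.1, < 2.0.0; python_version >= '3.14'",
-"proto-plus >= 1.22.3, <2.0.0",
-"proto-plus >= 1.25.0, <2.0.0; python_version >= '3.13'",
-"protobuf >= 4.25.8, < 8.0.0",
-"google-cloud-access-context-manager >= 0.2.0, <1.0.0",
-"google-cloud-os-config >= 1.13.0, <2.0.0",
-"grpc-google-iam-v1 >= 0.14.0, <1.0.0",
+"proto-plus >= 1.26.1, <2.0.0",
+"protobuf >= 6.33.5, < 8.0.0",
+"google-cloud-access-context-manager >= 0.2.2, <1.0.0",
+"google-cloud-os-config >= 1.20.1, <2.0.0",
+"grpc-google-iam-v1 >= 0.14.2, <1.0.0",
 ]
 extras = {
 }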
