fix(deps): update dependency protobuf to v5 [security] (main) - abandoned

[oep-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
protobuf	~=4.25.8 → ~=5.29.6
protobuf	~=4.24 → ~=5.29

---

protobuf affected by a JSON recursion depth bypass

CVE-2026-0994 / GHSA-7gcm-g887-7qv7

More information

Details

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.

Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-0994
• https://github.com/protocolbuffers/protobuf/issues/25070
• https://github.com/protocolbuffers/protobuf/pull/25239
• https://github.com/protocolbuffers/protobuf/commit/5ebddcb1bcbe51d1fe323baa145e85f4f23128cf
• https://github.com/protocolbuffers/protobuf/commit/d2b001626d137c62dfee6c88c87324102531868b
• https://github.com/protocolbuffers/protobuf

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[oep-renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: interactive_ai/migration_job/uv.lock

Command failed: uv lock --upgrade-package protobuf
Using CPython 3.10.19 interpreter at: /opt/containerbase/tools/python/3.10.19/bin/python3
  × No solution found when resolving dependencies:
  ╰─▶ Because grpcio-tools==1.60.0 depends on protobuf>=4.21.6,<5.0.dev0 and
      migration-job:dev depends on grpcio-tools==1.60.0, we can conclude that
      migration-job:dev depends on protobuf>=4.21.6,<5.0.dev0.
      And because migration-job:dev depends on protobuf>=5.29.6,<5.30.dev0
      and your project requires migration-job:dev, we can conclude that your
      project's requirements are unsatisfiable.

File name: platform/services/initial_user/uv.lock

Command failed: uv lock --upgrade-package protobuf
Using CPython 3.10.19 interpreter at: /opt/containerbase/tools/python/3.10.19/bin/python3
  × No solution found when resolving dependencies:
  ╰─▶ Because grpcio-tools==1.60.0 depends on protobuf>=4.21.6,<5.0.dev0 and
      initial-user:dev depends on grpcio-tools==1.60.0, we can conclude that
      initial-user:dev depends on protobuf>=4.21.6,<5.0.dev0.
      And because initial-user:dev depends on protobuf>=5.29.6,<5.30.dev0
      and your project requires initial-user:dev, we can conclude that your
      project's requirements are unsatisfiable.

[oep-renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[oep-renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

[leoll2]

I think it's better to keep these under the exclusive control of @open-edge-platform/geti-ci-maintain for security reasons.

[jcchr]

ok - I removed new owners from CI section

[AlbertvanHouten]

I'd suggest removing all specific CODEOWNERS with the exception of security related files and replace the

# Default for anything not covered by one of the more specific rules below

with your names so the other teams don't get notifications anymores

[leoll2]

Changes to CODEOWNERS are okay for me. To test the other changes, which include major version upgrade in core libraries (protobuf, grpc, ...), I'd recommend to run e2e tests on this branch and share the results.