Exclude vulnerable Protobuf versions from dependencies (#1102)

hectorcast-db · web-flow · commit 3a9bcd483246 · 2025-11-04T15:03:36.000Z
## What changes are proposed in this pull request? Exclude vulnerable Protobuf versions from dependencies. https://security.snyk.io/vuln/SNYK-PYTHON-PROTOBUF-10364902 ## How is this tested? `make && make test`
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -4,6 +4,9 @@
 
 ### New Features and Improvements
 
+### Security
+- Update `protobuf` dependency constraints to exclude known vulnerable versions (related to `SNYK-PYTHON-PROTOBUF-10364902`).
+
 ### Bug Fixes
 
 ### Documentation
diff --git a/pyproject.toml b/pyproject.toml
@@ -27,7 +27,9 @@ classifiers = [
 dependencies = [
     "requests>=2.28.1,<3",
     "google-auth~=2.0",
-    "protobuf>=4.21.0,<7.0",
+    # Exclude vulnerable protobuf versions: [,4.25.8), [5.26.0rc1, 5.29.5), [6.30.0rc1, 6.31.1)
+    # https://security.snyk.io/vuln/SNYK-PYTHON-PROTOBUF-10364902
+    "protobuf>=4.25.8,!=5.26.*,!=5.27.*,!=5.28.*,!=5.29.0,!=5.29.1,!=5.29.2,!=5.29.3,!=5.29.4,!=6.30.0,!=6.30.1,!=6.31.0,<7.0",
 ]
 
 [project.urls]
