From 7590a83eb5791f991daaa36b4cd05e293f4a85f5 Mon Sep 17 00:00:00 2001
From: Henrik Brodin <90325907+hbrodin@users.noreply.github.com>
Date: Tue, 27 Jan 2026 14:58:02 +0100
Subject: [PATCH] build(deps): pin protobuf to 3.20.3 in fuzzer_runner for OSS-Fuzz compatibility

Add uv constraint-dependencies to prevent protobuf from being updated beyond 3.20.3, which is required for compatibility with OSS-Fuzz infrastructure. This prevents dependabot from creating PRs like #453 that would break the fuzzer runner.

Co-Authored-By: Claude Opus 4.5
---
 fuzzer_runner/pyproject.toml | 5 +++++
 fuzzer_runner/uv.lock | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/fuzzer_runner/pyproject.toml b/fuzzer_runner/pyproject.toml
index e1a80aaa..242af9f1 100644
--- a/fuzzer_runner/pyproject.toml
+++ b/fuzzer_runner/pyproject.toml
@@ -25,6 +25,11 @@ packages = ["src/buttercup"]
 requires = ["hatchling"]
 build-backend = "hatchling.build"
 
+[tool.uv]
+# Must match OSS-Fuzz protobuf version for compatibility
+# See: https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/Dockerfile
+constraint-dependencies = ["protobuf==3.20.3"]
+
 [tool.uv.sources]
 common = { path = "../common", editable = true }
 
diff --git a/fuzzer_runner/uv.lock b/fuzzer_runner/uv.lock
index 8e724d23..645c698f 100644
--- a/fuzzer_runner/uv.lock
+++ b/fuzzer_runner/uv.lock
@@ -2,6 +2,9 @@ version = 1
 revision = 3
 requires-python = "==3.12.*"
 
+[manifest]
+constraints = [{ name = "protobuf", specifier = "==3.20.3" }]
+
 [[package]]
 name = "annotated-types"
 version = "0.7.0"
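Review bot: The `constraint-dependencies = ["protobuf==3.20.3"]` line in the new `[tool.uv]` table of fuzzer_runner/pyproject.toml is an open-ended hold on an old protobuf release line, and per the commit message its purpose is to stop dependabot raising update PRs, so security fixes shipped in later protobuf releases will no longer surface for fuzzer_runner. The comment explains why the version must match OSS-Fuzz but not when the hold can be lifted or who re-checks it; I would add `# Security hold: revisit when OSS-Fuzz base-builder changes its protobuf version; protobuf advisories must be tracked manually while this pin is in place`. The `See:` link points at `master`, so it may stop showing the 3.20.3 pin without anyone noticing; a commit permalink would keep the justification verifiable. This constraint is presumably honoured only by uv, so whether other installers resolve the same version depends on the `[project]` dependencies, which are outside the hunk.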