chore(deps): update dependency protobuf to v5.29.5 [security] - autoclosed #13433
Summary of Changes
Hello @renovate-bot, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request, automatically generated by Renovate Bot, focuses on a critical security update for the protobuf dependency. It upgrades the protobuf package across multiple Python sample applications to patched versions, effectively mitigating a known Denial of Service vulnerability and enhancing the overall security posture of the affected components.
Highlights
- Security Vulnerability Patch: This pull request addresses CVE-2025-4565, a Denial of Service vulnerability in the pure-Python backend of protobuf. This vulnerability could allow an attacker to corrupt a project by exceeding the Python recursion limit when parsing untrusted Protocol Buffers data containing recursive groups, messages, or SGROUP tags.
- Dependency Version Upgrades: The protobuf dependency has been updated to 4.25.8 in the functions/v2/datastore/hello-datastore, functions/v2/firebase/hello-firestore, and functions/v2/firebase/upper-firestore samples. Additionally, protobuf has been updated to 5.29.5 in the gemma2, managedkafka/snippets, and secretmanager/snippets samples.
Code Review
This pull request updates the protobuf dependency to address the security vulnerability CVE-2025-4565, which could lead to a Denial of Service. It also adds a newline character at the end of two requirements.txt files.
This PR contains the following updates:
protobuf: ==5.29.4 -> ==5.29.5
GitHub Vulnerability Alerts
CVE-2025-4565
Summary
Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit.
Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [email protected]
Affected versions: This issue only affects the pure-Python implementation of protobuf-python backend. This is the implementation when the PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default.
This is a Python variant of a previous issue affecting protobuf-java.
Severity
This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker.
Proof of Concept
For reproduction details, please refer to the unit tests decoder_test.py and message_test
Remediation and Mitigation
A mitigation is available now. Please update to the latest available versions of the following packages:
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
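Defensive pre-check, added here as an example and not part of this PR or of protobuf's own code: a schema-less scan of the Protocol Buffers wire format that bounds SGROUP/EGROUP nesting before untrusted bytes reach a parser, which is the unbounded-recursion failure mode the advisory above describes. Wire-type numbers follow the protobuf encoding spec; the sample payload builder and all test bytes are constructed for this example.

```python
# Wire types from the Protocol Buffers encoding (added example, not protobuf's own code).
WT_VARINT, WT_FIXED64, WT_LEN, WT_SGROUP, WT_EGROUP, WT_FIXED32 = 0, 1, 2, 3, 4, 5

def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a base-128 varint at pos; return (value, position after it)."""
    result, shift = 0, 0
    while pos < len(buf) and shift <= 63:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated or over-long varint")

def max_group_depth(buf: bytes, limit: int = 100) -> int:
    """Schema-less scan: return the deepest SGROUP nesting in buf, raising
    ValueError as soon as it exceeds limit. Length-delimited fields are skipped
    opaquely (without a schema they may be bytes or embedded messages), so
    embedded-message depth still needs a schema-aware parser with its own limit."""
    pos = depth = deepest = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        wt = tag & 7
        if wt == WT_VARINT:
            _, pos = _read_varint(buf, pos)
        elif wt in (WT_FIXED64, WT_FIXED32):
            pos += 8 if wt == WT_FIXED64 else 4
        elif wt == WT_LEN:
            length, pos = _read_varint(buf, pos)
            pos += length
        elif wt == WT_SGROUP:
            depth += 1
            if depth > limit:
                raise ValueError(f"group nesting exceeds limit of {limit}")
            deepest = max(deepest, depth)
        elif wt == WT_EGROUP:
            if depth == 0:
                raise ValueError("EGROUP without matching SGROUP")
            depth -= 1
        else:
            raise ValueError(f"unknown wire type {wt}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
    if depth:
        raise ValueError("unterminated group")
    return deepest

def nested_groups(field: int, levels: int) -> bytes:
    """Constructed sample: `levels` nested empty groups on field number `field` (must be < 16)."""
    return bytes([field << 3 | WT_SGROUP]) * levels + bytes([field << 3 | WT_EGROUP]) * levels
```

Run `max_group_depth(data, limit=N)` on incoming bytes and reject on ValueError; the limit should be well below Python's recursion limit so the guard, not the parser, is what fails first.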