chore(deps): Update dependency google-cloud-aiplatform to v1.133.0 [SECURITY]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
google-cloud-aiplatform	==1.122.0 → ==1.133.0

---

Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS)

CVE-2026-2472 / GHSA-qv8j-hgpc-vrq8

More information

Details

Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.

Severity

• CVSS Score: 8.6 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-2472
• https://docs.cloud.google.com/support/bulletins#gcp-2026-011
• https://github.com/googleapis/python-aiplatform/commit/8a00d43dbd24e95dbab6ea32c63ce0a5a1849480
• https://github.com/googleapis/python-aiplatform/releases/tag/v1.131.0
• https://github.com/JoshuaProvoste/CVE-2026-2472-Vertex-AI-SDK-Google-Cloud
• https://github.com/advisories/GHSA-qv8j-hgpc-vrq8

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Google Cloud Vertex AI has a a vulnerability involving predictable bucket naming

CVE-2026-2473 / GHSA-wh2j-26j7-9728

More information

Details

Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting).

This vulnerability was patched and no customer action is needed.

Severity

• CVSS Score: 7.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-2473
• https://docs.cloud.google.com/support/bulletins#gcp-2026-012
• https://github.com/googleapis/python-aiplatform/releases/tag/v1.133.0
• https://github.com/advisories/GHSA-wh2j-26j7-9728

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

googleapis/python-aiplatform (google-cloud-aiplatform)

v1.133.0

Compare Source

Features

• Deprecate tuning public preview SDK in favor of tuning SDK (35d362c)
• GenAI SDK client - Enabling Few-shot Prompt Optimization by passing either "OPTIMIZATION_TARGET_FEW_SHOT_RUBRICS" or "OPTIMIZATION_TARGET_FEW_SHOT_TARGET_RESPONSE" to the optimize_prompt method (715cc5b)
• GenAI SDK client(memory): Add enable_third_person_memories (65717fa)
• Support Developer Connect in AE (04f1771)

Bug Fixes

• Add None check for agent_info in evals.py (c8c0f0f)
• GenAI client(evals) - Fix TypeError in _build_generate_content_config (be2eaaa)
• Make project_number to project_id mapping fail-open. (f1c8458)
• Replace asyncio.run with create_task in ADK async thread mains. (83f4076)
• Replace asyncio.run with create_task in ADK async thread mains. (8c876ef)
• Require uri or staging bucket configuration for saving model to Vertex Experiment. (5448f06)
• Return embedding metadata if available (d9c6eb1)
• Update examples_dataframe type to PandasDataFrame in Prompt Optimizer. (a2564cc)

v1.132.0

Compare Source

Features

• Add Lustre support to the Vertex Training Custom Job API (71747e8)
• Add Lustre support to the Vertex Training Custom Job API (71747e8)

Documentation

• A comment for field restart_job_on_worker_restart in message .google.cloud.aiplatform.v1beta1.Scheduling is changed (71747e8)
• A comment for field timeout in message .google.cloud.aiplatform.v1beta1.Scheduling is changed (71747e8)

v1.131.0

Compare Source

Features

• Allow list of events to be passed to AdkApp.async_stream_query (dd8840a)
• GenAI Client(evals) - Support CustomCodeExecution metric in Vertex Gen AI Eval Service (4114728)
• Updates the ADK template to direct structured JSON logs to standard output. (a65ec29)

Bug Fixes

• Fix RagManagedVertexVectorSearch when using backend_config (df0976e)
• GenAI Client(evals) - patch for vulnerability in visualization (8a00d43)

v1.130.0

Compare Source

Features

• A new field min_gpu_driver_version is added to message .google.cloud.aiplatform.v1beta1.MachineSpec (26dfdfe)
• Adding RagManagedVertexVectorSearch Vector DB option for RAG corpuses to SDK (da79e21)
• Expose FullFineTunedResources for full fine tuned deployments (26dfdfe)
• Expose zone when creating a FeatureOnlineStore (26dfdfe)
• GenAI Client(evals) - Add support to local agent run for agent eval (30e41d0)
• GenAI SDK client(memory): Add PurgeMemories (95eb10f)
• Introduce RagManagedVertexVectorSearch as a new vector db option (26dfdfe)

Documentation

• Update ReplicatedVoiceConfig.mime_type comment (26dfdfe)
• Update ReplicatedVoiceConfig.mime_type comment (26dfdfe)

v1.129.0

Compare Source

⚠ BREAKING CHANGES

• An existing field transfer_to_agent is removed from message .google.cloud.aiplatform.v1beta1.EventActions
• updating bigtable_metadata field name in FeatureOnlineStore
• updating enableDirectBigtableAccess field name in FeatureOnlineStore`
• updating bigtable_metadata field name in FeatureView

Features

• Add gpu_partition_size in machine_spec v1 api (e0bc3d8)
• Add ReplicatedVoiceConfig to VoiceConfig to enable Gemini TTS voice replication (e0bc3d8)
• Add ReplicatedVoiceConfig to VoiceConfig to enable Gemini TTS voice replication (e0bc3d8)
• Add EmbedContent method v1 (e0bc3d8)
• Add EmbedContent method v1beta1 (e0bc3d8)
• Add FunctionResponsePart and excluded_predefined_functions in ComputerUse (e0bc3d8)
• Add FunctionResponsePart and excluded_predefined_functions in ComputerUse (e0bc3d8)
• Add new fields SUCCESSFULLY_DEPLOYED and FAILED_TO_DEPLOY to DeploymentStage (e0bc3d8)
• Add new fields SUCCESSFULLY_DEPLOYED and FAILED_TO_DEPLOY to DeploymentStage (e0bc3d8)
• Add order_by to list_events (e0bc3d8)
• Add support for developer connect based deployment (e0bc3d8)
• Add support for developer connect based deployment (e0bc3d8)
• Continuous Tuning (e0bc3d8)
• Enable Vertex Model Garden Managed OSS Fine Tuning. (26b7e51)
• GenAI Client(evals) - Add location override parameter to run_inference and evaluate methods (b867043)
• GenAI Client(evals) - support setting autorater generation config for predefined rubric metrics (9304f15)
• GenAI SDK client(multimodal) - Support Assess Tuning Resource for multimodal dataset. (bc26160)
• GenAI SDK client(sessions): Add label to Sessions (837c8ea)

Bug Fixes

• Add OTel cloud.provider attribute to AdkTemplate (7d3bcdd)
• Add support for app in _init_session (d9f6c58)
• An existing field transfer_to_agent is removed from message .google.cloud.aiplatform.v1beta1.EventActions (e0bc3d8)
• Correlate traces with logs in Cloud Trace panel on adk deploy agent_engine (9301551)
• Enable from vertexai.types import TypeName without needing to run from vertexai import types first (46285bf)
• Enable from vertexai.types import TypeName without needing to run from vertexai import types first (f4a6cbe)
• Gen AI SDK client - Fix bug in GCS bucket creation for new agent engines. (8d4ce38)
• GenAI SDK client(eval) - Reorder the params to put the Config param at the last place. (e8b12cb)
• Save artifact in init_session (2a43e9b)
• Update default input and output modes in create_agent_card (7ca4226)
• Updating bigtable_metadata field name in FeatureOnlineStore (e0bc3d8)
• Updating bigtable_metadata field name in FeatureView (e0bc3d8)
• Updating enableDirectBigtableAccess field name in FeatureOnlineStore` (e0bc3d8)

Documentation

• A comment for field filter in message .google.cloud.aiplatform.v1beta1.ListSessionsRequest is changed (e0bc3d8)
• A comment for field package_spec in message .google.cloud.aiplatform.v1.ReasoningEngineSpec is changed (e0bc3d8)
• A comment for field package_spec in message .google.cloud.aiplatform.v1beta1.ReasoningEngineSpec is changed (e0bc3d8)
• A comment for message ReasoningEngineSpec is changed (e0bc3d8)
• A comment for message ReasoningEngineSpec is changed (e0bc3d8)
• Fix idle_scaledown_period minimum from 3600 to 300 (5 minutes) (e0bc3d8)
• Remove comments for a non public feature (e0bc3d8)

Miscellaneous Chores

• Release 1.129.0 (89db338)

v1.128.0

Compare Source

Features

• GenAI Client(evals) - Add pass_rate to AggregatedMetricResult and calculate it for adaptive rubric metrics. (1f1f67e)
• GenAI SDK client - Support build options in Agent Engine GCS Deployment. (28499a9)
• GenAI SDK client - Support build options in Agent Engine source-based Deployment. (f7e718f)
• GenAI SDK client(multimodal) - Support Assemble feature on the multimodal datasets. (2195411)

Bug Fixes

• Fix the change runner behavior back to sync function in streaming_agent_run_with_events (e9d9c31)
• GenAI Client(evals) - fix eval visualizations in Vertex Workbench (c3abe51)
• GenAI Client(evals) - Reformat codebase 1. Remove duplicated code in _evals_utils and _evals_metric_loader 2. Keep metric utils in _evals_metric_loader and data util in _evals_utils (5f3c655)

v1.127.0

Compare Source

Features

• Reenable VertexAiSession for streaming_agent_run_with_events (d3b12d5)

Bug Fixes

• Forward reference resolution in Pydantic schema generation. (0013865)
• GenAI Client(evals): Long traces do not scroll (3a99664)

Documentation

• Add vertexai.types module to generated docs (fc83569)

v1.126.1

Compare Source

Bug Fixes

• Add telemetry enablement env for agent engines deployed using module (e64ff28)

v1.126.0

Compare Source

Features

• Default to "unspecified" for telemetry enablement (3ca65cb)
• GenAI Client(evals) - Add loading agent info util function (acb6cab)
• GenAI Client(evals): Add warning message when tool usage is empty for tool_use_quality (531d223)

Bug Fixes

• Populate missing auth_id for _init_session into adk session.state (37fa3ce)

v1.125.0

Compare Source

⚠ BREAKING CHANGES

• Switch tracing APIs in preview AdkApp.
• Switch cloudtrace.googleapis.com to telemetry.googleapis.com for tracing API.

Features

• Add reservation affinity support to preview BatchPredictionJob (c8f38a0)
• Add support for Vertex Express Mode API key in AdkApp (05834cb)
• Add the identity type option for the agent engine and add effective identity to the resource (bf1851e)
• Alow VertexAiSession for streaming_agent_run_with_events (13faa27)
• GenAI Client(evals) - Add retry to predefine metric (9a46e67)

Bug Fixes

• GenAI Client(evals) - Change dataset visualization table to fixed to prevent horizontal expansion. (7a5a066)
• GenAI Client(evals) - Remove requirement for agent_info.agent in create_evaluation_run in Vertex AI GenAI SDK evals. (d02a7da)
• GenAI Client(evals) - Support direct pandas DataFrame dataset in evaluate() (a917122)
• Revert: Alow VertexAiSession for streaming_agent_run_with_events (7c8c218)

Miscellaneous Chores

• Release 1.125.0 (d344858)
• Switch cloudtrace.googleapis.com to telemetry.googleapis.com for tracing API. (c81f912)
• Switch tracing APIs in preview AdkApp. (27ef56b)

v1.124.0

Compare Source

⚠ BREAKING CHANGES

• GenAI SDK client - Enabling new data driven prompt optimization for prompts from Android API by passing

Features

• GenAI SDK client - Enabling new data driven prompt optimization for prompts from Android API by passing (4216790)

Bug Fixes

• GenAI Client(evals) - Apply sync function for agent run (8a20349)
• GenAI Client(evals) - Support EvaluationDataset output from run_inference as input dataset in create_evaluation_run in Vertex AI GenAI SDK evals (741c6ad)
• GenAI Client(evals) - Update send online eval service request default value and avoid None value (09bf9a9)

Miscellaneous Chores

• Release 1.124.0 (35ac4c5)

v1.123.0

Compare Source

Features

• Add initial support for Python v3.14 (4618729)
• Add more attributes to OTel resource for ADK tracing (5aaa60e)
• Add Python 3.13 Kokoro run config (57d2709)
• Add support for app input in AdkApp template (10ca56f)
• Add support of google-cloud-storage v3 dependency (85cbb75)
• Disable prompt/response content in ADK spans if telemetry env is set (be5d1f5)
• GenAI Client(evals) - Add agent data to EvaluationRun show in Vertex AI GenAI SDK evals (d62afc3)
• GenAI SDK client - add context management to AsyncClient (8075e60)
• GenAI SDK client - Enabling zero-shot prompt optimization for prompts from Android API by passing optimization_target=vertexai.types.OptimizeTarget.OPTIMIZATION_TARGET_GEMINI_NANO in the config (92d8b2a)
• GenAI SDK client (Multimodal Dataset) - Create a multimodal dataset from Big Query. (d4e211d)
• GenAI SDK client(memory): Add extracted memories to MemoryRevision resources (2267d58)
• GenAI SDK client(memory): Add filter to RetrieveMemories (2267d58)
• GenAI SDK client(memory): Add Memory Topic labels to Memory (de941a6)
• GenAI SDK client(multimodal) - Add get/update/list/delete to multimodal datasets. (34996a2)
• GenAI SDK client(multimodal) - Add public get/update/delete methods to multimodal datasets. (6737a70)
• Support Inline Source Deployment in Agent Engine (9ae5f35)

Bug Fixes

• Allow both camelCase and snake_case in _StreamRunRequest (6a6674d)
• Clone agent_framework attribute in ModuleAgent.clone() (81f8c40)
• GenAI Client(evals) - fix hallucination visualization (a52da0b)
• GenAI Client(evals) - fix visualization (67f9099)
• GenAI SDK client - Fix log showing how to get an Agent Engine. Positional arguments are not allowed. (0fc74de)
• Remove unnecessary pandas import from multimodal datasets preview module. (5dd51a2)

Documentation

• Add docstring for classes and fields that are not supported in Gemini or Vertex API (cd99635)
• Add docstring for enum classes that are not supported in Gemini or Vertex API (db364ab)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun

[gemini-code-assist]

Code Review

This pull request updates the google-cloud-aiplatform dependency version from 1.122.0 to 1.133.0 in the requirements.txt file for the agent example. I have no feedback to provide.

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun