50 changes: 47 additions & 3 deletions 2-multitenant/modules/env_baseline/main.tf
Expand Up @@ -18,7 +18,6 @@ locals {
networks_re = "/networks/([^/]*)$"
subnetworks_re = "/subnetworks/([^/]*)$"
projects_re = "projects/([^/]*)/"
regions_re = "regions/([^/]+)"
cluster_project_id = data.google_project.eab_cluster_project.project_id
available_cidr_ranges = var.master_ipv4_cidr_blocks

Expand All @@ -30,12 +29,33 @@ locals {

cluster_sa = [for i in merge(module.gke-standard, module.gke-autopilot) : i.service_account][0]

arm_node_pool = { for k, v in local.subnets : k => (regex(local.regions_re, v)[0]) == "us-central1" ?
# Map each region to zones that support nvidia-tesla-t4
gpu_t4_zones = {
for r_idx, r in data.google_compute_zones.available : r_idx => [
for z in r.names : z if contains([for a in data.google_compute_accelerator_types.t4[z].accelerator_types : a.name], "nvidia-tesla-t4")
]
}

# Map each region to zones that support t2a-standard-4
arm_zones = {
for r_idx, r in data.google_compute_zones.available : r_idx => [
for z in r.names : z if length(data.google_compute_machine_types.arm[z].machine_types) > 0
]
}

# ARM node pool locations must be a subset of cluster zones (which are restricted to T4 zones)
arm_node_pool_zones = {
for k, v in local.subnets : k => [
for z in local.arm_zones[k] : z if contains(local.gpu_t4_zones[k], z)
]
}

arm_node_pool = { for k, v in local.subnets : k => length(local.arm_node_pool_zones[k]) > 0 ?
[
{
name = "regional-arm64-pool"
machine_type = "t2a-standard-4"
node_locations = "us-central1-a,us-central1-b,us-central1-f"
node_locations = join(",", local.arm_node_pool_zones[k])
strategy = "SURGE"
max_surge = 1
max_unavailable = 0
Expand Down Expand Up @@ -169,6 +189,29 @@ data "google_compute_subnetwork" "default" {
self_link = each.value
}

data "google_compute_zones" "available" {
for_each = local.subnets
region = data.google_compute_subnetwork.default[each.key].region
project = local.cluster_project_id
}

locals {
all_zones = distinct(flatten([for z in data.google_compute_zones.available : z.names]))
}

data "google_compute_accelerator_types" "t4" {
for_each = toset(local.all_zones)
zone = each.value
project = local.cluster_project_id
}

data "google_compute_machine_types" "arm" {
for_each = toset(local.all_zones)
zone = each.value
project = local.cluster_project_id
filter = "name = \"t2a-standard-4\""
}

resource "google_access_context_manager_access_level_condition" "access-level-conditions" {
count = var.access_level_name != null ? 1 : 0
access_level = var.access_level_name
Expand Down Expand Up @@ -256,6 +299,7 @@ module "gke-standard" {
project_id = local.cluster_project_id
regional = true
region = data.google_compute_subnetwork.default[each.key].region
zones = local.gpu_t4_zones[each.key]
network_project_id = regex(local.projects_re, data.google_compute_subnetwork.default[each.key].id)[0]
network = regex(local.networks_re, data.google_compute_subnetwork.default[each.key].network)[0]
subnetwork = regex(local.subnetworks_re, local.subnets[each.key])[0]
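Review bot: Nothing guards the case where a region has no zone offering `nvidia-tesla-t4`: `zones = local.gpu_t4_zones[each.key]` in `module "gke-standard"` then receives an empty list, and `arm_node_pool_zones`, being an intersection with that list, is empty too, so the `length(...) > 0` test on `arm_node_pool` takes its other branch (outside the hunk) without any message. How the GKE module treats an empty `zones` list is not visible here; if it falls back to every zone in the region, the T4 restriction would be lost silently. I would fail the plan explicitly, for example through a `check` block or a `precondition` on a consuming resource with `condition = alltrue([for k, z in local.gpu_t4_zones : length(z) > 0])` and an `error_message` that names the affected subnet key. The `module "gke-standard"` block starts and ends outside the hunk. Separately, `t2a-standard-4` is spelled out both in the `arm_node_pool` entry and in the `google_compute_machine_types` filter, so a single local would keep the two from drifting apart.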
23 changes: 11 additions & 12 deletions 5-appinfra/modules/htc-infra/american-option/requirements.txt
Expand Up @@ -116,18 +116,17 @@ grpcio-tools==1.66.1 \
--hash=sha256:f94d5193b2f2a9595795b83e7978b2bee1c0399da66f2f24d179c388f81fb99c \
--hash=sha256:fa4f95a79a34afc3b5464895d091cd1911227fc3ab0441b9a37cd1817cf7db86
# via -r ./requirements.in
protobuf==5.27.2 \
--hash=sha256:0e341109c609749d501986b835f667c6e1e24531096cff9d34ae411595e26505 \
--hash=sha256:176c12b1f1c880bf7a76d9f7c75822b6a2bc3db2d28baa4d300e8ce4cde7409b \
--hash=sha256:354d84fac2b0d76062e9b3221f4abbbacdfd2a4d8af36bab0474f3a0bb30ab38 \
--hash=sha256:4fadd8d83e1992eed0248bc50a4a6361dc31bcccc84388c54c86e530b7f58863 \
--hash=sha256:54330f07e4949d09614707c48b06d1a22f8ffb5763c159efd5c0928326a91470 \
--hash=sha256:610e700f02469c4a997e58e328cac6f305f649826853813177e6290416e846c6 \
--hash=sha256:7fc3add9e6003e026da5fc9e59b131b8f22b428b991ccd53e2af8071687b4fce \
--hash=sha256:9e8f199bf7f97bd7ecebffcae45ebf9527603549b2b562df0fbc6d4d688f14ca \
--hash=sha256:a109916aaac42bff84702fb5187f3edadbc7c97fc2c99c5ff81dd15dcce0d1e5 \
--hash=sha256:b848dbe1d57ed7c191dfc4ea64b8b004a3f9ece4bf4d0d80a367b76df20bf36e \
--hash=sha256:f3ecdef226b9af856075f28227ff2c90ce3a594d092c39bee5513573f25e2714
protobuf==6.33.5 \
Contributor


security-high high

The requirements.in file for this module still pins protobuf==5.27.2 (line 19). Since requirements.txt is autogenerated from it, this security update will be lost upon the next re-compilation. Furthermore, the comment in requirements.in (line 17) states that protobuf and grpcio-tools must be kept in sync. Upgrading to 6.33.5 while keeping grpcio-tools at 1.66.1 may lead to compatibility issues. Consider updating both in requirements.in to their latest versions (e.g., grpcio-tools==1.70.0 and protobuf==6.33.5), or if a major version jump is not desired, update protobuf to 5.29.5 which also contains the security fixes.

--hash=sha256:3093804752167bcab3998bec9f1048baae6e29505adaf1afd14a37bddede533c \
--hash=sha256:69915a973dd0f60f31a08b8318b73eab2bd6a392c79184b3612226b0a3f8ec02 \
--hash=sha256:6ddcac2a081f8b7b9642c09406bc6a4290128fce5f471cddd165960bb9119e5c \
--hash=sha256:8afa18e1d6d20af15b417e728e9f60f3aa108ee76f23c3b2c07a2c3b546d3afd \
--hash=sha256:8f04fa32763dcdb4973d537d6b54e615cc61108c7cb38fe59310c3192d29510a \
--hash=sha256:9b71e0281f36f179d00cbcb119cb19dec4d14a81393e5ea220f64b286173e190 \
--hash=sha256:a3157e62729aafb8df6da2c03aa5c0937c7266c626ce11a278b6eb7963c4e37c \
--hash=sha256:a5cb85982d95d906df1e2210e58f8e4f1e3cdc088e52c921a041f9c9a0386de5 \
--hash=sha256:cbf16ba3350fb7b889fca858fb215967792dc125b35c7976ca4818bee3521cf0 \
--hash=sha256:d71b040839446bac0f4d162e758bea99c8251161dae9d0983a3b88dee345153b
# via
# -r ./requirements.in
# grpcio-reflection
Expand Up @@ -30,7 +30,7 @@ proto-plus==1.26.0
# via
# google-api-core
# google-cloud-parallelstore
protobuf==6.30.0
protobuf==6.33.5
# via
# google-api-core
# google-cloud-parallelstore