fix: relax protobuf and requests dependency lower bounds

[sohankshirsagar]

Summary

The SDK's dependency lower bounds for protobuf and requests were unnecessarily strict, causing installation failures in projects that pin older (but fully compatible) versions of these libraries. This was discovered when integrating the SDK into a project that uses google-cloud-translate (which requires protobuf<6.0) and pins requests==2.32.3.

Changes

• Relax protobuf from >=6.0 to >=3.20.0
• Relax requests from >=2.32.5 to >=2.28.0

Why this is safe

protobuf>=3.20.0: The SDK's core code barely uses google.protobuf directly. The only usage is google.protobuf.json_format.MessageToDict in grpc/utils.py (available since protobuf 3.x, with a fallback), and protobuf_utils.py which uses duck typing with no direct protobuf imports. The only file that actually requires protobuf 6 is greeter_pb2.py, which is an e2e test artifact — not part of the SDK runtime. The primary protobuf interaction is through betterproto (via tusk-drift-schemas), which is independent of the protobuf package version.

requests>=2.28.0: The SDK uses only long-stable requests APIs: Session.send(), Response() constructor, _content, _content_consumed, hooks.dispatch_hook, and standard response attributes (status_code, reason, headers, content). All of these have been stable across the entire requests 2.x line. The 2.28.0 floor aligns with the version that dropped Python 2.7/3.6, matching the SDK's own requires-python = ">=3.9".

[tusk-dev]

PR identified as a dependency upgrade

Tip

New to Tusk Unit Tests? Learn more here.

View check history

Commit	Status	Output	Created (UTC)
5a8b741	PR identified as a dependency upgrade	Output	Mar 18, 2026 8:17PM

[cubic-dev-ai]

No issues found across 1 file