proto: relax protobuf upper bound to <8.0

tanmaydarmorha · tanmaydarmorha · commit ebabdccec7e7 · 2026-04-15T00:46:54.000+05:30
Unblocks adoption of protobuf 7.x, which contains the fix for CVE-2026-8994 (DoS in google.protobuf.json_format.ParseDict). Mirrors the prior bump in #4620 (<6.0 -> <7.0). Refs #5099
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   ([#4907](https://github.com/open-telemetry/opentelemetry-python/issues/4907))
 - Drop Python 3.9 support
   ([#5076](https://github.com/open-telemetry/opentelemetry-python/pull/5076))
+- `opentelemetry-proto`: relax protobuf upper bound from `<7.0` to `<8.0` to unblock adoption of protobuf 7.x (CVE-2026-8994)
+  ([#5099](https://github.com/open-telemetry/opentelemetry-python/issues/5099))
 
 
 ## Version 1.41.0/0.62b0 (2026-04-09)
diff --git a/opentelemetry-proto/pyproject.toml b/opentelemetry-proto/pyproject.toml
@@ -25,7 +25,7 @@ classifiers = [
   "Programming Language :: Python :: 3.14",
 ]
 dependencies = [
-  "protobuf>=5.0, < 7.0",
+  "protobuf>=5.0, < 8.0",
 ]
 
 [project.urls]

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ classifiers = [`
`25`	`25`	`"Programming Language :: Python :: 3.14",`
`26`	`26`	`]`
`27`	`27`	`dependencies = [`
`28`		`- "protobuf>=5.0, < 7.0",`
	`28`	`+ "protobuf>=5.0, < 8.0",`
`29`	`29`	`]`
`30`	`30`
`31`	`31`	`[project.urls]`