Skip to content

proto: relax protobuf upper bound to <8.0#5100

Closed
tanmaydarmorha wants to merge 1 commit intoopen-telemetry:mainfrom
tanmaydarmorha:bump-protobuf-upper-bound
Closed

proto: relax protobuf upper bound to <8.0#5100
tanmaydarmorha wants to merge 1 commit intoopen-telemetry:mainfrom
tanmaydarmorha:bump-protobuf-upper-bound

Conversation

@tanmaydarmorha
Copy link
Copy Markdown

@tanmaydarmorha tanmaydarmorha commented Apr 14, 2026

Description

Relax the protobuf upper bound in opentelemetry-proto from <7.0 to <8.0 so downstream users of opentelemetry-exporter-otlp (and its proto-grpc / proto-common / proto-http variants) can adopt protobuf>=7.0.

Protobuf 7.0 contains the fix for CVE-2026-8994 (CVSS 7.58) — a DoS in google.protobuf.json_format.ParseDict() where a malicious payload can bypass input validation. The current <7.0 cap blocks users from picking up that fix without pinning around OTel constraints.

This mirrors the prior bump pattern in #4620 (<6.0<7.0). googleapis-common-protos already allows protobuf <8.0.0, so it is not a blocker.

Fixes #5099

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

  • Installed the package against protobuf==7.34.1 and confirmed opentelemetry.proto.*_pb2 modules import and serialize/deserialize cleanly (wire format is stable across 5.x → 7.x).
  • Installed the package against protobuf==5.29.5 (existing test-requirements.oldest.txt) to confirm the lower bound still resolves.

CI coverage (tox) exercises the proto package against the existing pinned protobuf in test-requirements.txt; no generated code changes, so existing unit tests are unaffected.

Does This PR Require a Contrib Repo Change?

  • Yes. - Link to PR:
  • No.

This PR only relaxes a dependency specifier in opentelemetry-proto/pyproject.toml. No shared config files, CODEOWNERS, scripts copied to contrib, or public interfaces change.

Checklist:

  • Followed the style guidelines of this project
  • Changelogs have been updated
  • Unit tests have been added — N/A (dependency specifier change, no behavioral change in generated or library code)
  • Documentation has been updated — N/A

@tanmaydarmorha tanmaydarmorha requested a review from a team as a code owner April 14, 2026 19:13
@linux-foundation-easycla
Copy link
Copy Markdown

linux-foundation-easycla Bot commented Apr 14, 2026
edited
Loading

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: tanmaydarmorha / name: Tanmay Darmorha (ebabdcc)

@tanmaydarmorha
proto: relax protobuf upper bound to <8.0
ebabdcc 
Unblocks adoption of protobuf 7.x, which contains the fix for
CVE-2026-8994 (DoS in google.protobuf.json_format.ParseDict).

Mirrors the prior bump in open-telemetry#4620 (<6.0 -> <7.0).

Refs open-telemetry#5099
@tanmaydarmorha tanmaydarmorha force-pushed the bump-protobuf-upper-bound branch from 814df4f to ebabdcc Compare April 14, 2026 19:17
xrmx
xrmx reviewed Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@xrmx xrmx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CVE id is wrong, the severity for 2026-0994 as well and the fix has been backported to protobuf 5.29.6 and 6.33.4 as well.

@xrmx xrmx closed this Apr 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xrmx xrmx xrmx left review comments

Assignees

No one assigned

Labels

None yet

Projects

Python PR digest
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bump protobuf upper bound from <7.0 to <8.0 in opentelemetry-proto (CVE-2026-8994)

2 participants

@tanmaydarmorha @xrmx