Skip to content

Update protobuf to 5.29.5 to address security vulnerability#525

Merged
rohanshah18 merged 1 commit intomainfrom
rshah/update-protobuf-version
Oct 31, 2025
Merged

Update protobuf to 5.29.5 to address security vulnerability#525
rohanshah18 merged 1 commit intomainfrom
rshah/update-protobuf-version

Conversation

@rohanshah18
Copy link
Contributor

@rohanshah18 rohanshah18 commented Oct 13, 2025

Problem

The Pinecone Python client is currently using protobuf version ^5.29, which includes vulnerable versions that are affected by GHSA-8qvm-5x2c-j2w7. This vulnerability involves uncontrolled recursion in Protobuf's pure-Python backend, which could lead to Denial of Service (DoS) attacks.

Solution

Updated the protobuf dependency constraint from ^5.29 to ^5.29.5 to ensure we're using the patched version that addresses this security vulnerability. The changes include:

  • Updated pyproject.toml: Changed protobuf version constraint from ^5.29 to ^5.29.5
  • Updated testing-dependency-grpc.yaml: Updated protobuf version from 5.29.1 to 5.29.5 in all three dependency testing matrix configurations
  • Verified that poetry.lock already contains protobuf 5.29.5, so no additional lock file updates were needed

This is a patch version update, so no breaking changes are expected. The protobuf dependency is optional and only installed when the grpc extra is requested.

Note: This is a security patch release to address the immediate vulnerability for existing users. A future release will include a comprehensive update to protobuf 6.x, which may include breaking changes and will require more extensive testing and migration planning.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • Infrastructure change (CI configs, etc)
  • Non-code change (docs, etc)
  • None of the above: (explain here)

Test Plan

  • Verified protobuf 5.29.5 is already installed and working
  • Updated CI/CD pipeline to test with the new version
  • No breaking changes expected as this is a patch version update

austin-denoble
austin-denoble approved these changes Oct 13, 2025
View reviewed changes
Copy link
Contributor

@austin-denoble austin-denoble left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable to me, thanks for following up on this.

I'll defer to @jhamon for any Python specifics around this.

@rohanshah18
Copy link
Contributor Author

rohanshah18 commented Oct 31, 2025

Admin api tests are failing but they are safe to ignore because of some internal changes to org which resulted in max_pods = 20 instead 0.

@rohanshah18 rohanshah18 merged commit 47757ff into main Oct 31, 2025
68 of 70 checks passed
@rohanshah18 rohanshah18 deleted the rshah/update-protobuf-version branch October 31, 2025 16:40
jhamon pushed a commit that referenced this pull request Nov 4, 2025
@rohanshah18 @jhamon
Update protobuf to 5.29.5 to address security vulnerability (#525)
9f0eddb 
## Problem

The Pinecone Python client is currently using protobuf version `^5.29`,
which includes vulnerable versions that are affected by
[GHSA-8qvm-5x2c-j2w7](GHSA-8qvm-5x2c-j2w7).
This vulnerability involves uncontrolled recursion in Protobuf's
pure-Python backend, which could lead to Denial of Service (DoS)
attacks.

## Solution

Updated the protobuf dependency constraint from `^5.29` to `^5.29.5` to
ensure we're using the patched version that addresses this security
vulnerability. The changes include:

- Updated `pyproject.toml`: Changed protobuf version constraint from
`^5.29` to `^5.29.5`
- Updated `testing-dependency-grpc.yaml`: Updated protobuf version from
`5.29.1` to `5.29.5` in all three dependency testing matrix
configurations
- Verified that `poetry.lock` already contains protobuf 5.29.5, so no
additional lock file updates were needed

This is a patch version update, so no breaking changes are expected. The
protobuf dependency is optional and only installed when the `grpc` extra
is requested.

**Note:** This is a security patch release to address the immediate
vulnerability for existing users. A future release will include a
comprehensive update to protobuf 6.x, which may include breaking changes
and will require more extensive testing and migration planning.


## Type of Change

- [X] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] This change requires a documentation update
- [ ] Infrastructure change (CI configs, etc)
- [ ] Non-code change (docs, etc)
- [ ] None of the above: (explain here)

## Test Plan

- Verified protobuf 5.29.5 is already installed and working
- Updated CI/CD pipeline to test with the new version
- No breaking changes expected as this is a patch version update
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@austin-denoble austin-denoble austin-denoble approved these changes

@jhamon jhamon Awaiting requested review from jhamon

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rohanshah18 @austin-denoble