rusackas opened a new pull request, #40537: URL: https://github.com/apache/superset/pull/40537
### SUMMARY

Resolves high-severity Dependabot alert [GHSA-7gcm-g887-7qv7](https://github.com/apache/superset/security/dependabot/940) — `protobuf` JSON recursion depth bypass (vulnerable `< 5.29.6`). Covers alerts **#940** (`requirements/development.txt`) and **#1195**.

**Why Dependabot couldn't fix it:** `protobuf` is a transitive dependency pulled in via the BigQuery / google-cloud stack, and it was capped at the 4.x line by `google-cloud-bigquery-storage 2.19.1`, which requires `protobuf <5.0.0dev`. Dependabot can't bump protobuf without also moving that constraint.

**Fix:** bump `google-cloud-bigquery-storage` to `2.26.0` — the first release that relaxes its pin to `protobuf <6.0.0dev` — which unblocks `protobuf 5.29.6`. All other protobuf consumers already permit 5.x:

| Consumer | protobuf constraint |
|----------|---------------------|
| `google-api-core 2.23.0` | `<6.0.0.dev0,>=3.19.5` ✅ |
| `googleapis-common-protos 1.66.0` | `<6.0.0.dev0,>=3.20.2` ✅ |
| `grpcio-status 1.60.1` | `>=4.21.6` ✅ |
| `proto-plus 1.25.0` | `<6.0.0dev,>=3.19.0` ✅ |
| `google-cloud-bigquery-storage` | `<5.0.0dev` → bumped to 2.26.0 (`<6.0.0dev`) ✅ |

The lockfile was regenerated with `./scripts/uv-pip-compile.sh -P protobuf==5.29.6 -P google-cloud-bigquery-storage==2.26.0` (canonical Python version, existing pins preserved), yielding a minimal diff. `google-cloud-bigquery-storage 2.26.0` introduces no new transitive dependencies.

`protobuf` is a development-only dependency (BigQuery DB engine) and is not present in `requirements/base.txt`; alert #1195 references `base.txt` but protobuf isn't pinned there, so it should auto-resolve once Dependabot rescans.
### TESTING INSTRUCTIONS

- [ ] CI passes
- [ ] BigQuery DB engine tests pass with protobuf 5.x

### ADDITIONAL INFORMATION

- [ ] Has associated issue: Dependabot alerts #940, #1195
- [ ] Required feature flags: n/a
- [ ] Changes UI: No
- [ ] Includes DB Migration: No
- [ ] Introduces new feature or API: No
- [ ] Removes existing feature or API: No

🤖 Generated with [Claude Code](https://claude.com/claude-code)
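The reasoning in the PR description is a constraint check: a candidate `protobuf` version is only installable if every consumer's specifier admits it, and a single tight pin (`<5.0.0dev`) is enough to hold the whole stack on 4.x. The script below is an added illustration, not code from the Superset repository, that reproduces that check with the standard library only. The consumer table is copied from the PR description; `parse_version`, `satisfies` and `blocking_consumers` are names chosen here. It handles just the PEP 440 subset those pins use (dotted releases plus a `dev` suffix) and uses plain ordered comparison, so it does not implement the full PEP 440 pre-release exclusion rules.

```python
import re
from typing import Callable, Dict, List, Tuple

# Consumer constraints as listed in the PR description (constructed table,
# values copied from there). Each entry: (consumer, protobuf specifier set).
CONSUMERS_BEFORE: List[Tuple[str, str]] = [
    ("google-api-core 2.23.0", "<6.0.0.dev0,>=3.19.5"),
    ("googleapis-common-protos 1.66.0", "<6.0.0.dev0,>=3.20.2"),
    ("grpcio-status 1.60.1", ">=4.21.6"),
    ("proto-plus 1.25.0", "<6.0.0dev,>=3.19.0"),
    ("google-cloud-bigquery-storage 2.19.1", "<5.0.0dev"),
]

# Same set after the fix: only the bigquery-storage pin changes.
CONSUMERS_AFTER: List[Tuple[str, str]] = CONSUMERS_BEFORE[:-1] + [
    ("google-cloud-bigquery-storage 2.26.0", "<6.0.0dev"),
]

# PEP 440 subset used by these pins: N(.N)* with an optional [.]dev[N] suffix.
_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)(?:\.?(?P<dev>dev)(?P<devnum>\d*))?$"
)
_SPEC_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(\S+)$")

_OPS: Dict[str, Callable[[tuple, tuple], bool]] = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_version(text: str) -> tuple:
    """Turn a version string into a tuple that sorts in PEP 440 order for
    this subset: trailing zeros are insignificant (5.0 == 5.0.0) and a dev
    release sorts before the final release with the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    release = tuple(int(p) for p in m.group("release").split("."))
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    if m.group("dev") is None:
        return (release, 1, 0)  # final release: after any dev of same release
    return (release, 0, int(m.group("devnum") or 0))


def satisfies(candidate: str, specifier_set: str) -> bool:
    """True if `candidate` passes every comma-separated clause.
    Simplification: purely ordered comparison; real PEP 440 additionally
    excludes pre-releases of V from `<V`, which is why these consumers
    spell their upper bound as `<6.0.0dev` rather than `<6.0.0`."""
    cand = parse_version(candidate)
    for clause in specifier_set.split(","):
        m = _SPEC_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, version = m.groups()
        if not _OPS[op](cand, parse_version(version)):
            return False
    return True


def blocking_consumers(candidate: str, consumers: List[Tuple[str, str]]) -> List[str]:
    """Names of the consumers whose pin rejects `candidate`. An empty list
    means the resolver could pick that version for the whole stack."""
    return [name for name, spec in consumers if not satisfies(candidate, spec)]


if __name__ == "__main__":
    fixed = "5.29.6"  # first protobuf release not affected per the advisory
    print("before bump, blocked by:", blocking_consumers(fixed, CONSUMERS_BEFORE))
    print("after bump, blocked by: ", blocking_consumers(fixed, CONSUMERS_AFTER))
```

Run against the "before" table the only blocker reported is `google-cloud-bigquery-storage 2.19.1`; against the "after" table the list is empty, which is the condition Dependabot needs before it can bump `protobuf` on its own. Swapping in a different candidate shows the same check failing on the lower bounds instead, which is how a reviewer can tell a pin conflict from a genuinely unsupported version.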
