chore(deps): update dependency protobuf to v6.33.5 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
protobuf	==6.33.0 → ==6.33.5

GitHub Vulnerability Alerts

CVE-2026-0994

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.

Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the protobuf library to its latest patch version, 6.33.5, primarily to resolve a critical security vulnerability. This ensures the project's dependencies are kept up-to-date and protected against known exploits, maintaining the overall integrity and stability of the application.

Highlights

• Dependency Update: The protobuf dependency has been updated from version 6.33.0 to 6.33.5.
• Security Fix: This update addresses a denial-of-service (DoS) vulnerability (CVE-2026-0994) in google.protobuf.json_format.ParseDict() which could be exploited by bypassing the max_recursion_depth limit with nested google.protobuf.Any messages.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the protobuf dependency to version 6.33.5 to address a security vulnerability. While the update is necessary, the change is made directly to requirements.txt, which is an auto-generated file. To ensure the change is permanent and maintainable, the dependency should be pinned in requirements.in and requirements.txt should be regenerated using pip-compile. I've added a comment with details on how to do this.

[gemini-code-assist]

This change updates the protobuf dependency directly in requirements.txt. However, as stated in the file header, this file is auto-generated from requirements.in.

To prevent this security fix from being accidentally reverted, please pin the version in requirements.in and regenerate requirements.txt. You should change protobuf to protobuf==6.33.5 in requirements.in and then run pip-compile --allow-unsafe --generate-hashes requirements.in.

References

1. For generated code, apply fixes to the generator templates rather than patching individual output files to ensure consistency across the codebase.

[parthea]

This change won't be reverted