Fix CVE-2026-0994: Update protobuf to 5.29.6 (#13011)

Co-authored-by: OpenHands CVE Fix Bot <openhands@all-hands.dev>
2026-03-22 05:37:20 +08:00 · 2026-02-24 17:25:40 -06:00
parent a0dba6124a
commit b84f352b63
3 changed files with 27 additions and 27 deletions
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -66,7 +66,7 @@ dependencies = [
  "playwright>=1.55",
  "poetry>=2.1.2",
  "prompt-toolkit>=3.0.50",
-  "protobuf>=5,<6",
+  "protobuf>=5.29.6,<6",
  "psutil",
  "pybase62>=1",
  "pygithub>=2.5",
@@ -191,7 +191,7 @@ tornado = ">=6.5"
 python-dotenv = "*"
 rapidfuzz = "^3.9.0"
 whatthepatch = "^1.0.6"
-protobuf = "^5.0.0,<6.0.0"                         # Updated to support newer opentelemetry
+protobuf = ">=5.29.6,<6.0.0"                       # Updated to fix CVE-2026-0994
 opentelemetry-api = "^1.33.1"
 opentelemetry-exporter-otlp-proto-grpc = "^1.33.1"