Conversation

@nthmost-orkes
Contributor

Summary

Upgrades protobuf from 3.25.5 to 4.33.0 to address a security vulnerability (CVE announced Jan 2025).

Changes

  • Update protobuf-java from 3.25.5 to 4.33.0 (runtime)
  • Update protobuf-gradle-plugin from 0.8.19 to 0.9.5
  • Use protoc 3.25.5 for code generation (maintains gRPC 1.73.0 compatibility)
  • Fix hardcoded protobuf version in annotations-processor to use ${revProtoBuf} variable

Technical Notes

This upgrade uses the recommended approach for protobuf 3.x → 4.x migration:

  • Runtime: protobuf-java 4.33.0 (gets security fixes)
  • Code generation: protoc 3.25.5 (maintains backward compatibility)

See: grpc/grpc-java#12246

Testing

  • ✅ Full build passes
  • ✅ All gRPC module tests pass
  • ✅ Protobuf code regenerated successfully

Closes

Part of #640 (Epic: Dependabot PR Cleanup and Security Updates)

- Update protobuf-java from 3.25.5 to 4.33.0 (addresses CVE announced Jan 2025)
- Update protobuf-gradle-plugin from 0.8.19 to 0.9.5
- Use protoc 3.25.5 for code generation (maintains gRPC compatibility)
- Fix hardcoded protobuf version in annotations-processor

Closes #644
Closes #232
Closes #231
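The build shape the Summary and Technical Notes describe, written out as an added illustration rather than the PR's own diff (which is not shown on this page): the protobuf-java runtime pinned through one `revProtoBuf` variable, with protoc held at 3.25.5 for code generation. The `ext` block, the `revProtoc` name and the single-file layout are assumptions about the project's build.

```groovy
// Illustrative build.gradle fragment (assumed layout; versions are the ones named in the PR).
plugins {
    id 'java'
    id 'com.google.protobuf' version '0.9.5'   // plugin bumped from 0.8.19
}

ext {
    revProtoBuf = '4.33.0'   // protobuf-java runtime: carries the 2025 security fixes
    revProtoc   = '3.25.5'   // protoc for code generation: keeps gRPC 1.73.0 compatibility
}

dependencies {
    // Before: a hardcoded version in one module (annotations-processor) drifts from the rest
    //   implementation 'com.google.protobuf:protobuf-java:3.25.5'
    // After: every module resolves the same runtime through the shared variable
    implementation "com.google.protobuf:protobuf-java:${revProtoBuf}"

    // gRPC artifacts still declare protobuf-java 3.x transitively; Gradle's default
    // conflict resolution picks the highest version, so 4.33.0 wins on the classpath.
    implementation 'io.grpc:grpc-protobuf:1.73.0'
}

protobuf {
    protoc {
        // Code generation deliberately stays on 3.25.5 (the 3.x -> 4.x migration path
        // the PR follows): generated sources are compiled against the 4.33.0 runtime.
        artifact = "com.google.protobuf:protoc:${revProtoc}"
    }
}
```

To confirm nothing still pins the old runtime after such a change, `./gradlew dependencies --configuration runtimeClasspath` should list protobuf-java only as `3.25.5 -> 4.33.0` (or plain `4.33.0`), never as an unresolved 3.25.5.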
@nthmost-orkes
Contributor Author

Testing locally with a couple different configurations -- will merge tomorrow if no issues.

@nthmost-orkes nthmost-orkes merged commit aa7de92 into main Dec 5, 2025
9 checks passed
@nthmost-orkes nthmost-orkes deleted the upgrade-protobuf-4.33.0 branch December 5, 2025 20:49
@nthmost-orkes nthmost-orkes added the dependencies Pull requests that update a dependency file label Dec 5, 2025
Development

Successfully merging this pull request may close these issues.

Upgrade protobuf to 4.33.0 (major version, security vulnerability)