diff --git a/a2a/file_organizer/pyproject.toml b/a2a/file_organizer/pyproject.toml index a948b636..29993876 100644 --- a/a2a/file_organizer/pyproject.toml +++ b/a2a/file_organizer/pyproject.toml @@ -29,7 +29,7 @@ dependencies = [ "cryptography>=48.0.0,<49", # Indirect; prevents CVE-2026-26007 "mcp>=1.28.1", # Indirect; prevents CVE-2025-66416 "orjson>=3.11.6", # Indirect; prevents CVE-2025-67221 - "protobuf>=6.33.5", # Indirect; prevents CVE-2026-0994 + "protobuf>=6.33.5,<7", # Indirect; prevents CVE-2026-0994. Cap <7: opentelemetry-proto requires protobuf<7.0 (proto7 downgrades OTel and breaks startup) "pyasn1>=0.6.3", # Indirect; prevents CVE-2026-30922 "pyjwt>=2.13.0", # Indirect; prevents CVE-2026-32597 ] diff --git a/a2a/file_organizer/uv.lock b/a2a/file_organizer/uv.lock index 356196a7..7794aae2 100644 --- a/a2a/file_organizer/uv.lock +++ b/a2a/file_organizer/uv.lock @@ -551,7 +551,7 @@ requires-dist = [ { name = "opentelemetry-exporter-otlp", specifier = ">=1.43.0" }, { name = "opentelemetry-proto", specifier = ">=1.42.1" }, { name = "orjson", specifier = ">=3.11.6" }, - { name = "protobuf", specifier = ">=6.33.5" }, + { name = "protobuf", specifier = ">=6.33.5,<7" }, { name = "pyasn1", specifier = ">=0.6.3" }, { name = "pydantic-settings", specifier = ">=2.14.2" }, { name = "pyjwt", specifier = ">=2.13.0" }, diff --git a/a2a/image_service/pyproject.toml b/a2a/image_service/pyproject.toml index 74ad33cd..7de2fcf0 100644 --- a/a2a/image_service/pyproject.toml +++ b/a2a/image_service/pyproject.toml @@ -23,7 +23,7 @@ dependencies = [ "aiohttp>=3.14.0", # Indirect; prevents CVE-2026-34525, CVE-2026-34516, CVE-2026-34515, CVE-2026-22815 "mcp>=1.28.1", # Indirect; prevents CVE-2025-66416 "orjson>=3.11.6", # Indirect; prevents CVE-2025-67221 - "protobuf>=6.33.5", # Indirect; prevents CVE-2026-0994 + "protobuf>=6.33.5,<7", # Indirect; prevents CVE-2026-0994. Cap <7: opentelemetry-proto requires protobuf<7.0 (proto7 downgrades OTel and breaks startup) "pyasn1>=0.6.3", # Indirect; prevents CVE-2026-30922 "cryptography>=48.0.0,<49", # Indirect; prevents CVE-2026-26007 "pyjwt>=2.13.0", # Indirect; prevents CVE-2026-32597 diff --git a/a2a/image_service/uv.lock b/a2a/image_service/uv.lock index 4258c0b9..23ee4896 100644 --- a/a2a/image_service/uv.lock +++ b/a2a/image_service/uv.lock @@ -872,7 +872,7 @@ requires-dist = [ { name = "opentelemetry-exporter-otlp", specifier = ">=1.43.0" }, { name = "opentelemetry-proto", specifier = ">=1.42.1" }, { name = "orjson", specifier = ">=3.11.6" }, - { name = "protobuf", specifier = ">=6.33.5" }, + { name = "protobuf", specifier = ">=6.33.5,<7" }, { name = "pyasn1", specifier = ">=0.6.3" }, { name = "pydantic-settings", specifier = ">=2.14.2" }, { name = "pyjwt", specifier = ">=2.13.0" },