From ca2b2bca9975d02d825a29b129685b9bc2a8e9af Mon Sep 17 00:00:00 2001 From: Paolo Dettori Date: Tue, 7 Jul 2026 22:25:00 -0400 Subject: [PATCH] fix(deps): cap protobuf<7 in file_organizer and image_service protobuf 7.x is incompatible with every released opentelemetry: the opentelemetry-proto package requires protobuf>=5.0,<7.0. Bumping to protobuf>=7 (Dependabot #507/#510) forces uv to walk the entire OpenTelemetry stack back to a 2022-era release (1.11.1), which is incompatible with the retained modern otel-api/sdk and crashes the agent at startup (test-startup: exit 2, server never binds). There is no security benefit: the existing protobuf>=6.33.5 pin already resolves 6.33.6, which mitigates CVE-2026-0994. Cap protobuf<7 (still >=6.33.5) in both services and re-lock. This also prevents Dependabot from recreating the major-bump PRs, since they can no longer satisfy the constraint. Supersedes #507 and #510. Assisted-By: Claude (Anthropic AI) Signed-off-by: Paolo Dettori --- a2a/file_organizer/pyproject.toml | 2 +- a2a/file_organizer/uv.lock | 2 +- a2a/image_service/pyproject.toml | 2 +- a2a/image_service/uv.lock | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/a2a/file_organizer/pyproject.toml b/a2a/file_organizer/pyproject.toml index a948b636..29993876 100644 --- a/a2a/file_organizer/pyproject.toml +++ b/a2a/file_organizer/pyproject.toml @@ -29,7 +29,7 @@ dependencies = [ "cryptography>=48.0.0,<49", # Indirect; prevents CVE-2026-26007 "mcp>=1.28.1", # Indirect; prevents CVE-2025-66416 "orjson>=3.11.6", # Indirect; prevents CVE-2025-67221 - "protobuf>=6.33.5", # Indirect; prevents CVE-2026-0994 + "protobuf>=6.33.5,<7", # Indirect; prevents CVE-2026-0994. Cap <7: opentelemetry-proto requires protobuf<7.0 (proto7 downgrades OTel and breaks startup) "pyasn1>=0.6.3", # Indirect; prevents CVE-2026-30922 "pyjwt>=2.13.0", # Indirect; prevents CVE-2026-32597 ] diff --git a/a2a/file_organizer/uv.lock b/a2a/file_organizer/uv.lock index 356196a7..7794aae2 100644 --- a/a2a/file_organizer/uv.lock +++ b/a2a/file_organizer/uv.lock @@ -551,7 +551,7 @@ requires-dist = [ { name = "opentelemetry-exporter-otlp", specifier = ">=1.43.0" }, { name = "opentelemetry-proto", specifier = ">=1.42.1" }, { name = "orjson", specifier = ">=3.11.6" }, - { name = "protobuf", specifier = ">=6.33.5" }, + { name = "protobuf", specifier = ">=6.33.5,<7" }, { name = "pyasn1", specifier = ">=0.6.3" }, { name = "pydantic-settings", specifier = ">=2.14.2" }, { name = "pyjwt", specifier = ">=2.13.0" }, diff --git a/a2a/image_service/pyproject.toml b/a2a/image_service/pyproject.toml index 74ad33cd..7de2fcf0 100644 --- a/a2a/image_service/pyproject.toml +++ b/a2a/image_service/pyproject.toml @@ -23,7 +23,7 @@ dependencies = [ "aiohttp>=3.14.0", # Indirect; prevents CVE-2026-34525, CVE-2026-34516, CVE-2026-34515, CVE-2026-22815 "mcp>=1.28.1", # Indirect; prevents CVE-2025-66416 "orjson>=3.11.6", # Indirect; prevents CVE-2025-67221 - "protobuf>=6.33.5", # Indirect; prevents CVE-2026-0994 + "protobuf>=6.33.5,<7", # Indirect; prevents CVE-2026-0994. Cap <7: opentelemetry-proto requires protobuf<7.0 (proto7 downgrades OTel and breaks startup) "pyasn1>=0.6.3", # Indirect; prevents CVE-2026-30922 "cryptography>=48.0.0,<49", # Indirect; prevents CVE-2026-26007 "pyjwt>=2.13.0", # Indirect; prevents CVE-2026-32597 diff --git a/a2a/image_service/uv.lock b/a2a/image_service/uv.lock index 4258c0b9..23ee4896 100644 --- a/a2a/image_service/uv.lock +++ b/a2a/image_service/uv.lock @@ -872,7 +872,7 @@ requires-dist = [ { name = "opentelemetry-exporter-otlp", specifier = ">=1.43.0" }, { name = "opentelemetry-proto", specifier = ">=1.42.1" }, { name = "orjson", specifier = ">=3.11.6" }, - { name = "protobuf", specifier = ">=6.33.5" }, + { name = "protobuf", specifier = ">=6.33.5,<7" }, { name = "pyasn1", specifier = ">=0.6.3" }, { name = "pydantic-settings", specifier = ">=2.14.2" }, { name = "pyjwt", specifier = ">=2.13.0" },