Comparing changes
base repository: cloudquery/plugin-sdk-python
base: v0.1.44
head repository: cloudquery/plugin-sdk-python
compare: v0.1.45
- 6 commits
- 3 files changed
- 1 contributor
Commits on Jun 16, 2025
-
fix(deps): Update dependency protobuf to v5.29.5 [SECURITY] (#301)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [protobuf](https://developers.google.com/protocol-buffers/) | patch | `==5.29.4` -> `==5.29.5` |

### GitHub Vulnerability Alerts

#### [CVE-2025-4565](https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8)

### Summary

Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of **recursive groups**, **recursive messages** or **a series of [`SGROUP`](https://protobuf.dev/programming-guides/encoding/#groups) tags** can be corrupted by exceeding the Python recursion limit.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [ecosystem@trailofbits.com](mailto:ecosystem@trailofbits.com)

Affected versions: This issue only affects the [pure-Python implementation](https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends) of protobuf-python backend. This is the implementation when `PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python` environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default.

This is a Python variant of a [previous issue affecting protobuf-java](https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8).

### Severity

This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker.

### Proof of Concept

For reproduction details, please refer to the unit tests [decoder_test.py](https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98) and [message_test](https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478)

### Remediation and Mitigation

A mitigation is available now. Please update to the latest available versions of the following packages:

* protobuf-python(4.25.8, 5.29.5, 6.31.1)

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Commit dbc81e3
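An added example (not code from this repository or from the protobuf project): a small audit that compares `protobuf` pins in a requirements file against the fixed releases the advisory lists and factors in whether the pure-Python backend is active. The function names, risk labels and sample requirements text are assumptions made for illustration.

```python
import os
import re

# Fixed releases per major line, taken from the advisory text in the commit message.
FIXED = {4: (4, 25, 8), 5: (5, 29, 5), 6: (6, 31, 1)}
PIN_RE = re.compile(r"^\s*protobuf\s*==\s*(\d+)\.(\d+)\.(\d+)\s*(?:#.*)?$", re.IGNORECASE)

# Constructed sample: the protobuf pin as it stood before this update.
SAMPLE_REQUIREMENTS = "grpcio==1.71.0\nprotobuf==5.29.4\n"


def classify_pin(version):
    """Classify a (major, minor, patch) tuple against the advisory's fixed releases."""
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "no-fix-listed"  # advisory text names no fix for this major line
    return "patched" if version >= fixed else "vulnerable"


def active_backend(env=os.environ):
    """Return 'python' if the env var forces it, else what the installed protobuf reports."""
    if env.get("PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION", "").strip().lower() == "python":
        return "python"
    try:
        from google.protobuf.internal import api_implementation
    except ImportError:
        return None  # protobuf not installed in this interpreter
    return api_implementation.Type()


def audit(requirements_text, backend):
    """Return one finding per exact protobuf pin found in the requirements text."""
    findings = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        match = PIN_RE.match(line)
        if not match:
            continue
        version = tuple(int(part) for part in match.groups())
        status = classify_pin(version)
        if status == "patched":
            risk = "ok"
        elif status == "vulnerable" and backend == "python":
            risk = "high"    # unpatched parser and the affected backend is active
        else:
            risk = "review"  # unpatched or unlisted pin; backend must be confirmed
        findings.append({"line": lineno, "version": version, "status": status, "risk": risk})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS, active_backend()):
        print(finding)
```

A `review` result still needs follow-up, because the advisory notes that Bazel builds and pure-Python wheels use the affected backend by default even when the environment variable is unset.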
Commits on Jun 26, 2025
-
fix(deps): Update dependency cloudquery-plugin-pb to v0.0.44 (#303)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cloudquery-plugin-pb](https://github.com/cloudquery/plugin-pb-python) | patch | `==0.0.43` -> `==0.0.44` |

---

### Release Notes

<details>
<summary>cloudquery/plugin-pb-python (cloudquery-plugin-pb)</summary>

### [`v0.0.44`](https://github.com/cloudquery/plugin-pb-python/blob/HEAD/CHANGELOG.md#0044-2025-06-25)

[Compare Source](https://github.com/cloudquery/plugin-pb-python/compare/v0.0.43...v0.0.44)

##### Bug Fixes

- **deps:** Update dependency protobuf to v5.29.5 \[SECURITY] ([#162](https://github.com/cloudquery/plugin-pb-python/issues/162)) ([bdf356e](https://github.com/cloudquery/plugin-pb-python/commit/bdf356e85bd68e4d8db31c6b29c68149eea75c22))
- Generate Python Code from `plugin-pb` ([#164](https://github.com/cloudquery/plugin-pb-python/issues/164)) ([386b701](https://github.com/cloudquery/plugin-pb-python/commit/386b701fe64be6aa2a9a08cddbc0c1a104e621b8))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Commit aefd9e1
Commits on Jul 1, 2025
-
fix(deps): Update dependency exceptiongroup to v1.3.0 (#304)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [exceptiongroup](https://github.com/agronholm/exceptiongroup) ([changelog](https://github.com/agronholm/exceptiongroup/blob/main/CHANGES.rst)) | minor | `==1.2.2` -> `==1.3.0` |

---

### Release Notes

<details>
<summary>agronholm/exceptiongroup (exceptiongroup)</summary>

### [`v1.3.0`](https://github.com/agronholm/exceptiongroup/releases/tag/1.3.0)

[Compare Source](https://github.com/agronholm/exceptiongroup/compare/1.2.2...1.3.0)

- Added `**kwargs` to function and method signatures as appropriate to match the signatures in the standard library
- In line with the stdlib typings in typeshed, updated `(Base)ExceptionGroup` generic types to define defaults for their generic arguments (defaulting to `BaseExceptionGroup[BaseException]` and `ExceptionGroup[Exception]`) (PR by [@mikenerone](https://github.com/mikenerone))
- Changed `BaseExceptionGroup.__init__()` to directly call `BaseException.__init__()` instead of the superclass `__init__()` in order to emulate the CPython behavior (broken or not) (PR by [@cfbolz](https://github.com/cfbolz))
- Changed the `exceptions` attribute to always return the same tuple of exceptions, created from the original exceptions sequence passed to `BaseExceptionGroup` to match CPython behavior ([#143](https://github.com/agronholm/exceptiongroup/issues/143))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Commit 73e911f
-
fix(deps): Update dependency grpcio to v1.73.0 (#305)
This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| [grpcio](https://grpc.io) ([source](https://github.com/grpc/grpc)) | minor | `==1.71.0` -> `==1.73.0` | `1.73.1` |

---

### Release Notes

<details>
<summary>grpc/grpc (grpcio)</summary>

### [`v1.73.0`](https://github.com/grpc/grpc/releases/tag/v1.73.0)

[Compare Source](https://github.com/grpc/grpc/compare/v1.72.2...v1.73.0)

This is release 1.73.0 ([gradient](https://github.com/grpc/grpc/blob/master/doc/g_stands_for.md)) of gRPC Core.

For gRPC documentation, see [grpc.io](https://grpc.io/). For previous releases, see [Releases](https://github.com/grpc/grpc/releases).

This release contains refinements, improvements, and bug fixes, with highlights listed below.

## Core

As of this version, gRPC on MacOS & iOS will utilize Abseil's synchronization features, aligning it with other platforms. Should you encounter any issues due to this update, you can disable it by enabling GPR_DISABLE_ABSEIL_SYNC. If you do this, please report any problems by filing a bug at https://github.com/grpc/grpc.

- \[Dep] Update Protobuf to v31.0. ([#39392](https://github.com/grpc/grpc/pull/39392))
- \[Core] Added GPR_DISABLE_ABSEIL_SYNC. ([#39562](https://github.com/grpc/grpc/pull/39562))
- \[xds_override_host] pass through per-endpoint args when creating subchannels. ([#39532](https://github.com/grpc/grpc/pull/39532))
- Expose GRPC_OPENSSL_CLEANUP_TIMEOUT to control shutdown grace period. ([#39297](https://github.com/grpc/grpc/pull/39297))
- \[URI] fix parsing of user_info in proxy settings. ([#39004](https://github.com/grpc/grpc/pull/39004))
- \[EventEngine] Fix busy loop in thread pool when shutting down. ([#39258](https://github.com/grpc/grpc/pull/39258))
- \[Dep] Added a flag to build with `openssl` instead of `boringssl`. ([#39188](https://github.com/grpc/grpc/pull/39188))
- \[EventEngine] Cleanup: EventEngine client, listener, and dns experiments are on by default on all platforms. ([#39079](https://github.com/grpc/grpc/pull/39079))

## C++

- \[OpenCensus] Mark OpenCensus and dependent APIs as deprecated. ([#39554](https://github.com/grpc/grpc/pull/39554))

## Python

- \[Python] Pin Cython to 3.1.1. ([#39609](https://github.com/grpc/grpc/pull/39609))
- \[Python] grpc_tools: make PythonGrpcGenerator handle dot `.` in proto paths the same way as native Generator/PyiGenerator. ([#39586](https://github.com/grpc/grpc/pull/39586))

## Ruby

- \[Ruby] add remove_unused_artifacts to opt build. ([#39593](https://github.com/grpc/grpc/pull/39593))

### [`v1.72.2`](https://github.com/grpc/grpc/releases/tag/v1.72.2)

[Compare Source](https://github.com/grpc/grpc/compare/v1.72.1...v1.72.2)

This is release 1.72.2 ([gusto](https://github.com/grpc/grpc/blob/master/doc/g_stands_for.md)) of gRPC Core.

For gRPC documentation, see [grpc.io](https://grpc.io/). For previous releases, see [Releases](https://github.com/grpc/grpc/releases).

This release contains refinements, improvements, and bug fixes, with highlights listed below.

## Python

- \[Backport of [#39894](https://github.com/grpc/grpc/issues/39894) to v1.72.x] Fix the issue with gRPC Python Client not reconnecting in certain situations: [#38290](https://github.com/grpc/grpc/issues/38290), [#39113](https://github.com/grpc/grpc/issues/39113), [#39631](https://github.com/grpc/grpc/issues/39631). ([#39949](https://github.com/grpc/grpc/issues/39949))

### [`v1.72.1`](https://github.com/grpc/grpc/releases/tag/v1.72.1)

[Compare Source](https://github.com/grpc/grpc/compare/v1.72.0...v1.72.1)

This is release gRPC Core 1.72.1 (gusto).

For gRPC documentation, see [grpc.io](https://grpc.io/). For previous releases, see [Releases](https://github.com/grpc/grpc/releases).

This release contains refinements, improvements, and bug fixes, with highlights listed below.

## C++

- \[Backport of [#39266](https://github.com/grpc/grpc/issues/39266) to v1.71.x] Protect grpc generated sources from unwanted system macros ([#39484](https://github.com/grpc/grpc/issues/39484)).

## Python

- \[Backport of [#39609](https://github.com/grpc/grpc/issues/39609) to v1.71.x] Pin Cython to 3.1.1 ([#39632](https://github.com/grpc/grpc/issues/39632)). This addresses several issues:
  - [#39588](https://github.com/grpc/grpc/issues/39588) Using inconsistent Cython version in released platform-specific wheels within the same grpcio release.
  - [cython/cython#6878](https://github.com/cython/cython/issues/6878) Several published grpcio wheels were built with Cython 3.1.0 and are affected by Cython memory leak issue when using AsyncIO APIs (`grpc.aio.*`).
- \[Backport of [#39418](https://github.com/grpc/grpc/issues/39418) to v1.71.x] Fix Python 3.12 MacOS universal release artifact ([#39504](https://github.com/grpc/grpc/issues/39504)).

### [`v1.72.0`](https://github.com/grpc/grpc/releases/tag/v1.72.0)

[Compare Source](https://github.com/grpc/grpc/compare/v1.71.2...v1.72.0)

This is release gRPC Core 1.72.0 (gusto).

For gRPC documentation, see [grpc.io](https://grpc.io/). For previous releases, see [Releases](https://github.com/grpc/grpc/releases).

This release contains refinements, improvements, and bug fixes.

### [`v1.71.2`](https://github.com/grpc/grpc/releases/tag/v1.71.2)

[Compare Source](https://github.com/grpc/grpc/compare/v1.71.0...v1.71.2)

This is release 1.71.2 ([gears](https://github.com/grpc/grpc/blob/master/doc/g_stands_for.md)) of gRPC Core.

For gRPC documentation, see [grpc.io](https://grpc.io/). For previous releases, see [Releases](https://github.com/grpc/grpc/releases).

This release contains refinements, improvements, and bug fixes, with highlights listed below.

## C++

- \[Backport of [#39266](https://github.com/grpc/grpc/issues/39266) to v1.71.x] Protect grpc generated sources from unwanted system macros ([#39484](https://github.com/grpc/grpc/issues/39484)).

## Python

- \[Backport of [#39894](https://github.com/grpc/grpc/issues/39894) to v1.71.x] Fix the issue with gRPC Python Client not reconnecting in certain situations: [#38290](https://github.com/grpc/grpc/issues/38290), [#39113](https://github.com/grpc/grpc/issues/39113), [#39631](https://github.com/grpc/grpc/issues/39631) ([#39948](https://github.com/grpc/grpc/issues/39948)).
- \[Backport of [#39609](https://github.com/grpc/grpc/issues/39609) to v1.71.x] Pin Cython to 3.1.1 ([#39636](https://github.com/grpc/grpc/issues/39636)). This addresses several issues:
  - [#39588](https://github.com/grpc/grpc/issues/39588) Using inconsistent Cython version in released platform-specific wheels within the same grpcio release.
  - [cython/cython#6878](https://github.com/cython/cython/issues/6878) Several published grpcio wheels were built with Cython 3.1.0 and are affected by Cython memory leak issue when using AsyncIO APIs (`grpc.aio.*`).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Commit 9c9ee6c
-
fix(deps): Update dependency cloudquery-plugin-pb to v0.0.45 (#306)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cloudquery-plugin-pb](https://github.com/cloudquery/plugin-pb-python) | patch | `==0.0.44` -> `==0.0.45` |

---

### Release Notes

<details>
<summary>cloudquery/plugin-pb-python (cloudquery-plugin-pb)</summary>

### [`v0.0.45`](https://github.com/cloudquery/plugin-pb-python/blob/HEAD/CHANGELOG.md#0045-2025-07-01)

[Compare Source](https://github.com/cloudquery/plugin-pb-python/compare/v0.0.44...v0.0.45)

##### Bug Fixes

- **deps:** Update dependency grpcio to v1.73.0 ([#167](https://github.com/cloudquery/plugin-pb-python/issues/167)) ([6b289c5](https://github.com/cloudquery/plugin-pb-python/commit/6b289c520bd5dd68e7a654e3be7f414abbe748e5))
- **deps:** Update dependency grpcio-tools to v1.73.0 ([#168](https://github.com/cloudquery/plugin-pb-python/issues/168)) ([306aa2a](https://github.com/cloudquery/plugin-pb-python/commit/306aa2a8779ee4327b2678619b3952e6a2b00706))
- **deps:** Update dependency pyarrow to v20 ([#161](https://github.com/cloudquery/plugin-pb-python/issues/161)) ([26b943b](https://github.com/cloudquery/plugin-pb-python/commit/26b943b384b188654702cf87d53ba26eacd61db0))
- Generate Python Code from `plugin-pb` ([#165](https://github.com/cloudquery/plugin-pb-python/issues/165)) ([6a9480b](https://github.com/cloudquery/plugin-pb-python/commit/6a9480b547e180af8a883f984568a7777014e5c3))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Commit e31f6a0
-
chore(main): Release v0.1.45 (#302)
🤖 I have created a release *beep* *boop*

---

## [0.1.45](v0.1.44...v0.1.45) (2025-07-01)

### Bug Fixes

* **deps:** Update dependency cloudquery-plugin-pb to v0.0.44 ([#303](#303)) ([aefd9e1](aefd9e1))
* **deps:** Update dependency cloudquery-plugin-pb to v0.0.45 ([#306](#306)) ([e31f6a0](e31f6a0))
* **deps:** Update dependency exceptiongroup to v1.3.0 ([#304](#304)) ([73e911f](73e911f))
* **deps:** Update dependency grpcio to v1.73.0 ([#305](#305)) ([9c9ee6c](9c9ee6c))
* **deps:** Update dependency protobuf to v5.29.5 [SECURITY] ([#301](#301)) ([dbc81e3](dbc81e3))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Commit 0681f56
This comparison is taking too long to generate.
Unfortunately it looks like we can't render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v0.1.44...v0.1.45