deps:chore - update module google.golang.org/protobuf to v1.33.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
google.golang.org/protobuf	v1.27.1 -> v1.33.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-24786

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

---

Release Notes

protocolbuffers/protobuf-go (google.golang.org/protobuf)

v1.33.0

Compare Source

This release contains one security fix:

• encoding/protojson: Unmarshal could enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. Unmarshal now correctly returns an error when handling these inputs. This is CVE-2024-24786.

v1.32.0

Compare Source

Full Changelog: protocolbuffers/protobuf-go@v1.31.0...v1.32.0

This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See https://github.com/golang/protobuf/issues/1583 and https://github.com/golang/protobuf/issues/1584 for details.

v1.31.0

Compare Source

Notable changes

New Features

• CL/489316: types/dynamicpb: add NewTypes
  • Add a function to construct a dynamic type registry from a protoregistry.Files
• CL/489615: encoding: add MarshalAppend to protojson and prototext

Minor performance improvements

• CL/491596: encoding/protodelim: If UnmarshalFrom gets a bufio.Reader, try to reuse its buffer instead of creating a new one
• CL/500695: proto: store the size of tag to avoid multiple calculations

Bug fixes

• CL/497935: internal/order: fix sorting of synthetic oneofs to be deterministic
• CL/505555: encoding/protodelim: fix handling of io.EOF

v1.30.0

Compare Source

• Notable changes

Announcement
In the previous two releases, v1.29.0 and v1.29.1, we associated the tags with the wrong commits and thus the tags do not reference any commit in this repository. This tag, v1.30.0, refers to an existing commit again. Sorry for the inconvenience.

Notable changes

New Features

• CL/449576: protoadapt: helper functions to convert v1 or v2 message to either v1 or v2 message.

v1.29.1

Compare Source

• Notable changes

Notable changes

Bug fixes

• CL/475995: internal/encoding/text: fix parsing of incomplete numbers

v1.29.0

Compare Source

• Overview
• Notable changes

Overview

This version introduces a new package protodelim to marshal and unmarshal size-delimited messages.
It also brings the implementation up to date with the latest protobuf features.

Notable changes

New Features

• CL/419254: encoding: add protodelim package
• CL/450775: reflect/protoreflect: add Value.Equal method
• CL/462315: cmd/protoc-gen-go: make deprecated messages more descriptive
• CL/473015: encoding/prototext: allow whitespace and comments between minus sign and number in negative numeric literal

Alignment with protobuf

• CL/426054: types/descriptorpb: update *.pb.go to use latest protoc release, 21.5
• CL/425554: encoding/protojson: fix parsing of google.protobuf.Timestamp
• CL/461238: protobuf: remove the check for reserved field numbers
• CL/469255: types/descriptorpb: regenerate using latest protobuf v22.0 release
• CL/472696: cmd/protoc-gen-go: support protobuf retention feature

Documentation improvements:

• CL/464275: proto: document Equal behavior of invalid messages
• CL/466375: all: update links to Protocol Buffer documentation

Minor performance improvements

• CL/460215: types/known/structpb: preallocate map in AsMap
• CL/465115: internal/strs: avoid unnecessary allocations in Builder

Breaking changes

• CL/461238: protobuf: remove the check for reserved field numbers
  • protowire.(Number).IsValid() no longer returns false for reserved fields because reserved fields are considered semantically valid by the protobuf spec.

v1.28.1

Compare Source

This release contains protoc-gen-go binaries for arm64.

Notable changes since v1.28.0:

• CL/418677: internal/impl: improve MessageInfo.New performance
• CL/411377: proto: short-circuit Equal when inputs are identical
• CL/419714: all: Add prebuild binaries for arm64

v1.28.0

Compare Source

• Overview
• Notable changes
  • UnmarshalOption RecursionLimit
• Upcoming breakage changes

Overview

The release provides a new unmarshal option for limiting the recursion depth when unmarshalling nested messages to prevent stack overflows. (UnmarshalOptions.RecursionLimit).

Notable changes

New features:

• CL/340489: testing/protocmp: add Message.Unwrap

Documentation improvements:

• CL/339569: reflect/protoreflect: add more docs on Value aliasing

Updated supported versions:

• CL/370055: all: update supported versions

UnmarshalOption RecursionLimit

• CL/385854: all: implement depth limit for unmarshalling

The new UnmarshalOptions.RecursionLimit limits the maximum recursion depth when unmarshalling messages. The limit is applied for nested messages. When messages are nested deeper than the specified limit the unmarshalling will fail. If unspecified, a default limit of 10,000 is applied.

In addition to the configurable limit for message nesting a non-configurable recursion limit for group nesting of 10,000 was introduced.

Upcoming breakage changes

The default recursion limit of 10,000 introduced in the release is subject to change. We want to align this limit with implementations for other languages in the long term. C++ and Java use a limit of 100 which is also the target for the Go implementation.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gitbotzup]

Overall Summary

This PR updates the project's dependency on google.golang.org/protobuf from v1.27.1 to v1.33.0. The update brings in potential bug fixes, performance improvements, and new features from the newer version of the protobuf library. Associated checksums in go.sum have also been updated to ensure module integrity.

---

Changed Files

• go.mod

  • Updated the version of google.golang.org/protobuf from v1.27.1 to v1.33.0.
  • This change may introduce new features, bug fixes, and performance improvements from the protobuf library.

• go.sum

  • Added checksums for google.golang.org/protobuf v1.33.0 and its go.mod file.
  • No other changes were made; these updates ensure the integrity and authenticity of the new dependency version.

---

Security Advice & Points of Attention

• Dependency Upgrades:
  Upgrading dependencies can introduce breaking changes or new vulnerabilities if the new version has undiscovered issues. However, it can also resolve known security vulnerabilities present in older versions.
  • Action: Review the changelog and release notes for google.golang.org/protobuf v1.33.0 for any security-related updates or breaking changes.
• Module Integrity:
  The go.sum changes are expected and ensure that the new dependency version is verified for integrity.

Recommendation:
Carefully test the application after this upgrade to ensure compatibility and stability. Pay special attention to any protobuf-related functionality.
This is an AI-generated summary, which may be innacurate.
This aims only to assist human reviewers, and does not replace code reviews in any way.
Use responsibly and please submit any feedback to this form.

[snykbotzup]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

✅ license/snyk check is complete. No issues have been found. (View Details)

✅ code/snyk check is complete. No issues have been found. (View Details)