
upgrade opentelemetry-exporter-zipkin-proto-http protobuf dependency

Open shiranbi opened this issue 1 year ago • 4 comments

It would be very helpful if the zipkin proto exporter python dependencies would be upgraded. The opentelemetry-proto dependency was already upgraded to "protobuf>=3.19, < 5.0" but the zipkin exporter is on ~=3.12, making it impossible to upgrade other libraries which require protobuf >= 4.0.

shiranbi avatar Jan 02 '24 06:01 shiranbi

+1

litan1106 avatar Jan 08 '24 17:01 litan1106

Also #3074

iwedaz avatar May 10 '24 11:05 iwedaz

It would be necessary to update the protobuf version to be compatible with the rest of the opentelemetry packages that have already been updated and require protobuf version > 5.0 and < 6.0 as a dependency.

sergioave avatar Jan 15 '25 09:01 sergioave

    opentelemetry-exporter-zipkin-proto-http 1.28.0 depends on protobuf~=3.12
    opentelemetry-proto 1.28.0 depends on protobuf<6.0 and >=5.0

The last version where they were aligned was 1.27.0.

andrewkoltsov avatar Mar 24 '25 08:03 andrewkoltsov
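The resolver output quoted above says the two constraints cannot be satisfied together, but it does not show why. The script below is an added example (not code from the opentelemetry-python project) that takes the two requirement strings exactly as pip printed them, expands `~=3.12` into the PEP 440 meaning (`>=3.12, ==3.*`), and searches a small candidate list for a protobuf release that satisfies both. It only implements the handful of PEP 440 operators needed here for plain numeric versions, so it runs on the standard library alone; the `CANDIDATES` list is a hand-written sample, not a live query of PyPI.

```python
"""Show why 'protobuf~=3.12' and 'protobuf<6.0 and >=5.0' have no common solution.

Added example, not part of the opentelemetry-python project. Implements a
minimal subset of PEP 440 specifier matching (~=, ==, !=, >=, >, <=, <) for
dotted numeric releases; pre-releases and wildcards are out of scope.
"""
import re

# Constraints quoted verbatim from pip's resolver output in the thread.
ZIPKIN_EXPORTER_REQ = "protobuf~=3.12"
OTEL_PROTO_REQ = "protobuf<6.0 and >=5.0"

# Constructed sample of protobuf releases to test against (not fetched from PyPI).
CANDIDATES = [(3, 20, 3), (4, 25, 8), (5, 29, 5), (6, 31, 1)]

# Operators are ordered so two-character forms win over their one-character prefixes.
_CLAUSE = re.compile(r"(~=|==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)")


def parse_version(text):
    """'3.12' -> (3, 12); only plain dotted numeric releases are handled."""
    return tuple(int(part) for part in text.split("."))


def parse_requirement(req):
    """Return [(operator, version_tuple), ...] for a pip-style requirement string.

    Accepts both pip's 'and'-joined wording and the comma-joined PEP 508 form.
    """
    clauses = _CLAUSE.findall(req)
    if not clauses:
        raise ValueError(f"no version clauses found in {req!r}")
    return [(op, parse_version(ver)) for op, ver in clauses]


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so (3, 12) compares like (3, 12, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(version, clause):
    """True if a version tuple satisfies one (operator, target) clause."""
    op, target = clause
    if op == "~=":
        # PEP 440 compatible release: >= target AND same prefix with the last
        # component dropped, e.g. ~=3.12 means >=3.12, ==3.*
        if len(target) < 2:
            raise ValueError("~= requires at least two version components")
        low, ver = _pad(target, version)
        if ver < low:
            return False
        prefix = target[:-1]
        return version[: len(prefix)] == prefix
    ver, tgt = _pad(version, target)
    return {
        "==": ver == tgt, "!=": ver != tgt, ">=": ver >= tgt,
        ">": ver > tgt, "<=": ver <= tgt, "<": ver < tgt,
    }[op]


def compatible(version, req):
    """True if the version satisfies every clause of the requirement."""
    return all(satisfies(version, clause) for clause in parse_requirement(req))


def find_common_version(requirements, candidates):
    """Highest candidate satisfying all requirements, or None if the sets are disjoint."""
    ok = [v for v in candidates if all(compatible(v, r) for r in requirements)]
    return max(ok) if ok else None


if __name__ == "__main__":
    reqs = [ZIPKIN_EXPORTER_REQ, OTEL_PROTO_REQ]
    for cand in CANDIDATES:
        verdicts = {r: compatible(cand, r) for r in reqs}
        print(".".join(map(str, cand)), verdicts)
    print("common solution:", find_common_version(reqs, CANDIDATES))
```

Running it prints one line per candidate showing which constraint rejects it: every 3.x release fails the `>=5.0` side and every 5.x release fails the `==3.*` half of `~=3.12`, so `find_common_version` returns `None`. The same `find_common_version` call with only the opentelemetry-proto constraint picks 5.29.5 from the sample list, which is the kind of check worth automating in CI so a pinned transitive dependency is caught before an upgrade-or-remove deadline forces the issue.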

This is especially relevant as https://nvd.nist.gov/vuln/detail/CVE-2025-4565 just dropped, which is marked High (regardless of actual exploitability in this lib's context) and thus comes with upgrade-or-remove requirements for organizations with strict security standards.

If there's simple housekeeping involved in the upgrade, I'd be happy to help how I can!

jkingsman avatar Jun 23 '25 18:06 jkingsman

Is there any workaround for this or an open PR?

mihailyanchev avatar Nov 17 '25 20:11 mihailyanchev