protobuf is pinned to a vulnerable version
I get a Dependabot alert on a number of repositories that protobuf < 4.25.8 “has a potential Denial of Service issue”, which I can’t upgrade from because gftools depends on protobuf>=3.7.0, <4. I don’t know if this is a real issue, but I keep getting this alert every time I push to the affected repos, and this is really annoying.
To fix this we will have to big-bang update all our tools which use protobuf at the same time - which is not a terrible idea but is going to cause lots of user confusion.
Perhaps a better alternative is to do what we are moving to on the Rust side and have a separate module with all the protobuf definitions in it together, so that there is only one point of interaction with the protobuf library. Of course in the short term this causes the same problem; we're bound to have people with gftools>gfmetadata>protobuf==6.33.0 and also gflanguages>protobuf=3.7.0. But once we have moved everyone across to gfmetadata we update the protobuf stuff once.
The alternative is we leave things as they are since we're going to RIIR anyway...
See also https://github.com/googlefonts/gf-metadata/pull/1
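The conflict described in this thread can be checked mechanically before deciding on a big-bang update: collect every constraint a project places on protobuf and see whether any release satisfies all of them at once. The script below is an added example written for this page, not code from gftools or gf-metadata. It uses only the standard library (no `packaging`), understands the simple `>=`, `<`, `==` style clauses used here, and the release list it checks against is constructed for illustration rather than pulled from PyPI.

```python
"""Check whether several pip-style constraints on one package can be
satisfied by a single release.

Added example for this thread, not code from gftools or gf-metadata.
Handles simple comparison clauses only (no ~=, wildcards or pre-releases);
the release list is constructed for illustration, not a real index query.
"""
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, ...]

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text: str) -> Version:
    """Turn '4.25.8' into (4, 25, 8); pad short versions so '4' compares as 4.0.0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def parse_specifier(spec: str) -> List[Tuple[str, Version]]:
    """Turn 'protobuf>=3.7.0, <4' into [('>=', (3,7,0)), ('<', (4,0,0))]."""
    # Drop an optional leading package name, keep the comparison clauses.
    m = re.match(r"\s*[A-Za-z0-9_.-]+\s*(.*)$", spec)
    clauses = m.group(1) if m else spec
    out = []
    for clause in filter(None, (c.strip() for c in clauses.split(","))):
        cm = re.match(r"(==|!=|>=|<=|>|<)\s*([0-9][0-9.]*)$", clause)
        if not cm:
            raise ValueError(f"unsupported clause: {clause!r}")
        out.append((cm.group(1), parse_version(cm.group(2))))
    return out


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every clause in `spec`."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_specifier(spec))


def compatible_releases(specs: Iterable[str], candidates: Iterable[str]) -> List[str]:
    """Releases from `candidates` that satisfy every specifier in `specs`."""
    specs = list(specs)
    return [c for c in candidates if all(satisfies(c, s) for s in specs)]


# Constructed release list for illustration; 6.33.0 is the version named in the thread.
PROTOBUF_RELEASES = ["3.7.0", "3.20.3", "4.21.12", "4.25.3", "4.25.8", "6.33.0"]

GFTOOLS_PIN = "protobuf>=3.7.0, <4"   # the pin quoted in the issue
DEPENDABOT_FIX = "protobuf>=4.25.8"   # the lower bound Dependabot asks for


def remediation_options() -> dict:
    """Which releases satisfy the pin alone, the fix alone, and both together."""
    return {
        "pin_only": compatible_releases([GFTOOLS_PIN], PROTOBUF_RELEASES),
        "fix_only": compatible_releases([DEPENDABOT_FIX], PROTOBUF_RELEASES),
        "both": compatible_releases([GFTOOLS_PIN, DEPENDABOT_FIX], PROTOBUF_RELEASES),
    }


if __name__ == "__main__":
    for name, releases in remediation_options().items():
        print(f"{name}: {releases or 'no satisfying release'}")
```

An empty `both` list is the signal that the alert cannot be cleared by bumping protobuf in the affected repository alone; the constraint that has to move lives in the dependency (here gftools) rather than in the repository Dependabot is complaining about.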
I don’t know what protobuf is or how it is used. I trust your judgement here.