tensorflow-onnx

Request to update protobuf dependency (>=4.25.8) – PR #2391 inactive

Open FrancoCV opened this issue 4 months ago • 3 comments

Hi👋,

I'm working on a production app that requires protobuf >= 4.25.8, but the current version of tf2onnx requires <4.0, which causes dependency conflicts:

Because tf2onnx (1.16.1) depends on protobuf (>=3.20,<4.0) and our app requires protobuf (>=4.25.8), version solving fails.

I noticed that PR #2391 attempts to update this but has been inactive for over 3 months and the CI logs have expired.

Would you be open to reviewing that PR and reviving it?

Thanks so much!

FrancoCV, Aug 04 '25 16:08

Same thing here. It seems that protobuf <=4.25.8 has been flagged for this CVE with high severity: https://github.com/advisories/GHSA-8qvm-5x2c-j2w7

vanfalen, Oct 02 '25 16:10

@FrancoCV hello, is there any update?

strentom, Nov 04 '25 14:11

Any updates?

tlippold-meta, Dec 06 '25 20:12