Conversation

@dependabot dependabot bot commented on behalf of github Jun 2, 2025

Bumps com.google.protobuf:protobuf-java from 3.25.5 to 3.25.8.

Commits
  • a4cbdd3 Updating version.json and repo version numbers to: 25.8
  • 29445be Merge pull request #21880 from shaod2/py-25
  • cc13b69 Remove debugging code and add EOLs
  • d31100c Manually backport recursion limit enforcement to 25.x
  • 88a3b90 Change pre-22 poison pill to only log once per affected message type. (#21754)
  • 320eafa Weaken vulnerable gencode poison pills to warning by default.
  • f584fe3 Merge branch 'protocolbuffers:25.x' into 25.x
  • c710036 Update test_upb.yml to use ubuntu-22
  • 9721758 Fix missing trailing newline.
  • cca7b28 Update test_upb.yml to use ubuntu-22
  • Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
com.google.protobuf:protobuf-java [>= 4.a, < 5]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [com.google.protobuf:protobuf-java](https://github.com/protocolbuffers/protobuf) from 3.25.5 to 3.25.8.
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl)
- [Commits](protocolbuffers/protobuf@v3.25.5...v3.25.8)

---
updated-dependencies:
- dependency-name: com.google.protobuf:protobuf-java
  dependency-version: 3.25.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file JAVA labels Jun 2, 2025
@github-actions github-actions bot added the BUILD label Jun 2, 2025
@dongjoon-hyun dongjoon-hyun changed the title Bump com.google.protobuf:protobuf-java from 3.25.5 to 3.25.8 in /java Upgrade protobuf-java to 3.25.8 Jun 20, 2025
@dongjoon-hyun dongjoon-hyun changed the title Upgrade protobuf-java to 3.25.8 ORC-1934: Upgrade protobuf-java to 3.25.8 Jun 20, 2025
@dongjoon-hyun dongjoon-hyun left a comment

+1, LGTM.

dependabot bot commented on behalf of github Jun 20, 2025

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
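The "ignore condition with the desired update_types" the bot refers to lives in `.github/dependabot.yml`. The fragment below is an added illustration, not ORC's actual configuration: the `maven` ecosystem and the `/java` directory are taken from this PR's branch name (`dependabot/maven/java/...`), the weekly schedule is an assumption, and the key is spelled `update-types` (with a hyphen) in the file format even though the comment writes `update_types`. The `[>= 4.a, < 5]` condition shown earlier on this page is a version-range ignore that Dependabot records separately; this example only shows the update-type form the comment describes.

```yaml
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/java"          # from the PR branch dependabot/maven/java/...
    schedule:
      interval: "weekly"        # assumption, not taken from the project
    ignore:
      # Same effect as commenting "@dependabot ignore this major version":
      # patch and minor bumps of protobuf-java keep arriving, major bumps do not.
      - dependency-name: "com.google.protobuf:protobuf-java"
        update-types: ["version-update:semver-major"]
```

The `update-types` values match the `update-type: version-update:semver-patch` trailer Dependabot writes into its commit messages on this page, so the same vocabulary is used to describe a PR and to suppress one.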

@dependabot dependabot bot deleted the dependabot/maven/java/com.google.protobuf-protobuf-java-3.25.8 branch June 20, 2025 19:56
@dongjoon-hyun dongjoon-hyun added this to the 2.2.0 milestone Jun 20, 2025
dongjoon-hyun pushed a commit that referenced this pull request Jun 20, 2025
Bumps [com.google.protobuf:protobuf-java](https://github.com/protocolbuffers/protobuf) from 3.25.5 to 3.25.8.

Closes #2246 from dependabot[bot]/dependabot/maven/java/com.google.protobuf-protobuf-java-3.25.8.

Authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Dongjoon Hyun <[email protected]>
(cherry picked from commit f76d23f)
Signed-off-by: Dongjoon Hyun <[email protected]>
@dongjoon-hyun dongjoon-hyun modified the milestones: 2.2.0, 2.1.3 Jun 20, 2025
@dongjoon-hyun

Merged to main/2.1.

dongjoon-hyun added a commit that referenced this pull request Jun 30, 2025
…ire testing

### What changes were proposed in this pull request?

This PR aims to add `com.google.protobuf.use_unsafe_pre22_gencode` to Surefire testing.

### Why are the changes needed?

To suppress the following warnings during testing which occurs since ORC-1934
- #2246

```
[INFO] Running org.apache.orc.impl.TestZlib
Jun 30, 2025 2:50:15 PM com.google.protobuf.GeneratedMessage warnPre22Gencode
WARNING: Vulnerable protobuf generated type in use: org.apache.orc.OrcProto$PostScript
As of 2022/09/29 (release 21.7) makeExtensionsImmutable should not be called from protobuf gencode. If you are seeing this message, your gencode is vulnerable to a denial of service attack. You should regenerate your code using protobuf 25.6 or later. Use the latest version that meets your needs. However, if you understand the risks and wish to continue with vulnerable gencode, you can set the system property `-Dcom.google.protobuf.use_unsafe_pre22_gencode` on the command line to silence this warning. You also can set `-Dcom.google.protobuf.error_on_unsafe_pre22_gencode` to throw an error instead. See security vulnerability: GHSA-h4h5-3hr4-j3g2
```

### How was this patch tested?

Manual tests because this is a warning log message.

### Was this patch authored or co-authored using generative AI tooling?

No.

Closes #2305 from dongjoon-hyun/ORC-1943.

Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
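The warning quoted above is raised by the protobuf-java runtime this PR bumps to, but it is about ORC's own generated classes (`org.apache.orc.OrcProto$PostScript` and friends), which stay whatever version of protoc produced them; the warning text itself says the fix is regenerating with 25.6 or later, and the Surefire property only silences the log line. The scanner below is an added example, not ORC or protobuf code: it walks each class file's constant pool looking for a method reference named `makeExtensionsImmutable`, the call the warning says pre-21.7 gencode still makes, so you can list which classes in a jar still need regenerating before or after bumping the runtime. The class-file layout follows the JVM specification; the fixture classes and jar are constructed here for the test and are not loadable classes.

```python
import io
import struct
import sys
import zipfile

PRE22_MARKER = "makeExtensionsImmutable"   # only gencode from protoc < 21.7 calls this

# Constant-pool tags (JVM spec 4.4) and the struct layout of each entry's payload.
UTF8, CLASS, METHODREF, IFACE_METHODREF, NAME_AND_TYPE = 1, 7, 10, 11, 12
_LAYOUT = {3: ">I", 4: ">I", 5: ">Q", 6: ">Q", 7: ">H", 8: ">H", 9: ">HH", 10: ">HH",
           11: ">HH", 12: ">HH", 15: ">BH", 16: ">H", 17: ">HH", 18: ">HH", 19: ">H", 20: ">H"}


def _read_constant_pool(data):
    """Return (entries, offset_after_pool).  entries[i] is (tag, *payload); Utf8 entries
    carry the decoded text.  Slot 0 and the second slot of a long/double are None."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    entries, pos, i = [None] * count, 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == UTF8:
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            entries[i] = (UTF8, data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        else:
            fmt = _LAYOUT[tag]                      # KeyError => unknown tag, corrupt file
            entries[i] = (tag,) + struct.unpack_from(fmt, data, pos)
            pos += struct.calcsize(fmt)
            if tag in (5, 6):                       # long/double occupy two slots
                i += 1
        i += 1
    return entries, pos


def inspect_class(data):
    """Return (class_name, ["owner.makeExtensionsImmutable", ...]).  A non-empty list
    is the pre-21.7 gencode signature the protobuf-java runtime warns about."""
    cp, pos = _read_constant_pool(data)

    def name_of(class_idx):                          # Class -> Utf8 -> text
        return cp[cp[class_idx][1]][1]

    _flags, this_idx = struct.unpack_from(">HH", data, pos)
    calls = []
    for entry in cp:
        if entry and entry[0] in (METHODREF, IFACE_METHODREF):
            _tag, owner_idx, nat_idx = entry
            if cp[cp[nat_idx][1]][1] == PRE22_MARKER:   # NameAndType -> name Utf8
                calls.append(f"{name_of(owner_idx)}.{PRE22_MARKER}")
    return name_of(this_idx), calls


def scan_jar(jar):
    """Map every class in a jar (path, file object or raw bytes) that still calls
    makeExtensionsImmutable() to the call sites found in its constant pool."""
    if isinstance(jar, (bytes, bytearray)):
        jar = io.BytesIO(jar)
    findings = {}
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".class"):
                name, calls = inspect_class(zf.read(info))
                if calls:
                    findings[name] = calls
    return findings


def build_fixture_class(name, stale):
    """Constructed fixture: a minimal class file whose constant pool mimics protoc output.
    It has no methods or code, so a JVM cannot load it; it only exercises the scanner."""
    pool = []

    def utf8(text):
        pool.append(b"\x01" + struct.pack(">H", len(text)) + text.encode())
        return len(pool)                             # constant-pool indices are 1-based

    def klass(name_idx):
        pool.append(b"\x07" + struct.pack(">H", name_idx))
        return len(pool)

    def ref(tag, a, b):
        pool.append(bytes([tag]) + struct.pack(">HH", a, b))
        return len(pool)

    this_cls = klass(utf8(name))
    super_cls = klass(utf8("com/google/protobuf/GeneratedMessageV3"))
    ref(METHODREF, super_cls, ref(NAME_AND_TYPE, utf8("<init>"), utf8("()V")))  # harmless call
    if stale:
        # javac names the receiver's static type as owner, i.e. the generated class itself.
        ref(METHODREF, this_cls, ref(NAME_AND_TYPE, utf8(PRE22_MARKER), utf8("()V")))
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(pool) + 1)
    # access_flags, this_class, super_class, then zero interfaces/fields/methods/attributes
    tail = struct.pack(">HHHHHHH", 0x0031, this_cls, super_cls, 0, 0, 0, 0)
    return header + b"".join(pool) + tail


def build_fixture_jar():
    """Constructed jar holding one stale class and one that looks regenerated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/orc/OrcProto$PostScript.class",
                    build_fixture_class("org/apache/orc/OrcProto$PostScript", stale=True))
        zf.writestr("org/example/Regenerated.class",
                    build_fixture_class("org/example/Regenerated", stale=False))
    return buf.getvalue()


if __name__ == "__main__":
    for target in sys.argv[1:] or [build_fixture_jar()]:   # no args: scan the fixture
        for cls, calls in scan_jar(target).items():
            print(f"pre-21.7 gencode: {cls} -> {', '.join(calls)}")
```

Run it against the jar that ships the gencode (for ORC that would be the artifact containing `org/apache/orc/OrcProto*.class`) and every class it lists is one the runtime will keep warning about until it is regenerated; `javap -c -p` on such a class shows the same `invokevirtual` of `makeExtensionsImmutable`. The `-Dcom.google.protobuf.error_on_unsafe_pre22_gencode` property quoted in the warning is the runtime counterpart of this check: it turns the log line into a thrown error, so a CI run with that property set fails on the first stale type, whereas the `use_unsafe_pre22_gencode` property added to Surefire here only hides the message and leaves the gencode as it is.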
dongjoon-hyun added a commit that referenced this pull request Jun 30, 2025
…ire testing

(cherry picked from commit 88aaab5)
Signed-off-by: Dongjoon Hyun <[email protected]>
Labels

BUILD dependencies Pull requests that update a dependency file JAVA
