[Snyk] Security upgrade protobuf from 4.24.4 to 6.33.5

[gouzil]

Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• python/unittest_py/requirements.txt

⚠️ Warning

visualdl 2.5.3 requires protobuf, which is not installed.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[Copilot]

Pull request overview

This PR aims to fix a security vulnerability by upgrading the protobuf dependency from version 4.24.4 to 6.33.5 in the unittest requirements file, as recommended by Snyk security scanning.

Changes:

• Added protobuf>=6.33.5 constraint to python/unittest_py/requirements.txt to address security vulnerability SNYK-PYTHON-PROTOBUF-15090738

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This protobuf version requirement conflicts with the main requirements.txt file. The main python/requirements.txt file specifies protobuf>=3.20.2, while this file now specifies protobuf>=6.33.5. This creates an inconsistency where unittest dependencies require a much newer version than the main package dependencies. This could lead to different versions being installed depending on the installation order, potentially causing compatibility issues. Consider updating python/requirements.txt to also require protobuf>=6.33.5 to ensure consistency across the project.

Suggested change

	protobuf>=6.33.5 # not directly required, pinned by Snyk to avoid a vulnerability
	protobuf>=3.20.2 # keep in sync with python/requirements.txt

[Copilot]

The upgrade from protobuf 4.24.4 to 6.33.5 represents a major version jump that introduced significant breaking changes. Protobuf 5.x and 6.x introduced changes to the Python API, including the removal of some deprecated features and changes to internal implementation details. The codebase contains version-specific handling for protobuf >= 4.21.0 in python/paddle/distributed/fleet/base/distributed_strategy.py (line 2770), which checks for internal API changes. While the existing code handles the 4.21.0+ API, upgrading to version 6.x may introduce additional compatibility issues that should be verified through testing, particularly around the RepeatedScalarContainer usage and other protobuf internal APIs.