chore(deps): update dependency google/protobuf to v4 [security] by renovate[bot] · Pull Request #542 · open-telemetry/opentelemetry-php-contrib

renovate · 2026-03-26T00:25:34Z

This PR contains the following updates:

Package	Change	Age	Confidence
google/protobuf (source)	`^3.23` → `^4.33.6`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion

CVE-2026-6409 / GHSA-p2gh-cfq4-4wjc

More information

Details

Impact

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.

Patches

Patches have been released to 5.34.0-RC1 and 4.33.6.

Severity

CVSS Score: 7.1 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

protocolbuffers/protobuf-php (google/protobuf)

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

codecov · 2026-03-26T00:27:30Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.84%. Comparing base (dd9a2d8) to head (28488ac).

Additional details and impacted files

@@            Coverage Diff            @@
##               main     #542   +/-   ##
=========================================
  Coverage     80.84%   80.84%           
  Complexity     1734     1734           
=========================================
  Files           118      118           
  Lines          6960     6960           
=========================================
  Hits           5627     5627           
  Misses         1333     1333

Flag	Coverage Δ
Context/Swoole	`0.00% <ø> (ø)`
Exporter/Instana	`49.42% <ø> (ø)`
Instrumentation/AwsSdk	`81.35% <ø> (ø)`
Instrumentation/CakePHP	`20.40% <ø> (ø)`
Instrumentation/CodeIgniter	`78.99% <ø> (ø)`
Instrumentation/Curl	`87.40% <ø> (ø)`
Instrumentation/Doctrine	`92.92% <ø> (ø)`
Instrumentation/ExtAmqp	`88.48% <ø> (ø)`
Instrumentation/Guzzle	`75.58% <ø> (ø)`
Instrumentation/HttpAsyncClient	`78.04% <ø> (ø)`
Instrumentation/HttpConfig	`28.75% <ø> (ø)`
Instrumentation/IO	`0.00% <ø> (ø)`
Instrumentation/Laravel	`76.07% <ø> (ø)`
Instrumentation/MongoDB	`74.28% <ø> (ø)`
Instrumentation/MySqli	`93.94% <ø> (ø)`
Instrumentation/OpenAIPHP	`87.21% <ø> (ø)`
Instrumentation/PDO	`86.24% <ø> (ø)`
Instrumentation/PostgreSql	`91.89% <ø> (ø)`
Instrumentation/Psr14	`76.47% <ø> (ø)`
Instrumentation/Psr15	`89.15% <ø> (ø)`
Instrumentation/Psr16	`97.50% <ø> (ø)`
Instrumentation/Psr18	`77.46% <ø> (ø)`
Instrumentation/Psr6	`97.61% <ø> (ø)`
Instrumentation/Session	`94.52% <ø> (ø)`
Instrumentation/Slim	`84.28% <ø> (ø)`
Propagation/CloudTrace	`89.77% <ø> (ø)`
Propagation/Instana	`98.11% <ø> (ø)`
Propagation/ServerTiming	`94.73% <ø> (ø)`
Propagation/TraceResponse	`94.73% <ø> (ø)`
ResourceDetectors/Azure	`91.66% <ø> (ø)`
ResourceDetectors/DigitalOcean	`100.00% <ø> (ø)`
Sampler/Xray	`78.23% <ø> (ø)`
Shims/OpenTracing	`92.45% <ø> (ø)`
SqlCommenter	`95.65% <ø> (ø)`
Utils/Test	`87.53% <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update dd9a2d8...28488ac. Read the comment docs.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

renovate Bot added the dependencies label Mar 26, 2026

renovate Bot requested a review from a team as a code owner March 26, 2026 00:25

renovate Bot added the dependencies label Mar 26, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from f9bd582 to 1b59211 Compare March 26, 2026 16:30

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Mar 26, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 1b59211 to da8253f Compare March 26, 2026 20:26

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Mar 26, 2026

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] - autoclosed Mar 27, 2026

renovate Bot closed this Mar 27, 2026

renovate Bot deleted the renovate/packagist-google-protobuf-vulnerability branch March 27, 2026 02:53

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security] - autoclosed~~ chore(deps): update dependency google/protobuf to v4 [security] Mar 30, 2026

renovate Bot reopened this Mar 30, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch 3 times, most recently from d6ed622 to b990c31 Compare March 31, 2026 12:26

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Mar 31, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from b990c31 to 61e9ea1 Compare March 31, 2026 20:32

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Mar 31, 2026

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] - autoclosed Apr 8, 2026

renovate Bot closed this Apr 8, 2026

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security] - autoclosed~~ chore(deps): update dependency google/protobuf to v5 [security] Apr 8, 2026

renovate Bot reopened this Apr 8, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch 3 times, most recently from 60532ac to 5706d7f Compare April 8, 2026 22:35

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Apr 8, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 5706d7f to 0a83cdf Compare April 16, 2026 08:48

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Apr 16, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 0a83cdf to 0441784 Compare April 16, 2026 21:20

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Apr 16, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 0441784 to a5bf7fd Compare April 19, 2026 12:28

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Apr 19, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from a5bf7fd to 066b01c Compare April 19, 2026 16:34

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Apr 19, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 066b01c to 46d7111 Compare April 21, 2026 18:37

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Apr 21, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 46d7111 to 4dc97c3 Compare April 21, 2026 22:36

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Apr 21, 2026

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Apr 22, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 4dc97c3 to 247da8b Compare April 22, 2026 12:13

chore(deps): update dependency google/protobuf to v4 [security]

28488ac

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 247da8b to 28488ac Compare April 22, 2026 17:50

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Apr 22, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency google/protobuf to v4 [security]#542

chore(deps): update dependency google/protobuf to v4 [security]#542
renovate[bot] wants to merge 1 commit intomainfrom
renovate/packagist-google-protobuf-vulnerability

renovate Bot commented Mar 26, 2026 •

edited

Loading

Uh oh!

codecov Bot commented Mar 26, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Mar 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion

Details

Impact

Patches

Severity

References

Release Notes

Configuration

Uh oh!

codecov Bot commented Mar 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Mar 26, 2026 •

edited

Loading

codecov Bot commented Mar 26, 2026 •

edited

Loading