chore(deps): update dependency google/protobuf to v4 [security] by renovate[bot] · Pull Request #542 · open-telemetry/opentelemetry-php-contrib

renovate · 2026-03-26T00:25:34Z

This PR contains the following updates:

Package	Change	Age	Confidence
google/protobuf (source)	`^3.23` → `^4.33.6`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion

CVE-2026-6409 / GHSA-p2gh-cfq4-4wjc

More information

Details

Impact

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.

Patches

Patches have been released to 5.34.0-RC1 and 4.33.6.

Severity

CVSS Score: 7.1 / 10 (High)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

protocolbuffers/protobuf-php (google/protobuf)

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

codecov · 2026-03-26T00:27:30Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.45%. Comparing base (832c714) to head (0244ad3).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##               main     #542   +/-   ##
=========================================
  Coverage     80.45%   80.45%           
  Complexity     1669     1669           
=========================================
  Files           116      116           
  Lines          6262     6262           
=========================================
  Hits           5038     5038           
  Misses         1224     1224

Flag	Coverage Δ
Context/Swoole	`0.00% <ø> (ø)`
Exporter/Instana	`49.80% <ø> (ø)`
Instrumentation/AwsSdk	`82.14% <ø> (ø)`
Instrumentation/CakePHP	`20.42% <ø> (ø)`
Instrumentation/CodeIgniter	`79.31% <ø> (ø)`
Instrumentation/Curl	`86.88% <ø> (ø)`
Instrumentation/Doctrine	`92.82% <ø> (ø)`
Instrumentation/ExtAmqp	`88.80% <ø> (ø)`
Instrumentation/Guzzle	`76.25% <ø> (ø)`
Instrumentation/HttpAsyncClient	`78.94% <ø> (ø)`
Instrumentation/HttpConfig	`28.76% <ø> (ø)`
Instrumentation/IO	`0.00% <ø> (ø)`
Instrumentation/Laravel	`76.29% <ø> (ø)`
Instrumentation/MongoDB	`76.84% <ø> (ø)`
Instrumentation/MySqli	`93.39% <ø> (ø)`
Instrumentation/OpenAIPHP	`86.71% <ø> (ø)`
Instrumentation/PostgreSql	`91.36% <ø> (ø)`
Instrumentation/Psr14	`77.41% <ø> (ø)`
Instrumentation/Psr15	`89.74% <ø> (ø)`
Instrumentation/Psr16	`97.43% <ø> (ø)`
Instrumentation/Psr18	`79.41% <ø> (ø)`
Instrumentation/Psr6	`97.56% <ø> (ø)`
Instrumentation/Session	`94.28% <ø> (ø)`
Instrumentation/Slim	`84.21% <ø> (ø)`
Propagation/CloudTrace	`90.69% <ø> (ø)`
Propagation/Instana	`98.07% <ø> (ø)`
Propagation/ServerTiming	`94.73% <ø> (ø)`
Propagation/TraceResponse	`94.73% <ø> (ø)`
ResourceDetectors/Azure	`91.66% <ø> (ø)`
ResourceDetectors/DigitalOcean	`100.00% <ø> (ø)`
Sampler/Xray	`78.38% <ø> (ø)`
Shims/OpenTracing	`92.99% <ø> (ø)`
SqlCommenter	`95.58% <ø> (ø)`
Utils/Test	`87.79% <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 832c714...0244ad3. Read the comment docs.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

renovate Bot added the dependencies label Mar 26, 2026

renovate Bot requested a review from a team as a code owner March 26, 2026 00:25

renovate Bot added the dependencies label Mar 26, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from f9bd582 to 1b59211 Compare March 26, 2026 16:30

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Mar 26, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 1b59211 to da8253f Compare March 26, 2026 20:26

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Mar 26, 2026

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] - autoclosed Mar 27, 2026

renovate Bot closed this Mar 27, 2026

renovate Bot deleted the renovate/packagist-google-protobuf-vulnerability branch March 27, 2026 02:53

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security] - autoclosed~~ chore(deps): update dependency google/protobuf to v4 [security] Mar 30, 2026

renovate Bot reopened this Mar 30, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch 3 times, most recently from d6ed622 to b990c31 Compare March 31, 2026 12:26

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Mar 31, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from b990c31 to 61e9ea1 Compare March 31, 2026 20:32

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Mar 31, 2026

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] - autoclosed Apr 8, 2026

renovate Bot closed this Apr 8, 2026

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security] - autoclosed~~ chore(deps): update dependency google/protobuf to v5 [security] Apr 8, 2026

renovate Bot reopened this Apr 8, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch 3 times, most recently from 60532ac to 5706d7f Compare April 8, 2026 22:35

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Apr 8, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 5706d7f to 0a83cdf Compare April 16, 2026 08:48

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Apr 16, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 0a83cdf to 0441784 Compare April 16, 2026 21:20

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 28488ac to 22f39e2 Compare April 23, 2026 13:13

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Apr 23, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 22f39e2 to 9606f10 Compare April 23, 2026 16:33

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Apr 23, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 9606f10 to 3665128 Compare April 24, 2026 10:20

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Apr 24, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 3665128 to 9a8b6f3 Compare April 24, 2026 13:04

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Apr 24, 2026

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] - autoclosed Apr 27, 2026

renovate Bot closed this Apr 27, 2026

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security] - autoclosed~~ chore(deps): update dependency google/protobuf to v4 [security] Apr 27, 2026

renovate Bot reopened this Apr 27, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch 3 times, most recently from b834393 to f6c80d3 Compare April 28, 2026 19:29

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Apr 28, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from f6c80d3 to 4dcf16c Compare April 28, 2026 21:35

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Apr 28, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from 4dcf16c to ecaea1c Compare April 29, 2026 08:07

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Apr 29, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from ecaea1c to 5d6582a Compare April 29, 2026 08:10

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Apr 29, 2026

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Apr 29, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch 2 times, most recently from 5328fb6 to a14dacc Compare April 29, 2026 08:38

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v5 [security]~~ chore(deps): update dependency google/protobuf to v4 [security] Apr 29, 2026

renovate Bot force-pushed the renovate/packagist-google-protobuf-vulnerability branch from a14dacc to 5c661b3 Compare April 29, 2026 11:38

renovate Bot changed the title ~~chore(deps): update dependency google/protobuf to v4 [security]~~ chore(deps): update dependency google/protobuf to v5 [security] Apr 29, 2026

chore(deps): update dependency google/protobuf to v4 [security]

0244ad3

ChrisLightfootWild approved these changes Apr 29, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency google/protobuf to v4 [security]#542

chore(deps): update dependency google/protobuf to v4 [security]#542
ChrisLightfootWild merged 1 commit into
mainfrom
renovate/packagist-google-protobuf-vulnerability

renovate Bot commented Mar 26, 2026 •

edited

Loading

Uh oh!

codecov Bot commented Mar 26, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

renovate Bot commented Mar 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion

Details

Impact

Patches

Severity

References

Release Notes

Configuration

Uh oh!

codecov Bot commented Mar 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate Bot commented Mar 26, 2026 •

edited

Loading

codecov Bot commented Mar 26, 2026 •

edited

Loading