Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump protobuf to 3.25.5 #6343

Merged
merged 12 commits into from
Oct 10, 2024
Merged

Bump protobuf to 3.25.5 #6343

merged 12 commits into from
Oct 10, 2024

Conversation

daymxn
Copy link
Member

@daymxn daymxn commented Oct 3, 2024
edited
Loading

Per b/371058443,

This bumps our protobuf deps to 3.25.5 to address CVE 2024-7254.

All relevant libraries should have a changelog attached, unless I missed any.

This PR also fixes the following:

  • b/371223043 -> Migrate protobuf deps to version catalog

Fixes #6336

@daymxn daymxn self-assigned this Oct 3, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 3, 2024
edited
Loading

Release note changes

The following release notes were modified. Please ensure they look correct.

Release Notes
firebase-config 
### {{remote_config}} version 22.0.1 {: #remote-config_v22-0-1}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{remote_config}} Kotlin extensions version 22.0.1 {: #remote-config-ktx_v22-0-1}

The Kotlin extensions library transitively includes the updated
`firebase-config` library. The Kotlin extensions library has no additional
updates.
firebase-crashlytics 
### {{crashlytics}} version 19.2.1 {: #crashlytics_v19-2-1}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{crashlytics}} Kotlin extensions version 19.2.1 {: #crashlytics-ktx_v19-2-1}

The Kotlin extensions library transitively includes the updated
`firebase-crashlytics` library. The Kotlin extensions library has no additional
updates.
firebase-dataconnect 
### {{firebase_data_connect}} version 16.0.0-beta02 {: #dataconnect_v16-0-0-beta02}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).
firebase-firestore 
### {{firestore}} version 25.1.1 {: #firestore_v25-1-1}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{firestore}} Kotlin extensions version 25.1.1 {: #firestore-ktx_v25-1-1}

The Kotlin extensions library transitively includes the updated
`firebase-firestore` library. The Kotlin extensions library has no additional
updates.
firebase-inappmessaging-display 
### {{inappmessaging}} Display version 21.0.1 {: #inappmessaging-display_v21-0-1}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{inappmessaging}} Display Kotlin extensions version 21.0.1 {: #inappmessaging-display-ktx_v21-0-1}

The Kotlin extensions library transitively includes the updated
`firebase-inappmessaging-display` library. The Kotlin extensions library has no additional
updates.
firebase-inappmessaging 
### {{inappmessaging}} version 21.0.1 {: #inappmessaging_v21-0-1}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{inappmessaging}} Kotlin extensions version 21.0.1 {: #inappmessaging-ktx_v21-0-1}

The Kotlin extensions library transitively includes the updated
`firebase-inappmessaging` library. The Kotlin extensions library has no additional
updates.
firebase-messaging 
### {{messaging_longer}} version 24.0.3 {: #messaging_v24-0-3}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{messaging_longer}} Kotlin extensions version 24.0.3 {: #messaging-ktx_v24-0-3}

The Kotlin extensions library transitively includes the updated
`firebase-messaging` library. The Kotlin extensions library has no additional
updates.
firebase-ml-modeldownloader 
### {{firebase_ml}} version 25.0.1 {: #firebaseml-modeldownloader_v25-0-1}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{firebase_ml}} Kotlin extensions version 25.0.1 {: #firebaseml-modeldownloader-ktx_v25-0-1}

The Kotlin extensions library transitively includes the updated
`firebase-ml-modeldownloader` library. The Kotlin extensions library has no additional
updates.
firebase-perf 
### {{perfmon}} version 21.0.2 {: #performance_v21-0-2}

* {{changed}} Updated protobuf dependency to `3.25.5` to fix
  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).

#### {{perfmon}} Kotlin extensions version 21.0.2 {: #performance-ktx_v21-0-2}

The Kotlin extensions library transitively includes the updated
`firebase-perf` library. The Kotlin extensions library has no additional
updates.

The following had changelogs that were modified, but did not have any unreleased entries for release notes to generate from.

Changelogs

encoders:firebase-encoders-proto
transport:transport-backend-cct
transport:transport-runtime

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 3, 2024
edited
Loading

Unit Test Results

  1 018 files  ±0    1 018 suites  ±0   37m 15s ⏱️ +12s
  5 805 tests ±0    5 783 ✔️ ±0  22 💤 ±0  0 ±0 
11 695 runs  ±0  11 651 ✔️ ±0  44 💤 ±0  0 ±0 

Results for commit 06da479. ± Comparison against base commit 7083c1d.

♻️ This comment has been updated with latest results.

@daymxn daymxn requested a review from rlazo October 4, 2024 17:23
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 4, 2024
edited
Loading

Test Results

 1 022 files  +   974   1 022 suites  +974   36m 13s ⏱️ + 34m 47s
 5 809 tests + 5 331   5 787 ✅ + 5 310  22 💤 +21  0 ❌ ±0 
11 703 runs  +10 747  11 659 ✅ +10 705  44 💤 +42  0 ❌ ±0 

Results for commit 4881b82. ± Comparison against base commit b49d448.

♻️ This comment has been updated with latest results.

@daymxn daymxn merged commit 065c732 into main Oct 10, 2024
258 of 260 checks passed
@daymxn daymxn deleted the daymon-bump-protobuf branch October 10, 2024 18:25
@daymxn daymxn mentioned this pull request Oct 14, 2024
Merged
daymxn added a commit that referenced this pull request Oct 15, 2024
@daymxn
Add missing changelogs (#6383)
c50a9b5 
Per [b/373458620](https://b.corp.google.com/issues/373458620),

This PR adds changelogs that were missing from #6343; due to library
groups.
@rlazo rlazo mentioned this pull request Oct 30, 2024
Closed
@firebase firebase locked and limited conversation to collaborators Nov 10, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@rlazo rlazo rlazo approved these changes

Assignees

@daymxn daymxn

Labels
main-merge-ack size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

protobuf-javalite version 3.21.11 contains a high-severity CVE
3 participants
@daymxn @rlazo @google-oss-bot