SNOW-3018722: Use latest protobuf version due to CVE-2026-0994 #4056

@blotero

Description

What is the current behavior?

In CVE-2026-0994 a high-severity issue was found in protobuf. A patch has been published in protobuf==7.34.0rc1.

What is the desired behavior?

If the dependency constraint in https://github.com/snowflakedb/snowpark-python/blob/main/setup.py#L31 is no longer set as:

"protobuf>=3.20, <6.34"

but as (for example):

"protobuf>=3.20, <7.35",  # Snowpark IR

then dependency solvers may resolve to a safe version of the dependency when locking/upgrading (with a prerelease flag). This is particularly sensitive for our use case, since the current constraint does not allow protobuf to be resolved to a safe version across the whole environment.
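To make the resolver behaviour described above concrete, here is an added example (not code from snowpark-python or protobuf) that parses a setup.py-style requirement string and checks which candidate versions it admits. It implements a deliberately minimal PEP 440 subset (release numbers plus an a/b/rc suffix) and mimics pip's default of rejecting prereleases unless the caller opts in; the version "6.33.0" in the sample index is a constructed placeholder, not a statement about which protobuf releases exist.

```python
import re

# Minimal PEP 440-style version handling (added example, not the project's
# own code). Covers "X.Y[.Z]" with an optional a/b/rc suffix, which is enough
# for the versions named in the issue.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}
_FINAL = (len(_PRE_ORDER), 0)  # sorts after every prerelease marker
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text):
    """Return a sortable key (release tuple, prerelease tuple).

    A final release sorts after any prerelease of the same release number,
    so 7.34.0rc1 < 7.34.0 and "6.34" is treated as "6.34.0".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release += (0,) * (3 - len(release))
    pre = (_PRE_ORDER[m.group(2)], int(m.group(3))) if m.group(2) else _FINAL
    return release, pre


def is_prerelease(text):
    return parse_version(text)[1] != _FINAL


def parse_requirement(text):
    """Split 'protobuf>=3.20, <6.34' into ('protobuf', [(op, version_key), ...])."""
    m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$", text)
    if not m:
        raise ValueError(f"unsupported requirement: {text!r}")
    name, rest = m.group(1), m.group(2)
    clauses = []
    for clause in (c.strip() for c in rest.split(",")):
        if not clause:
            continue
        cm = re.match(r"^(>=|<=|==|!=|>|<)\s*(.+)$", clause)
        if not cm:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def allows(requirement, candidate, prereleases=False):
    """True if `candidate` satisfies every clause of `requirement`.

    Like pip's default, a prerelease is rejected unless the resolver was
    explicitly told to consider prereleases.
    """
    if is_prerelease(candidate) and not prereleases:
        return False
    _, clauses = parse_requirement(requirement)
    key = parse_version(candidate)
    return all(_OPS[op](key, bound) for op, bound in clauses)


def best_match(requirement, available, prereleases=False):
    """Highest version in `available` that the requirement admits, or None."""
    ok = [v for v in available if allows(requirement, v, prereleases)]
    return max(ok, key=parse_version) if ok else None


if __name__ == "__main__":
    CURRENT = "protobuf>=3.20, <6.34"   # constraint from setup.py as quoted in the issue
    PROPOSED = "protobuf>=3.20, <7.35"  # constraint proposed in the issue
    PATCHED = "7.34.0rc1"               # patched release named in the issue
    INDEX = ["6.33.0", PATCHED]         # constructed sample index, not a real listing

    # The upper bound <6.34 excludes the patched version even with --pre.
    print(CURRENT, "admits", PATCHED, "with --pre:", allows(CURRENT, PATCHED, True))
    # The proposed bound admits it, but only when prereleases are enabled.
    print(PROPOSED, "admits", PATCHED, "without --pre:", allows(PROPOSED, PATCHED))
    print(PROPOSED, "admits", PATCHED, "with --pre:", allows(PROPOSED, PATCHED, True))
    print("best match, proposed + --pre:", best_match(PROPOSED, INDEX, True))
```

Run as a script, it shows the two halves of the issue's argument: the `<6.34` bound can never reach 7.34.0rc1, and the relaxed bound only reaches it when the lock/upgrade is run with a prerelease flag, which is why the issue asks for both the constraint change and the flag.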

How would this improve snowflake-snowpark-python?

This would make snowflake-snowpark-python and its execution environments safer.

References, Other Background

https://db.fluidattacks.com/vul/FLAT-8D1FP/

https://www.cve.org/CVERecord?id=CVE-2026-0994

https://nvd.nist.gov/vuln/detail/CVE-2026-0994

https://osv.dev/vulnerability/CVE-2026-0994

protocolbuffers/protobuf#25070

protocolbuffers/protobuf#25239

Metadata

Labels

feature (New feature or request)