chore(deps): bump protobuf from 4.25.8 to 6.33.5 in /integration_tests

[dependabot]

Bumps protobuf from 4.25.8 to 6.33.5.

Release notes

Sourced from protobuf's releases.

Protocol Buffers v34.0-rc1

Announcements

• This version includes breaking changes to: C++, Objective-C, PHP, Python.
• [Bazel] Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (protocolbuffers/protobuf@0a5c2f6)
• [C++] Make generator headers private (protocolbuffers/protobuf@3a2af35)
• [C++] Add a debug check that the target of CopyFrom is not a descendant of the source. (protocolbuffers/protobuf@7a75898)
• [C++] Add [[nodiscard]] to many APIs. (protocolbuffers/protobuf@a70115f)
• [C++] Make the arena-enabled constructors of RepeatedField, RepeatedPtrField, and Map private. (protocolbuffers/protobuf@ef890c3)
• [C++] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (protocolbuffers/protobuf@b76faa9)
• [C++] Removes proto2::util::MessageDifferencer::AddIgnoreCriteria that takes a raw pointer as an argument in favor of the overload that takes a unique_ptr. Remove macro PROTOBUF_FUTURE_REMOVE_ADD_IGNORE_CRITERIA (protocolbuffers/protobuf@b115358)
• [C++] Remove deprecated FieldDescriptor::has_optional_keyword() in OSS. Use is_repeated() or has_presence() instead (protocolbuffers/protobuf@68346ec)
• [C++] Remove AddUnusedImportTrackFile() and ClearUnusedImportTrackFiles(). Remove PROTOBUF_FUTURE_RENAME_ADD_UNUSED_IMPORT (protocolbuffers/protobuf@837a2cd)
• [C++] Remove deprecated FieldDescriptor::is_optional() in OSS. Use (!is_required() && !is_repeated()) instead (protocolbuffers/protobuf@9dbc5d4)
• [C++] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (protocolbuffers/protobuf@c301c2c)
• [C++] All entity names have length limit (2afb0dc)
• [ObjC] Remove generate_minimal_imports generation option warning (protocolbuffers/protobuf@45b1297)
• [ObjC] Fix nullability annotations on some GPB*Dictionary types. (protocolbuffers/protobuf@ea67d6d)
• [ObjC] Remove -[GPBFieldDescriptor optional] (protocolbuffers/protobuf@3414dc1)
• [Other] Remove deprecated flag for enabling MSVC support (protocolbuffers/protobuf@97c979b)
• [PHP] Remove deprecated PHP APIs (protocolbuffers/protobuf@9c45014)
• [PHP] Remove deprecated PHP APIs FieldDescriptor getLabel, use IsRepeated or isRequired instead. (protocolbuffers/protobuf@4208121, protocolbuffers/protobuf@cd76e67, protocolbuffers/protobuf@4208121)
• [PHP] Add PHP typehints for setters and remove redundant GPBUtil checks (protocolbuffers/protobuf#25296) (protocolbuffers/protobuf@aee03b7)
• [PHP] support default values for editions/proto2 (protocolbuffers/protobuf#25161) (protocolbuffers/protobuf@b01099d)
• [Python] Raise errors in OSS when assign bool to int/enum field in Python Proto. (protocolbuffers/protobuf@5b116fe)
• [Python] Remove float_format/double_format from python proto text_format (protocolbuffers/protobuf@e4854a1)
• [Python] Raise TypeError when convert non-timedelta to Duration, or convert non-datetime to Timestamp in python proto. (Original code may raise ArributeError) (protocolbuffers/protobuf@00aaca1)
• [Python] Remove float_precision from python proto json_format (protocolbuffers/protobuf@f027f1f)
• [Python] Remove deprecated FieldDescriptor::label() in OSS. Use is_repeated() or is_required() instead (protocolbuffers/protobuf@b76faa9)
• [Python] Remove deprecated FieldDescriptor.label (protocolbuffers/protobuf@0a8ff55)
• [Python] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (protocolbuffers/protobuf@c301c2c)
• Protobuf News may include additional announcements or pre-announcements for upcoming changes.
• Migration Guide may include additional guidance for breaking changes.

Bazel

• Fix: cc_toolchain should prefer protoc when prebuilt flag is flipped. (#25168) (protocolbuffers/protobuf@8c857c3)
• Breaking change: Remove deprecated ProtoInfo.transitive_imports. Use equivalent transitive_sources instead (protocolbuffers/protobuf@0a5c2f6)
• Feat(bazel): wire up prebuilt protoc toolchain (#24115) (protocolbuffers/protobuf@cc23698)
• Migrate proto_descriptor_set (#23369) (protocolbuffers/protobuf@8d4dfdd)

Compiler

• Ruby codegen: support generation of rbs files (#15633) (protocolbuffers/protobuf@6ebdf85)
• Avoid collision name problems between a message named Xyz and a direct sibling enum named XyzView (protocolbuffers/protobuf@eba53e8)
• Generalizing and implementing ValidateFeatureSupport for both Options and Features during proto parsing (protocolbuffers/protobuf@ed3c571)
• Fix a bug with custom features outside of the pb package. (protocolbuffers/protobuf@872d3ce)
• Fix import option handling when include_imports isn't set. (protocolbuffers/protobuf@9ef9e80)
• Fix a bug in STRICT check of namespaced enums to properly check for 'reserved 1 to max' (protocolbuffers/protobuf@1229d4a)
• Prevent accidental stripping of debug_redact options via import option. (protocolbuffers/protobuf@f58b098)

C++

• Add EnumerateEnumValues function. (protocolbuffers/protobuf@397d5d9)

... (truncated)

Commits

• See full diff in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	pypi/​protobuf@​4.25.8 ⏵ 6.33.5		+16

View full report

[JayT106]

@claude review this PR

[github-actions]

Claude finished @JayT106's task in 2m 50s —— View job

---

PR Review: chore(deps): bump protobuf from 4.25.8 to 6.33.5 in /integration_tests

• Gather context and review changed files
• Analyze compatibility and breaking changes
• Post review feedback

---

Summary

This is a Dependabot-generated dependency bump updating protobuf from 4.25.8 to 6.33.5 — a major version jump (v4 → v6, skipping v5 entirely). The changes are minimal: pyproject.toml updates the exact pinned version and poetry.lock updates the corresponding checksums.

Positives

• Security improvement: The Socket.dev scan shows the new version scores 100/100 across all categories, with +16 resolved vulnerabilities.
• Python version alignment: protobuf v6 requires Python ≥ 3.9, which matches the project's python = "^3.9" constraint.
• Checksums: The poetry.lock hashes look correctly updated for the new package artifacts.

Concerns

1. Generated pb2 files may be incompatible with protobuf v6

The project ships 12 hand-generated/committed protobuf files under integration_tests/protobuf/ that all use the old-style reflection API:

# integration_tests/protobuf/cosmos/tx/v1beta1/tx_pb2.py (and 11 others)
from google.protobuf import reflection as _reflection

Tx = _reflection.GeneratedProtocolMessageType('Tx', (_message.Message,), {...})

This pattern was deprecated in protobuf v3.x. In protobuf v5, the new code generator stopped producing it. In v6, deprecated Python APIs are actively removed (the PR description explicitly lists "[Python] Remove deprecated ..." entries). If reflection.GeneratedProtocolMessageType or symbol_database usage was cleaned up in v6, these files will raise import errors at test time.

These files were not regenerated as part of this PR — they remain as-is from their original generation with an older protoc.

Recommendation: Verify the integration tests actually pass with v6 by checking CI results. If they fail, the pb2 files should be regenerated using a v6-compatible protoc + protoc-gen-python.

2. Exact version pin instead of a range

# integration_tests/pyproject.toml
protobuf = "6.33.5"   # exact pin, no ^ or ~

The version is pinned exactly. While this is consistent with the previous 4.25.8 pin, consider whether a ^6.33.5 constraint (patch/minor updates allowed) would be better going forward so Dependabot can make smaller, lower-risk bumps rather than accumulating major jumps.

3. Python breaking changes in v6

Per the PR description (protobuf v34.0 release notes, which maps to the Python package v6.x):

• Bool-to-int/enum field assignments now raise errors — if any test code assigns True/False to an integer protobuf field, that will now fail.
• FieldDescriptor.label removed — if any code reads .label on a field descriptor it will break.
• float_format/float_precision removed from text_format/json_format — unlikely to affect this project but worth noting.

Verdict

The lockfile and pyproject.toml changes themselves look correct. The main risk is runtime compatibility of the committed pb2 files with the new protobuf runtime. This should be caught by CI — confirm integration tests pass before merging.