
[Snyk] Upgrade com.google.protobuf:protobuf-java from 3.5.1 to 4.35.1#10

Open
mhill-os wants to merge 3 commits into master from snyk-upgrade-6d5cad7f0f2f648a1599cd15df7ef1ab

mhill-os commented Jul 2, 2026


Snyk has created this PR to upgrade com.google.protobuf:protobuf-java from 3.5.1 to 4.35.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 188 versions ahead of your current version.

  • The recommended version was released 21 days ago.

Issues fixed by the recommended upgrade:

| Issue | Score | Exploit Maturity |
|---|---|---|
| high severity Denial of Service (DoS) SNYK-JAVA-COMGOOGLEPROTOBUF-2331703 | 193 | No Known Exploit |
| high severity Denial of Service (DoS) SNYK-JAVA-COMGOOGLEPROTOBUF-3167772 | 193 | No Known Exploit |
| high severity Stack-based Buffer Overflow SNYK-JAVA-COMGOOGLEPROTOBUF-8055227 | 193 | No Known Exploit |
| medium severity Denial of Service (DoS) SNYK-JAVA-COMGOOGLEPROTOBUF-3040284 | 193 | No Known Exploit |

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade com.google.protobuf:protobuf-java from 3.5.1 to 4.35.1.

See this package in maven:
com.google.protobuf:protobuf-java

See this project in Snyk:
https://app.eu.snyk.io/org/777fa588-a023-437a-b50b-75119de43f30/project/1193234d-c00a-4efa-aaec-c96d7049ff03?utm_source=github-enterprise&utm_medium=referral&page=upgrade-pr

mhill-os commented Jul 2, 2026


Merge Risk: High

The upgrade from protobuf-java version 3.5.1 to 4.35.1 is a major and complex migration with significant breaking changes. This is not a simple dependency update and requires a multi-step migration effort.

In 2022, Google changed Protobuf's versioning scheme. The 4.x series for protobuf-java is part of a new system where the language-specific major version is decoupled from a global release number. This upgrade crosses that boundary, introducing fundamental changes.

Key Breaking Changes & Required Actions:

  • Protobuf Editions: The syntax = "proto2" and syntax = "proto3" declarations are being replaced by a new edition system (e.g., edition = "2023"). [2, 4, 5] You will need to update your .proto files to use this new syntax. This change unifies the features of proto2 and proto3.

  • Code Regeneration is Mandatory: You must regenerate all your Java classes using a new version of the protoc compiler that corresponds to the 4.x runtime. The runtime and the generated code versions must be compatible. [10, 18] Mismatches will lead to runtime errors like NoSuchMethodError. [16]

  • API and Runtime Incompatibility: There are significant API changes between the 3.x and 4.x series. Code that uses the generated Java classes will likely require modification. The internal implementation of core types like RepeatedPtrField has also changed. [9]

  • Environment Changes: The minimum required Java version for the 4.x series is higher than for version 3.5.1. You must ensure your production environment meets the new requirement.

Recommendation:
This upgrade should be treated as a significant refactoring project. Do not merge this change without a dedicated migration plan. The plan must include updating the protoc compiler, modifying all .proto files for Editions, regenerating all Java code, and thoroughly testing the application for runtime errors and behavioral changes.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.


mhill-os commented Jul 2, 2026


Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

snyk-bot added 2 commits July 4, 2026 03:30
Snyk has created this PR to upgrade com.google.protobuf:protobuf-java from 3.5.1 to 4.35.1.

See this package in maven:
com.google.protobuf:protobuf-java

See this project in Snyk:
https://app.eu.snyk.io/org/777fa588-a023-437a-b50b-75119de43f30/project/1193234d-c00a-4efa-aaec-c96d7049ff03?utm_source=github-enterprise&utm_medium=referral&page=upgrade-pr
2 participants