Ignore momentarily CVE-2026-0994 in protobuf #296

Merged
aponcedeleonch merged 1 commit into main from ignore-protobuf-cve
Jan 26, 2026

Conversation

@aponcedeleonch (Member)

This will enable running the CI and its checks. There is a fix upstream waiting to be merged and released: protocolbuffers/protobuf#25239

@claude

claude bot commented Jan 26, 2026

PR Review

Summary

Temporarily ignores CVE-2026-0994 in protobuf to unblock CI while waiting for upstream fix.

Issues Found

⚠️ Critical - Verify CVE Number
The CVE is listed as CVE-2026-0994 but we are currently in January 2026. This seems unusual - CVEs are typically assigned in the year they are discovered. Please verify:

  • Is this actually CVE-2025-0994 or CVE-2024-0994?
  • If it is 2026, can you confirm the CVE number is correct?

This is important for security tracking - the wrong CVE number defeats the purpose of the ignore flag.

Positives

  • ✅ Both pip-audit commands updated consistently
  • ✅ Clear TODO comment for tracking removal
  • ✅ Minimal, focused change
  • ✅ Whitespace cleanup on line 62

Recommendations

  1. Verify and correct the CVE number if needed
  2. Consider adding the upstream PR link in the TODO comment for easier tracking:
    # TODO: Remove --ignore-vuln once protobuf releases a fix for CVE-2026-0994
    # Tracking: https://github.com/protocolbuffers/protobuf/pull/25239

Approval: Conditional - please verify CVE number before merging.

@therealnb (Contributor) left a comment

Cool. Odd that there's no ignore file.

@aponcedeleonch (Member, Author)

@therealnb we could probably use the pyproject.toml file as ignore file. From there we could pass the vulnerabilities to ignore and have visibility of them. Will introduce in a later PR.
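The tracked ignore list discussed above, as an added example that is not part of this PR or repository: a bash helper that reads a constructed plain-text ignore file (one line per vulnerability with an expiry date and a tracking URL, used here in place of the pyproject.toml idea), emits `--ignore-vuln` arguments for pip-audit, and fails once an ignore has expired so a temporary exception cannot quietly become permanent. The file format, the function name `audit_ignore_args`, the expiry date and the path `ignored-vulns.txt` are assumptions.

```shell
#!/usr/bin/env bash
# Constructed ignore list (not a file from this repository):
#   <vulnerability id>  <expiry YYYY-MM-DD>  <tracking URL>
IGNORE_FILE="$(mktemp)"
cat > "$IGNORE_FILE" <<'EOF'
# id            expires     tracking
CVE-2026-0994   2026-03-31  https://github.com/protocolbuffers/protobuf/pull/25239
EOF

# Print one "--ignore-vuln <id>" line per entry in $1 that has not expired.
# $2 is today's date (YYYY-MM-DD), passed in so the check is reproducible.
# Exit status is 1 if any entry has expired: CI then fails loudly instead
# of silently carrying a stale ignore past the date someone chose for it.
audit_ignore_args() {
    local file="$1" today="$2" id expires url expired=0
    local today_num
    today_num="$(printf '%s' "$today" | tr -d '-')"
    while read -r id expires url; do
        # Skip blank lines and comments.
        case "$id" in ''|'#'*) continue ;; esac
        # Reject entries without a well-formed expiry date.
        case "$expires" in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) printf 'malformed ignore entry: %s\n' "$id" >&2; return 2 ;;
        esac
        if [ "$(printf '%s' "$expires" | tr -d '-')" -lt "$today_num" ]; then
            printf 'expired ignore: %s (until %s, see %s)\n' "$id" "$expires" "$url" >&2
            expired=1
            continue
        fi
        printf -- '--ignore-vuln %s\n' "$id"
    done < "$file"
    return "$expired"
}

# How a CI step would use it (pip-audit itself is not run in this example):
#   args="$(audit_ignore_args ignored-vulns.txt "$(date +%F)")" || exit 1
#   pip-audit $args
```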

@aponcedeleonch aponcedeleonch merged commit 4b6b4f3 into main Jan 26, 2026
8 checks passed
@aponcedeleonch aponcedeleonch deleted the ignore-protobuf-cve branch January 26, 2026 09:32