security: update protobuf to 6.33.5#167

Merged
FelixLC merged 3 commits intomainfrom
security/update-protobuf
Feb 2, 2026

Conversation

@rchampourlier (Contributor) commented Feb 2, 2026

Summary

  • Updates protobuf from 6.33.4 to 6.33.5
  • Fixes CVE-2026-0994 (HIGH severity)

Vulnerability Details

JSON recursion depth bypass in protobuf

Protobuf was affected by a JSON recursion depth bypass vulnerability.

Test plan

  • Verify CI passes
  • Confirm protobuf version is 6.33.5 in lock file

🤖 Generated with Claude Code


Summary by cubic

Update protobuf to 6.33.5 to patch CVE-2026-0994 (JSON recursion depth bypass). No runtime code changes; security-only dependency update.

  • Dependencies
    • Bumped protobuf from 6.33.4 to 6.33.5 in uv.lock.
    • Removed accidentally added poetry.lock to keep uv-only setup.

Written for commit 1fe7139. Summary will update on new commits.

rchampourlier and others added 2 commits February 2, 2026 17:04
Fixes CVE-2026-0994 (HIGH) - JSON recursion depth bypass in protobuf.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixes CVE-2026-0994 (HIGH) - JSON recursion depth bypass in protobuf.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 2 files

Architecture diagram
sequenceDiagram
    participant External as External Client
    participant App as Application Server
    participant Proto as Protobuf Library (v6.33.5)
    participant Memory as System Stack/Heap

    Note over External,Memory: JSON Deserialization Flow (CVE-2026-0994 Patch)

    External->>App: Sends request with nested JSON payload
    App->>Proto: CHANGED: Unmarshal JSON to Protobuf Message
    
    Proto->>Proto: Initialize recursion counter
    
    loop For each nested JSON level
        Proto->>Memory: Allocate frame for nested object
        Note over Proto: NEW: Validate recursion depth < MAX_LIMIT
        
        alt Recursion Depth Exceeded
            Proto-->>App: Return "Recursion limit reached" error
            App-->>External: 400 Bad Request (Protection Triggered)
        else Depth Within Limits
            Proto-->>Proto: Continue parsing
        end
    end

    Proto-->>App: Return populated Message object
    App->>App: Process business logic
    App-->>External: 200 OK Response
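The diagram above sketches the defensive mechanism behind the fix: count nesting as the JSON is consumed and refuse the payload once the counter passes a fixed limit, before the deep structure is ever built in memory. The following is an added illustration of that pattern in plain Python; it is not code from this PR, from the cubic bot, or from the protobuf project, and the limit value `MAX_DEPTH = 100` and the exception name are assumptions for the example. The guard scans the raw text, so it runs ahead of any recursive parser and rejects over-deep input before the parser allocates a frame per level.

```python
"""Added example (not part of the PR or the protobuf project): a pre-parse
JSON nesting-depth guard that rejects payloads nested deeper than a limit."""
import json

MAX_DEPTH = 100  # assumed limit for this example, not a value taken from protobuf


class RecursionLimitReached(ValueError):
    """Raised as soon as the nesting counter exceeds the configured limit."""


def max_json_depth(text: str, limit: int = MAX_DEPTH) -> int:
    """Scan raw JSON text with an explicit depth counter and return the
    deepest nesting level seen. Raises RecursionLimitReached the moment the
    counter passes `limit`, so the check fails fast on a hostile payload
    instead of reading it to the end. Brackets inside string literals are
    skipped so they cannot inflate or deflate the count."""
    depth = 0
    deepest = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            # Inside a string literal: only track escapes and the closing quote.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise RecursionLimitReached(f"nesting depth exceeds {limit}")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced JSON brackets")
    if depth != 0:
        raise ValueError("unbalanced JSON brackets")
    return deepest


def safe_loads(text: str, limit: int = MAX_DEPTH):
    """Deserialize only after the depth guard has accepted the payload."""
    max_json_depth(text, limit)
    return json.loads(text)


def nested_arrays(n: int) -> str:
    """Constructed sample input: n nested empty arrays, e.g. '[[[]]]' for n=3."""
    return "[" * n + "]" * n


if __name__ == "__main__":
    print(max_json_depth('{"a": [1, {"b": "]]]}"}]}'))  # 3: brackets in the string are ignored
    print(safe_loads(nested_arrays(20)))
    try:
        safe_loads(nested_arrays(MAX_DEPTH + 1))
    except RecursionLimitReached as exc:
        print("rejected:", exc)
```

The counter-and-limit shape is the same one the diagram attributes to the patched library; the protobuf Python runtime's `json_format.Parse` takes a `max_recursion_depth` argument for this purpose, whereas this example deliberately depends on nothing beyond the standard library. A limit checked in a linear pre-scan is cheap insurance in front of any parser whose depth handling you do not control, and it pairs naturally with a request-size limit at the same boundary.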

This repo uses uv, not poetry.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@FelixLC FelixLC requested review from FelixLC and MaxHalford February 2, 2026 17:26
@FelixLC FelixLC merged commit ac0a54a into main Feb 2, 2026
3 checks passed
@FelixLC FelixLC deleted the security/update-protobuf branch February 2, 2026 17:27