Relax protobuf dependency constraint from <5.0.0 to allow protobuf 5.x and above #266

@vishwas-sr

Description

Problem
The current unbabel-comet package specifies protobuf>=4.24.4,<5.0.0 in its dependencies. However, protobuf versions <5.29.6 are affected by CVE-2026-0994 (a high-severity DoS vulnerability).

This creates a security conflict where users cannot both:

Use unbabel-comet
Have a CVE-free protobuf installation

Analysis
I've investigated and found that unbabel-comet does not directly use protobuf in its source code. The dependency appears to come transitively (likely via tensorboard/pytorch-lightning), and the <5.0.0 constraint is overly restrictive.

I've tested unbabel-comet 2.2.7 with protobuf 5.29.6 and confirmed it works correctly.

Proposed Fix
Update the protobuf constraint in pyproject.toml from:

protobuf = ">=4.24.4,<5.0.0"

to:

protobuf = ">=4.24.4,<7.0.0"

Or remove the upper bound entirely if not needed.

CVE Reference
https://github.com/advisories/GHSA-7gcm-g887-7qv7
Patched versions: 5.29.6, 6.33.5

Thank you!
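The conflict described in the issue can be checked mechanically: given a dependency's version constraint and the advisory's patched versions, does any patched release fall inside the allowed range? The following is an added example (not code from the unbabel-comet project); it implements a small constraint evaluator for plain dotted versions and compares the current and proposed protobuf constraints against the two patched versions the advisory lists.

```python
# Added example (not unbabel-comet code): can a version constraint be met by a patched release?
from typing import Callable

def parse_version(v: str) -> tuple[int, ...]:
    """Parse a plain dotted release like '5.29.6'. Trailing zeros are dropped
    so '5.0.0' and '5' compare equal; pre-release tags are out of scope."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

# pip/Poetry constraint operators; two-character forms first so '>=' matches before '>'.
_OPS: dict[str, Callable[[tuple, tuple], bool]] = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}

def parse_spec(spec: str) -> list[tuple[str, tuple[int, ...]]]:
    """Split '>=4.24.4,<5.0.0' into [('>=', (4, 24, 4)), ('<', (5,))]."""
    clauses = []
    for clause in spec.split(","):
        clause = clause.strip()
        if not clause:
            continue
        for op in _OPS:  # dict keeps insertion order
            if clause.startswith(op):
                clauses.append((op, parse_version(clause[len(op):])))
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return clauses

def satisfies(version: str, spec: str) -> bool:
    """True if every clause of the constraint admits this version."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_spec(spec))

def installable_patched(spec: str, patched: list[str]) -> list[str]:
    """Patched releases a resolver may pick; empty means the constraint forces a vulnerable one."""
    return [p for p in patched if satisfies(p, spec)]

if __name__ == "__main__":
    PATCHED = ["5.29.6", "6.33.5"]  # patched versions listed in GHSA-7gcm-g887-7qv7
    for spec in (">=4.24.4,<5.0.0", ">=4.24.4,<7.0.0"):
        print(f"{spec:>17}: {installable_patched(spec, PATCHED) or 'none (vulnerable)'}")
```

Under the current `<5.0.0` bound neither patched release is installable, while the proposed `<7.0.0` bound admits both; the same check can be run in CI against any pinned dependency and its advisory's patched versions.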
