
fix(deps): Upgrade protobuf to 5.29.6 to fix CVE-2026-0994#93

Merged
m1so merged 2 commits into main from rl/fix-protobuf-cve-2026-0994 on Apr 16, 2026

Conversation


@robertlacok robertlacok commented Apr 16, 2026

Unpin google-cloud-bigquery-storage from ==2.16.2 (py<3.13) to >=2.33.1,<3 across all Python versions. This removes the transitive cap that held protobuf at 4.25.x on py3.10–3.12, allowing it to resolve to 5.29.6 which patches CVE-2026-0994 (JSON recursion depth bypass via nested Any messages).

Summary by CodeRabbit

  • Chores
    • Unified dependency constraints for BigQuery storage and updated the protobuf constraint to a newer minimum version, improving compatibility, security posture, and consistency across Python environments.

@robertlacok robertlacok requested a review from a team as a code owner April 16, 2026 10:27
@robertlacok robertlacok requested a review from m1so April 16, 2026 10:27

coderabbitai bot commented Apr 16, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 954db1d and a8f97d3.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pyproject.toml

📝 Walkthrough

The pyproject.toml dependency constraints were simplified: google-cloud-bigquery-storage pins for Python-specific versions were replaced with a single universal constraint google-cloud-bigquery-storage>=2.33.1,<3. The transitive protobuf constraint minimum was raised from 4.25.8 to 5.29.6 (protobuf>=5.29.6,<6).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. Title accurately reflects the main change: upgrading protobuf to address a security vulnerability (CVE-2026-0994).
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Updates Docs: ✅ Passed. Security/dependency update for CVE-2026-0994; custom check applies only to feature implementations, not patches.



github-actions bot commented Apr 16, 2026

📦 Python package built successfully!

  • Version: 2.2.0.dev8+2adbc3e
  • Wheel: deepnote_toolkit-2.2.0.dev8+2adbc3e-py3-none-any.whl
  • Install:
    pip install "deepnote-toolkit @ https://deepnote-staging-runtime-artifactory.s3.amazonaws.com/deepnote-toolkit-packages/2.2.0.dev8%2B2adbc3e/deepnote_toolkit-2.2.0.dev8%2B2adbc3e-py3-none-any.whl"


codecov bot commented Apr 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.32%. Comparing base (7ca9716) to head (a8f97d3).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #93   +/-   ##
=======================================
  Coverage   74.32%   74.32%           
=======================================
  Files          94       94           
  Lines        5535     5535           
  Branches      824      824           
=======================================
  Hits         4114     4114           
  Misses       1155     1155           
  Partials      266      266           
Flag Coverage Δ
combined 74.32% <ø> (ø)



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pyproject.toml`:
- Line 63: Update the explicit protobuf dependency constraint in pyproject.toml
so it pins the fixed floor directly: change the existing "protobuf>=4.25.8,<6"
entry to "protobuf>=5.29.6,<6" (and ensure this replaces the standalone protobuf
dependency rather than relying on google-cloud-bigquery-storage's indirect pin);
after editing, regenerate or update lock/constraints files and run the provided
verification script to confirm pyproject.toml and any lock/constraints files now
list the new "protobuf>=5.29.6,<6" constraint and no other looser protobuf
bounds remain.


📥 Commits

Reviewing files that changed from the base of the PR and between 7ca9716 and 954db1d.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pyproject.toml
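The PR description raises the protobuf floor, and CodeRabbit's inline comment asks for a check that pyproject.toml and the lock file carry `protobuf>=5.29.6,<6` with no looser protobuf bound left anywhere. What follows is an added example of such a check, not code from this PR or from the deepnote-toolkit project; the pyproject.toml and poetry.lock fragments are constructed (the page does not show the real files) and the function names are my own.

```python
import re
FIXED_PROTOBUF = (5, 29, 6)  # first release carrying the CVE-2026-0994 fix, per the PR

# Constructed samples standing in for the repository's real files (the page does not
# show them): a pyproject.toml fragment before and after the PR, and a poetry.lock entry.
PYPROJECT_BEFORE = '''
[tool.poetry.dependencies]
google-cloud-bigquery-storage = [
    {version = "==2.16.2", python = "<3.13"},
    {version = ">=2.33.1,<3", python = ">=3.13"},
]
protobuf = ">=4.25.8,<6"
'''
PYPROJECT_AFTER = '''
[tool.poetry.dependencies]
google-cloud-bigquery-storage = ">=2.33.1,<3"
protobuf = ">=5.29.6,<6"
'''
POETRY_LOCK_AFTER = '''
[[package]]
name = "protobuf"
version = "5.29.6"
'''

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def lower_bound(spec):
    """Lowest version a specifier set admits ((0,) if none); '>' is treated as '>=' (conservative)."""
    floor = (0,)
    for clause in spec.split(","):
        m = re.match(r"(>=|==|~=|>)\s*([\d.]+)", clause.strip())
        if m:
            floor = max(floor, parse_version(m.group(2)))
    return floor

def protobuf_floor(pyproject_text):
    """Loosest protobuf floor declared anywhere (poetry `protobuf = ">=x"` or PEP 508 `"protobuf>=x"`)."""
    specs = re.findall(r'\bprotobuf(?:\s*=\s*")?([<>=!~][^"\n]*)"', pyproject_text)
    return min((lower_bound(s) for s in specs), default=None)

def pins_fixed_protobuf(pyproject_text):
    """True only if every protobuf constraint in the file excludes the vulnerable releases."""
    floor = protobuf_floor(pyproject_text)
    return floor is not None and floor >= FIXED_PROTOBUF

def locked_protobuf_version(lock_text):
    """Resolved protobuf version recorded in poetry.lock, or None if absent."""
    m = re.search(r'\[\[package\]\]\s*name = "protobuf"\s*version = "([^"]+)"', lock_text)
    return parse_version(m.group(1)) if m else None
```

Because `protobuf_floor` takes the loosest of all declared bounds, a second, older `protobuf` entry in another dependency group still fails the check, which is the regression CodeRabbit's comment is guarding against.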

Unpin google-cloud-bigquery-storage from ==2.16.2 (py<3.13) to
>=2.33.1,<3 across all Python versions. This removes the transitive
cap that held protobuf at 4.25.x on py3.10–3.12.

Set protobuf floor to >=5.29.6,<6 to ensure the fix cannot be
regressed by a future dependency change.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@robertlacok robertlacok force-pushed the rl/fix-protobuf-cve-2026-0994 branch from 954db1d to 0fedddf on April 16, 2026 10:32
@m1so m1so merged commit 2f33a6b into main Apr 16, 2026
32 checks passed
@m1so m1so deleted the rl/fix-protobuf-cve-2026-0994 branch April 16, 2026 11:25
@deepnote-bot

🚀 Review App Deployment Started

  • Review application: ra-93
  • Last deployed: 2026-04-16 11:26:54 (UTC)
  • Deployed commit: 80b24352fe203eb6c8148f3b01a0a9adaba5852d
  • Toolkit version: 2adbc3e
