[deps] Update google.golang.org/protobuf from v1.36.8 to v1.36.11 #19833

@github-actions

Summary

Update google.golang.org/protobuf indirect dependency from v1.36.8 to v1.36.11.

Current State

  • Package: google.golang.org/protobuf
  • Current Version: v1.36.8 (in go.mod as // indirect)
  • Proposed Version: v1.36.11
  • Update Type: Multi-version patch jump (3 patch releases)

Why Separate Issue

⚠️ Multi-version patch jump requires review

  • This jumps 3 patch versions (v1.36.8 → v1.36.9 → v1.36.10 → v1.36.11)
  • While each is a patch release, multiple accumulated changes need verification
  • Includes both bug fixes and new feature additions (prototext URL support)
  • Indirect dependency — update happens via dependent packages

Safety Assessment

⚠️ Requires careful review

  • Multi-version patch jump increases aggregate risk
  • Includes a change to support URL chars in text-format (potential behavior change)
  • Bug fix for recursion limit in lazy decoding — could affect deep proto structures
  • Generally backward-compatible but combined changes warrant individual review

Changes

v1.36.9–v1.36.11 highlights:

  • encoding/prototext: Support URL chars in type URLs in text-format
  • internal/impl: Fix recursion limit check in lazy decoding validation (security/correctness)
  • reflect/protodesc: Fix handling of import options in dynamic builds
  • reflect/protodesc: Add support for edition unstable
  • types: Regenerated using latest protobuf v33.2 release
  • Various maintenance and internal improvements

Links

Note: google.golang.org/protobuf is maintained at github.com/protocolbuffers/protobuf-go with canonical release pages on GitHub.

Recommended Action

go get -u google.golang.org/protobuf@v1.36.11
go mod tidy

Testing Notes

  • Run all tests: make test
  • Verify protobuf serialization/deserialization works correctly
  • Check that MCP SDK (which depends on protobuf) still functions properly
  • Test any workflows that use gRPC or structured data formats

Generated by Dependabot Dependency Checker · expires on Mar 8, 2026, 9:21 AM UTC
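
An added example, not part of the original issue and not protobuf-go's code: a stand-alone Go program showing what a recursion limit on nested messages enforces, as a model for a regression test on deep proto structures after the update. The schema (field 1 is a self-nesting message), the limit of 100 and the helper names `nest` and `validate` are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrTooDeep = errors.New("nesting exceeds recursion limit")
var ErrMalformed = errors.New("malformed wire data")

// nest builds constructed input: field 1 (length-delimited) wrapping itself depth times.
func nest(depth int) []byte {
	var msg []byte
	for i := 0; i < depth; i++ {
		hdr := binary.AppendUvarint([]byte{0x0a}, uint64(len(msg))) // 0x0a = field 1, wire type 2
		msg = append(hdr, msg...)
	}
	return msg
}

// validate treats field 1 as a nested message; the depth check runs on entry, so even an empty message past the limit fails.
func validate(msg []byte, limit int) error {
	if limit < 0 {
		return ErrTooDeep
	}
	for len(msg) > 0 {
		tag, n := binary.Uvarint(msg)
		if n <= 0 || tag&7 != 2 { // constructed schema: length-delimited fields only
			return ErrMalformed
		}
		size, m := binary.Uvarint(msg[n:])
		if m <= 0 || size > uint64(len(msg)-n-m) { // length prefix must fit the remaining bytes
			return ErrMalformed
		}
		body := msg[n+m : n+m+int(size)]
		msg = msg[n+m+int(size):]
		if tag>>3 == 1 {
			if err := validate(body, limit-1); err != nil {
				return err
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(validate(nest(100), 100), validate(nest(101), 100))
}
```

A test against the real dependency would keep the same shape: one message exactly at the limit that must decode, and one a single level deeper that must be rejected.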
