[Feature Request] Upgrade protobuf requirement to support at least 6.x branch as well

[barseghyanartur]

What motivated you to submit this feature request?
protobuf version pinned is on 5.x branch. Protobuf < 6.31.1 has a HIGH CVE: https://www.cve.org/CVERecord?id=CVE-2025-4565. Moreover, this causes irresolvable dependency conflicts with other projects, requiring a modern version of the protobuf.

Describe the solution you'd like
protobuf as dependency soft-pinned to support at least 6.x branch, in addition to currently supported 5.x.

Describe alternatives you've considered
There are no alternatives. This is a maintenance issue. Sticking to old Pinecone client (5.x) is not really an option.

Additional context
This is actually a maintenance request. GRPC is recommended when using Pinecone at scale. In the code, with grpc option, protobuf is soft-pinned to support 5.x branch only: https://github.com/pinecone-io/pinecone-python-client/blob/main/pyproject.toml#L115

[rohanshah18]

@barseghyanartur thank you for reporting this issue. I'll update the proto version as part of the next release.

[rohanshah18]

@barseghyanartur The CVE-2025-4565 patch was included in protobuf 5.29.5, so that version should be secure. Is the >= 6.31.1 constraint driven by other factors (e.g. dependency resolution), or would relaxing it to 5.29.5 be acceptable?

[barseghyanartur]

@rohanshah18:
Among others, dependency resolution.

[rohanshah18]

@barseghyanartur We'll be releasing a patch with protobuf 5.29.5 to fix the security issue as a next step.
We'll bump to protobuf 6.x for 2025-10 release since major version updates can break things, so we want to test thoroughly first.