protobuf-python has a potential Denial of Service issue

**Describe the bug**
Hello! We build a project ([animal-ai](https://github.com/Kinds-of-Intelligence-CFI/animal-ai-python)) using ml-agents, and have recently had a security warning about versions of protobuf below `4.25.8` (See [this](https://github.com/Kinds-of-Intelligence-CFI/animal-ai-python/security/dependabot/5), or [this](https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8qvm-5x2c-j2w7)).

I guess it's not a big issue as ml-agents protobuf usage doesn't deal with untrusted inputs, but it would be good tidy this up - would it be possible to bump the protobuf version used in ml-agents?

**To Reproduce**
We pin the protobuf version explicitly ([ref](https://github.com/Kinds-of-Intelligence-CFI/animal-ai-python/blob/main/pyproject.toml#L32)), which is why we get the alert. (We pinned before my time, I'm not sure exactly why we need to pin instead of inheriting the version from you).

I'm not sure why we get it and you don't, as your specified protobuf python versions appear to be within the affected range ([ref](https://github.com/Unity-Technologies/ml-agents/blob/develop/ml-agents-envs/setup.py#L59)).

**Console logs / stack traces**
N/A

**Screenshots**
N/A

**Environment (please complete the following information):**
N/A

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

protobuf-python has a potential Denial of Service issue #6218

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

protobuf-python has a potential Denial of Service issue #6218

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions