Summary
Due to a critical security vulnerability (CVE-2026-0994) discovered in protobuf versions prior to 5.29.6, we are updating the protobuf and grpcio dependencies in the Python Worker. This update will be rolled out with host version 4.1049 and may cause breaking changes for some Python function apps.
What's Changing
The following dependency versions are being updated in the Azure Functions Python Worker:
- protobuf: ~=4.25.3 → ~=5.29.6
- grpcio: ~=1.59.0 → ~=1.70.0
Who Is Affected
This change may affect you if:
- Your Python function app uses protobuf or grpcio directly in your code or dependencies
- Your app runs on Python 3.9, 3.10, 3.11, or 3.12
- You have pinned specific versions of protobuf or grpcio in your requirements.txt that are incompatible with the new versions
Rollout Timeline
- Host Version: 4.1049
- Rollout Start: End of March 2026
- Expected Completion: Late April 2026
Potential Impact
After this update is deployed, function apps that depend on older versions of protobuf or grpcio may experience:
- Runtime errors or import failures
- Type incompatibilities if using protobuf-generated code compiled with older versions
- Breaking changes in gRPC functionality due to API changes between major versions
Mitigation Options
Option 1: Update Your Dependencies
Update your requirements.txt to use compatible versions:
protobuf~=5.29.6
grpcio~=1.70.0
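The "Who Is Affected" list and Option 1 both turn on the same question: does any pin in your requirements.txt exclude the versions the worker will now install? The script below is an added example written for this page; it is not part of the Azure Functions Python Worker or of the announcement. It parses a requirements file, evaluates the PEP 440 comparison operators (including the compatible-release operator `~=` used in the version lines above), and reports every protobuf or grpcio pin that rejects 5.29.6 or 1.70.0. The sample requirements text is constructed, and the parser deliberately supports only plain numeric versions; a pre-release pin such as `1.70.0rc1` raises an error so it gets manual review rather than a silent pass.

```python
import re

# Versions the announcement says the worker ships with host 4.1049.
WORKER_VERSIONS = {"protobuf": "5.29.6", "grpcio": "1.70.0"}

# One comparison clause, e.g. '>=1.59' or '~=4.25.3' (numeric versions only).
_CLAUSE_RE = re.compile(r"\s*(==|~=|>=|<=|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*")
# Package name, optional extras in brackets, then whatever specifier follows.
_REQ_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")


def parse_version(text):
    """Turn '5.29.6' into (5, 29, 6) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def satisfies(version, clause):
    """True if `version` meets one PEP 440 clause such as '>=1.59' or '~=4.25.3'."""
    match = _CLAUSE_RE.fullmatch(clause)
    if not match:
        raise ValueError(f"unsupported version clause: {clause!r}")
    op, target = match.group(1), parse_version(match.group(2))
    v = parse_version(version)
    if op == "==":
        return v == target
    if op == "!=":
        return v != target
    if op == ">=":
        return v >= target
    if op == ">":
        return v > target
    if op == "<=":
        return v <= target
    if op == "<":
        return v < target
    # Compatible release: ~=X.Y.Z means >=X.Y.Z and <X.(Y+1); ~=X.Y means <(X+1).
    # This is why '~=4.25.3' never admits a 5.x protobuf.
    if len(target) < 2:
        raise ValueError(f"'~=' needs at least two components: {clause!r}")
    upper = target[:-2] + (target[-2] + 1,)
    return v >= target and v[: len(upper)] < upper


def find_conflicts(requirements_text):
    """Return (package, requirement line, shipped version) for every protobuf or
    grpcio pin that excludes the version the worker will install."""
    conflicts = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("-"):
            continue  # blank line, or a pip option such as -r / --index-url
        match = _REQ_RE.match(line)
        if not match:
            continue
        name = match.group(1).lower().replace("_", "-")  # normalise the name
        if name not in WORKER_VERSIONS:
            continue
        spec = match.group(2).split(";", 1)[0].strip()  # ignore environment markers
        if not spec:
            continue  # unpinned: the resolver is free to pick the worker's version
        shipped = WORKER_VERSIONS[name]
        if not all(satisfies(shipped, clause) for clause in spec.split(",")):
            conflicts.append((name, line, shipped))
    return conflicts


# Constructed sample requirements.txt; not taken from any real function app.
SAMPLE_REQUIREMENTS = """\
azure-functions
protobuf~=4.25.3        # old worker baseline: excludes every 5.x release
grpcio==1.59.0
requests>=2.31
"""

if __name__ == "__main__":
    for name, line, shipped in find_conflicts(SAMPLE_REQUIREMENTS):
        print(f"{name}: '{line}' excludes worker version {shipped}")
```

Run it against your own file with `find_conflicts(open("requirements.txt").read())`; an empty result means the pins already admit the new worker versions, while each reported line is one you would either relax (Option 1) or keep while isolating worker dependencies (Option 2).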
Option 2: Use Isolated Worker Dependencies
If you need to continue using older versions of protobuf or grpcio, you can set the PYTHON_ISOLATE_WORKER_DEPENDENCIES application setting to 1 to prioritize your app's pinned versions.