https://github.com/googlefonts/fontc/security/dependabot/21 suggests we update our version of protobuf.
The path to it appears to be gftools > axisregistry > protobuf, and indeed I see the offending version in https://github.com/googlefonts/axisregistry/blob/main/requirements.txt. Although we don't - as far as I know - process arbitrary inputs, we might as well update.