fix: update protobuf to resolve CVE-2026-0994

[dannyneira]

Summary

• Updated protobuf from 6.30.2 to 6.33.5 in candle-examples/examples/marian-mt/python/requirements.txt.
• Resolves direct runtime pip dependency alerts for:
  • CVE-2025-4565 / GHSA-8qvm-5x2c-j2w7: GHSA-8qvm-5x2c-j2w7
  • CVE-2026-0994 / GHSA-7gcm-g887-7qv7: GHSA-7gcm-g887-7qv7
• Dependabot alerts:
  • https://github.com/warpdotdev/candle/security/dependabot/3
  • https://github.com/warpdotdev/candle/security/dependabot/21

Details

• This is a direct dependency update in the Marian MT Python requirements file.
• No workaround, override, or transitive parent update was needed.
• Dependabot did not report an error for these alerts.

Verification

• python3 -m venv /tmp/candle-protobuf-venv
• /tmp/candle-protobuf-venv/bin/python -m pip install --dry-run -r /workspace/candle/candle-examples/examples/marian-mt/python/requirements.txt
• /tmp/candle-protobuf-venv/bin/pip-audit -r /workspace/candle/candle-examples/examples/marian-mt/python/requirements.txt --format json
  • Confirmed protobuf==6.33.5 has vulns: [].
  • Remaining audit findings are for unrelated packages tracked by separate alerts.
• /tmp/candle-protobuf-venv/bin/python -m pip install -r /workspace/candle/candle-examples/examples/marian-mt/python/requirements.txt
• /tmp/candle-protobuf-venv/bin/python -c "import google.protobuf; print(google.protobuf.__version__)"
  • Output: 6.33.5
• cargo check --manifest-path /workspace/candle/Cargo.toml -p candle-examples --example marian-mt

Conversation: https://staging.warp.dev/conversation/8af8b244-71b1-49b7-b91b-565aa6de1015
Run: https://oz.staging.warp.dev/runs/019e506a-59c0-7dbd-91e0-92c1cf58b65e
Co-Authored-By: Oz oz-agent@warp.dev
This PR was generated with Oz.