Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(deps): Update dependency @grpc/grpc-js to v1.10.9 [SECURITY] (#59)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [@grpc/grpc-js](https://grpc.io/) ([source](https://togithub.com/grpc/grpc-node)) | devDependencies | patch | [`1.10.8` -> `1.10.9`](https://renovatebot.com/diffs/npm/@grpc%2fgrpc-js/1.10.8/1.10.9) | ### GitHub Vulnerability Alerts #### [CVE-2024-37168](https://togithub.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86) ### Impact There are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option: 1. If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded. 2. If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. ### Patches This has been patched in versions 1.10.9, 1.9.15, and 1.8.22 --- ### Release Notes <details> <summary>grpc/grpc-node (@​grpc/grpc-js)</summary> ### [`v1.10.9`](https://togithub.com/grpc/grpc-node/releases/tag/%40grpc/grpc-js%401.10.9): @​grpc/grpc-js 1.10.9 [Compare Source](https://togithub.com/grpc/grpc-node/compare/@grpc/[email protected]...@grpc/[email protected]) - Avoid buffering significantly more than `grpc.max_receive_message_size` per received message. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MDEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjQwMS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWVyZ2UiLCJzZWN1cml0eSJdfQ==-->
- Loading branch information
