
fix(deps): update dependency @grpc/grpc-js to v1.10.9 [security] - autoclosed #13661

Closed

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jun 10, 2024

Mend Renovate

This PR contains the following updates:

Package                  Change
@grpc/grpc-js (source)   1.10.0 -> 1.10.9
@grpc/grpc-js (source)   1.10.8 -> 1.10.9

GitHub Vulnerability Alerts

CVE-2024-37168

Impact

There are two separate code paths in which memory can be allocated per message in excess of the grpc.max_receive_message_length channel option:

  1. If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded.
  2. If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded.

Patches

This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.


Release Notes

grpc/grpc-node (@grpc/grpc-js)

v1.10.9

Compare Source

v1.10.8: @grpc/grpc-js 1.10.8

Compare Source

  • Fix a bug that caused channels with unix: targets to not reconnect after the channel goes idle (#2750)

v1.10.7: @grpc/grpc-js 1.10.7

Compare Source

  • Improve reporting of HTTP error codes (#2723)
  • Update dependency on @grpc/proto-loader to the latest version (#2732)

v1.10.6

Compare Source

v1.10.5: @grpc/grpc-js 1.10.5

Compare Source

  • Resolve exception when Error.stackTraceLimit is undefined (#2701 contributed by @davidfiala)
  • Call configured checkServerIdentity when grpc.ssl_target_name_override is set (#2704)
  • Add more information to DEADLINE_EXCEEDED error details strings (#2692)

v1.10.4: @grpc/grpc-js 1.10.4

Compare Source

  • Fix a bug that caused server interceptors to crash when using partially-populated ResponderBuilder and ListenerBuilder objects (#2696)
  • Avoid sending RST_STREAM from the client when the server has already finished its side of the stream (#2695)

v1.10.3: @grpc/grpc-js 1.10.3

Compare Source

v1.10.2: @grpc/grpc-js 1.10.2

Compare Source

  • Implement server connection idle timeouts and improve channelz performance (#2677 contributed by @AVVS)
  • Fix a bug that caused clients to automatically reconnect even when there were no active requests (#2680)
  • Modify order of server call events to more closely match pre-1.10.x behavior (#2683)

v1.10.1: @grpc/grpc-js 1.10.1

Compare Source

  • Fix a bug causing channels using the round_robin LB policy to fail to reconnect after a connection drops (#2667)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jun 10, 2024
@coveralls

coveralls commented Jun 10, 2024

Pull Request Test Coverage Report for Build 8d077f78-a023-41bb-97a3-f47fc2888376

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 92.207%

Totals Coverage Status
Change from base Build a3b0f48c-dffc-41ad-97ad-04cc13945fe9: 0.0%
Covered Lines: 6744
Relevant Lines: 7314

💛 - Coveralls

@renovate renovate bot force-pushed the renovate/npm-@grpc/grpc-js-vulnerability branch from cd4243f to ad3a59b Compare June 10, 2024 22:19
Contributor Author

renovate bot commented Jun 10, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @nestjs/graphql@12.1.1
npm error Found: ts-morph@22.0.0
npm error node_modules/ts-morph
npm error   dev ts-morph@"22.0.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peerOptional ts-morph@"^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 || ^20.0.0 || ^21.0.0" from @nestjs/graphql@12.1.1
npm error node_modules/@nestjs/graphql
npm error   dev @nestjs/graphql@"12.1.1" from the root project
npm error   peer @nestjs/graphql@"^12.0.0" from @nestjs/apollo@12.1.0
npm error   node_modules/@nestjs/apollo
npm error     dev @nestjs/apollo@"12.1.0" from the root project
npm error
npm error Conflicting peer dependency: ts-morph@21.0.1
npm error node_modules/ts-morph
npm error   peerOptional ts-morph@"^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 || ^20.0.0 || ^21.0.0" from @nestjs/graphql@12.1.1
npm error   node_modules/@nestjs/graphql
npm error     dev @nestjs/graphql@"12.1.1" from the root project
npm error     peer @nestjs/graphql@"^12.0.0" from @nestjs/apollo@12.1.0
npm error     node_modules/@nestjs/apollo
npm error       dev @nestjs/apollo@"12.1.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /tmp/renovate/cache/others/npm/_logs/2024-06-10T22_19_06_019Z-eresolve-report.txt
npm error A complete log of this run can be found in: /tmp/renovate/cache/others/npm/_logs/2024-06-10T22_19_06_019Z-debug-0.log

@renovate renovate bot changed the title fix(deps): update dependency @grpc/grpc-js to v1.10.9 [security] fix(deps): update dependency @grpc/grpc-js to v1.10.9 [security] - autoclosed Jun 11, 2024
@renovate renovate bot closed this Jun 11, 2024
@renovate renovate bot deleted the renovate/npm-@grpc/grpc-js-vulnerability branch June 11, 2024 06:39