This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [@grpc/grpc-js](https://grpc.io/) ([source](https://togithub.com/grpc/grpc-node)) | dependencies | patch | [`1.10.8` -> `1.10.9`](https://renovatebot.com/diffs/npm/@grpc%2fgrpc-js/1.10.8/1.10.9) | ### GitHub Vulnerability Alerts #### [CVE-2024-37168](https://togithub.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86) ### Impact There are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option: 1. If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded. 2. If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. ### Patches This has been patched in versions 1.10.9, 1.9.15, and 1.8.22 --- ### Release Notes <details> <summary>grpc/grpc-node (@grpc/grpc-js)</summary> ### [`v1.10.9`](https://togithub.com/grpc/grpc-node/releases/tag/%40grpc/grpc-js%401.10.9): @grpc/grpc-js 1.10.9 [Compare Source](https://togithub.com/grpc/grpc-node/compare/@grpc/grpc-js@1.10.8...@grpc/grpc-js@1.10.9) - Avoid buffering significantly more than `grpc.max_receive_message_size` per received message. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate).