chore: update dependency @grpc/grpc-js to v1.8.22 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@grpc/grpc-js (source)	1.6.7 -> 1.8.22

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-37168

Impact

There are two separate code paths in which memory can be allocated per message in excess of the grpc.max_receive_message_length channel option:

1. If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded.
2. If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded.

Patches

This has been patched in versions 1.10.9, 1.9.15, and 1.8.22

---

Release Notes

grpc/grpc-node (@​grpc/grpc-js)

v1.8.22: @​grpc/grpc-js 1.8.22

Compare Source

• Avoid buffering significantly more than grpc.max_receive_message_size per received message.

v1.8.21

Compare Source

• Fix propagation of UNIMPLEMENTED error messages (#​2528)

v1.8.20: @​grpc/grpc-js 1.8.20

Compare Source

• Fix a crash when the channel option grpc.keepalive_permit_without_calls is set (#​2519)

v1.8.19: @​grpc/grpc-js 1.8.19

Compare Source

• Update keepalive behavior to more correctly handle short calls and long periods of inactivity (#​2513)

v1.8.18: @​grpc/grpc-js 1.8.18

Compare Source

• Fix reporting of call stacks in unary request errors (#​2503)
• Fix reporting of proxy info in channelz socket responses (#​2503)

v1.8.17: @​grpc/grpc-js 1.8.17

Compare Source

• Disallow pick_first LB policy as the direct child of an outlier_detection LB policy (#​2476)

v1.8.16: @​grpc/grpc-js 1.8.16

Compare Source

• Fix missing transport trace logs (#​2470)

v1.8.15: @​grpc/grpc-js 1.8.15

Compare Source

• Fix a memory leak that could result from a specific pattern of recursive function calls (#​2456)
• Ensure status and error events are consistently emitted asynchronously (#​2456)

v1.8.14: @​grpc/grpc-js 1.8.14

Compare Source

• Fix sequencing of some events related to connectivity state changes (#​2421)

v1.8.13: @​grpc/grpc-js 1.8.13

Compare Source

• Fix memory leak in channelz socket tracking (#​2394)

v1.8.12

Compare Source

• Fix an occasional type error when receiving DNS updates (#​2380)
• Fix ordering of events when handing requests on the server (#​2376 contributed by @​phoenix741)

v1.8.11: @​grpc/grpc-js 1.8.11

Compare Source

• Avoid accumulating placeholder objects when sending many messages on a long-running stream (#​2372)

v1.8.10: @​grpc/grpc-js 1.8.10

Compare Source

• Fix bugs in "pick first" load balancing policy that caused incorrect reconnection behavior (#​2369)

v1.8.9: @​grpc/grpc-js 1.8.9

Compare Source

• Fix a bug where clients would continue to send pings at the original configured rate after receiving a backoff request from the server (#​2363)

v1.8.8: @​grpc/grpc-js 1.8.8

Compare Source

• Remove progress field in returned status object (#​2350)
• Export InterceptingListener and NextCall types (#​2351)
• Fix a bug that could cause a crash when sending messages that exceed the outgoing message buffer size while a retry is in progress (#​2349)

v1.8.7: @​grpc/grpc-js 1.8.7

Compare Source

• Make handling of HTTP2 session references work independent of keepalive settings (#​2337)

v1.8.6: @​grpc/grpc-js 1.8.6

Compare Source

• Hold a reference to transport from call to avoid premature garbage collection (#​2336)

v1.8.5: @​grpc/grpc-js 1.8.5

Compare Source

• Cancel deadline timer when the call ends (#​2335)

v1.8.4

Compare Source

• Fix a bug that would sometimes allow the Node process to exit even though a gRPC request is active (#​2322)

v1.8.3: @​grpc/grpc-js 1.8.3

Compare Source

• Fix bug that caused streams to fail early when receiving a GOAWAY (#​2319)

v1.8.2

Compare Source

• Continue keepalive pings after receiving a GOAWAY on the client (#​2308)
• Fix handling of keepalive timers when the timeout is longer than the interval (#​2304 contributed by @​nicknotfun, included in #​2308)
• Ensure the last received message is fully handled before outputting status (#​2316)

v1.8.1

Compare Source

• Implement support for the grpc.service_config_disable_resolution channel option (#​2277 contributed by @​kleinsch)
• Include standard headers in trailers-only responses (#​2305)
• Fix a memory leak in the retry implementation (#​2306)

v1.8.0: @​grpc/grpc-js 1.8.0

Compare Source

• Implement retries (specified in gRFC A6) (#​2243, #​2278)
• Enable servers to send trailers-only responses (#​2278)
• Add server connection management options (#​2272)

v1.7.3: @​grpc/grpc-js 1.7.3

Compare Source

• Server performance improvements (#​2249 contributed by @​AVVS)

v1.7.2: @​grpc/grpc-js 1.7.2

Compare Source

• Make the default value of the grpc-node.max_session_memory option Number.MAX_SAFE_INTEGER on the server (#​2245)

v1.7.1: Node gRPC v1.7.1

Compare Source

Changes

• Publish prebuilt binaries for Node 9
• Fix file permissions issue with Linux prebuilt binaries (reported in #​76).

v1.7.0: @​grpc/grpc-js 1.7.0

Compare Source

• Enable outlier detection support by default (#​2221)
• Expose path and callEnd event in ServerSurfaceCall (#​2132 contributed by @​ajmath)
• Make graceful switch happen more quickly in some cases when service config is updated (#​2199)

v1.6.12: @​grpc/grpc-js 1.6.12

Compare Source

• Fix typo in the error handling fix released in 1.6.11 (#​2216, contributed by @​clww in #​2213)

v1.6.11

Compare Source

• Fix handling of malformed status messages (#​2210)

v1.6.10: @​grpc/grpc-js 1.6.10

Compare Source

• Fix a memory leak of Node http2 stream objects when cancelling streaming requests (#​2193)

v1.6.9: @​grpc/grpc-js 1.6.9

• Fix bugs in the Outlier Detection implementation (#​2173, #​2181)
• Handle errors when sending keepalive pings (#​2188)
• Fix Typescript reference tag generation (#​2126)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: packages/shopping/package-lock.json

npm ERR! code ETARGET
npm ERR! notarget No matching version found for loopback4-example-recommender@1.1.1.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-08-06T09_49_17_818Z-debug-0.log