This repository has been archived by the owner on Nov 17, 2024. It is now read-only.

fix(deps): update dependency @grpc/grpc-js to v1.8.22 [security] #207

Open: wants to merge 1 commit into base: main

Conversation

renovate[bot] (Contributor)

@renovate renovate bot commented Aug 6, 2024

This PR contains the following updates:

Package                  Change
@grpc/grpc-js (source)   1.1.8 -> 1.8.22

GitHub Vulnerability Alerts

CVE-2024-37168

Impact

There are two separate code paths in which memory can be allocated per message in excess of the grpc.max_receive_message_length channel option:

  1. If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded.
  2. If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded.

Patches

This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.


Release Notes

grpc/grpc-node (@​grpc/grpc-js)

v1.8.22: @​grpc/grpc-js 1.8.22

Compare Source

  • Avoid buffering significantly more than grpc.max_receive_message_size per received message.

v1.8.21

Compare Source

  • Fix propagation of UNIMPLEMENTED error messages (#​2528)

v1.8.20: @​grpc/grpc-js 1.8.20

Compare Source

  • Fix a crash when the channel option grpc.keepalive_permit_without_calls is set (#​2519)

v1.8.19: @​grpc/grpc-js 1.8.19

Compare Source

  • Update keepalive behavior to more correctly handle short calls and long periods of inactivity (#​2513)

v1.8.18: @​grpc/grpc-js 1.8.18

Compare Source

  • Fix reporting of call stacks in unary request errors (#​2503)
  • Fix reporting of proxy info in channelz socket responses (#​2503)

v1.8.17: @​grpc/grpc-js 1.8.17

Compare Source

  • Disallow pick_first LB policy as the direct child of an outlier_detection LB policy (#​2476)

v1.8.16: @​grpc/grpc-js 1.8.16

Compare Source

  • Fix missing transport trace logs (#​2470)

v1.8.15: @​grpc/grpc-js 1.8.15

Compare Source

  • Fix a memory leak that could result from a specific pattern of recursive function calls (#​2456)
  • Ensure status and error events are consistently emitted asynchronously (#​2456)

v1.8.14: @​grpc/grpc-js 1.8.14

Compare Source

  • Fix sequencing of some events related to connectivity state changes (#​2421)

v1.8.13: @​grpc/grpc-js 1.8.13

Compare Source

  • Fix memory leak in channelz socket tracking (#​2394)

v1.8.12

Compare Source

  • Fix an occasional type error when receiving DNS updates (#​2380)
  • Fix ordering of events when handing requests on the server (#​2376 contributed by @​phoenix741)

v1.8.11: @​grpc/grpc-js 1.8.11

Compare Source

  • Avoid accumulating placeholder objects when sending many messages on a long-running stream (#​2372)

v1.8.10: @​grpc/grpc-js 1.8.10

Compare Source

  • Fix bugs in "pick first" load balancing policy that caused incorrect reconnection behavior (#​2369)

v1.8.9: @​grpc/grpc-js 1.8.9

Compare Source

  • Fix a bug where clients would continue to send pings at the original configured rate after receiving a backoff request from the server (#​2363)

v1.8.8: @​grpc/grpc-js 1.8.8

Compare Source

  • Remove progress field in returned status object (#​2350)
  • Export InterceptingListener and NextCall types (#​2351)
  • Fix a bug that could cause a crash when sending messages that exceed the outgoing message buffer size while a retry is in progress (#​2349)

v1.8.7: @​grpc/grpc-js 1.8.7

Compare Source

  • Make handling of HTTP2 session references work independent of keepalive settings (#​2337)

v1.8.6: @​grpc/grpc-js 1.8.6

Compare Source

  • Hold a reference to transport from call to avoid premature garbage collection (#​2336)

v1.8.5: @​grpc/grpc-js 1.8.5

Compare Source

  • Cancel deadline timer when the call ends (#​2335)

v1.8.4

Compare Source

  • Fix a bug that would sometimes allow the Node process to exit even though a gRPC request is active (#​2322)

v1.8.3: @​grpc/grpc-js 1.8.3

Compare Source

  • Fix bug that caused streams to fail early when receiving a GOAWAY (#​2319)

v1.8.2

Compare Source

  • Continue keepalive pings after receiving a GOAWAY on the client (#​2308)
  • Fix handling of keepalive timers when the timeout is longer than the interval (#​2304 contributed by @​nicknotfun, included in #​2308)
  • Ensure the last received message is fully handled before outputting status (#​2316)

v1.8.1

Compare Source

  • Implement support for the grpc.service_config_disable_resolution channel option (#​2277 contributed by @​kleinsch)
  • Include standard headers in trailers-only responses (#​2305)
  • Fix a memory leak in the retry implementation (#​2306)

v1.8.0: @​grpc/grpc-js 1.8.0

Compare Source

v1.7.3: @​grpc/grpc-js 1.7.3

Compare Source

v1.7.2: @​grpc/grpc-js 1.7.2

Compare Source

  • Make the default value of the grpc-node.max_session_memory option Number.MAX_SAFE_INTEGER on the server (#​2245)

v1.7.1: Node gRPC v1.7.1

Compare Source

Changes

  • Publish prebuilt binaries for Node 9
  • Fix file permissions issue with Linux prebuilt binaries (reported in #​76).

v1.7.0: @​grpc/grpc-js 1.7.0

Compare Source

  • Enable outlier detection support by default (#​2221)
  • Expose path and callEnd event in ServerSurfaceCall (#​2132 contributed by @​ajmath)
  • Make graceful switch happen more quickly in some cases when service config is updated (#​2199)

v1.6.12: @​grpc/grpc-js 1.6.12

Compare Source

v1.6.11

Compare Source

  • Fix handling of malformed status messages (#​2210)

v1.6.10: @​grpc/grpc-js 1.6.10

Compare Source

  • Fix a memory leak of Node http2 stream objects when cancelling streaming requests (#​2193)

v1.6.9: @​grpc/grpc-js 1.6.9

  • Fix bugs in the Outlier Detection implementation (#​2173, #​2181)
  • Handle errors when sending keepalive pings (#​2188)
  • Fix Typescript reference tag generation (#​2126)

v1.6.7: @​grpc/grpc-js 1.6.7

Compare Source

  • Fix a bug that could cause double DNS requests in the DNS resolver in some rare cases (#​2100)
  • Report request failures when a method expecting a unary response receives no messages (#​2102)
  • Fix spurious subchannel shutdowns in channels with the grpc.use_local_subchannel_pool option set (#​2103)

v1.6.6: @​grpc/grpc-js 1.6.6

Compare Source

  • Fail calls immediately when their connection's keepalive ping times out (#​2097)
  • Fix a bug that would cause the DNS resolver to keep making DNS requests forever even if it was not needed (#​2098)

v1.6.5: @​grpc/grpc-js 1.6.5

Compare Source

  • Consistently trigger name resolution when idle (#​2095)

v1.6.4: @​grpc/grpc-js 1.6.4

Compare Source

  • Ensure that request failures due to name resolution failure are reported consistently (#​2092)

v1.6.3: @​grpc/grpc-js 1.6.3

Compare Source

  • Disable per-session memory limit by default. (#​2084)
  • Track existing ping timeouts even when there are no active requests on a connection (#​2087)
  • Add more details to trace logs of keepalive pings (#​2085)
  • Fix entity IDs in trace logs when channelz is disabled (#​2082)

v1.6.2: @​grpc/grpc-js 1.6.2

Compare Source

  • Adjusted the behavior of exponential backoff timers (#​2077)

v1.6.1: @​grpc/grpc-js 1.6.1

Compare Source

  • Enable support for the grpc.dns_min_time_between_resolutions_ms channel option, which controls the minimum time between successful DNS requests, with a default of 30,000 (30 seconds) (#​2076)

v1.6.0: @​grpc/grpc-js 1.6.0

Compare Source

  • Add credentials.createFromSecureContext, as described in gRFC L93 (#​1988)
  • Set provided serviceName as property of generated Client subclasses (#​1993 contributed by @​DavyJohnes)
  • Return never from functions that always throw (#​2056 contributed by @​dacioromero)
  • Add experimental Outlier Detection load balancing policy, as described in gRFC A50 (disabled by default, enabled by setting the environment variable GRPC_EXPERIMENTAL_ENABLE_OUTLIER_DETECTION=true) (#​2058)
  • Expose MetadataOptions interface (#​2071 contributed by @​kskalski)
  • Surface stream writing errors as standard gRPC errors (#​2073)

v1.5.10: @​grpc/grpc-js 1.5.10

Compare Source

  • Fix inconsistent checks for grpc.enable_channelz in the server (#​2069)

v1.5.9: @​grpc/grpc-js 1.5.9

Compare Source

  • Add transparent retries for "The session has been destroyed" errors (#​2063)
  • Add channel_stacktrace tracer to log stacktraces of channel construction (#​2061)
  • Move a log line to eliminate misleading double call "ended with status" trace lines (#​2062)

v1.5.8: @​grpc/grpc-js 1.5.8

Compare Source

  • Add subchannel and call ID numbers to relevant trace logs for better cross-referencing (#​2059)

v1.5.7: @​grpc/grpc-js 1.5.7

Compare Source

  • Improve handling of some disconnection events (#​2052)

v1.5.6: @​grpc/grpc-js 1.5.6

Compare Source

  • Add debug logging for http2 session state when starting calls (#​2051)

v1.5.5: @​grpc/grpc-js 1.5.5

Compare Source

  • Add HTTP/2 settings frame tracing (#​2040)
  • Add HTTP/2 flow control tracing (#​2041)

v1.5.4: @​grpc/grpc-js 1.5.4

Compare Source

  • Fix exitIdle propagation and DNS IP result backoff (#​2037)

v1.5.3: @​grpc/grpc-js 1.5.3

Compare Source

  • Fix a null reference exception when closing a channel that was constructed using the grpc.use_local_subchannel_pool option (#​2029)

v1.5.2: @​grpc/grpc-js 1.5.2

Compare Source

  • Prevent TLSWrap errors from being surfaced to server applications (#​2027)

v1.5.1: @​grpc/grpc-js 1.5.1

Compare Source

v1.5.0: @​grpc/grpc-js 1.5.0

Compare Source

  • Add support for request compression on clients and request decompression on servers (#​1952 contributed by @​b0b3rt)
  • Improve messaging for some RESOURCE_EXHAUSTED errors (#​1946)
  • Export TypeScript types for ServiceClientConstructor and ProtobufTypeDefinition (#​1951 contributed by @​howyi)
  • Provide the full certificate object in the checkServerIdentity callback (#​1968)
  • Remove @types/semver from the production dependencies list (#​1989)
  • Add information about supported channel options to the README (#​1996 contributed by @​josephharrington)

v1.4.6: @​grpc/grpc-js 1.4.6

Compare Source

v1.4.5: @​grpc/grpc-js 1.4.5

Compare Source

  • Use configured backoff options when retrying name resolution (#​1987 contributed by @​cloverheap)
  • Preserve order of metadata, messages, and call end with async interceptors (#​1986)

v1.4.4

Compare Source

v1.4.3: @​grpc/grpc-js 1.4.3

Compare Source

  • Fix a bug that caused requests to not progress properly when the option grpc.enable_channelz was set to 0 (#​1961)
  • Fix a bug causing channelz to generate the wrong binary representation for IPv6 addresses in some cases (#​1960)

v1.4.2: @​grpc/grpc-js 1.4.2

Compare Source

  • Limit the number of channelz trace events retained per channel/subchannel/server (#​1943)
  • Enable support for the grpc.enable_channelz option, allowing users to disable channelz stats tracking and tracing for a channel (and corresponding subchannels) or server (#​1944)
  • Handle undefined socket.localAddress in channelz stats gathering code (#​1954)

v1.4.1: @​grpc/grpc-js 1.4.1

Compare Source

  • Publish channelz files missing from the previous release (#​1937)

v1.4.0: @​grpc/grpc-js 1.4.0

  • Add Channelz support (specification here) (#​1915)
    This adds the following public APIs:
    • getChannelzServiceDefinition(): ServiceDefinition
    • getChannelzHandlers(): ServiceHandler
      These two can be used together to serve the channelz service as follows:
      server.addService(getChannelzServiceDefinition(), getChannelzHandlers());
    • Channel#getChannelzRef(): ChannelRef
    • Server#getChannelzRef(): ServerRef
  • Add the admin interface (specification here) (#​1915)
    Currently the only admin service is Channelz, but more can be added in the future. This adds the following public api:
    • addAdminServicesToServer(server: Server): void
  • Add support for timeouts in service configs (#​1785)
  • Remove type restrictions on Channel options (#​1916)
  • Report ECONNRESET errors with the UNAVAILABLE status code (#​1878)
  • Tighten type checking for credentials argument to Server#bindAsync (#​1852)
  • Pass log messages to different log functions based on severity in custom loggers, and note the severity in the default logger output (#​1851)
  • Add logging for TLS errors when connecting through a proxy (#​1842)
  • Refactor code to eliminate runtime dependency cycles (#​1829)

Changes to experimental APIs

  • Added exports of the following:
    • Duration
    • registerAdminService
    • createChildChannelControlHelper
  • Picker#extraFilterFactory has been replaced with Picker#extraFilterFactories with type FilterFactory<Filter>[]
  • CallConfig has a new property dynamicFilterFactories with type FilterFactory<Filter>[]
  • ChannelControlHelper has the new properties addChannelzChild(child: ChannelRef | SubchannelRef) and removeChannelzChild(child: ChannelRef | SubchannelRef)

v1.3.7: @​grpc/grpc-js 1.3.7

Compare Source

  • Fix server handling of streams that are already closed (#​1873)
  • Handle errors thrown on client when writing to a stream that is already closed (#​1875)

v1.3.6: @​grpc/grpc-js 1.3.6

Compare Source

  • Add more trace logging around establishing connections (#​1857)

v1.3.5: @​grpc/grpc-js 1.3.5

Compare Source

  • Add logging for TLS over proxy connection errors (#​1845)

v1.3.4: @​grpc/grpc-js 1.3.4

Compare Source

  • Ensure that the grpc.keepalive_permit_without_calls option does not cause unused clients to keep the process from exiting (#​1828)

v1.3.3: @​grpc/grpc-js 1.3.3

Compare Source

v1.3.2: @​grpc/grpc-js 1.3.2

Compare Source

  • Fix function type check so that callbacks can be async functions (#​1787)

v1.3.1: @​grpc/grpc-js 1.3.1

Compare Source

  • Change a couple of isFunction checks to work in more contexts (#​1761 contributed by @​zereraz)
  • Eliminate some log spam in subchannel trace logs (#​1770)
  • Fix the check for outputting the "read ECONNRESET" error as UNAVAILABLE (#​1780)
  • Make the GRPC_VERBOSITY environment variable accept lower-case values (#​1781)

v1.3.0: @​grpc/grpc-js 1.3.0

  • Add support for ipv4 and ipv6 address schemes (#​1752)
  • Remove google-auth-library dependency (#​1703)
  • Add grpc-node.max_session_memory channel argument to configure maximum memory used per HTTP/2 session (#​1666 contributed by dwrip)
  • Remove runtime Node version compatibility check (#​1739)
  • Experimental API changes: Add ConfigSelector type and add configSelector argument to ResolverListener#onSuccessfulResolution (#​1681)

v1.2.11: @​grpc/grpc-js 1.2.11

Compare Source

  • Fix a crash when using the library on Electron (#​1709)
  • Make waitForReady finish immediately if the client has been closed (#​1714)

v1.2.10: @​grpc/grpc-js 1.2.10

Compare Source

  • Fixed an internal bug that caused trailer filters to be called twice for most calls (#​1707)

v1.2.9: @​grpc/grpc-js 1.2.9

Compare Source

  • Speculative fix for ECONNRESET errors (#​1705)

v1.2.8: @​grpc/grpc-js 1.2.8

Compare Source

  • Don't propagate non-numeric errors from auth plugins (#​1690)

v1.2.7: @​grpc/grpc-js 1.2.7

Compare Source

  • Fix an issue holding the Node process open after the channel was closed in some cases (#​1688)
  • Improve error reporting when a stream fails to start (#​1689)

v1.2.6: @​grpc/grpc-js 1.2.6

Compare Source

  • Loosen the dependency on @types/node to avoid conflicts with other packages' dependencies on the same types package (#​1683)

v1.2.5: @​grpc/grpc-js 1.2.5

Compare Source

  • Fix a bug that caused some errors thrown in client response handling code to be incorrectly reported as response message parsing errors. (#​1672)

v1.2.4: @​grpc/grpc-js 1.2.4

Compare Source

  • In the round robin load balancer, update name resolution when receiving a GOAWAY or similar disconnection (#​1665)

v1.2.3: @​grpc/grpc-js 1.2.3

@​grpc/grpc-js 1.2.1

  • Fix handling of propagated and explicitly set deadlines when both are set (#​1633)

@​grpc/grpc-js 1.2.2

  • Add destroy method to the experimental.Resolver interface (#​1641)

@​grpc/grpc-js 1.2.3

  • End calls faster if the deadline has already passed (#​1648)
  • Improve reporting of some internal client errors (#​1658)
  • Prevent prototype pollution in loadPackageDefinition (#​1654 contributed by @​d3v53c)

v1.2.0: @​grpc/grpc-js 1.2.0

New Features

  • Add an experimental namespace with APIs that are primarily intended to be used by a plugin library that will be published soon. These APIs are only guaranteed to be stable within a minor version. (#​1607)
  • Add support for grpc.keepalive_permit_without_calls channel argument (#​1612)
  • Allow the Server method addService to be called on a running server, and add the methods unregister and removeService to the Server class (#​1614 contributed by @​hugebdu)
  • Add support for automatically propagating deadlines and cancellation events from server calls to child outgoing requests (#​1616)
  • Allow clients and servers to send metadata of unlimited size (#​1571)

Bug Fixes

  • Fix a bug that would sometimes allow the Node process to exit without processing outstanding calls when taking a long time to establish a connection to the server (#​1580)
  • Export handleClientStreamingCall type for compatibility with grpc (#​1587 contributed by @​badsyntax)
  • Fix a bug that would cause the library to incorrectly attempt to contact a proxy at port 443 when the proxy environment variable specified port 80 or omitted a port (#​1609)
  • Rearrange the connectivityState enum to match the native library (#​1621)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.