New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: update dependency @grpc/grpc-js to v1.8.8 [security] - autoclosed #1612

Closed

renovate wants to merge 1 commit into master from renovate/npm-@grpc/grpc-js-vulnerability

Contributor

renovate bot commented Jul 6, 2023

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@grpc/grpc-js (source)	`1.6.7` -> `1.8.8`

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-32731

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/32309

Release Notes

grpc/grpc-node (@grpc/grpc-js)

`v1.8.8`: @grpc/grpc-js 1.8.8

Remove progress field in returned status object (#2350)
Export InterceptingListener and NextCall types (#2351)
Fix a bug that could cause a crash when sending messages that exceed the outgoing message buffer size while a retry is in progress (#2349)

`v1.8.7`: @grpc/grpc-js 1.8.7

Make handling of HTTP2 session references work independent of keepalive settings (#2337)

`v1.8.6`: @grpc/grpc-js 1.8.6

Hold a reference to transport from call to avoid premature garbage collection (#2336)

`v1.8.5`: @grpc/grpc-js 1.8.5

Cancel deadline timer when the call ends (#2335)

`v1.8.4`

Fix a bug that would sometimes allow the Node process to exit even though a gRPC request is active (#2322)

`v1.8.3`: @grpc/grpc-js 1.8.3

Fix bug that caused streams to fail early when receiving a GOAWAY (#2319)

`v1.8.2`

Continue keepalive pings after receiving a GOAWAY on the client (#2308)
Fix handling of keepalive timers when the timeout is longer than the interval (#2304 contributed by @nicknotfun, included in #2308)
Ensure the last received message is fully handled before outputting status (#2316)

`v1.8.1`

Implement support for the grpc.service_config_disable_resolution channel option (#2277 contributed by @kleinsch)
Include standard headers in trailers-only responses (#2305)
Fix a memory leak in the retry implementation (#2306)

`v1.8.0`: @grpc/grpc-js 1.8.0

Implement retries (specified in gRFC A6) (#2243, #2278)
Enable servers to send trailers-only responses (#2278)
Add server connection management options (#2272)

`v1.7.3`: @grpc/grpc-js 1.7.3

Server performance improvements (#2249 contributed by @AVVS)

`v1.7.2`: @grpc/grpc-js 1.7.2

Make the default value of the grpc-node.max_session_memory option Number.MAX_SAFE_INTEGER on the server (#2245)

`v1.7.1`: Node gRPC v1.7.1

Changes

Publish prebuilt binaries for Node 9
Fix file permissions issue with Linux prebuilt binaries (reported in #76).

`v1.7.0`: @grpc/grpc-js 1.7.0

Enable outlier detection support by default (#2221)
Expose path and callEnd event in ServerSurfaceCall (#2132 contributed by @ajmath)
Make graceful switch happen more quickly in some cases when service config is updated (#2199)

`v1.6.12`: @grpc/grpc-js 1.6.12

Fix typo in the error handling fix released in 1.6.11 (#2216, contributed by @clww in #2213)

`v1.6.11`

Fix handling of malformed status messages (#2210)

`v1.6.10`: @grpc/grpc-js 1.6.10

Fix a memory leak of Node http2 stream objects when cancelling streaming requests (#2193)

`v1.6.9`: @grpc/grpc-js 1.6.9

Fix bugs in the Outlier Detection implementation (#2173, #2181)
Handle errors when sending keepalive pings (#2188)
Fix Typescript reference tag generation (#2126)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


chore: update dependency @grpc/grpc-js to v1.8.8 [security]

f3955d9

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

renovate bot requested a review from mrmodise as a code owner

July 6, 2023 01:29

renovate bot changed the title ~~chore: update dependency @grpc/grpc-js to v1.8.8 [security]~~ chore: update dependency @grpc/grpc-js to v1.8.8 [security] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-@grpc/grpc-js-vulnerability branch

July 6, 2023 18:52

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment