
fix(deps): update dependency @grpc/grpc-js to v1.8.22 [security]#6366

Open
Stanzilla wants to merge 1 commit into open-telemetry:main from Stanzilla:bump-grpc-js

Conversation

@Stanzilla

Copy from a renovate PR in another repo:

This MR contains the following updates:

Package: @grpc/grpc-js (source)
Change: 1.7.1 -> 1.8.22

@grpc/grpc-js can allocate memory for incoming messages well above configured limits

CVE-2024-37168 / GHSA-7v5v-9h63-cj86

More information

Details

Impact

There are two separate code paths in which memory can be allocated per message in excess of the grpc.max_receive_message_length channel option:

  1. If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded.
  2. If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded.
Patches

This has been patched in versions 1.10.9, 1.9.15, and 1.8.22

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

grpc/grpc-node (@grpc/grpc-js)

v1.8.22: @grpc/grpc-js 1.8.22

Compare Source

  • Avoid buffering significantly more than grpc.max_receive_message_size per received message.

v1.8.21

Compare Source

  • Fix propagation of UNIMPLEMENTED error messages (#2528)

v1.8.20: @grpc/grpc-js 1.8.20

Compare Source

  • Fix a crash when the channel option grpc.keepalive_permit_without_calls is set (#2519)

v1.8.19: @grpc/grpc-js 1.8.19

Compare Source

  • Update keepalive behavior to more correctly handle short calls and long periods of inactivity (#2513)

v1.8.18: @grpc/grpc-js 1.8.18

Compare Source

  • Fix reporting of call stacks in unary request errors (#2503)
  • Fix reporting of proxy info in channelz socket responses (#2503)

v1.8.17: @grpc/grpc-js 1.8.17

Compare Source

  • Disallow pick_first LB policy as the direct child of an outlier_detection LB policy (#2476)

v1.8.16: @grpc/grpc-js 1.8.16

Compare Source

  • Fix missing transport trace logs (#2470)

v1.8.15: @grpc/grpc-js 1.8.15

Compare Source

  • Fix a memory leak that could result from a specific pattern of recursive function calls (#2456)
  • Ensure status and error events are consistently emitted asynchronously (#2456)

v1.8.14: @grpc/grpc-js 1.8.14

Compare Source

  • Fix sequencing of some events related to connectivity state changes (#2421)

v1.8.13: @grpc/grpc-js 1.8.13

Compare Source

  • Fix memory leak in channelz socket tracking (#2394)

v1.8.12

Compare Source

  • Fix an occasional type error when receiving DNS updates (#2380)
  • Fix ordering of events when handling requests on the server (#2376 contributed by @phoenix741)

v1.8.11: @grpc/grpc-js 1.8.11

Compare Source

  • Avoid accumulating placeholder objects when sending many messages on a long-running stream (#2372)

v1.8.10: @grpc/grpc-js 1.8.10

Compare Source

  • Fix bugs in "pick first" load balancing policy that caused incorrect reconnection behavior (#2369)

v1.8.9: @grpc/grpc-js 1.8.9

Compare Source

  • Fix a bug where clients would continue to send pings at the original configured rate after receiving a backoff request from the server (#2363)

v1.8.8: @grpc/grpc-js 1.8.8

Compare Source

  • Remove progress field in returned status object (#2350)
  • Export InterceptingListener and NextCall types (#2351)
  • Fix a bug that could cause a crash when sending messages that exceed the outgoing message buffer size while a retry is in progress (#2349)

v1.8.7: @grpc/grpc-js 1.8.7

Compare Source

  • Make handling of HTTP2 session references work independent of keepalive settings (#2337)

v1.8.6: @grpc/grpc-js 1.8.6

Compare Source

  • Hold a reference to transport from call to avoid premature garbage collection (#2336)

v1.8.5: @grpc/grpc-js 1.8.5

Compare Source

  • Cancel deadline timer when the call ends (#2335)

v1.8.4

Compare Source

  • Fix a bug that would sometimes allow the Node process to exit even though a gRPC request is active (#2322)

v1.8.3: @grpc/grpc-js 1.8.3

Compare Source

  • Fix bug that caused streams to fail early when receiving a GOAWAY (#2319)

v1.8.2

Compare Source

  • Continue keepalive pings after receiving a GOAWAY on the client (#2308)
  • Fix handling of keepalive timers when the timeout is longer than the interval (#2304 contributed by @nicknotfun, included in #2308)
  • Ensure the last received message is fully handled before outputting status (#2316)

v1.8.1

Compare Source

  • Implement support for the grpc.service_config_disable_resolution channel option (#2277 contributed by @kleinsch)
  • Include standard headers in trailers-only responses (#2305)
  • Fix a memory leak in the retry implementation (#2306)

v1.8.0: @grpc/grpc-js 1.8.0

Compare Source

v1.7.3: @grpc/grpc-js 1.7.3

Compare Source

v1.7.2: @grpc/grpc-js 1.7.2

Compare Source

  • Make the default value of the grpc-node.max_session_memory option Number.MAX_SAFE_INTEGER on the server (#2245)

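Bumping the direct dependency, as this PR does, leaves the question of whether any nested copy of @grpc/grpc-js remains on an affected version. The following is an added example (not part of this PR or of the renovate tooling) that walks the `dependencies` tree `npm ls --all --json` prints and flags each copy that falls inside the advisory's affected ranges (below 1.8.22, 1.9.0 up to 1.9.15, 1.10.0 up to 1.10.9). The sample tree is constructed, and `some-transitive-dep` is a hypothetical package name.

```javascript
// Added example (not part of this PR): find every installed copy of
// @grpc/grpc-js, nested duplicates included, and check each against the
// patched versions named in the advisory (1.8.22, 1.9.15, 1.10.9).

// First fixed patch release on each 1.x minor line that received a fix.
const FIRST_FIXED = { 8: 22, 9: 15, 10: 9 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `version` lies inside an affected range of GHSA-7v5v-9h63-cj86.
function isAffected(version) {
  const [major, minor, patch] = parseVersion(version);
  if (major !== 1) return major < 1;   // 0.x is below 1.8.22; nothing above 1.x is in the ranges
  if (minor < 8) return true;          // 1.7.x and older: everything below 1.8.22 is affected
  if (minor > 10) return false;        // 1.11+ lies outside all three ranges
  return patch < FIRST_FIXED[minor];
}

// Depth-first walk of the tree shape produced by `npm ls --all --json`:
// { dependencies: { <name>: { version, dependencies: {...} } } }.
function* walk(node, chain = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...chain, `${name}@${child.version}`];
    yield { name, version: child.version, chain: here };
    yield* walk(child, here);
  }
}

function findVulnerableCopies(tree, pkg = '@grpc/grpc-js') {
  const hits = [];
  for (const dep of walk(tree)) {
    if (dep.name === pkg && dep.version && isAffected(dep.version)) {
      hits.push({ version: dep.version, chain: dep.chain.join(' > ') });
    }
  }
  return hits;
}

// Constructed sample tree (not real output from this repository): the direct
// dependency is already at 1.8.22, but a hypothetical transitive package still
// carries its own copy at 1.7.1.
const SAMPLE_TREE = {
  name: 'sample-app',
  version: '0.0.0',
  dependencies: {
    '@grpc/grpc-js': { version: '1.8.22' },
    'some-transitive-dep': {
      version: '2.3.4',
      dependencies: {
        '@grpc/grpc-js': { version: '1.7.1' },
      },
    },
  },
};

for (const hit of findVulnerableCopies(SAMPLE_TREE)) {
  console.log(`affected ${hit.version} via ${hit.chain}`);
}
```

To run it against a real checkout, replace `SAMPLE_TREE` with `JSON.parse(fs.readFileSync('tree.json'))` after `npm ls --all --json > tree.json`; a non-empty result means a second bump or an override is still needed even though the top-level version is fixed.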
@Stanzilla Stanzilla requested a review from a team as a code owner February 2, 2026 10:33
@codecov

codecov bot commented Feb 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.48%. Comparing base (f15aa7e) to head (a1f8826).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #6366   +/-   ##
=======================================
  Coverage   95.48%   95.48%           
=======================================
  Files         363      363           
  Lines       11564    11564           
  Branches     2669     2669           
=======================================
  Hits        11042    11042           
  Misses        522      522           

@trentm trentm self-assigned this Feb 6, 2026