fix: mitigate CVE-2024-37168

[coreydaley]

Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

• [x] Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
• [ ] Ensure the tests and linter pass
• [ ] Code coverage does not decrease (if any source code was changed)
• [ ] Appropriate docs were updated (if necessary)

Fixes #1620

[conventional-commit-lint-gcf[bot]]

🤖 I detect that the PR title and the commit message differ and there's only one commit. To use the PR title for the commit history, you can use Github's automerge feature with squashing, or use automerge label. Good luck human!

-- conventional-commit-lint bot https://conventionalcommits.org/

[SmashingQuasar]

I think it would be a better alternative to change the package reference to a more lenient approach such as:

"@grpc/grpc-js": "^1.10.9",

Or to install DependaBot or similar to avoid having to handle this type of issue manually. This package is widely used in Google projects and having vulnerable dependencies has serious repercussion on hundreds of projects.

[coreydaley]

I think it would be a better alternative to change the package reference to a more lenient approach such as:

"@grpc/grpc-js": "^1.10.9",

Or to install DependaBot or similar to avoid having to handle this type of issue manually. This package is widely used in Google projects and having vulnerable dependencies has serious repercussion on hundreds of projects.

Updated per your suggestion. Thanks!

[coreydaley]

@sofisl It looks like these two tests are failing on multiple recent pull requests. Is there a fix in the works?

[coreydaley]

Superseded by https://github.com/googleapis/gax-nodejs/pull/1622